1 /*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
12 #include <string.h>
13
14 #include "debug_internal.h"
15 #include "mbedtls/error.h"
16 #include "mbedtls/platform.h"
17
18 #include "ssl_misc.h"
19 #include "ssl_client.h"
20 #include "ssl_tls13_keys.h"
21 #include "ssl_debug_helpers.h"
22 #include "mbedtls/psa_util.h"
23
24 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
25 /* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
local_err_translation(psa_status_t status)27 static int local_err_translation(psa_status_t status)
28 {
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
30 ARRAY_LENGTH(psa_to_ssl_errors),
31 psa_generic_status_to_mbedtls);
32 }
33 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
34 #endif
35
36 /* Write extensions */
37
38 /*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
45 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)46 static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47 unsigned char *buf,
48 unsigned char *end,
49 size_t *out_len)
50 {
51 unsigned char *p = buf;
52 unsigned char versions_len = (ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
54
55 *out_len = 0;
56
57 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
58
59 /* Check if we have space to write the extension:
60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
63 * - versions (2 or 4 bytes)
64 */
65 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
66
67 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68 MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
69 p += 4;
70
71 /* Length of versions */
72 *p++ = versions_len;
73
74 /* Write values of supported versions.
75 * They are defined by the configuration.
76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
77 */
78 mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3);
80 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
81
82
83 if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84 mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85 MBEDTLS_SSL_VERSION_TLS1_2);
86 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
87 }
88
89 *out_len = 5 + versions_len;
90
91 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
92 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
93
94 return 0;
95 }
96
97 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)98 static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99 const unsigned char *buf,
100 const unsigned char *end)
101 {
102 ((void) ssl);
103
104 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105 if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106 MBEDTLS_SSL_VERSION_TLS1_3) {
107 MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
108
109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
112 }
113
114 if (&buf[2] != end) {
115 MBEDTLS_SSL_DEBUG_MSG(
116 1, ("supported_versions ext data length incorrect"));
117 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR);
119 return MBEDTLS_ERR_SSL_DECODE_ERROR;
120 }
121
122 return 0;
123 }
124
125 #if defined(MBEDTLS_SSL_ALPN)
126 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)127 static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128 const unsigned char *buf, size_t len)
129 {
130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
134
135 /* If we didn't send it, the server shouldn't send it */
136 if (ssl->conf->alpn_list == NULL) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
139
140 /*
141 * opaque ProtocolName<1..2^8-1>;
142 *
143 * struct {
144 * ProtocolName protocol_name_list<2..2^16-1>
145 * } ProtocolNameList;
146 *
147 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148 */
149
150 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
152 p += 2;
153
154 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
155 protocol_name_list_end = p + protocol_name_list_len;
156
157 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
158 protocol_name_len = *p++;
159
160 /* Check that the server chosen protocol was in our list and save it */
161 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163 if (protocol_name_len == strlen(*alpn) &&
164 memcmp(p, *alpn, protocol_name_len) == 0) {
165 ssl->alpn_chosen = *alpn;
166 return 0;
167 }
168 }
169
170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
171 }
172 #endif /* MBEDTLS_SSL_ALPN */
173
174 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_reset_key_share(mbedtls_ssl_context * ssl)175 static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
176 {
177 uint16_t group_id = ssl->handshake->offered_group_id;
178
179 if (group_id == 0) {
180 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181 }
182
183 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
184 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
185 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
190 status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
191 if (status != PSA_SUCCESS) {
192 ret = PSA_TO_MBEDTLS_ERR(status);
193 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194 return ret;
195 }
196
197 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
198 return 0;
199 } else
200 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
201 if (0 /* other KEMs? */) {
202 /* Do something */
203 }
204
205 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
206 }
207
208 /*
209 * Functions for writing key_share extension.
210 */
211 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
212 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_get_default_group_id(mbedtls_ssl_context * ssl,uint16_t * group_id)213 static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214 uint16_t *group_id)
215 {
216 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217
218
219 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
220 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
221 /* Pick first available ECDHE group compatible with TLS 1.3 */
222 if (group_list == NULL) {
223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
224 }
225
226 for (; *group_list != 0; group_list++) {
227 #if defined(PSA_WANT_ALG_ECDH)
228 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229 *group_list, NULL, NULL) == PSA_SUCCESS) &&
230 mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
231 *group_id = *group_list;
232 return 0;
233 }
234 #endif
235 #if defined(PSA_WANT_ALG_FFDH)
236 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
237 *group_id = *group_list;
238 return 0;
239 }
240 #endif
241 }
242 #else
243 ((void) ssl);
244 ((void) group_id);
245 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
246
247 return ret;
248 }
249
250 /*
251 * ssl_tls13_write_key_share_ext
252 *
253 * Structure of key_share extension in ClientHello:
254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
263 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)264 static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
267 size_t *out_len)
268 {
269 unsigned char *p = buf;
270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
272 uint16_t group_id;
273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
275 *out_len = 0;
276
277 /* Check if we have space for header and length fields:
278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
282 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
283 p += 6;
284
285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
289 if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
290 !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
291 MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292 &group_id));
293 }
294
295 /*
296 * Dispatch to type-specific key generation function.
297 *
298 * So far, we're only supporting ECDHE. With the introduction
299 * of PQC KEMs, we'll want to have multiple branches, one per
300 * type of KEM, and dispatch to the corresponding crypto. And
301 * only one key share entry is allowed.
302 */
303 client_shares = p;
304 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
306 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
307 /* Pointer to group */
308 unsigned char *group = p;
309 /* Length of key_exchange */
310 size_t key_exchange_len = 0;
311
312 /* Check there is space for header of KeyShareEntry
313 * - group (2 bytes)
314 * - key_exchange_length (2 bytes)
315 */
316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
317 p += 4;
318 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
319 ssl, group_id, p, end, &key_exchange_len);
320 p += key_exchange_len;
321 if (ret != 0) {
322 return ret;
323 }
324
325 /* Write group */
326 MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
327 /* Write key_exchange_length */
328 MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329 } else
330 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
331 if (0 /* other KEMs? */) {
332 /* Do something */
333 } else {
334 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
335 }
336
337 /* Length of client_shares */
338 client_shares_len = p - client_shares;
339 if (client_shares_len == 0) {
340 MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
342 }
343 /* Write extension_type */
344 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
345 /* Write extension_data_length */
346 MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
347 /* Write client_shares_length */
348 MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
349
350 /* Update offered_group_id field */
351 ssl->handshake->offered_group_id = group_id;
352
353 /* Output the total length of key_share extension. */
354 *out_len = p - buf;
355
356 MBEDTLS_SSL_DEBUG_BUF(
357 3, "client hello, key_share extension", buf, *out_len);
358
359 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
360
361 cleanup:
362
363 return ret;
364 }
365 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
366
367 /*
368 * ssl_tls13_parse_hrr_key_share_ext()
369 * Parse key_share extension in Hello Retry Request
370 *
371 * struct {
372 * NamedGroup selected_group;
373 * } KeyShareHelloRetryRequest;
374 */
375 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)376 static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377 const unsigned char *buf,
378 const unsigned char *end)
379 {
380 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
381 const unsigned char *p = buf;
382 int selected_group;
383 int found = 0;
384
385 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386 if (group_list == NULL) {
387 return MBEDTLS_ERR_SSL_BAD_CONFIG;
388 }
389
390 MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
391
392 /* Read selected_group */
393 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394 selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
396
397 /* Upon receipt of this extension in a HelloRetryRequest, the client
398 * MUST first verify that the selected_group field corresponds to a
399 * group which was provided in the "supported_groups" extension in the
400 * original ClientHello.
401 * The supported_group was based on the info in ssl->conf->group_list.
402 *
403 * If the server provided a key share that was not sent in the ClientHello
404 * then the client MUST abort the handshake with an "illegal_parameter" alert.
405 */
406 for (; *group_list != 0; group_list++) {
407 #if defined(PSA_WANT_ALG_ECDH)
408 if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410 *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411 *group_list != selected_group) {
412 found = 1;
413 break;
414 }
415 }
416 #endif /* PSA_WANT_ALG_ECDH */
417 #if defined(PSA_WANT_ALG_FFDH)
418 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
419 found = 1;
420 break;
421 }
422 #endif /* PSA_WANT_ALG_FFDH */
423 }
424
425 /* Client MUST verify that the selected_group field does not
426 * correspond to a group which was provided in the "key_share"
427 * extension in the original ClientHello. If the server sent an
428 * HRR message with a key share already provided in the
429 * ClientHello then the client MUST abort the handshake with
430 * an "illegal_parameter" alert.
431 */
432 if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
434 MBEDTLS_SSL_PEND_FATAL_ALERT(
435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
438 }
439
440 /* Remember server's preference for next ClientHello */
441 ssl->handshake->offered_group_id = selected_group;
442
443 return 0;
444 #else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
445 (void) ssl;
446 (void) buf;
447 (void) end;
448 return MBEDTLS_ERR_SSL_BAD_CONFIG;
449 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
450 }
451
452 /*
453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
464 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_key_share_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)465 static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466 const unsigned char *buf,
467 const unsigned char *end)
468 {
469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
470 const unsigned char *p = buf;
471 uint16_t group, offered_group;
472
473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478 group = MBEDTLS_GET_UINT16_BE(p, 0);
479 p += 2;
480
481 /* Check that the chosen group matches the one we offered. */
482 offered_group = ssl->handshake->offered_group_id;
483 if (offered_group != group) {
484 MBEDTLS_SSL_DEBUG_MSG(
485 1, ("Invalid server key share, our group %u, their group %u",
486 (unsigned) offered_group, (unsigned) group));
487 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
490 }
491
492 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
493 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
494 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
495 MBEDTLS_SSL_DEBUG_MSG(2,
496 ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
497 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
498 if (ret != 0) {
499 return ret;
500 }
501 } else
502 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
503 if (0 /* other KEMs? */) {
504 /* Do something */
505 } else {
506 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
507 }
508
509 return ret;
510 }
511
512 /*
513 * ssl_tls13_parse_cookie_ext()
514 * Parse cookie extension in Hello Retry Request
515 *
516 * struct {
517 * opaque cookie<1..2^16-1>;
518 * } Cookie;
519 *
520 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521 * extension to the client (this is an exception to the usual rule that
522 * the only extensions that may be sent are those that appear in the
523 * ClientHello). When sending the new ClientHello, the client MUST copy
524 * the contents of the extension received in the HelloRetryRequest into
525 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526 * cookies in their initial ClientHello in subsequent connections.
527 */
528 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_cookie_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)529 static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530 const unsigned char *buf,
531 const unsigned char *end)
532 {
533 uint16_t cookie_len;
534 const unsigned char *p = buf;
535 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536
537 /* Retrieve length field of cookie */
538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539 cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
540 p += 2;
541
542 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543 MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
544
545 mbedtls_free(handshake->cookie);
546 handshake->cookie_len = 0;
547 handshake->cookie = mbedtls_calloc(1, cookie_len);
548 if (handshake->cookie == NULL) {
549 MBEDTLS_SSL_DEBUG_MSG(1,
550 ("alloc failed ( %ud bytes )",
551 cookie_len));
552 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
553 }
554
555 memcpy(handshake->cookie, p, cookie_len);
556 handshake->cookie_len = cookie_len;
557
558 return 0;
559 }
560
561 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_cookie_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)562 static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563 unsigned char *buf,
564 unsigned char *end,
565 size_t *out_len)
566 {
567 unsigned char *p = buf;
568 *out_len = 0;
569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
570
571 if (handshake->cookie == NULL) {
572 MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573 return 0;
574 }
575
576 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577 handshake->cookie,
578 handshake->cookie_len);
579
580 MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
581
582 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
583
584 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
587 p += 6;
588
589 /* Cookie */
590 memcpy(p, handshake->cookie, handshake->cookie_len);
591
592 *out_len = handshake->cookie_len + 6;
593
594 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
595
596 return 0;
597 }
598
599 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
600 /*
601 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602 *
603 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604 *
605 * struct {
606 * PskKeyExchangeMode ke_modes<1..255>;
607 * } PskKeyExchangeModes;
608 */
609 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)610 static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611 unsigned char *buf,
612 unsigned char *end,
613 size_t *out_len)
614 {
615 unsigned char *p = buf;
616 int ke_modes_len = 0;
617
618 ((void) ke_modes_len);
619 *out_len = 0;
620
621 /* Skip writing extension if no PSK key exchange mode
622 * is enabled in the config.
623 */
624 if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
625 MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626 return 0;
627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
632 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
633 MBEDTLS_SSL_DEBUG_MSG(
634 3, ("client hello, adding psk_key_exchange_modes extension"));
635
636 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
637
638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
640 */
641 p += 5;
642
643 if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
644 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
645 ke_modes_len++;
646
647 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
648 }
649
650 if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
651 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652 ke_modes_len++;
653
654 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
655 }
656
657 /* Now write the extension and ke_modes length */
658 MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
659 buf[4] = ke_modes_len;
660
661 *out_len = p - buf;
662
663 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
664 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
665
666 return 0;
667 }
668
ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)669 static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
670 {
671 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
672 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
673
674 if (ciphersuite_info != NULL) {
675 return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
676 }
677
678 return PSA_ALG_NONE;
679 }
680
681 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_tls13_has_configured_ticket(mbedtls_ssl_context * ssl)682 static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
683 {
684 mbedtls_ssl_session *session = ssl->session_negotiate;
685 return ssl->handshake->resume &&
686 session != NULL && session->ticket != NULL &&
687 mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
688 ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
689 session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
690 }
691
692 #if defined(MBEDTLS_SSL_EARLY_DATA)
ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context * ssl)693 static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
694 {
695 mbedtls_ssl_session *session = ssl->session_negotiate;
696 return ssl->handshake->resume &&
697 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
698 mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
699 mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
700 }
701 #endif
702
703 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_ticket_get_identity(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** identity,size_t * identity_len)704 static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
705 psa_algorithm_t *hash_alg,
706 const unsigned char **identity,
707 size_t *identity_len)
708 {
709 mbedtls_ssl_session *session = ssl->session_negotiate;
710
711 if (!ssl_tls13_has_configured_ticket(ssl)) {
712 return -1;
713 }
714
715 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
716 *identity = session->ticket;
717 *identity_len = session->ticket_len;
718 return 0;
719 }
720
721 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_ticket_get_psk(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** psk,size_t * psk_len)722 static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
723 psa_algorithm_t *hash_alg,
724 const unsigned char **psk,
725 size_t *psk_len)
726 {
727
728 mbedtls_ssl_session *session = ssl->session_negotiate;
729
730 if (!ssl_tls13_has_configured_ticket(ssl)) {
731 return -1;
732 }
733
734 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
735 *psk = session->resumption_key;
736 *psk_len = session->resumption_key_len;
737
738 return 0;
739 }
740 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
741
742 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_psk_get_identity(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** identity,size_t * identity_len)743 static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
744 psa_algorithm_t *hash_alg,
745 const unsigned char **identity,
746 size_t *identity_len)
747 {
748
749 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
750 return -1;
751 }
752
753 *hash_alg = PSA_ALG_SHA_256;
754 *identity = ssl->conf->psk_identity;
755 *identity_len = ssl->conf->psk_identity_len;
756 return 0;
757 }
758
759 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_psk_get_psk(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** psk,size_t * psk_len)760 static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
761 psa_algorithm_t *hash_alg,
762 const unsigned char **psk,
763 size_t *psk_len)
764 {
765
766 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
767 return -1;
768 }
769
770 *hash_alg = PSA_ALG_SHA_256;
771 *psk = ssl->conf->psk;
772 *psk_len = ssl->conf->psk_len;
773 return 0;
774 }
775
ssl_tls13_get_configured_psk_count(mbedtls_ssl_context * ssl)776 static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
777 {
778 int configured_psk_count = 0;
779 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
780 if (ssl_tls13_has_configured_ticket(ssl)) {
781 MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
782 configured_psk_count++;
783 }
784 #endif
785 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
786 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
787 configured_psk_count++;
788 }
789 return configured_psk_count;
790 }
791
792 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_identity(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,const unsigned char * identity,size_t identity_len,uint32_t obfuscated_ticket_age,size_t * out_len)793 static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
794 unsigned char *buf,
795 unsigned char *end,
796 const unsigned char *identity,
797 size_t identity_len,
798 uint32_t obfuscated_ticket_age,
799 size_t *out_len)
800 {
801 ((void) ssl);
802 *out_len = 0;
803
804 /*
805 * - identity_len (2 bytes)
806 * - identity (psk_identity_len bytes)
807 * - obfuscated_ticket_age (4 bytes)
808 */
809 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
810
811 MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
812 memcpy(buf + 2, identity, identity_len);
813 MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
814
815 MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
816
817 *out_len = 6 + identity_len;
818
819 return 0;
820 }
821
822 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_binder(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,int psk_type,psa_algorithm_t hash_alg,const unsigned char * psk,size_t psk_len,size_t * out_len)823 static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
824 unsigned char *buf,
825 unsigned char *end,
826 int psk_type,
827 psa_algorithm_t hash_alg,
828 const unsigned char *psk,
829 size_t psk_len,
830 size_t *out_len)
831 {
832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
833 unsigned char binder_len;
834 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
835 size_t transcript_len = 0;
836
837 *out_len = 0;
838
839 binder_len = PSA_HASH_LENGTH(hash_alg);
840
841 /*
842 * - binder_len (1 bytes)
843 * - binder (binder_len bytes)
844 */
845 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
846
847 buf[0] = binder_len;
848
849 /* Get current state of handshake transcript. */
850 ret = mbedtls_ssl_get_handshake_transcript(
851 ssl, mbedtls_md_type_from_psa_alg(hash_alg),
852 transcript, sizeof(transcript), &transcript_len);
853 if (ret != 0) {
854 return ret;
855 }
856
857 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
858 psk, psk_len, psk_type,
859 transcript, buf + 1);
860 if (ret != 0) {
861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
862 return ret;
863 }
864 MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
865
866 *out_len = 1 + binder_len;
867
868 return 0;
869 }
870
871 /*
872 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
873 *
874 * struct {
875 * opaque identity<1..2^16-1>;
876 * uint32 obfuscated_ticket_age;
877 * } PskIdentity;
878 *
879 * opaque PskBinderEntry<32..255>;
880 *
881 * struct {
882 * PskIdentity identities<7..2^16-1>;
883 * PskBinderEntry binders<33..2^16-1>;
884 * } OfferedPsks;
885 *
886 * struct {
887 * select (Handshake.msg_type) {
888 * case client_hello: OfferedPsks;
889 * ...
890 * };
891 * } PreSharedKeyExtension;
892 *
893 */
mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,size_t * binders_len)894 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
895 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
896 size_t *out_len, size_t *binders_len)
897 {
898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
899 int configured_psk_count = 0;
900 unsigned char *p = buf;
901 psa_algorithm_t hash_alg = PSA_ALG_NONE;
902 const unsigned char *identity;
903 size_t identity_len;
904 size_t l_binders_len = 0;
905 size_t output_len;
906
907 *out_len = 0;
908 *binders_len = 0;
909
910 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
911 configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
912 if (configured_psk_count == 0) {
913 MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
914 return 0;
915 }
916
917 MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
918 configured_psk_count));
919
920 /* Check if we have space to write the extension, binders included.
921 * - extension_type (2 bytes)
922 * - extension_data_len (2 bytes)
923 * - identities_len (2 bytes)
924 */
925 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
926 p += 6;
927
928 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
929 if (ssl_tls13_ticket_get_identity(
930 ssl, &hash_alg, &identity, &identity_len) == 0) {
931 #if defined(MBEDTLS_HAVE_TIME)
932 mbedtls_ms_time_t now = mbedtls_ms_time();
933 mbedtls_ssl_session *session = ssl->session_negotiate;
934 /* The ticket age has been checked to be smaller than the
935 * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
936 * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
937 * cast to `uint32_t` of the ticket age is safe. */
938 uint32_t obfuscated_ticket_age =
939 (uint32_t) (now - session->ticket_reception_time);
940 obfuscated_ticket_age += session->ticket_age_add;
941
942 ret = ssl_tls13_write_identity(ssl, p, end,
943 identity, identity_len,
944 obfuscated_ticket_age,
945 &output_len);
946 #else
947 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
948 0, &output_len);
949 #endif /* MBEDTLS_HAVE_TIME */
950 if (ret != 0) {
951 return ret;
952 }
953
954 p += output_len;
955 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
956 }
957 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
958
959 if (ssl_tls13_psk_get_identity(
960 ssl, &hash_alg, &identity, &identity_len) == 0) {
961
962 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
963 &output_len);
964 if (ret != 0) {
965 return ret;
966 }
967
968 p += output_len;
969 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
970 }
971
972 MBEDTLS_SSL_DEBUG_MSG(3,
973 ("client hello, adding pre_shared_key extension, "
974 "omitting PSK binder list"));
975
976 /* Take into account the two bytes for the length of the binders. */
977 l_binders_len += 2;
978 /* Check if there is enough space for binders */
979 MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
980
981 /*
982 * - extension_type (2 bytes)
983 * - extension_data_len (2 bytes)
984 * - identities_len (2 bytes)
985 */
986 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
987 MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
988 MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
989
990 *out_len = (p - buf) + l_binders_len;
991 *binders_len = l_binders_len;
992
993 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
994
995 return 0;
996 }
997
mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end)998 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
999 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
1000 {
1001 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002 unsigned char *p = buf;
1003 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1004 const unsigned char *psk;
1005 size_t psk_len;
1006 size_t output_len;
1007
1008 /* Check if we have space to write binders_len.
1009 * - binders_len (2 bytes)
1010 */
1011 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1012 p += 2;
1013
1014 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1015 if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
1016
1017 ret = ssl_tls13_write_binder(ssl, p, end,
1018 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1019 hash_alg, psk, psk_len,
1020 &output_len);
1021 if (ret != 0) {
1022 return ret;
1023 }
1024 p += output_len;
1025 }
1026 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1027
1028 if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
1029
1030 ret = ssl_tls13_write_binder(ssl, p, end,
1031 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1032 hash_alg, psk, psk_len,
1033 &output_len);
1034 if (ret != 0) {
1035 return ret;
1036 }
1037 p += output_len;
1038 }
1039
1040 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
1041
1042 /*
1043 * - binders_len (2 bytes)
1044 */
1045 MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
1046
1047 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
1048
1049 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1050 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
1051
1052 return 0;
1053 }
1054
1055 /*
1056 * struct {
1057 * opaque identity<1..2^16-1>;
1058 * uint32 obfuscated_ticket_age;
1059 * } PskIdentity;
1060 *
1061 * opaque PskBinderEntry<32..255>;
1062 *
1063 * struct {
1064 *
1065 * select (Handshake.msg_type) {
1066 * ...
1067 * case server_hello: uint16 selected_identity;
1068 * };
1069 *
1070 * } PreSharedKeyExtension;
1071 *
1072 */
1073 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1074 static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1075 const unsigned char *buf,
1076 const unsigned char *end)
1077 {
1078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1079 int selected_identity;
1080 const unsigned char *psk;
1081 size_t psk_len;
1082 psa_algorithm_t hash_alg;
1083
1084 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1085 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
1086 ssl->handshake->selected_identity = (uint16_t) selected_identity;
1087
1088 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
1089
1090 if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1091 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
1092
1093 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1094 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1095 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1096 }
1097
1098 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1099 if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1100 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1101 } else
1102 #endif
1103 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1104 ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1105 } else {
1106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1108 }
1109 if (ret != 0) {
1110 return ret;
1111 }
1112
1113 if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
1114 != hash_alg) {
1115 MBEDTLS_SSL_DEBUG_MSG(
1116 1, ("Invalid ciphersuite for external psk."));
1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1119 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1121 }
1122
1123 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1124 if (ret != 0) {
1125 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1126 return ret;
1127 }
1128
1129 return 0;
1130 }
1131 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1132
mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1133 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1134 unsigned char *buf,
1135 unsigned char *end,
1136 size_t *out_len)
1137 {
1138 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1139 unsigned char *p = buf;
1140 size_t ext_len;
1141
1142 *out_len = 0;
1143
1144 /* Write supported_versions extension
1145 *
1146 * Supported Versions Extension is mandatory with TLS 1.3.
1147 */
1148 ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1149 if (ret != 0) {
1150 return ret;
1151 }
1152 p += ext_len;
1153
1154 /* Echo the cookie if the server provided one in its preceding
1155 * HelloRetryRequest message.
1156 */
1157 ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1158 if (ret != 0) {
1159 return ret;
1160 }
1161 p += ext_len;
1162
1163 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1164 ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
1165 ssl, p, end, &ext_len);
1166 if (ret != 0) {
1167 return ret;
1168 }
1169 p += ext_len;
1170 #endif
1171
1172 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1173 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
1174 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1175 if (ret != 0) {
1176 return ret;
1177 }
1178 p += ext_len;
1179 }
1180 #endif
1181
1182 #if defined(MBEDTLS_SSL_EARLY_DATA)
1183 /* In the first ClientHello, write the early data indication extension if
1184 * necessary and update the early data state.
1185 * If an HRR has been received and thus we are currently writing the
1186 * second ClientHello, the second ClientHello must not contain an early
1187 * data extension and the early data state must stay as it is:
1188 * MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT or
1189 * MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED.
1190 */
1191 if (!ssl->handshake->hello_retry_request_flag) {
1192 if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
1193 ssl_tls13_early_data_has_valid_ticket(ssl) &&
1194 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
1195 ret = mbedtls_ssl_tls13_write_early_data_ext(
1196 ssl, 0, p, end, &ext_len);
1197 if (ret != 0) {
1198 return ret;
1199 }
1200 p += ext_len;
1201
1202 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT;
1203 } else {
1204 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT;
1205 }
1206 }
1207 #endif /* MBEDTLS_SSL_EARLY_DATA */
1208
1209 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1210 /* For PSK-based key exchange we need the pre_shared_key extension
1211 * and the psk_key_exchange_modes extension.
1212 *
1213 * The pre_shared_key extension MUST be the last extension in the
1214 * ClientHello. Servers MUST check that it is the last extension and
1215 * otherwise fail the handshake with an "illegal_parameter" alert.
1216 *
1217 * Add the psk_key_exchange_modes extension.
1218 */
1219 ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1220 if (ret != 0) {
1221 return ret;
1222 }
1223 p += ext_len;
1224 #endif
1225
1226 *out_len = p - buf;
1227
1228 return 0;
1229 }
1230
mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context * ssl)1231 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
1232 {
1233 ((void) ssl);
1234
1235 #if defined(MBEDTLS_SSL_EARLY_DATA)
1236 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1237 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1238 const unsigned char *psk;
1239 size_t psk_len;
1240 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1241
1242 if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT) {
1243 MBEDTLS_SSL_DEBUG_MSG(
1244 1, ("Set hs psk for early data when writing the first psk"));
1245
1246 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1247 if (ret != 0) {
1248 MBEDTLS_SSL_DEBUG_RET(
1249 1, "ssl_tls13_ticket_get_psk", ret);
1250 return ret;
1251 }
1252
1253 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1254 if (ret != 0) {
1255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1256 return ret;
1257 }
1258
1259 /*
1260 * Early data are going to be encrypted using the ciphersuite
1261 * associated with the pre-shared key used for the handshake.
1262 * Note that if the server rejects early data, the handshake
1263 * based on the pre-shared key may complete successfully
1264 * with a selected ciphersuite different from the ciphersuite
1265 * associated with the pre-shared key. Only the hashes of the
1266 * two ciphersuites have to be the same. In that case, the
1267 * encrypted handshake data and application data are
1268 * encrypted using a different ciphersuite than the one used for
1269 * the rejected early data.
1270 */
1271 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1272 ssl->session_negotiate->ciphersuite);
1273 ssl->handshake->ciphersuite_info = ciphersuite_info;
1274
1275 /* Enable psk and psk_ephemeral to make stage early happy */
1276 ssl->handshake->key_exchange_mode =
1277 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1278
1279 /* Start the TLS 1.3 key schedule:
1280 * Set the PSK and derive early secret.
1281 */
1282 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1283 if (ret != 0) {
1284 MBEDTLS_SSL_DEBUG_RET(
1285 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1286 return ret;
1287 }
1288
1289 /* Derive early data key material */
1290 ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1291 if (ret != 0) {
1292 MBEDTLS_SSL_DEBUG_RET(
1293 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
1294 return ret;
1295 }
1296
1297 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1298 mbedtls_ssl_handshake_set_state(
1299 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1300 #else
1301 MBEDTLS_SSL_DEBUG_MSG(
1302 1, ("Switch to early data keys for outbound traffic"));
1303 mbedtls_ssl_set_outbound_transform(
1304 ssl, ssl->handshake->transform_earlydata);
1305 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;
1306 #endif
1307 }
1308 #endif /* MBEDTLS_SSL_EARLY_DATA */
1309 return 0;
1310 }
1311 /*
1312 * Functions for parsing and processing Server Hello
1313 */
1314
1315 /**
1316 * \brief Detect if the ServerHello contains a supported_versions extension
1317 * or not.
1318 *
1319 * \param[in] ssl SSL context
1320 * \param[in] buf Buffer containing the ServerHello message
1321 * \param[in] end End of the buffer containing the ServerHello message
1322 *
1323 * \return 0 if the ServerHello does not contain a supported_versions extension
1324 * \return 1 if the ServerHello contains a supported_versions extension
1325 * \return A negative value if an error occurred while parsing the ServerHello.
1326 */
1327 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_is_supported_versions_ext_present(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1328 static int ssl_tls13_is_supported_versions_ext_present(
1329 mbedtls_ssl_context *ssl,
1330 const unsigned char *buf,
1331 const unsigned char *end)
1332 {
1333 const unsigned char *p = buf;
1334 size_t legacy_session_id_echo_len;
1335 const unsigned char *supported_versions_data;
1336 const unsigned char *supported_versions_data_end;
1337
1338 /*
1339 * Check there is enough data to access the legacy_session_id_echo vector
1340 * length:
1341 * - legacy_version 2 bytes
1342 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1343 * - legacy_session_id_echo length 1 byte
1344 */
1345 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
1346 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1347 legacy_session_id_echo_len = *p;
1348
1349 /*
1350 * Jump to the extensions, jumping over:
1351 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1352 * - cipher_suite 2 bytes
1353 * - legacy_compression_method 1 byte
1354 */
1355 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1356 p += legacy_session_id_echo_len + 4;
1357
1358 return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1359 ssl, p, end,
1360 &supported_versions_data, &supported_versions_data_end);
1361 }
1362
1363 /* Returns a negative value on failure, and otherwise
1364 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1365 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1366 * - 0 otherwise
1367 */
1368 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1369 static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1370 const unsigned char *buf,
1371 const unsigned char *end)
1372 {
1373 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1374 static const unsigned char magic_downgrade_string[] =
1375 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1376 const unsigned char *last_eight_bytes_of_random;
1377 unsigned char last_byte_of_random;
1378
1379 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
1380 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1381
1382 if (memcmp(last_eight_bytes_of_random,
1383 magic_downgrade_string,
1384 sizeof(magic_downgrade_string)) == 0) {
1385 last_byte_of_random = last_eight_bytes_of_random[7];
1386 return last_byte_of_random == 0 ||
1387 last_byte_of_random == 1;
1388 }
1389
1390 return 0;
1391 }
1392
1393 /* Returns a negative value on failure, and otherwise
1394 * - SSL_SERVER_HELLO or
1395 * - SSL_SERVER_HELLO_HRR
1396 * to indicate which message is expected and to be parsed next.
1397 */
1398 #define SSL_SERVER_HELLO 0
1399 #define SSL_SERVER_HELLO_HRR 1
1400 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_server_hello_is_hrr(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1401 static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1402 const unsigned char *buf,
1403 const unsigned char *end)
1404 {
1405
1406 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1407 *
1408 * Server Hello and HRR are only distinguished by Random set to the
1409 * special value of the SHA-256 of "HelloRetryRequest".
1410 *
1411 * struct {
1412 * ProtocolVersion legacy_version = 0x0303;
1413 * Random random;
1414 * opaque legacy_session_id_echo<0..32>;
1415 * CipherSuite cipher_suite;
1416 * uint8 legacy_compression_method = 0;
1417 * Extension extensions<6..2^16-1>;
1418 * } ServerHello;
1419 *
1420 */
1421 MBEDTLS_SSL_CHK_BUF_READ_PTR(
1422 buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
1423
1424 if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1425 sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1426 return SSL_SERVER_HELLO_HRR;
1427 }
1428
1429 return SSL_SERVER_HELLO;
1430 }
1431
1432 /*
1433 * Returns a negative value on failure, and otherwise
1434 * - SSL_SERVER_HELLO or
1435 * - SSL_SERVER_HELLO_HRR or
1436 * - SSL_SERVER_HELLO_TLS1_2
1437 */
1438 #define SSL_SERVER_HELLO_TLS1_2 2
1439 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_preprocess_server_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1440 static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1441 const unsigned char *buf,
1442 const unsigned char *end)
1443 {
1444 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1445 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1446
1447 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1448 ssl, buf, end));
1449
1450 if (ret == 0) {
1451 MBEDTLS_SSL_PROC_CHK_NEG(
1452 ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
1453
1454 /* If the server is negotiating TLS 1.2 or below and:
1455 * . we did not propose TLS 1.2 or
1456 * . the server responded it is TLS 1.3 capable but negotiating a lower
1457 * version of the protocol and thus we are under downgrade attack
1458 * abort the handshake with an "illegal parameter" alert.
1459 */
1460 if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1461 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1462 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1463 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1464 }
1465
1466 /*
1467 * Version 1.2 of the protocol has been negotiated, set the
1468 * ssl->keep_current_message flag for the ServerHello to be kept and
1469 * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1470 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1471 * will dispatch to the TLS 1.2 state machine.
1472 */
1473 ssl->keep_current_message = 1;
1474 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
1475 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1476 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1477 buf, (size_t) (end - buf)));
1478
1479 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
1480 ret = ssl_tls13_reset_key_share(ssl);
1481 if (ret != 0) {
1482 return ret;
1483 }
1484 }
1485
1486 return SSL_SERVER_HELLO_TLS1_2;
1487 }
1488
1489 ssl->session_negotiate->tls_version = ssl->tls_version;
1490 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1491
1492 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1493
1494 ret = ssl_server_hello_is_hrr(ssl, buf, end);
1495 switch (ret) {
1496 case SSL_SERVER_HELLO:
1497 MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
1498 break;
1499 case SSL_SERVER_HELLO_HRR:
1500 MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
1501 /* If a client receives a second HelloRetryRequest in the same
1502 * connection (i.e., where the ClientHello was itself in response
1503 * to a HelloRetryRequest), it MUST abort the handshake with an
1504 * "unexpected_message" alert.
1505 */
1506 if (handshake->hello_retry_request_flag) {
1507 MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
1508 MBEDTLS_SSL_PEND_FATAL_ALERT(
1509 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1510 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
1511 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1512 }
1513 /*
1514 * Clients must abort the handshake with an "illegal_parameter"
1515 * alert if the HelloRetryRequest would not result in any change
1516 * in the ClientHello.
1517 * In a PSK only key exchange that what we expect.
1518 */
1519 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
1520 MBEDTLS_SSL_DEBUG_MSG(1,
1521 ("Unexpected HRR in pure PSK key exchange."));
1522 MBEDTLS_SSL_PEND_FATAL_ALERT(
1523 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1524 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1525 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1526 }
1527
1528 handshake->hello_retry_request_flag = 1;
1529
1530 break;
1531 }
1532
1533 cleanup:
1534
1535 return ret;
1536 }
1537
1538 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context * ssl,const unsigned char ** buf,const unsigned char * end)1539 static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1540 const unsigned char **buf,
1541 const unsigned char *end)
1542 {
1543 const unsigned char *p = *buf;
1544 size_t legacy_session_id_echo_len;
1545
1546 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1547 legacy_session_id_echo_len = *p++;
1548
1549 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
1550
1551 /* legacy_session_id_echo */
1552 if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1553 memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1554 MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1555 ssl->session_negotiate->id,
1556 ssl->session_negotiate->id_len);
1557 MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1558 legacy_session_id_echo_len);
1559
1560 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1561 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1562
1563 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1564 }
1565
1566 p += legacy_session_id_echo_len;
1567 *buf = p;
1568
1569 MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1570 ssl->session_negotiate->id_len);
1571 return 0;
1572 }
1573
1574 /* Parse ServerHello message and configure context
1575 *
1576 * struct {
1577 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1578 * Random random;
1579 * opaque legacy_session_id_echo<0..32>;
1580 * CipherSuite cipher_suite;
1581 * uint8 legacy_compression_method = 0;
1582 * Extension extensions<6..2^16-1>;
1583 * } ServerHello;
1584 */
1585 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_server_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,int is_hrr)1586 static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1587 const unsigned char *buf,
1588 const unsigned char *end,
1589 int is_hrr)
1590 {
1591 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1592 const unsigned char *p = buf;
1593 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1594 size_t extensions_len;
1595 const unsigned char *extensions_end;
1596 uint16_t cipher_suite;
1597 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1598 int fatal_alert = 0;
1599 uint32_t allowed_extensions_mask;
1600 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
1601 MBEDTLS_SSL_HS_SERVER_HELLO;
1602
1603 /*
1604 * Check there is space for minimal fields
1605 *
1606 * - legacy_version ( 2 bytes)
1607 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
1608 * - legacy_session_id_echo ( 1 byte ), minimum size
1609 * - cipher_suite ( 2 bytes)
1610 * - legacy_compression_method ( 1 byte )
1611 */
1612 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
1613
1614 MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1615 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
1616
1617 /* ...
1618 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1619 * ...
1620 * with ProtocolVersion defined as:
1621 * uint16 ProtocolVersion;
1622 */
1623 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1624 MBEDTLS_SSL_VERSION_TLS1_2) {
1625 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1626 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1627 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1628 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1629 goto cleanup;
1630 }
1631 p += 2;
1632
1633 /* ...
1634 * Random random;
1635 * ...
1636 * with Random defined as:
1637 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1638 */
1639 if (!is_hrr) {
1640 memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1641 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1642 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1643 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1644 }
1645 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
1646
1647 /* ...
1648 * opaque legacy_session_id_echo<0..32>;
1649 * ...
1650 */
1651 if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
1652 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1653 goto cleanup;
1654 }
1655
1656 /* ...
1657 * CipherSuite cipher_suite;
1658 * ...
1659 * with CipherSuite defined as:
1660 * uint8 CipherSuite[2];
1661 */
1662 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1663 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
1664 p += 2;
1665
1666
1667 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
1668 /*
1669 * Check whether this ciphersuite is valid and offered.
1670 */
1671 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1672 ssl->tls_version,
1673 ssl->tls_version) != 0) ||
1674 !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
1675 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1676 }
1677 /*
1678 * If we received an HRR before and that the proposed selected
1679 * ciphersuite in this server hello is not the same as the one
1680 * proposed in the HRR, we abort the handshake and send an
1681 * "illegal_parameter" alert.
1682 */
1683 else if ((!is_hrr) && handshake->hello_retry_request_flag &&
1684 (cipher_suite != ssl->session_negotiate->ciphersuite)) {
1685 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1686 }
1687
1688 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1689 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1690 cipher_suite));
1691 goto cleanup;
1692 }
1693
1694 /* Configure ciphersuites */
1695 mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
1696
1697 handshake->ciphersuite_info = ciphersuite_info;
1698 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1699 cipher_suite, ciphersuite_info->name));
1700
1701 #if defined(MBEDTLS_HAVE_TIME)
1702 ssl->session_negotiate->start = mbedtls_time(NULL);
1703 #endif /* MBEDTLS_HAVE_TIME */
1704
1705 /* ...
1706 * uint8 legacy_compression_method = 0;
1707 * ...
1708 */
1709 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1710 if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1711 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1712 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1713 goto cleanup;
1714 }
1715 p++;
1716
1717 /* ...
1718 * Extension extensions<6..2^16-1>;
1719 * ...
1720 * struct {
1721 * ExtensionType extension_type; (2 bytes)
1722 * opaque extension_data<0..2^16-1>;
1723 * } Extension;
1724 */
1725 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1726 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
1727 p += 2;
1728
1729 /* Check extensions do not go beyond the buffer of data. */
1730 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
1731 extensions_end = p + extensions_len;
1732
1733 MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
1734
1735 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1736 allowed_extensions_mask = is_hrr ?
1737 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1738 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
1739
1740 while (p < extensions_end) {
1741 unsigned int extension_type;
1742 size_t extension_data_len;
1743 const unsigned char *extension_data_end;
1744
1745 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1746 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1747 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
1748 p += 4;
1749
1750 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
1751 extension_data_end = p + extension_data_len;
1752
1753 ret = mbedtls_ssl_tls13_check_received_extension(
1754 ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1755 if (ret != 0) {
1756 return ret;
1757 }
1758
1759 switch (extension_type) {
1760 case MBEDTLS_TLS_EXT_COOKIE:
1761
1762 ret = ssl_tls13_parse_cookie_ext(ssl,
1763 p, extension_data_end);
1764 if (ret != 0) {
1765 MBEDTLS_SSL_DEBUG_RET(1,
1766 "ssl_tls13_parse_cookie_ext",
1767 ret);
1768 goto cleanup;
1769 }
1770 break;
1771
1772 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1773 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1774 p,
1775 extension_data_end);
1776 if (ret != 0) {
1777 goto cleanup;
1778 }
1779 break;
1780
1781 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1782 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1783 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1784
1785 if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1786 ssl, p, extension_data_end)) != 0) {
1787 MBEDTLS_SSL_DEBUG_RET(
1788 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1789 return ret;
1790 }
1791 break;
1792 #endif
1793
1794 case MBEDTLS_TLS_EXT_KEY_SHARE:
1795 MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
1796 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
1797 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
1798 goto cleanup;
1799 }
1800
1801 if (is_hrr) {
1802 ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1803 p, extension_data_end);
1804 } else {
1805 ret = ssl_tls13_parse_key_share_ext(ssl,
1806 p, extension_data_end);
1807 }
1808 if (ret != 0) {
1809 MBEDTLS_SSL_DEBUG_RET(1,
1810 "ssl_tls13_parse_key_share_ext",
1811 ret);
1812 goto cleanup;
1813 }
1814 break;
1815
1816 default:
1817 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1818 goto cleanup;
1819 }
1820
1821 p += extension_data_len;
1822 }
1823
1824 MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
1825
1826 cleanup:
1827
1828 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1829 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1830 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
1831 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1832 } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1833 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1834 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1835 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1836 }
1837 return ret;
1838 }
1839
1840 #if defined(MBEDTLS_DEBUG_C)
ssl_tls13_get_kex_mode_str(int mode)1841 static const char *ssl_tls13_get_kex_mode_str(int mode)
1842 {
1843 switch (mode) {
1844 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1845 return "psk";
1846 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1847 return "ephemeral";
1848 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1849 return "psk_ephemeral";
1850 default:
1851 return "unknown mode";
1852 }
1853 }
1854 #endif /* MBEDTLS_DEBUG_C */
1855
1856 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_server_hello(mbedtls_ssl_context * ssl)1857 static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
1858 {
1859 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1860 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1861
1862 /* Determine the key exchange mode:
1863 * 1) If both the pre_shared_key and key_share extensions were received
1864 * then the key exchange mode is PSK with EPHEMERAL.
1865 * 2) If only the pre_shared_key extension was received then the key
1866 * exchange mode is PSK-only.
1867 * 3) If only the key_share extension was received then the key
1868 * exchange mode is EPHEMERAL-only.
1869 */
1870 switch (handshake->received_extensions &
1871 (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1872 MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
1873 /* Only the pre_shared_key extension was received */
1874 case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
1875 handshake->key_exchange_mode =
1876 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1877 break;
1878
1879 /* Only the key_share extension was received */
1880 case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
1881 handshake->key_exchange_mode =
1882 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1883 break;
1884
1885 /* Both the pre_shared_key and key_share extensions were received */
1886 case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1887 MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1888 handshake->key_exchange_mode =
1889 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1890 break;
1891
1892 /* Neither pre_shared_key nor key_share extension was received */
1893 default:
1894 MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
1895 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1896 goto cleanup;
1897 }
1898
1899 if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
1900 ssl, handshake->key_exchange_mode)) {
1901 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1902 MBEDTLS_SSL_DEBUG_MSG(
1903 2, ("Key exchange mode(%s) is not supported.",
1904 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
1905 goto cleanup;
1906 }
1907
1908 MBEDTLS_SSL_DEBUG_MSG(
1909 3, ("Selected key exchange mode: %s",
1910 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
1911
1912 /* Start the TLS 1.3 key scheduling if not already done.
1913 *
1914 * If we proposed early data then we have already derived an
1915 * early secret using the selected PSK and its associated hash.
1916 * It means that if the negotiated key exchange mode is psk or
1917 * psk_ephemeral, we have already correctly computed the
1918 * early secret and thus we do not do it again. In all other
1919 * cases we compute it here.
1920 */
1921 #if defined(MBEDTLS_SSL_EARLY_DATA)
1922 if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT ||
1923 handshake->key_exchange_mode ==
1924 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
1925 #endif
1926 {
1927 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1928 if (ret != 0) {
1929 MBEDTLS_SSL_DEBUG_RET(
1930 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1931 goto cleanup;
1932 }
1933 }
1934
1935 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1936 if (ret != 0) {
1937 MBEDTLS_SSL_DEBUG_RET(1,
1938 "mbedtls_ssl_tls13_compute_handshake_transform",
1939 ret);
1940 goto cleanup;
1941 }
1942
1943 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1944 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
1945 ssl->session_in = ssl->session_negotiate;
1946
1947 cleanup:
1948 if (ret != 0) {
1949 MBEDTLS_SSL_PEND_FATAL_ALERT(
1950 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1951 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1952 }
1953
1954 return ret;
1955 }
1956
1957 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_hrr(mbedtls_ssl_context * ssl)1958 static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
1959 {
1960 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1961
1962 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
1963
1964 /*
1965 * We are going to re-generate a shared secret corresponding to the group
1966 * selected by the server, which is different from the group for which we
1967 * generated a shared secret in the first client hello.
1968 * Thus, reset the shared secret.
1969 */
1970 ret = ssl_tls13_reset_key_share(ssl);
1971 if (ret != 0) {
1972 return ret;
1973 }
1974
1975 ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
1976
1977 #if defined(MBEDTLS_SSL_EARLY_DATA)
1978 if (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
1979 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;
1980 }
1981 #endif
1982
1983 return 0;
1984 }
1985
1986 /*
1987 * Wait and parse ServerHello handshake message.
1988 * Handler for MBEDTLS_SSL_SERVER_HELLO
1989 */
1990 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_server_hello(mbedtls_ssl_context * ssl)1991 static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
1992 {
1993 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1994 unsigned char *buf = NULL;
1995 size_t buf_len = 0;
1996 int is_hrr = 0;
1997
1998 MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
1999
2000 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2001 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
2002
2003 ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
2004 if (ret < 0) {
2005 goto cleanup;
2006 } else {
2007 is_hrr = (ret == SSL_SERVER_HELLO_HRR);
2008 }
2009
2010 if (ret == SSL_SERVER_HELLO_TLS1_2) {
2011 ret = 0;
2012 goto cleanup;
2013 }
2014
2015 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
2016 buf + buf_len,
2017 is_hrr));
2018 if (is_hrr) {
2019 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
2020 }
2021
2022 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2023 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
2024
2025 if (is_hrr) {
2026 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2027 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2028 /* If not offering early data, the client sends a dummy CCS record
2029 * immediately before its second flight. This may either be before
2030 * its second ClientHello or before its encrypted handshake flight.
2031 */
2032 mbedtls_ssl_handshake_set_state(
2033 ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
2034 #else
2035 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2036 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2037 } else {
2038 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2039 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2040 }
2041
2042 cleanup:
2043 MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2044 is_hrr ? "HelloRetryRequest" : "ServerHello"));
2045 return ret;
2046 }
2047
2048 /*
2049 *
2050 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2051 *
2052 * The EncryptedExtensions message contains any extensions which
2053 * should be protected, i.e., any which are not needed to establish
2054 * the cryptographic context.
2055 */
2056
2057 /* Parse EncryptedExtensions message
2058 * struct {
2059 * Extension extensions<0..2^16-1>;
2060 * } EncryptedExtensions;
2061 */
2062 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2063 static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2064 const unsigned char *buf,
2065 const unsigned char *end)
2066 {
2067 int ret = 0;
2068 size_t extensions_len;
2069 const unsigned char *p = buf;
2070 const unsigned char *extensions_end;
2071 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2072
2073 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2074 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
2075 p += 2;
2076
2077 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
2078 extensions_end = p + extensions_len;
2079
2080 MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2081
2082 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2083
2084 while (p < extensions_end) {
2085 unsigned int extension_type;
2086 size_t extension_data_len;
2087
2088 /*
2089 * struct {
2090 * ExtensionType extension_type; (2 bytes)
2091 * opaque extension_data<0..2^16-1>;
2092 * } Extension;
2093 */
2094 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2095 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2096 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
2097 p += 4;
2098
2099 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
2100
2101 ret = mbedtls_ssl_tls13_check_received_extension(
2102 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2103 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2104 if (ret != 0) {
2105 return ret;
2106 }
2107
2108 switch (extension_type) {
2109 #if defined(MBEDTLS_SSL_ALPN)
2110 case MBEDTLS_TLS_EXT_ALPN:
2111 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
2112
2113 if ((ret = ssl_tls13_parse_alpn_ext(
2114 ssl, p, (size_t) extension_data_len)) != 0) {
2115 return ret;
2116 }
2117
2118 break;
2119 #endif /* MBEDTLS_SSL_ALPN */
2120
2121 #if defined(MBEDTLS_SSL_EARLY_DATA)
2122 case MBEDTLS_TLS_EXT_EARLY_DATA:
2123
2124 if (extension_data_len != 0) {
2125 /* The message must be empty. */
2126 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2127 MBEDTLS_ERR_SSL_DECODE_ERROR);
2128 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2129 }
2130
2131 break;
2132 #endif /* MBEDTLS_SSL_EARLY_DATA */
2133
2134 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2135 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2136 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2137
2138 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2139 ssl, p, p + extension_data_len);
2140 if (ret != 0) {
2141 MBEDTLS_SSL_DEBUG_RET(
2142 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
2143 return ret;
2144 }
2145 break;
2146 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2147
2148 default:
2149 MBEDTLS_SSL_PRINT_EXT(
2150 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2151 extension_type, "( ignored )");
2152 break;
2153 }
2154
2155 p += extension_data_len;
2156 }
2157
2158 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
2159 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
2160 MBEDTLS_SSL_DEBUG_MSG(3,
2161 (
2162 "Record size limit extension cannot be used with max fragment length extension"));
2163 MBEDTLS_SSL_PEND_FATAL_ALERT(
2164 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2165 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2166 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2167 }
2168
2169 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2170 handshake->received_extensions);
2171
2172 /* Check that we consumed all the message. */
2173 if (p != end) {
2174 MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2175 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2176 MBEDTLS_ERR_SSL_DECODE_ERROR);
2177 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2178 }
2179
2180 return ret;
2181 }
2182
2183 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context * ssl)2184 static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
2185 {
2186 int ret;
2187 unsigned char *buf;
2188 size_t buf_len;
2189 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2190
2191 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
2192
2193 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2194 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2195 &buf, &buf_len));
2196
2197 /* Process the message contents */
2198 MBEDTLS_SSL_PROC_CHK(
2199 ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
2200
2201 #if defined(MBEDTLS_SSL_EARLY_DATA)
2202 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2203 /* RFC8446 4.2.11
2204 * If the server supplies an "early_data" extension, the
2205 * client MUST verify that the server's selected_identity
2206 * is 0. If any other value is returned, the client MUST
2207 * abort the handshake with an "illegal_parameter" alert.
2208 *
2209 * RFC 8446 4.2.10
2210 * In order to accept early data, the server MUST have accepted a PSK
2211 * cipher suite and selected the first key offered in the client's
2212 * "pre_shared_key" extension. In addition, it MUST verify that the
2213 * following values are the same as those associated with the
2214 * selected PSK:
2215 * - The TLS version number
2216 * - The selected cipher suite
2217 * - The selected ALPN [RFC7301] protocol, if any
2218 *
2219 * The server has sent an early data extension in its Encrypted
2220 * Extension message thus accepted to receive early data. We
2221 * check here that the additional constraints on the handshake
2222 * parameters, when early data are exchanged, are met,
2223 * namely:
2224 * - a PSK has been selected for the handshake
2225 * - the selected PSK for the handshake was the first one proposed
2226 * by the client.
2227 * - the selected ciphersuite for the handshake is the ciphersuite
2228 * associated with the selected PSK.
2229 */
2230 if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
2231 handshake->selected_identity != 0 ||
2232 handshake->ciphersuite_info->id !=
2233 ssl->session_negotiate->ciphersuite) {
2234
2235 MBEDTLS_SSL_PEND_FATAL_ALERT(
2236 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2237 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2238 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2239 }
2240
2241 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED;
2242 } else if (ssl->early_data_state !=
2243 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
2244 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;
2245 }
2246 #endif
2247
2248 /*
2249 * In case the client has proposed a PSK associated with a ticket,
2250 * `ssl->session_negotiate->ciphersuite` still contains at this point the
2251 * identifier of the ciphersuite associated with the ticket. This is that
2252 * way because, if an exchange of early data is agreed upon, we need
2253 * it to check that the ciphersuite selected for the handshake is the
2254 * ticket ciphersuite (see above). This information is not needed
2255 * anymore thus we can now set it to the identifier of the ciphersuite
2256 * used in this session under negotiation.
2257 */
2258 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
2259
2260 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2261 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2262 buf, buf_len));
2263
2264 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2265 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2266 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2267 } else {
2268 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2269 }
2270 #else
2271 ((void) ssl);
2272 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2273 #endif
2274
2275 cleanup:
2276
2277 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2278 return ret;
2279
2280 }
2281
2282 #if defined(MBEDTLS_SSL_EARLY_DATA)
2283 /*
2284 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2285 *
2286 * RFC 8446 section 4.5
2287 *
2288 * struct {} EndOfEarlyData;
2289 *
2290 * If the server sent an "early_data" extension in EncryptedExtensions, the
2291 * client MUST send an EndOfEarlyData message after receiving the server
2292 * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
2293 */
2294
2295 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_end_of_early_data(mbedtls_ssl_context * ssl)2296 static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2297 {
2298 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2299 unsigned char *buf = NULL;
2300 size_t buf_len;
2301 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
2302
2303 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2304 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2305 &buf, &buf_len));
2306
2307 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2308 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
2309
2310 MBEDTLS_SSL_PROC_CHK(
2311 mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
2312
2313 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2314
2315 cleanup:
2316
2317 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2318 return ret;
2319 }
2320
mbedtls_ssl_get_early_data_status(mbedtls_ssl_context * ssl)2321 int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl)
2322 {
2323 if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) ||
2324 (!mbedtls_ssl_is_handshake_over(ssl))) {
2325 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2326 }
2327
2328 switch (ssl->early_data_state) {
2329 case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT:
2330 return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED;
2331 break;
2332
2333 case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED:
2334 return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
2335 break;
2336
2337 case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED:
2338 return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2339 break;
2340
2341 default:
2342 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2343 }
2344 }
2345 #endif /* MBEDTLS_SSL_EARLY_DATA */
2346
2347 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2348 /*
2349 * STATE HANDLING: CertificateRequest
2350 *
2351 */
2352 #define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2353 #define SSL_CERTIFICATE_REQUEST_SKIP 1
2354 /* Coordination:
2355 * Deals with the ambiguity of not knowing if a CertificateRequest
2356 * will be sent. Returns a negative code on failure, or
2357 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2358 * - SSL_CERTIFICATE_REQUEST_SKIP
2359 * indicating if a Certificate Request is expected or not.
2360 */
2361 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context * ssl)2362 static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
2363 {
2364 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2365
2366 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2367 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2368 return ret;
2369 }
2370 ssl->keep_current_message = 1;
2371
2372 if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2373 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2374 MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2375 return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
2376 }
2377
2378 MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
2379
2380 return SSL_CERTIFICATE_REQUEST_SKIP;
2381 }
2382
2383 /*
2384 * ssl_tls13_parse_certificate_request()
2385 * Parse certificate request
2386 * struct {
2387 * opaque certificate_request_context<0..2^8-1>;
2388 * Extension extensions<2..2^16-1>;
2389 * } CertificateRequest;
2390 */
2391 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_certificate_request(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2392 static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2393 const unsigned char *buf,
2394 const unsigned char *end)
2395 {
2396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2397 const unsigned char *p = buf;
2398 size_t certificate_request_context_len = 0;
2399 size_t extensions_len = 0;
2400 const unsigned char *extensions_end;
2401 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2402
2403 /* ...
2404 * opaque certificate_request_context<0..2^8-1>
2405 * ...
2406 */
2407 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
2408 certificate_request_context_len = (size_t) p[0];
2409 p += 1;
2410
2411 if (certificate_request_context_len > 0) {
2412 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2413 MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2414 p, certificate_request_context_len);
2415
2416 handshake->certificate_request_context =
2417 mbedtls_calloc(1, certificate_request_context_len);
2418 if (handshake->certificate_request_context == NULL) {
2419 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2420 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2421 }
2422 memcpy(handshake->certificate_request_context, p,
2423 certificate_request_context_len);
2424 p += certificate_request_context_len;
2425 }
2426
2427 /* ...
2428 * Extension extensions<2..2^16-1>;
2429 * ...
2430 */
2431 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2432 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
2433 p += 2;
2434
2435 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
2436 extensions_end = p + extensions_len;
2437
2438 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2439
2440 while (p < extensions_end) {
2441 unsigned int extension_type;
2442 size_t extension_data_len;
2443
2444 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2445 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2446 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
2447 p += 4;
2448
2449 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
2450
2451 ret = mbedtls_ssl_tls13_check_received_extension(
2452 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2453 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2454 if (ret != 0) {
2455 return ret;
2456 }
2457
2458 switch (extension_type) {
2459 case MBEDTLS_TLS_EXT_SIG_ALG:
2460 MBEDTLS_SSL_DEBUG_MSG(3,
2461 ("found signature algorithms extension"));
2462 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2463 p + extension_data_len);
2464 if (ret != 0) {
2465 return ret;
2466 }
2467
2468 break;
2469
2470 default:
2471 MBEDTLS_SSL_PRINT_EXT(
2472 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2473 extension_type, "( ignored )");
2474 break;
2475 }
2476
2477 p += extension_data_len;
2478 }
2479
2480 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2481 handshake->received_extensions);
2482
2483 /* Check that we consumed all the message. */
2484 if (p != end) {
2485 MBEDTLS_SSL_DEBUG_MSG(1,
2486 ("CertificateRequest misaligned"));
2487 goto decode_error;
2488 }
2489
2490 /* RFC 8446 section 4.3.2
2491 *
2492 * The "signature_algorithms" extension MUST be specified
2493 */
2494 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2495 MBEDTLS_SSL_DEBUG_MSG(3,
2496 ("no signature algorithms extension found"));
2497 goto decode_error;
2498 }
2499
2500 ssl->handshake->client_auth = 1;
2501 return 0;
2502
2503 decode_error:
2504 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2505 MBEDTLS_ERR_SSL_DECODE_ERROR);
2506 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2507 }
2508
2509 /*
2510 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2511 */
2512 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_certificate_request(mbedtls_ssl_context * ssl)2513 static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
2514 {
2515 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2516
2517 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
2518
2519 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
2520
2521 if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
2522 unsigned char *buf;
2523 size_t buf_len;
2524
2525 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2526 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2527 &buf, &buf_len));
2528
2529 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2530 ssl, buf, buf + buf_len));
2531
2532 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2533 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2534 buf, buf_len));
2535 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2536 ret = 0;
2537 } else {
2538 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2539 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2540 goto cleanup;
2541 }
2542
2543 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
2544
2545 cleanup:
2546
2547 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2548 return ret;
2549 }
2550
2551 /*
2552 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2553 */
2554 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_server_certificate(mbedtls_ssl_context * ssl)2555 static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
2556 {
2557 int ret;
2558
2559 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2560 if (ret != 0) {
2561 return ret;
2562 }
2563
2564 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2565 return 0;
2566 }
2567
2568 /*
2569 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2570 */
2571 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_certificate_verify(mbedtls_ssl_context * ssl)2572 static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
2573 {
2574 int ret;
2575
2576 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2577 if (ret != 0) {
2578 return ret;
2579 }
2580
2581 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2582 return 0;
2583 }
2584 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2585
2586 /*
2587 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2588 */
2589 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_server_finished(mbedtls_ssl_context * ssl)2590 static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
2591 {
2592 int ret;
2593
2594 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2595 if (ret != 0) {
2596 return ret;
2597 }
2598
2599 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2600 if (ret != 0) {
2601 MBEDTLS_SSL_PEND_FATAL_ALERT(
2602 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2603 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2604 return ret;
2605 }
2606
2607 #if defined(MBEDTLS_SSL_EARLY_DATA)
2608 if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED) {
2609 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED;
2610 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
2611 } else
2612 #endif /* MBEDTLS_SSL_EARLY_DATA */
2613 {
2614 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2615 mbedtls_ssl_handshake_set_state(
2616 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2617 #else
2618 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2619 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2620 }
2621
2622 return 0;
2623 }
2624
2625 /*
2626 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2627 */
2628 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_client_certificate(mbedtls_ssl_context * ssl)2629 static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
2630 {
2631 int non_empty_certificate_msg = 0;
2632
2633 MBEDTLS_SSL_DEBUG_MSG(1,
2634 ("Switch to handshake traffic keys for outbound traffic"));
2635 mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
2636
2637 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2638 if (ssl->handshake->client_auth) {
2639 int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2640 if (ret != 0) {
2641 return ret;
2642 }
2643
2644 if (mbedtls_ssl_own_cert(ssl) != NULL) {
2645 non_empty_certificate_msg = 1;
2646 }
2647 } else {
2648 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
2649 }
2650 #endif
2651
2652 if (non_empty_certificate_msg) {
2653 mbedtls_ssl_handshake_set_state(ssl,
2654 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2655 } else {
2656 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2657 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2658 }
2659
2660 return 0;
2661 }
2662
2663 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2664 /*
2665 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2666 */
2667 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context * ssl)2668 static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
2669 {
2670 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2671
2672 if (ret == 0) {
2673 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2674 }
2675
2676 return ret;
2677 }
2678 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2679
2680 /*
2681 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2682 */
2683 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_client_finished(mbedtls_ssl_context * ssl)2684 static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
2685 {
2686 int ret;
2687
2688 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2689 if (ret != 0) {
2690 return ret;
2691 }
2692
2693 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2694 if (ret != 0) {
2695 MBEDTLS_SSL_DEBUG_RET(
2696 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
2697 return ret;
2698 }
2699
2700 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2701 return 0;
2702 }
2703
2704 /*
2705 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2706 */
2707 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_flush_buffers(mbedtls_ssl_context * ssl)2708 static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
2709 {
2710 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2711 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2712 return 0;
2713 }
2714
2715 /*
2716 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2717 */
2718 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)2719 static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
2720 {
2721
2722 mbedtls_ssl_tls13_handshake_wrapup(ssl);
2723
2724 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2725 return 0;
2726 }
2727
2728 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2729
2730 #if defined(MBEDTLS_SSL_EARLY_DATA)
2731 /* From RFC 8446 section 4.2.10
2732 *
2733 * struct {
2734 * select (Handshake.msg_type) {
2735 * case new_session_ticket: uint32 max_early_data_size;
2736 * ...
2737 * };
2738 * } EarlyDataIndication;
2739 */
2740 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_new_session_ticket_early_data_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2741 static int ssl_tls13_parse_new_session_ticket_early_data_ext(
2742 mbedtls_ssl_context *ssl,
2743 const unsigned char *buf,
2744 const unsigned char *end)
2745 {
2746 mbedtls_ssl_session *session = ssl->session;
2747
2748 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
2749
2750 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
2751 mbedtls_ssl_tls13_session_set_ticket_flags(
2752 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2753 MBEDTLS_SSL_DEBUG_MSG(
2754 3, ("received max_early_data_size: %u",
2755 (unsigned int) session->max_early_data_size));
2756
2757 return 0;
2758 }
2759 #endif /* MBEDTLS_SSL_EARLY_DATA */
2760
2761 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2762 static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2763 const unsigned char *buf,
2764 const unsigned char *end)
2765 {
2766 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2767 const unsigned char *p = buf;
2768
2769
2770 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2771
2772 while (p < end) {
2773 unsigned int extension_type;
2774 size_t extension_data_len;
2775 int ret;
2776
2777 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2778 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2779 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
2780 p += 4;
2781
2782 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
2783
2784 ret = mbedtls_ssl_tls13_check_received_extension(
2785 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2786 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2787 if (ret != 0) {
2788 return ret;
2789 }
2790
2791 switch (extension_type) {
2792 #if defined(MBEDTLS_SSL_EARLY_DATA)
2793 case MBEDTLS_TLS_EXT_EARLY_DATA:
2794 ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
2795 ssl, p, p + extension_data_len);
2796 if (ret != 0) {
2797 MBEDTLS_SSL_DEBUG_RET(
2798 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
2799 ret);
2800 }
2801 break;
2802 #endif /* MBEDTLS_SSL_EARLY_DATA */
2803
2804 default:
2805 MBEDTLS_SSL_PRINT_EXT(
2806 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2807 extension_type, "( ignored )");
2808 break;
2809 }
2810
2811 p += extension_data_len;
2812 }
2813
2814 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2815 handshake->received_extensions);
2816
2817 return 0;
2818 }
2819
2820 /*
2821 * From RFC8446, page 74
2822 *
2823 * struct {
2824 * uint32 ticket_lifetime;
2825 * uint32 ticket_age_add;
2826 * opaque ticket_nonce<0..255>;
2827 * opaque ticket<1..2^16-1>;
2828 * Extension extensions<0..2^16-2>;
2829 * } NewSessionTicket;
2830 *
2831 */
2832 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,unsigned char ** ticket_nonce,size_t * ticket_nonce_len)2833 static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2834 unsigned char *buf,
2835 unsigned char *end,
2836 unsigned char **ticket_nonce,
2837 size_t *ticket_nonce_len)
2838 {
2839 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2840 unsigned char *p = buf;
2841 mbedtls_ssl_session *session = ssl->session;
2842 size_t ticket_len;
2843 unsigned char *ticket;
2844 size_t extensions_len;
2845
2846 *ticket_nonce = NULL;
2847 *ticket_nonce_len = 0;
2848 /*
2849 * ticket_lifetime 4 bytes
2850 * ticket_age_add 4 bytes
2851 * ticket_nonce_len 1 byte
2852 */
2853 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
2854
2855 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2856 MBEDTLS_SSL_DEBUG_MSG(3,
2857 ("ticket_lifetime: %u",
2858 (unsigned int) session->ticket_lifetime));
2859 if (session->ticket_lifetime >
2860 MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
2861 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
2862 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2863 }
2864
2865 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2866 MBEDTLS_SSL_DEBUG_MSG(3,
2867 ("ticket_age_add: %u",
2868 (unsigned int) session->ticket_age_add));
2869
2870 *ticket_nonce_len = p[8];
2871 p += 9;
2872
2873 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
2874 *ticket_nonce = p;
2875 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
2876 p += *ticket_nonce_len;
2877
2878 /* Ticket */
2879 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2880 ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
2881 p += 2;
2882 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2883 MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
2884
2885 /* Check if we previously received a ticket already. */
2886 if (session->ticket != NULL || session->ticket_len > 0) {
2887 mbedtls_free(session->ticket);
2888 session->ticket = NULL;
2889 session->ticket_len = 0;
2890 }
2891
2892 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2893 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2894 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2895 }
2896 memcpy(ticket, p, ticket_len);
2897 p += ticket_len;
2898 session->ticket = ticket;
2899 session->ticket_len = ticket_len;
2900
2901 /* Clear all flags in ticket_flags */
2902 mbedtls_ssl_tls13_session_clear_ticket_flags(
2903 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2904
2905 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2906 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
2907 p += 2;
2908 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
2909
2910 MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
2911
2912 ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2913 if (ret != 0) {
2914 MBEDTLS_SSL_DEBUG_RET(1,
2915 "ssl_tls13_parse_new_session_ticket_exts",
2916 ret);
2917 return ret;
2918 }
2919
2920 return 0;
2921 }
2922
2923 /* Non negative return values for ssl_tls13_postprocess_new_session_ticket().
2924 * - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the
2925 * application that a valid ticket has been received.
2926 * - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the
2927 * connection alive but we do not signal the ticket to the application.
2928 */
2929 #define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL 0
2930 #define POSTPROCESS_NEW_SESSION_TICKET_DISCARD 1
2931 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context * ssl,unsigned char * ticket_nonce,size_t ticket_nonce_len)2932 static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2933 unsigned char *ticket_nonce,
2934 size_t ticket_nonce_len)
2935 {
2936 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2937 mbedtls_ssl_session *session = ssl->session;
2938 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2939 psa_algorithm_t psa_hash_alg;
2940 int hash_length;
2941
2942 if (session->ticket_lifetime == 0) {
2943 return POSTPROCESS_NEW_SESSION_TICKET_DISCARD;
2944 }
2945
2946 #if defined(MBEDTLS_HAVE_TIME)
2947 /* Store ticket creation time */
2948 session->ticket_reception_time = mbedtls_ms_time();
2949 #endif
2950
2951 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2952 if (ciphersuite_info == NULL) {
2953 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2954 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2955 }
2956
2957 psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
2958 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2959 if (hash_length == -1 ||
2960 (size_t) hash_length > sizeof(session->resumption_key)) {
2961 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2962 }
2963
2964
2965 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2966 session->app_secrets.resumption_master_secret,
2967 hash_length);
2968
2969 /* Compute resumption key
2970 *
2971 * HKDF-Expand-Label( resumption_master_secret,
2972 * "resumption", ticket_nonce, Hash.length )
2973 */
2974 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2975 psa_hash_alg,
2976 session->app_secrets.resumption_master_secret,
2977 hash_length,
2978 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2979 ticket_nonce,
2980 ticket_nonce_len,
2981 session->resumption_key,
2982 hash_length);
2983
2984 if (ret != 0) {
2985 MBEDTLS_SSL_DEBUG_RET(2,
2986 "Creating the ticket-resumed PSK failed",
2987 ret);
2988 return ret;
2989 }
2990
2991 session->resumption_key_len = hash_length;
2992
2993 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2994 session->resumption_key,
2995 session->resumption_key_len);
2996
2997 /* Set ticket_flags depends on the selected key exchange modes */
2998 mbedtls_ssl_tls13_session_set_ticket_flags(
2999 session, ssl->conf->tls13_kex_modes);
3000 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
3001
3002 return POSTPROCESS_NEW_SESSION_TICKET_SIGNAL;
3003 }
3004
3005 /*
3006 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3007 */
3008 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_new_session_ticket(mbedtls_ssl_context * ssl)3009 static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
3010 {
3011 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3012 unsigned char *buf;
3013 size_t buf_len;
3014 unsigned char *ticket_nonce;
3015 size_t ticket_nonce_len;
3016
3017 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
3018
3019 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
3020 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
3021 &buf, &buf_len));
3022
3023 /*
3024 * We are about to update (maybe only partially) ticket data thus block
3025 * any session export for the time being.
3026 */
3027 ssl->session->exported = 1;
3028
3029 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
3030 ssl, buf, buf + buf_len,
3031 &ticket_nonce, &ticket_nonce_len));
3032
3033 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_postprocess_new_session_ticket(
3034 ssl, ticket_nonce, ticket_nonce_len));
3035
3036 switch (ret) {
3037 case POSTPROCESS_NEW_SESSION_TICKET_SIGNAL:
3038 /*
3039 * All good, we have received a new valid ticket, session data can
3040 * be exported now and we signal the ticket to the application.
3041 */
3042 ssl->session->exported = 0;
3043 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3044 break;
3045
3046 case POSTPROCESS_NEW_SESSION_TICKET_DISCARD:
3047 ret = 0;
3048 MBEDTLS_SSL_DEBUG_MSG(2, ("Discard new session ticket"));
3049 break;
3050
3051 default:
3052 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3053 }
3054
3055 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3056
3057 cleanup:
3058
3059 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
3060 return ret;
3061 }
3062 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3063
mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context * ssl)3064 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
3065 {
3066 int ret = 0;
3067
3068 switch (ssl->state) {
3069 case MBEDTLS_SSL_HELLO_REQUEST:
3070 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3071 break;
3072
3073 case MBEDTLS_SSL_CLIENT_HELLO:
3074 ret = mbedtls_ssl_write_client_hello(ssl);
3075 break;
3076
3077 case MBEDTLS_SSL_SERVER_HELLO:
3078 ret = ssl_tls13_process_server_hello(ssl);
3079 break;
3080
3081 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
3082 ret = ssl_tls13_process_encrypted_extensions(ssl);
3083 break;
3084
3085 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3086 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3087 ret = ssl_tls13_process_certificate_request(ssl);
3088 break;
3089
3090 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3091 ret = ssl_tls13_process_server_certificate(ssl);
3092 break;
3093
3094 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3095 ret = ssl_tls13_process_certificate_verify(ssl);
3096 break;
3097 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3098
3099 case MBEDTLS_SSL_SERVER_FINISHED:
3100 ret = ssl_tls13_process_server_finished(ssl);
3101 break;
3102
3103 #if defined(MBEDTLS_SSL_EARLY_DATA)
3104 case MBEDTLS_SSL_END_OF_EARLY_DATA:
3105 ret = ssl_tls13_write_end_of_early_data(ssl);
3106 break;
3107 #endif
3108
3109 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3110 ret = ssl_tls13_write_client_certificate(ssl);
3111 break;
3112
3113 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3114 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3115 ret = ssl_tls13_write_client_certificate_verify(ssl);
3116 break;
3117 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3118
3119 case MBEDTLS_SSL_CLIENT_FINISHED:
3120 ret = ssl_tls13_write_client_finished(ssl);
3121 break;
3122
3123 case MBEDTLS_SSL_FLUSH_BUFFERS:
3124 ret = ssl_tls13_flush_buffers(ssl);
3125 break;
3126
3127 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3128 ret = ssl_tls13_handshake_wrapup(ssl);
3129 break;
3130
3131 /*
3132 * Injection of dummy-CCS's for middlebox compatibility
3133 */
3134 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
3135 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
3136 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3137 if (ret != 0) {
3138 break;
3139 }
3140 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3141 break;
3142
3143 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
3144 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3145 if (ret != 0) {
3146 break;
3147 }
3148 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
3149 break;
3150
3151 #if defined(MBEDTLS_SSL_EARLY_DATA)
3152 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3153 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3154 if (ret == 0) {
3155 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3156
3157 MBEDTLS_SSL_DEBUG_MSG(
3158 1, ("Switch to early data keys for outbound traffic"));
3159 mbedtls_ssl_set_outbound_transform(
3160 ssl, ssl->handshake->transform_earlydata);
3161 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;
3162 }
3163 break;
3164 #endif /* MBEDTLS_SSL_EARLY_DATA */
3165 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3166
3167 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3168 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
3169 ret = ssl_tls13_process_new_session_ticket(ssl);
3170 break;
3171 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3172
3173 default:
3174 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3175 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3176 }
3177
3178 return ret;
3179 }
3180
3181 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
3182
