Coverage Report

Created: 2025-03-01 06:26

/src/mbedtls/library/ssl_tls13_server.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  TLS 1.3 server-side functions
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
8
#include "common.h"
9
10
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
12
#include "debug_internal.h"
13
#include "mbedtls/error.h"
14
#include "mbedtls/platform.h"
15
#include "mbedtls/constant_time.h"
16
#include "mbedtls/oid.h"
17
#include "mbedtls/psa_util.h"
18
19
#include "ssl_misc.h"
20
#include "ssl_tls13_keys.h"
21
#include "ssl_debug_helpers.h"
22
23
24
static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
25
    mbedtls_ssl_context *ssl,
26
    unsigned int cipher_suite)
27
0
{
28
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
29
0
    if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
30
0
        return NULL;
31
0
    }
32
33
0
    ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
34
0
    if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
35
0
                                          ssl->tls_version,
36
0
                                          ssl->tls_version) != 0)) {
37
0
        return NULL;
38
0
    }
39
0
    return ciphersuite_info;
40
0
}
41
42
static void ssl_tls13_select_ciphersuite(
43
    mbedtls_ssl_context *ssl,
44
    const unsigned char *cipher_suites,
45
    const unsigned char *cipher_suites_end,
46
    int psk_ciphersuite_id,
47
    psa_algorithm_t psk_hash_alg,
48
    const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
49
0
{
50
0
    *selected_ciphersuite_info = NULL;
51
52
    /*
53
     * In a compliant ClientHello the byte-length of the list of ciphersuites
54
     * is even and this function relies on this fact. This should have been
55
     * checked in the main ClientHello parsing function. Double check here.
56
     */
57
0
    if ((cipher_suites_end - cipher_suites) & 1) {
58
0
        return;
59
0
    }
60
61
0
    for (const unsigned char *p = cipher_suites;
62
0
         p < cipher_suites_end; p += 2) {
63
        /*
64
         * "cipher_suites_end - p is even" is an invariant of the loop. As
65
         * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and it
66
         * is thus safe to read two bytes.
67
         */
68
0
        uint16_t id = MBEDTLS_GET_UINT16_BE(p, 0);
69
70
0
        const mbedtls_ssl_ciphersuite_t *info =
71
0
            ssl_tls13_validate_peer_ciphersuite(ssl, id);
72
0
        if (info == NULL) {
73
0
            continue;
74
0
        }
75
76
        /*
77
         * If a valid PSK ciphersuite identifier has been passed in, we want
78
         * an exact match.
79
         */
80
0
        if (psk_ciphersuite_id != 0) {
81
0
            if (id != psk_ciphersuite_id) {
82
0
                continue;
83
0
            }
84
0
        } else if (psk_hash_alg != PSA_ALG_NONE) {
85
0
            if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac) !=
86
0
                psk_hash_alg) {
87
0
                continue;
88
0
            }
89
0
        }
90
91
0
        *selected_ciphersuite_info = info;
92
0
        return;
93
0
    }
94
95
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
96
0
                              (unsigned) psk_ciphersuite_id,
97
0
                              (unsigned long) psk_hash_alg));
98
0
}
99
100
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
101
/* From RFC 8446:
102
 *
103
 *   enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
104
 *   struct {
105
 *       PskKeyExchangeMode ke_modes<1..255>;
106
 *   } PskKeyExchangeModes;
107
 */
108
MBEDTLS_CHECK_RETURN_CRITICAL
109
static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
110
                                                  const unsigned char *buf,
111
                                                  const unsigned char *end)
112
0
{
113
0
    const unsigned char *p = buf;
114
0
    size_t ke_modes_len;
115
0
    int ke_modes = 0;
116
117
    /* Read ke_modes length (1 Byte) */
118
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
119
0
    ke_modes_len = *p++;
120
    /* Currently, there are only two PSK modes, so even without looking
121
     * at the content, something's wrong if the list has more than 2 items. */
122
0
    if (ke_modes_len > 2) {
123
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
124
0
                                     MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
125
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
126
0
    }
127
128
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);
129
130
0
    while (ke_modes_len-- != 0) {
131
0
        switch (*p++) {
132
0
            case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
133
0
                ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
134
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));
135
0
                break;
136
0
            case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
137
0
                ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
138
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));
139
0
                break;
140
0
            default:
141
0
                MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
142
0
                                             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
143
0
                return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
144
0
        }
145
0
    }
146
147
0
    ssl->handshake->tls13_kex_modes = ke_modes;
148
0
    return 0;
149
0
}
150
151
/*
152
 * Non-error return values of
153
 * ssl_tls13_offered_psks_check_identity_match_ticket() and
154
 * ssl_tls13_offered_psks_check_identity_match(). They are positive to
155
 * not collide with error codes that are negative. Zero
156
 * (SSL_TLS1_3_PSK_IDENTITY_MATCH) in case of success as it may be propagated
157
 * up by the callers of this function as a generic success condition.
158
 *
159
 * The return value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE means
160
 * that the pre-shared-key identity matches that of a ticket or an externally-
161
 * provisioned pre-shared-key. We have thus been able to retrieve the
162
 * attributes of the pre-shared-key but at least one of them does not meet
163
 * some criteria and the pre-shared-key cannot be used. For example, a ticket
164
 * is expired or its version is not TLS 1.3. Note eventually that the return
165
 * value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE does not have
166
 * anything to do with binder check. A binder check is done only when a
167
 * suitable pre-shared-key has been selected and only for that selected
168
 * pre-shared-key: if the binder check fails, we fail the handshake and we do
169
 * not try to find another pre-shared-key for which the binder check would
170
 * succeed as recommended by the specification.
171
 */
172
0
#define SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH 2
173
0
#define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1
174
0
#define SSL_TLS1_3_PSK_IDENTITY_MATCH 0
175
176
MBEDTLS_CHECK_RETURN_CRITICAL
177
static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
178
MBEDTLS_CHECK_RETURN_CRITICAL
179
static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
180
181
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
182
MBEDTLS_CHECK_RETURN_CRITICAL
183
static int ssl_tls13_offered_psks_check_identity_match_ticket(
184
    mbedtls_ssl_context *ssl,
185
    const unsigned char *identity,
186
    size_t identity_len,
187
    uint32_t obfuscated_ticket_age,
188
    mbedtls_ssl_session *session)
189
0
{
190
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
191
0
    unsigned char *ticket_buffer;
192
0
#if defined(MBEDTLS_HAVE_TIME)
193
0
    mbedtls_ms_time_t now;
194
0
    mbedtls_ms_time_t server_age;
195
0
    uint32_t client_age;
196
0
    mbedtls_ms_time_t age_diff;
197
0
#endif
198
199
0
    ((void) obfuscated_ticket_age);
200
201
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));
202
203
    /* Ticket parser is not configured, Skip */
204
0
    if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
205
0
        return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
206
0
    }
207
208
    /* We create a copy of the encrypted ticket since the ticket parsing
209
     * function is allowed to use its input buffer as an output buffer
210
     * (in-place decryption). We do, however, need the original buffer for
211
     * computing the PSK binder value.
212
     */
213
0
    ticket_buffer = mbedtls_calloc(1, identity_len);
214
0
    if (ticket_buffer == NULL) {
215
0
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
216
0
    }
217
0
    memcpy(ticket_buffer, identity, identity_len);
218
219
0
    ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
220
0
                                    session,
221
0
                                    ticket_buffer, identity_len);
222
0
    switch (ret) {
223
0
        case 0:
224
0
            ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;
225
0
            break;
226
227
0
        case MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED:
228
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
229
0
            ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
230
0
            break;
231
232
0
        case MBEDTLS_ERR_SSL_INVALID_MAC:
233
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
234
0
            ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
235
0
            break;
236
237
0
        default:
238
0
            MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
239
0
            ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
240
0
    }
241
242
    /* We delete the temporary buffer */
243
0
    mbedtls_free(ticket_buffer);
244
245
0
    if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
246
0
        goto exit;
247
0
    }
248
249
    /*
250
     * The identity matches that of a ticket. Now check that it has suitable
251
     * attributes and bet it will not be the case.
252
     */
253
0
    ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
254
255
0
    if (session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) {
256
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket TLS version is not 1.3."));
257
0
        goto exit;
258
0
    }
259
260
0
#if defined(MBEDTLS_HAVE_TIME)
261
0
    now = mbedtls_ms_time();
262
263
0
    if (now < session->ticket_creation_time) {
264
0
        MBEDTLS_SSL_DEBUG_MSG(
265
0
            3, ("Invalid ticket creation time ( now = %" MBEDTLS_PRINTF_MS_TIME
266
0
                ", creation_time = %" MBEDTLS_PRINTF_MS_TIME " )",
267
0
                now, session->ticket_creation_time));
268
0
        goto exit;
269
0
    }
270
271
0
    server_age = now - session->ticket_creation_time;
272
273
    /* RFC 8446 section 4.6.1
274
     *
275
     * Servers MUST NOT use any value greater than 604800 seconds (7 days).
276
     *
277
     * RFC 8446 section 4.2.11.1
278
     *
279
     * Clients MUST NOT attempt to use tickets which have ages greater than
280
     * the "ticket_lifetime" value which was provided with the ticket.
281
     *
282
     */
283
0
    if (server_age > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) {
284
0
        MBEDTLS_SSL_DEBUG_MSG(
285
0
            3, ("Ticket age exceeds limitation ticket_age = %" MBEDTLS_PRINTF_MS_TIME,
286
0
                server_age));
287
0
        goto exit;
288
0
    }
289
290
    /* RFC 8446 section 4.2.10
291
     *
292
     * For PSKs provisioned via NewSessionTicket, a server MUST validate that
293
     * the ticket age for the selected PSK identity (computed by subtracting
294
     * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
295
     * within a small tolerance of the time since the ticket was issued.
296
     *
297
     * NOTE: The typical accuracy of an RTC crystal is ±100 to ±20 parts per
298
     *       million (360 to 72 milliseconds per hour). Default tolerance
299
     *       window is 6s, thus in the worst case clients and servers must
300
     *       sync up their system time every 6000/360/2~=8 hours.
301
     */
302
0
    client_age = obfuscated_ticket_age - session->ticket_age_add;
303
0
    age_diff = server_age - (mbedtls_ms_time_t) client_age;
304
0
    if (age_diff < -MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE ||
305
0
        age_diff > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
306
0
        MBEDTLS_SSL_DEBUG_MSG(
307
0
            3, ("Ticket age outside tolerance window ( diff = %"
308
0
                MBEDTLS_PRINTF_MS_TIME ")",
309
0
                age_diff));
310
0
        goto exit;
311
0
    }
312
0
#endif /* MBEDTLS_HAVE_TIME */
313
314
    /*
315
     * All good, we have found a suitable ticket.
316
     */
317
0
    ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;
318
319
0
exit:
320
0
    if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
321
0
        mbedtls_ssl_session_free(session);
322
0
    }
323
324
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));
325
0
    return ret;
326
0
}
327
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
328
329
MBEDTLS_CHECK_RETURN_CRITICAL
330
static int ssl_tls13_offered_psks_check_identity_match(
331
    mbedtls_ssl_context *ssl,
332
    const unsigned char *identity,
333
    size_t identity_len,
334
    uint32_t obfuscated_ticket_age,
335
    int *psk_type,
336
    mbedtls_ssl_session *session)
337
0
{
338
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
339
340
0
    ((void) session);
341
0
    ((void) obfuscated_ticket_age);
342
0
    *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
343
344
0
    MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
345
346
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
347
0
    ret = ssl_tls13_offered_psks_check_identity_match_ticket(
348
0
        ssl, identity, identity_len, obfuscated_ticket_age, session);
349
0
    if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) {
350
0
        *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
351
0
        ret = mbedtls_ssl_set_hs_psk(ssl,
352
0
                                     session->resumption_key,
353
0
                                     session->resumption_key_len);
354
0
        if (ret != 0) {
355
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
356
0
            return ret;
357
0
        }
358
359
0
        MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",
360
0
                              session->resumption_key,
361
0
                              session->resumption_key_len);
362
0
        MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
363
0
                                  (unsigned) obfuscated_ticket_age));
364
0
        return SSL_TLS1_3_PSK_IDENTITY_MATCH;
365
0
    } else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) {
366
0
        return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
367
0
    }
368
0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
369
370
    /* Check identity with external configured function */
371
0
    if (ssl->conf->f_psk != NULL) {
372
0
        if (ssl->conf->f_psk(
373
0
                ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
374
0
            return SSL_TLS1_3_PSK_IDENTITY_MATCH;
375
0
        }
376
0
        return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
377
0
    }
378
379
0
    MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
380
    /* Check identity with pre-configured psk */
381
0
    if (ssl->conf->psk_identity != NULL &&
382
0
        identity_len == ssl->conf->psk_identity_len &&
383
0
        mbedtls_ct_memcmp(ssl->conf->psk_identity,
384
0
                          identity, identity_len) == 0) {
385
0
        ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);
386
0
        if (ret != 0) {
387
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
388
0
            return ret;
389
0
        }
390
0
        return SSL_TLS1_3_PSK_IDENTITY_MATCH;
391
0
    }
392
393
0
    return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
394
0
}
395
396
/*
397
 * Non-error return values of ssl_tls13_offered_psks_check_binder_match().
398
 * They are positive to not collide with error codes that are negative. Zero
399
 * (SSL_TLS1_3_BINDER_MATCH) in case of success as it may be propagated up
400
 * by the callers of this function as a generic success condition.
401
 */
402
0
#define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1
403
0
#define SSL_TLS1_3_BINDER_MATCH 0
404
MBEDTLS_CHECK_RETURN_CRITICAL
405
static int ssl_tls13_offered_psks_check_binder_match(
406
    mbedtls_ssl_context *ssl,
407
    const unsigned char *binder, size_t binder_len,
408
    int psk_type, psa_algorithm_t psk_hash_alg)
409
0
{
410
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
411
412
0
    unsigned char transcript[PSA_HASH_MAX_SIZE];
413
0
    size_t transcript_len;
414
0
    unsigned char *psk;
415
0
    size_t psk_len;
416
0
    unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
417
418
0
    if (binder_len != PSA_HASH_LENGTH(psk_hash_alg)) {
419
0
        return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
420
0
    }
421
422
    /* Get current state of handshake transcript. */
423
0
    ret = mbedtls_ssl_get_handshake_transcript(
424
0
        ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
425
0
        transcript, sizeof(transcript), &transcript_len);
426
0
    if (ret != 0) {
427
0
        return ret;
428
0
    }
429
430
0
    ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
431
0
    if (ret != 0) {
432
0
        return ret;
433
0
    }
434
435
0
    ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,
436
0
                                              psk, psk_len, psk_type,
437
0
                                              transcript,
438
0
                                              server_computed_binder);
439
#if defined(MBEDTLS_USE_PSA_CRYPTO)
440
    mbedtls_free((void *) psk);
441
#endif
442
0
    if (ret != 0) {
443
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
444
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
445
0
    }
446
447
0
    MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",
448
0
                          server_computed_binder, transcript_len);
449
0
    MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
450
451
0
    if (mbedtls_ct_memcmp(server_computed_binder,
452
0
                          binder,
453
0
                          PSA_HASH_LENGTH(psk_hash_alg)) == 0) {
454
0
        return SSL_TLS1_3_BINDER_MATCH;
455
0
    }
456
457
0
    mbedtls_platform_zeroize(server_computed_binder,
458
0
                             sizeof(server_computed_binder));
459
0
    return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
460
0
}
461
462
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
463
MBEDTLS_CHECK_RETURN_CRITICAL
464
static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
465
                                         const mbedtls_ssl_session *src)
466
0
{
467
0
    dst->ticket_age_add = src->ticket_age_add;
468
0
    dst->ticket_flags = src->ticket_flags;
469
0
    dst->resumption_key_len = src->resumption_key_len;
470
0
    if (src->resumption_key_len == 0) {
471
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
472
0
    }
473
0
    memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
474
475
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
476
0
    dst->max_early_data_size = src->max_early_data_size;
477
478
0
#if defined(MBEDTLS_SSL_ALPN)
479
0
    int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
480
0
    if (ret != 0) {
481
0
        return ret;
482
0
    }
483
0
#endif /* MBEDTLS_SSL_ALPN */
484
0
#endif /* MBEDTLS_SSL_EARLY_DATA*/
485
486
0
    return 0;
487
0
}
488
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
489
490
struct psk_attributes {
491
    int type;
492
    int key_exchange_mode;
493
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
494
};
495
1.28k
#define PSK_ATTRIBUTES_INIT { 0, 0, NULL }
496
497
/* Parser for pre_shared_key extension in client hello
498
 *    struct {
499
 *        opaque identity<1..2^16-1>;
500
 *        uint32 obfuscated_ticket_age;
501
 *    } PskIdentity;
502
 *
503
 *    opaque PskBinderEntry<32..255>;
504
 *
505
 *    struct {
506
 *        PskIdentity identities<7..2^16-1>;
507
 *        PskBinderEntry binders<33..2^16-1>;
508
 *    } OfferedPsks;
509
 *
510
 *    struct {
511
 *        select (Handshake.msg_type) {
512
 *            case client_hello: OfferedPsks;
513
 *            ....
514
 *        };
515
 *    } PreSharedKeyExtension;
516
 */
517
MBEDTLS_CHECK_RETURN_CRITICAL
518
static int ssl_tls13_parse_pre_shared_key_ext(
519
    mbedtls_ssl_context *ssl,
520
    const unsigned char *pre_shared_key_ext,
521
    const unsigned char *pre_shared_key_ext_end,
522
    const unsigned char *ciphersuites,
523
    const unsigned char *ciphersuites_end,
524
    struct psk_attributes *psk)
525
0
{
526
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
527
0
    const unsigned char *identities = pre_shared_key_ext;
528
0
    const unsigned char *p_identity_len;
529
0
    size_t identities_len;
530
0
    const unsigned char *identities_end;
531
0
    const unsigned char *binders;
532
0
    const unsigned char *p_binder_len;
533
0
    size_t binders_len;
534
0
    const unsigned char *binders_end;
535
0
    int matched_identity = -1;
536
0
    int identity_id = -1;
537
538
0
    MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",
539
0
                          pre_shared_key_ext,
540
0
                          pre_shared_key_ext_end - pre_shared_key_ext);
541
542
    /* identities_len       2 bytes
543
     * identities_data   >= 7 bytes
544
     */
545
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);
546
0
    identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);
547
0
    p_identity_len = identities + 2;
548
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,
549
0
                                 identities_len);
550
0
    identities_end = p_identity_len + identities_len;
551
552
    /* binders_len     2  bytes
553
     * binders      >= 33 bytes
554
     */
555
0
    binders = identities_end;
556
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);
557
0
    binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);
558
0
    p_binder_len = binders + 2;
559
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
560
0
    binders_end = p_binder_len + binders_len;
561
562
0
    ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
563
0
                                          identities_end - pre_shared_key_ext);
564
0
    if (0 != ret) {
565
0
        MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
566
0
        return ret;
567
0
    }
568
569
0
    while (p_identity_len < identities_end && p_binder_len < binders_end) {
570
0
        const unsigned char *identity;
571
0
        size_t identity_len;
572
0
        uint32_t obfuscated_ticket_age;
573
0
        const unsigned char *binder;
574
0
        size_t binder_len;
575
0
        int psk_ciphersuite_id;
576
0
        psa_algorithm_t psk_hash_alg;
577
0
        int allowed_key_exchange_modes;
578
579
0
        mbedtls_ssl_session session;
580
0
        mbedtls_ssl_session_init(&session);
581
582
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
583
0
        identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
584
0
        identity = p_identity_len + 2;
585
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);
586
0
        obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);
587
0
        p_identity_len += identity_len + 6;
588
589
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);
590
0
        binder_len = *p_binder_len;
591
0
        binder = p_binder_len + 1;
592
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);
593
0
        p_binder_len += binder_len + 1;
594
595
0
        identity_id++;
596
0
        if (matched_identity != -1) {
597
0
            continue;
598
0
        }
599
600
0
        ret = ssl_tls13_offered_psks_check_identity_match(
601
0
            ssl, identity, identity_len, obfuscated_ticket_age,
602
0
            &psk->type, &session);
603
0
        if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
604
0
            continue;
605
0
        }
606
607
0
        MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
608
609
0
        switch (psk->type) {
610
0
            case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
611
0
                psk_ciphersuite_id = 0;
612
0
                psk_hash_alg = PSA_ALG_SHA_256;
613
0
                allowed_key_exchange_modes =
614
0
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
615
0
                break;
616
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
617
0
            case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
618
0
                psk_ciphersuite_id = session.ciphersuite;
619
0
                psk_hash_alg = PSA_ALG_NONE;
620
0
                ssl->session_negotiate->ticket_flags = session.ticket_flags;
621
0
                allowed_key_exchange_modes =
622
0
                    session.ticket_flags &
623
0
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
624
0
                break;
625
0
#endif
626
0
            default:
627
0
                return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
628
0
        }
629
630
0
        psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
631
632
0
        if ((allowed_key_exchange_modes &
633
0
             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
634
0
            ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
635
0
            psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
636
0
        } else if ((allowed_key_exchange_modes &
637
0
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
638
0
                   ssl_tls13_key_exchange_is_psk_available(ssl)) {
639
0
            psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
640
0
        }
641
642
0
        if (psk->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) {
643
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable PSK key exchange mode"));
644
0
            continue;
645
0
        }
646
647
0
        ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end,
648
0
                                     psk_ciphersuite_id, psk_hash_alg,
649
0
                                     &psk->ciphersuite_info);
650
651
0
        if (psk->ciphersuite_info == NULL) {
652
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
653
0
            mbedtls_ssl_session_free(&session);
654
0
#endif
655
            /*
656
             * We consider finding a ciphersuite suitable for the PSK as part
657
             * of the validation of its binder. Thus if we do not find one, we
658
             * abort the handshake with a decrypt_error alert.
659
             */
660
0
            MBEDTLS_SSL_PEND_FATAL_ALERT(
661
0
                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
662
0
                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
663
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
664
0
        }
665
666
0
        ret = ssl_tls13_offered_psks_check_binder_match(
667
0
            ssl, binder, binder_len, psk->type,
668
0
            mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) psk->ciphersuite_info->mac));
669
0
        if (ret != SSL_TLS1_3_BINDER_MATCH) {
670
            /* For security reasons, the handshake should be aborted when we
671
             * fail to validate a binder value. See RFC 8446 section 4.2.11.2
672
             * and appendix E.6. */
673
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
674
0
            mbedtls_ssl_session_free(&session);
675
0
#endif
676
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
677
0
            MBEDTLS_SSL_DEBUG_RET(
678
0
                1, "ssl_tls13_offered_psks_check_binder_match", ret);
679
0
            MBEDTLS_SSL_PEND_FATAL_ALERT(
680
0
                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
681
0
                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
682
0
            return ret;
683
0
        }
684
685
0
        matched_identity = identity_id;
686
687
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
688
0
        if (psk->type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
689
0
            ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
690
0
                                                &session);
691
0
            mbedtls_ssl_session_free(&session);
692
0
            if (ret != 0) {
693
0
                return ret;
694
0
            }
695
0
        }
696
0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
697
0
    }
698
699
0
    if (p_identity_len != identities_end || p_binder_len != binders_end) {
700
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));
701
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
702
0
                                     MBEDTLS_ERR_SSL_DECODE_ERROR);
703
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
704
0
    }
705
706
    /* Update the handshake transcript with the binder list. */
707
0
    ret = ssl->handshake->update_checksum(
708
0
        ssl, identities_end, (size_t) (binders_end - identities_end));
709
0
    if (0 != ret) {
710
0
        MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
711
0
        return ret;
712
0
    }
713
0
    if (matched_identity == -1) {
714
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("No usable PSK or ticket."));
715
0
        return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
716
0
    }
717
718
0
    ssl->handshake->selected_identity = (uint16_t) matched_identity;
719
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));
720
721
0
    return 0;
722
0
}
723
724
/*
725
 * struct {
726
 *   select ( Handshake.msg_type ) {
727
 *      ....
728
 *      case server_hello:
729
 *          uint16 selected_identity;
730
 *   }
731
 * } PreSharedKeyExtension;
732
 */
733
static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
734
                                                     unsigned char *buf,
735
                                                     unsigned char *end,
736
                                                     size_t *olen)
737
0
{
738
0
    unsigned char *p = (unsigned char *) buf;
739
740
0
    *olen = 0;
741
742
0
    int not_using_psk = 0;
743
#if defined(MBEDTLS_USE_PSA_CRYPTO)
744
    not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
745
#else
746
0
    not_using_psk = (ssl->handshake->psk == NULL);
747
0
#endif
748
0
    if (not_using_psk) {
749
        /* We shouldn't have called this extension writer unless we've
750
         * chosen to use a PSK. */
751
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
752
0
    }
753
754
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));
755
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
756
757
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);
758
0
    MBEDTLS_PUT_UINT16_BE(2, p, 2);
759
760
0
    MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);
761
762
0
    *olen = 6;
763
764
0
    MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",
765
0
                              ssl->handshake->selected_identity));
766
767
0
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
768
769
0
    return 0;
770
0
}
771
772
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
773
774
/* From RFC 8446:
775
 *   struct {
776
 *          ProtocolVersion versions<2..254>;
777
 *   } SupportedVersions;
778
 */
779
MBEDTLS_CHECK_RETURN_CRITICAL
780
static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
781
                                                  const unsigned char *buf,
782
                                                  const unsigned char *end)
783
241
{
784
241
    const unsigned char *p = buf;
785
241
    size_t versions_len;
786
241
    const unsigned char *versions_end;
787
241
    uint16_t tls_version;
788
241
    int found_supported_version = 0;
789
790
241
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
791
239
    versions_len = p[0];
792
239
    p += 1;
793
794
239
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);
795
236
    versions_end = p + versions_len;
796
2.46k
    while (p < versions_end) {
797
2.44k
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);
798
2.43k
        tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);
799
2.43k
        p += 2;
800
801
2.43k
        if (MBEDTLS_SSL_VERSION_TLS1_3 == tls_version) {
802
4
            found_supported_version = 1;
803
4
            break;
804
4
        }
805
806
2.43k
        if ((MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) &&
807
2.43k
            mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
808
208
            found_supported_version = 1;
809
208
            break;
810
208
        }
811
2.43k
    }
812
813
225
    if (!found_supported_version) {
814
13
        MBEDTLS_SSL_DEBUG_MSG(1, ("No supported version found."));
815
816
13
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
817
13
                                     MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
818
13
        return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
819
13
    }
820
821
212
    MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version: [%04x]",
822
212
                              (unsigned int) tls_version));
823
824
212
    return (int) tls_version;
825
225
}
826
827
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
828
/*
829
 *
830
 * From RFC 8446:
831
 *   enum {
832
 *       ... (0xFFFF)
833
 *   } NamedGroup;
834
 *   struct {
835
 *       NamedGroup named_group_list<2..2^16-1>;
836
 *   } NamedGroupList;
837
 */
838
MBEDTLS_CHECK_RETURN_CRITICAL
839
static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
840
                                                const unsigned char *buf,
841
                                                const unsigned char *end)
842
0
{
843
0
    const unsigned char *p = buf;
844
0
    size_t named_group_list_len;
845
0
    const unsigned char *named_group_list_end;
846
847
0
    MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);
848
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
849
0
    named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
850
0
    p += 2;
851
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);
852
0
    named_group_list_end = p + named_group_list_len;
853
0
    ssl->handshake->hrr_selected_group = 0;
854
855
0
    while (p < named_group_list_end) {
856
0
        uint16_t named_group;
857
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);
858
0
        named_group = MBEDTLS_GET_UINT16_BE(p, 0);
859
0
        p += 2;
860
861
0
        MBEDTLS_SSL_DEBUG_MSG(2,
862
0
                              ("got named group: %s(%04x)",
863
0
                               mbedtls_ssl_named_group_to_str(named_group),
864
0
                               named_group));
865
866
0
        if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||
867
0
            !mbedtls_ssl_named_group_is_supported(named_group) ||
868
0
            ssl->handshake->hrr_selected_group != 0) {
869
0
            continue;
870
0
        }
871
872
0
        MBEDTLS_SSL_DEBUG_MSG(2,
873
0
                              ("add named group %s(%04x) into received list.",
874
0
                               mbedtls_ssl_named_group_to_str(named_group),
875
0
                               named_group));
876
877
0
        ssl->handshake->hrr_selected_group = named_group;
878
0
    }
879
880
0
    return 0;
881
882
0
}
883
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
884
885
0
#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
886
887
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
888
/*
889
 *  ssl_tls13_parse_key_shares_ext() verifies whether the information in the
890
 *  extension is correct and stores the first acceptable key share and its
891
 *  associated group.
892
 *
893
 *  Possible return values are:
894
 *  - 0: Successful processing of the client provided key share extension.
895
 *  - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
896
 *    the client does not match a group supported by the server. A
897
 *    HelloRetryRequest will be needed.
898
 *  - A negative value for fatal errors.
899
 */
900
MBEDTLS_CHECK_RETURN_CRITICAL
901
static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
902
                                          const unsigned char *buf,
903
                                          const unsigned char *end)
904
0
{
905
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
906
0
    unsigned char const *p = buf;
907
0
    unsigned char const *client_shares_end;
908
0
    size_t client_shares_len;
909
910
    /* From RFC 8446:
911
     *
912
     * struct {
913
     *     KeyShareEntry client_shares<0..2^16-1>;
914
     * } KeyShareClientHello;
915
     *
916
     */
917
918
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
919
0
    client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);
920
0
    p += 2;
921
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);
922
923
0
    ssl->handshake->offered_group_id = 0;
924
0
    client_shares_end = p + client_shares_len;
925
926
    /* We try to find a suitable key share entry and copy it to the
927
     * handshake context. Later, we have to find out whether we can do
928
     * something with the provided key share or whether we have to
929
     * dismiss it and send a HelloRetryRequest message.
930
     */
931
932
0
    while (p < client_shares_end) {
933
0
        uint16_t group;
934
0
        size_t key_exchange_len;
935
0
        const unsigned char *key_exchange;
936
937
        /*
938
         * struct {
939
         *    NamedGroup group;
940
         *    opaque key_exchange<1..2^16-1>;
941
         * } KeyShareEntry;
942
         */
943
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);
944
0
        group = MBEDTLS_GET_UINT16_BE(p, 0);
945
0
        key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);
946
0
        p += 4;
947
0
        key_exchange = p;
948
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);
949
0
        p += key_exchange_len;
950
951
        /* Continue parsing even if we have already found a match,
952
         * for input validation purposes.
953
         */
954
0
        if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||
955
0
            !mbedtls_ssl_named_group_is_supported(group) ||
956
0
            ssl->handshake->offered_group_id != 0) {
957
0
            continue;
958
0
        }
959
960
        /*
961
         * ECDHE and FFDHE groups are supported
962
         */
963
0
        if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
964
0
            mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
965
0
            MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
966
0
                                      mbedtls_ssl_named_group_to_str(group),
967
0
                                      group));
968
0
            ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
969
0
                ssl, key_exchange - 2, key_exchange_len + 2);
970
0
            if (ret != 0) {
971
0
                return ret;
972
0
            }
973
974
0
        } else {
975
0
            MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",
976
0
                                      (unsigned) group));
977
0
            continue;
978
0
        }
979
980
0
        ssl->handshake->offered_group_id = group;
981
0
    }
982
983
984
0
    if (ssl->handshake->offered_group_id == 0) {
985
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));
986
0
        return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;
987
0
    }
988
0
    return 0;
989
0
}
990
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
991
992
MBEDTLS_CHECK_RETURN_CRITICAL
993
static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
994
                                           int exts_mask)
995
0
{
996
0
    int masked = ssl->handshake->received_extensions & exts_mask;
997
0
    return masked == exts_mask;
998
0
}
999
1000
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1001
MBEDTLS_CHECK_RETURN_CRITICAL
1002
static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
1003
    mbedtls_ssl_context *ssl)
1004
0
{
1005
0
    return ssl_tls13_client_hello_has_exts(
1006
0
        ssl,
1007
0
        MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
1008
0
        MBEDTLS_SSL_EXT_MASK(KEY_SHARE)        |
1009
0
        MBEDTLS_SSL_EXT_MASK(SIG_ALG));
1010
0
}
1011
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1012
1013
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
1014
MBEDTLS_CHECK_RETURN_CRITICAL
1015
static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
1016
    mbedtls_ssl_context *ssl)
1017
0
{
1018
0
    return ssl_tls13_client_hello_has_exts(
1019
0
        ssl,
1020
0
        MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)          |
1021
0
        MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
1022
0
}
1023
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
1024
1025
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
1026
MBEDTLS_CHECK_RETURN_CRITICAL
1027
static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
1028
    mbedtls_ssl_context *ssl)
1029
0
{
1030
0
    return ssl_tls13_client_hello_has_exts(
1031
0
        ssl,
1032
0
        MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS)        |
1033
0
        MBEDTLS_SSL_EXT_MASK(KEY_SHARE)               |
1034
0
        MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)          |
1035
0
        MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
1036
0
}
1037
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
1038
1039
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1040
MBEDTLS_CHECK_RETURN_CRITICAL
1041
static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl)
1042
0
{
1043
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
1044
0
    return mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) &&
1045
0
           mbedtls_ssl_tls13_is_psk_supported(ssl) &&
1046
0
           ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
1047
#else
1048
    ((void) ssl);
1049
    return 0;
1050
#endif
1051
0
}
1052
1053
MBEDTLS_CHECK_RETURN_CRITICAL
1054
static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl)
1055
0
{
1056
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
1057
0
    return mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) &&
1058
0
           mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) &&
1059
0
           ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
1060
#else
1061
    ((void) ssl);
1062
    return 0;
1063
#endif
1064
0
}
1065
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1066
1067
MBEDTLS_CHECK_RETURN_CRITICAL
1068
static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl)
1069
0
{
1070
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1071
0
    return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) &&
1072
0
           ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
1073
#else
1074
    ((void) ssl);
1075
    return 0;
1076
#endif
1077
0
}
1078
1079
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1080
    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1081
1082
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1083
static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
1084
{
1085
    switch (sig_alg) {
1086
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1087
            return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
1088
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1089
            return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
1090
        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1091
            return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
1092
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
1093
            return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
1094
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
1095
            return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
1096
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
1097
            return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
1098
        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
1099
            return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
1100
        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
1101
            return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);
1102
        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
1103
            return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);
1104
        default:
1105
            return PSA_ALG_NONE;
1106
    }
1107
}
1108
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1109
1110
/*
1111
 * Pick best ( private key, certificate chain ) pair based on the signature
1112
 * algorithms supported by the client.
1113
 */
1114
MBEDTLS_CHECK_RETURN_CRITICAL
1115
static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
1116
0
{
1117
0
    mbedtls_ssl_key_cert *key_cert, *key_cert_list;
1118
0
    const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
1119
1120
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1121
0
    if (ssl->handshake->sni_key_cert != NULL) {
1122
0
        key_cert_list = ssl->handshake->sni_key_cert;
1123
0
    } else
1124
0
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1125
0
    key_cert_list = ssl->conf->key_cert;
1126
1127
0
    if (key_cert_list == NULL) {
1128
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
1129
0
        return -1;
1130
0
    }
1131
1132
0
    for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
1133
0
        if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
1134
0
            continue;
1135
0
        }
1136
1137
0
        if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
1138
0
            continue;
1139
0
        }
1140
1141
0
        for (key_cert = key_cert_list; key_cert != NULL;
1142
0
             key_cert = key_cert->next) {
1143
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1144
            psa_algorithm_t psa_alg = PSA_ALG_NONE;
1145
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1146
1147
0
            MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
1148
0
                                  key_cert->cert);
1149
1150
            /*
1151
             * This avoids sending the client a cert it'll reject based on
1152
             * keyUsage or other extensions.
1153
             */
1154
0
            if (mbedtls_x509_crt_check_key_usage(
1155
0
                    key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||
1156
0
                mbedtls_x509_crt_check_extended_key_usage(
1157
0
                    key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1158
0
                    MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {
1159
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
1160
0
                                          "(extended) key usage extension"));
1161
0
                continue;
1162
0
            }
1163
1164
0
            MBEDTLS_SSL_DEBUG_MSG(3,
1165
0
                                  ("ssl_tls13_pick_key_cert:"
1166
0
                                   "check signature algorithm %s [%04x]",
1167
0
                                   mbedtls_ssl_sig_alg_to_str(*sig_alg),
1168
0
                                   *sig_alg));
1169
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1170
            psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
1171
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1172
1173
0
            if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
1174
0
                    *sig_alg, &key_cert->cert->pk)
1175
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1176
                && psa_alg != PSA_ALG_NONE &&
1177
                mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
1178
                                      PSA_KEY_USAGE_SIGN_HASH) == 1
1179
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1180
0
                ) {
1181
0
                ssl->handshake->key_cert = key_cert;
1182
0
                MBEDTLS_SSL_DEBUG_MSG(3,
1183
0
                                      ("ssl_tls13_pick_key_cert:"
1184
0
                                       "selected signature algorithm"
1185
0
                                       " %s [%04x]",
1186
0
                                       mbedtls_ssl_sig_alg_to_str(*sig_alg),
1187
0
                                       *sig_alg));
1188
0
                MBEDTLS_SSL_DEBUG_CRT(
1189
0
                    3, "selected certificate (chain)",
1190
0
                    ssl->handshake->key_cert->cert);
1191
0
                return 0;
1192
0
            }
1193
0
        }
1194
0
    }
1195
1196
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"
1197
0
                              "no suitable certificate found"));
1198
0
    return -1;
1199
0
}
1200
#endif /* MBEDTLS_X509_CRT_PARSE_C &&
1201
          MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1202
1203
/*
1204
 *
1205
 * STATE HANDLING: ClientHello
1206
 *
1207
 * There are three possible classes of outcomes when parsing the ClientHello:
1208
 *
1209
 * 1) The ClientHello was well-formed and matched the server's configuration.
1210
 *
1211
 *    In this case, the server progresses to sending its ServerHello.
1212
 *
1213
 * 2) The ClientHello was well-formed but didn't match the server's
1214
 *    configuration.
1215
 *
1216
 *    For example, the client might not have offered a key share which
1217
 *    the server supports, or the server might require a cookie.
1218
 *
1219
 *    In this case, the server sends a HelloRetryRequest.
1220
 *
1221
 * 3) The ClientHello was ill-formed
1222
 *
1223
 *    In this case, we abort the handshake.
1224
 *
1225
 */
1226
1227
/*
1228
 * Structure of this message:
1229
 *
1230
 * uint16 ProtocolVersion;
1231
 * opaque Random[32];
1232
 * uint8 CipherSuite[2];    // Cryptographic suite selector
1233
 *
1234
 * struct {
1235
 *      ProtocolVersion legacy_version = 0x0303;    // TLS v1.2
1236
 *      Random random;
1237
 *      opaque legacy_session_id<0..32>;
1238
 *      CipherSuite cipher_suites<2..2^16-2>;
1239
 *      opaque legacy_compression_methods<1..2^8-1>;
1240
 *      Extension extensions<8..2^16-1>;
1241
 * } ClientHello;
1242
 */
1243
1244
0
#define SSL_CLIENT_HELLO_OK           0
1245
0
#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1246
2.33k
#define SSL_CLIENT_HELLO_TLS1_2       2
1247
1248
MBEDTLS_CHECK_RETURN_CRITICAL
1249
static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
1250
                                        const unsigned char *buf,
1251
                                        const unsigned char *end)
1252
1.28k
{
1253
1.28k
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1254
1.28k
    const unsigned char *p = buf;
1255
1.28k
    const unsigned char *random;
1256
1.28k
    size_t legacy_session_id_len;
1257
1.28k
    const unsigned char *legacy_session_id;
1258
1.28k
    size_t cipher_suites_len;
1259
1.28k
    const unsigned char *cipher_suites;
1260
1.28k
    const unsigned char *cipher_suites_end;
1261
1.28k
    size_t extensions_len;
1262
1.28k
    const unsigned char *extensions_end;
1263
1.28k
    const unsigned char *supported_versions_data;
1264
1.28k
    const unsigned char *supported_versions_data_end;
1265
1.28k
    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1266
1.28k
    int hrr_required = 0;
1267
1.28k
    int no_usable_share_for_key_agreement = 0;
1268
1269
1.28k
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1270
1.28k
    int got_psk = 0;
1271
1.28k
    struct psk_attributes psk = PSK_ATTRIBUTES_INIT;
1272
1.28k
    const unsigned char *pre_shared_key_ext = NULL;
1273
1.28k
    const unsigned char *pre_shared_key_ext_end = NULL;
1274
1.28k
#endif
1275
1276
    /*
1277
     * ClientHello layout:
1278
     *     0  .   1   protocol version
1279
     *     2  .  33   random bytes
1280
     *    34  .  34   session id length ( 1 byte )
1281
     *    35  . 34+x  session id
1282
     *    ..  .  ..   ciphersuite list length ( 2 bytes )
1283
     *    ..  .  ..   ciphersuite list
1284
     *    ..  .  ..   compression alg. list length ( 1 byte )
1285
     *    ..  .  ..   compression alg. list
1286
     *    ..  .  ..   extensions length ( 2 bytes, optional )
1287
     *    ..  .  ..   extensions ( optional )
1288
     */
1289
1290
    /*
1291
     * Minimal length ( with everything empty and extensions omitted ) is
1292
     * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1293
     * read at least up to session id length without worrying.
1294
     */
1295
1.28k
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);
1296
1297
    /* ...
1298
     * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1299
     * ...
1300
     * with ProtocolVersion defined as:
1301
     * uint16 ProtocolVersion;
1302
     */
1303
1.27k
    if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1304
1.27k
        MBEDTLS_SSL_VERSION_TLS1_2) {
1305
6
        MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1306
6
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1307
6
                                     MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1308
6
        return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1309
6
    }
1310
1.27k
    p += 2;
1311
1312
    /* ...
1313
     * Random random;
1314
     * ...
1315
     * with Random defined as:
1316
     * opaque Random[32];
1317
     */
1318
1.27k
    random = p;
1319
1.27k
    p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1320
1321
    /* ...
1322
     * opaque legacy_session_id<0..32>;
1323
     * ...
1324
     */
1325
1.27k
    legacy_session_id_len = *(p++);
1326
1.27k
    legacy_session_id = p;
1327
1328
    /*
1329
     * Check we have enough data for the legacy session identifier
1330
     * and the ciphersuite list length.
1331
     */
1332
1.27k
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
1333
1.26k
    p += legacy_session_id_len;
1334
1335
    /* ...
1336
     * CipherSuite cipher_suites<2..2^16-2>;
1337
     * ...
1338
     * with CipherSuite defined as:
1339
     * uint8 CipherSuite[2];
1340
     */
1341
1.26k
    cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
1342
1.26k
    p += 2;
1343
1.26k
    cipher_suites = p;
1344
1345
    /*
1346
     * The length of the ciphersuite list has to be even.
1347
     */
1348
1.26k
    if (cipher_suites_len & 1) {
1349
2
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1350
2
                                     MBEDTLS_ERR_SSL_DECODE_ERROR);
1351
2
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1352
2
    }
1353
1354
    /* Check we have enough data for the ciphersuite list, the legacy
1355
     * compression methods and the length of the extensions.
1356
     *
1357
     * cipher_suites                cipher_suites_len bytes
1358
     * legacy_compression_methods length            1 byte
1359
     */
1360
1.26k
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 1);
1361
1.25k
    p += cipher_suites_len;
1362
1.25k
    cipher_suites_end = p;
1363
1364
    /* Check if we have enough data for legacy_compression_methods
1365
     * and the length of the extensions (2 bytes).
1366
     */
1367
1.25k
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p + 1, end, p[0] + 2);
1368
1369
    /*
1370
     * Search for the supported versions extension and parse it to determine
1371
     * if the client supports TLS 1.3.
1372
     */
1373
1.24k
    ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1374
1.24k
        ssl, p + 1 + p[0], end,
1375
1.24k
        &supported_versions_data, &supported_versions_data_end);
1376
1.24k
    if (ret < 0) {
1377
47
        MBEDTLS_SSL_DEBUG_RET(1,
1378
47
                              ("mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts"), ret);
1379
47
        return ret;
1380
47
    }
1381
1382
1.19k
    if (ret == 0) {
1383
958
        return SSL_CLIENT_HELLO_TLS1_2;
1384
958
    }
1385
1386
241
    if (ret == 1) {
1387
241
        ret = ssl_tls13_parse_supported_versions_ext(ssl,
1388
241
                                                     supported_versions_data,
1389
241
                                                     supported_versions_data_end);
1390
241
        if (ret < 0) {
1391
29
            MBEDTLS_SSL_DEBUG_RET(1,
1392
29
                                  ("ssl_tls13_parse_supported_versions_ext"), ret);
1393
29
            return ret;
1394
29
        }
1395
1396
        /*
1397
         * The supported versions extension was parsed successfully as the
1398
         * value returned by ssl_tls13_parse_supported_versions_ext() is
1399
         * positive. The return value is then equal to
1400
         * MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3, defining
1401
         * the TLS version to negotiate.
1402
         */
1403
212
        if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
1404
208
            return SSL_CLIENT_HELLO_TLS1_2;
1405
208
        }
1406
212
    }
1407
1408
    /*
1409
     * We negotiate TLS 1.3.
1410
     */
1411
4
    ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1412
4
    ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1413
4
    ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1414
1415
    /* Before doing any crypto, make sure we can. */
1416
4
    ret = mbedtls_ssl_tls13_crypto_init(ssl);
1417
4
    if (ret != 0) {
1418
4
        return ret;
1419
4
    }
1420
1421
    /*
1422
     * We are negotiating the version 1.3 of the protocol. Do what we have
1423
     * postponed: copy of the client random bytes, copy of the legacy session
1424
     * identifier and selection of the TLS 1.3 cipher suite.
1425
     */
1426
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
1427
0
                          random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1428
0
    memcpy(&handshake->randbytes[0], random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1429
1430
0
    if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {
1431
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1432
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1433
0
    }
1434
0
    ssl->session_negotiate->id_len = legacy_session_id_len;
1435
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1436
0
                          legacy_session_id, legacy_session_id_len);
1437
0
    memcpy(&ssl->session_negotiate->id[0],
1438
0
           legacy_session_id, legacy_session_id_len);
1439
1440
    /*
1441
     * Search for a matching ciphersuite
1442
     */
1443
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
1444
0
                          cipher_suites, cipher_suites_len);
1445
1446
0
    ssl_tls13_select_ciphersuite(ssl, cipher_suites, cipher_suites_end,
1447
0
                                 0, PSA_ALG_NONE, &handshake->ciphersuite_info);
1448
1449
0
    if (handshake->ciphersuite_info == NULL) {
1450
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1451
0
                                     MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1452
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1453
0
    }
1454
0
    ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
1455
1456
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
1457
0
                              ((unsigned) handshake->ciphersuite_info->id),
1458
0
                              handshake->ciphersuite_info->name));
1459
1460
    /* ...
1461
     * opaque legacy_compression_methods<1..2^8-1>;
1462
     * ...
1463
     */
1464
0
    if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {
1465
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1466
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1467
0
                                     MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1468
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1469
0
    }
1470
0
    p += 2;
1471
1472
    /* ...
1473
     * Extension extensions<8..2^16-1>;
1474
     * ...
1475
     * with Extension defined as:
1476
     * struct {
1477
     *    ExtensionType extension_type;
1478
     *    opaque extension_data<0..2^16-1>;
1479
     * } Extension;
1480
     */
1481
0
    extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
1482
0
    p += 2;
1483
0
    MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
1484
0
    extensions_end = p + extensions_len;
1485
1486
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
1487
0
    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1488
1489
0
    while (p < extensions_end) {
1490
0
        unsigned int extension_type;
1491
0
        size_t extension_data_len;
1492
0
        const unsigned char *extension_data_end;
1493
0
        uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH;
1494
1495
0
        if (ssl->handshake->hello_retry_request_flag) {
1496
            /* Do not accept early data extension in 2nd ClientHello */
1497
0
            allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA);
1498
0
        }
1499
1500
        /* RFC 8446, section 4.2.11
1501
         *
1502
         * The "pre_shared_key" extension MUST be the last extension in the
1503
         * ClientHello (this facilitates implementation as described below).
1504
         * Servers MUST check that it is the last extension and otherwise fail
1505
         * the handshake with an "illegal_parameter" alert.
1506
         */
1507
0
        if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
1508
0
            MBEDTLS_SSL_DEBUG_MSG(
1509
0
                3, ("pre_shared_key is not last extension."));
1510
0
            MBEDTLS_SSL_PEND_FATAL_ALERT(
1511
0
                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1512
0
                MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1513
0
            return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1514
0
        }
1515
1516
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1517
0
        extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1518
0
        extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
1519
0
        p += 4;
1520
1521
0
        MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
1522
0
        extension_data_end = p + extension_data_len;
1523
1524
0
        ret = mbedtls_ssl_tls13_check_received_extension(
1525
0
            ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
1526
0
            allowed_exts);
1527
0
        if (ret != 0) {
1528
0
            return ret;
1529
0
        }
1530
1531
0
        switch (extension_type) {
1532
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1533
0
            case MBEDTLS_TLS_EXT_SERVERNAME:
1534
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1535
0
                ret = mbedtls_ssl_parse_server_name_ext(ssl, p,
1536
0
                                                        extension_data_end);
1537
0
                if (ret != 0) {
1538
0
                    MBEDTLS_SSL_DEBUG_RET(
1539
0
                        1, "mbedtls_ssl_parse_servername_ext", ret);
1540
0
                    return ret;
1541
0
                }
1542
0
                break;
1543
0
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1544
1545
0
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
1546
0
            case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1547
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
1548
1549
                /* Supported Groups Extension
1550
                 *
1551
                 * When sent by the client, the "supported_groups" extension
1552
                 * indicates the named groups which the client supports,
1553
                 * ordered from most preferred to least preferred.
1554
                 */
1555
0
                ret = ssl_tls13_parse_supported_groups_ext(
1556
0
                    ssl, p, extension_data_end);
1557
0
                if (ret != 0) {
1558
0
                    MBEDTLS_SSL_DEBUG_RET(
1559
0
                        1, "ssl_tls13_parse_supported_groups_ext", ret);
1560
0
                    return ret;
1561
0
                }
1562
1563
0
                break;
1564
0
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/
1565
1566
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1567
0
            case MBEDTLS_TLS_EXT_KEY_SHARE:
1568
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
1569
1570
                /*
1571
                 * Key Share Extension
1572
                 *
1573
                 * When sent by the client, the "key_share" extension
1574
                 * contains the endpoint's cryptographic parameters for
1575
                 * ECDHE/DHE key establishment methods.
1576
                 */
1577
0
                ret = ssl_tls13_parse_key_shares_ext(
1578
0
                    ssl, p, extension_data_end);
1579
0
                if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
1580
0
                    MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement."));
1581
0
                    no_usable_share_for_key_agreement = 1;
1582
0
                }
1583
1584
0
                if (ret < 0) {
1585
0
                    MBEDTLS_SSL_DEBUG_RET(
1586
0
                        1, "ssl_tls13_parse_key_shares_ext", ret);
1587
0
                    return ret;
1588
0
                }
1589
1590
0
                break;
1591
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1592
1593
0
            case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1594
                /* Already parsed */
1595
0
                break;
1596
1597
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1598
0
            case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1599
0
                MBEDTLS_SSL_DEBUG_MSG(
1600
0
                    3, ("found psk key exchange modes extension"));
1601
1602
0
                ret = ssl_tls13_parse_key_exchange_modes_ext(
1603
0
                    ssl, p, extension_data_end);
1604
0
                if (ret != 0) {
1605
0
                    MBEDTLS_SSL_DEBUG_RET(
1606
0
                        1, "ssl_tls13_parse_key_exchange_modes_ext", ret);
1607
0
                    return ret;
1608
0
                }
1609
1610
0
                break;
1611
0
#endif
1612
1613
0
            case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1614
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1615
0
                if ((handshake->received_extensions &
1616
0
                     MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {
1617
0
                    MBEDTLS_SSL_PEND_FATAL_ALERT(
1618
0
                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1619
0
                        MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1620
0
                    return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1621
0
                }
1622
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1623
                /* Delay processing of the PSK identity once we have
1624
                 * found out which algorithms to use. We keep a pointer
1625
                 * to the buffer and the size for later processing.
1626
                 */
1627
0
                pre_shared_key_ext = p;
1628
0
                pre_shared_key_ext_end = extension_data_end;
1629
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1630
0
                break;
1631
1632
0
#if defined(MBEDTLS_SSL_ALPN)
1633
0
            case MBEDTLS_TLS_EXT_ALPN:
1634
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1635
1636
0
                ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);
1637
0
                if (ret != 0) {
1638
0
                    MBEDTLS_SSL_DEBUG_RET(
1639
0
                        1, ("mbedtls_ssl_parse_alpn_ext"), ret);
1640
0
                    return ret;
1641
0
                }
1642
0
                break;
1643
0
#endif /* MBEDTLS_SSL_ALPN */
1644
1645
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1646
0
            case MBEDTLS_TLS_EXT_SIG_ALG:
1647
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1648
1649
0
                ret = mbedtls_ssl_parse_sig_alg_ext(
1650
0
                    ssl, p, extension_data_end);
1651
0
                if (ret != 0) {
1652
0
                    MBEDTLS_SSL_DEBUG_RET(
1653
0
                        1, "mbedtls_ssl_parse_sig_alg_ext", ret);
1654
0
                    return ret;
1655
0
                }
1656
0
                break;
1657
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1658
1659
0
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1660
0
            case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
1661
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
1662
1663
0
                ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
1664
0
                    ssl, p, extension_data_end);
1665
0
                if (ret != 0) {
1666
0
                    MBEDTLS_SSL_DEBUG_RET(
1667
0
                        1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
1668
0
                    return ret;
1669
0
                }
1670
0
                break;
1671
0
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1672
1673
0
            default:
1674
0
                MBEDTLS_SSL_PRINT_EXT(
1675
0
                    3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1676
0
                    extension_type, "( ignored )");
1677
0
                break;
1678
0
        }
1679
1680
0
        p += extension_data_len;
1681
0
    }
1682
1683
0
    MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1684
0
                           handshake->received_extensions);
1685
1686
0
    ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
1687
0
                                             MBEDTLS_SSL_HS_CLIENT_HELLO,
1688
0
                                             p - buf);
1689
0
    if (0 != ret) {
1690
0
        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
1691
0
        return ret;
1692
0
    }
1693
1694
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1695
    /* Update checksum with either
1696
     * - The entire content of the CH message, if no PSK extension is present
1697
     * - The content up to but excluding the PSK extension, if present.
1698
     * Always parse the pre-shared-key extension when present in the
1699
     * ClientHello even if some pre-requisites for PSK key exchange modes are
1700
     * not met. That way we always validate the syntax of the extension.
1701
     */
1702
0
    if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
1703
0
        ret = handshake->update_checksum(ssl, buf,
1704
0
                                         pre_shared_key_ext - buf);
1705
0
        if (0 != ret) {
1706
0
            MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1707
0
            return ret;
1708
0
        }
1709
0
        ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
1710
0
                                                 pre_shared_key_ext,
1711
0
                                                 pre_shared_key_ext_end,
1712
0
                                                 cipher_suites,
1713
0
                                                 cipher_suites_end,
1714
0
                                                 &psk);
1715
0
        if (ret == 0) {
1716
0
            got_psk = 1;
1717
0
        } else if (ret != MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
1718
0
            MBEDTLS_SSL_DEBUG_RET(
1719
0
                1, "ssl_tls13_parse_pre_shared_key_ext", ret);
1720
0
            return ret;
1721
0
        }
1722
0
    } else
1723
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1724
0
    {
1725
0
        ret = handshake->update_checksum(ssl, buf, p - buf);
1726
0
        if (0 != ret) {
1727
0
            MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1728
0
            return ret;
1729
0
        }
1730
0
    }
1731
1732
    /*
1733
     * Determine the key exchange algorithm to use.
1734
     * There are three types of key exchanges supported in TLS 1.3:
1735
     * - (EC)DH with ECDSA,
1736
     * - (EC)DH with PSK,
1737
     * - plain PSK.
1738
     *
1739
     * The PSK-based key exchanges may additionally be used with 0-RTT.
1740
     *
1741
     * Our built-in order of preference is
1742
     *  1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1743
     *  2 ) Certificate Mode ( ephemeral )
1744
     *  3 ) Plain PSK Mode ( psk )
1745
     */
1746
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1747
0
    if (got_psk && (psk.key_exchange_mode ==
1748
0
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL)) {
1749
0
        handshake->key_exchange_mode =
1750
0
            MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1751
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
1752
1753
0
    } else
1754
0
#endif
1755
0
    if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) {
1756
0
        handshake->key_exchange_mode =
1757
0
            MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1758
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
1759
1760
0
    }
1761
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1762
0
    else if (got_psk && (psk.key_exchange_mode ==
1763
0
                         MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK)) {
1764
0
        handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1765
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
1766
0
    }
1767
0
#endif
1768
0
    else {
1769
0
        MBEDTLS_SSL_DEBUG_MSG(
1770
0
            1,
1771
0
            ("ClientHello message misses mandatory extensions."));
1772
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
1773
0
                                     MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1774
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1775
0
    }
1776
1777
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1778
0
    if (handshake->key_exchange_mode &
1779
0
        MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL) {
1780
0
        handshake->ciphersuite_info = psk.ciphersuite_info;
1781
0
        ssl->session_negotiate->ciphersuite = psk.ciphersuite_info->id;
1782
1783
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("Select PSK ciphersuite: %04x - %s",
1784
0
                                  ((unsigned) psk.ciphersuite_info->id),
1785
0
                                  psk.ciphersuite_info->name));
1786
1787
0
        if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
1788
0
            handshake->resume = 1;
1789
0
        }
1790
0
    }
1791
0
#endif
1792
1793
0
    if (handshake->key_exchange_mode !=
1794
0
        MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
1795
0
        hrr_required = (no_usable_share_for_key_agreement != 0);
1796
0
    }
1797
1798
0
    mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
1799
1800
0
    return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
1801
0
}
1802
1803
#if defined(MBEDTLS_SSL_EARLY_DATA)
1804
static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl)
1805
0
{
1806
0
    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1807
1808
0
    if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
1809
0
        MBEDTLS_SSL_DEBUG_MSG(
1810
0
            1,
1811
0
            ("EarlyData: rejected, feature disabled in server configuration."));
1812
0
        return -1;
1813
0
    }
1814
1815
0
    if (!handshake->resume) {
1816
        /* We currently support early data only in the case of PSKs established
1817
           via a NewSessionTicket message thus in the case of a session
1818
           resumption. */
1819
0
        MBEDTLS_SSL_DEBUG_MSG(
1820
0
            1, ("EarlyData: rejected, not a session resumption."));
1821
0
        return -1;
1822
0
    }
1823
1824
    /* RFC 8446 4.2.10
1825
     *
1826
     * In order to accept early data, the server MUST have accepted a PSK cipher
1827
     * suite and selected the first key offered in the client's "pre_shared_key"
1828
     * extension. In addition, it MUST verify that the following values are the
1829
     * same as those associated with the selected PSK:
1830
     * - The TLS version number
1831
     * - The selected cipher suite
1832
     * - The selected ALPN [RFC7301] protocol, if any
1833
     *
1834
     * NOTE:
1835
     *  - The TLS version number is checked in
1836
     *    ssl_tls13_offered_psks_check_identity_match_ticket().
1837
     */
1838
1839
0
    if (handshake->selected_identity != 0) {
1840
0
        MBEDTLS_SSL_DEBUG_MSG(
1841
0
            1, ("EarlyData: rejected, the selected key in "
1842
0
                "`pre_shared_key` is not the first one."));
1843
0
        return -1;
1844
0
    }
1845
1846
0
    if (handshake->ciphersuite_info->id !=
1847
0
        ssl->session_negotiate->ciphersuite) {
1848
0
        MBEDTLS_SSL_DEBUG_MSG(
1849
0
            1, ("EarlyData: rejected, the selected ciphersuite is not the one "
1850
0
                "of the selected pre-shared key."));
1851
0
        return -1;
1852
1853
0
    }
1854
1855
0
    if (!mbedtls_ssl_tls13_session_ticket_allow_early_data(ssl->session_negotiate)) {
1856
0
        MBEDTLS_SSL_DEBUG_MSG(
1857
0
            1,
1858
0
            ("EarlyData: rejected, early_data not allowed in ticket "
1859
0
             "permission bits."));
1860
0
        return -1;
1861
0
    }
1862
1863
0
#if defined(MBEDTLS_SSL_ALPN)
1864
0
    const char *alpn = mbedtls_ssl_get_alpn_protocol(ssl);
1865
0
    size_t alpn_len;
1866
1867
0
    if (alpn == NULL && ssl->session_negotiate->ticket_alpn == NULL) {
1868
0
        return 0;
1869
0
    }
1870
1871
0
    if (alpn != NULL) {
1872
0
        alpn_len = strlen(alpn);
1873
0
    }
1874
1875
0
    if (alpn == NULL ||
1876
0
        ssl->session_negotiate->ticket_alpn == NULL ||
1877
0
        alpn_len != strlen(ssl->session_negotiate->ticket_alpn) ||
1878
0
        (memcmp(alpn, ssl->session_negotiate->ticket_alpn, alpn_len) != 0)) {
1879
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, the selected ALPN is different "
1880
0
                                  "from the one associated with the pre-shared key."));
1881
0
        return -1;
1882
0
    }
1883
0
#endif
1884
1885
0
    return 0;
1886
0
}
1887
#endif /* MBEDTLS_SSL_EARLY_DATA */
1888
1889
/* Update the handshake state machine */
1890
1891
MBEDTLS_CHECK_RETURN_CRITICAL
1892
static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl,
1893
                                              int hrr_required)
1894
0
{
1895
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1896
1897
    /*
1898
     * Server certificate selection
1899
     */
1900
0
    if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1901
0
        MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1902
0
        return ret;
1903
0
    }
1904
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1905
0
    ssl->handshake->sni_name = NULL;
1906
0
    ssl->handshake->sni_name_len = 0;
1907
0
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1908
1909
0
    ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1910
0
    if (ret != 0) {
1911
0
        MBEDTLS_SSL_DEBUG_RET(1,
1912
0
                              "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);
1913
0
        return ret;
1914
0
    }
1915
1916
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
1917
0
    if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
1918
0
        ssl->handshake->early_data_accepted =
1919
0
            (!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0);
1920
1921
0
        if (ssl->handshake->early_data_accepted) {
1922
0
            ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1923
0
            if (ret != 0) {
1924
0
                MBEDTLS_SSL_DEBUG_RET(
1925
0
                    1, "mbedtls_ssl_tls13_compute_early_transform", ret);
1926
0
                return ret;
1927
0
            }
1928
0
        } else {
1929
0
            ssl->discard_early_data_record =
1930
0
                hrr_required ?
1931
0
                MBEDTLS_SSL_EARLY_DATA_DISCARD :
1932
0
                MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD;
1933
0
        }
1934
0
    }
1935
#else
1936
    ((void) hrr_required);
1937
#endif /* MBEDTLS_SSL_EARLY_DATA */
1938
1939
0
    return 0;
1940
0
}
1941
1942
/*
1943
 * Main entry point from the state machine; orchestrates the otherfunctions.
1944
 */
1945
1946
MBEDTLS_CHECK_RETURN_CRITICAL
1947
static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
1948
1.59k
{
1949
1950
1.59k
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1951
1.59k
    unsigned char *buf = NULL;
1952
1.59k
    size_t buflen = 0;
1953
1.59k
    int parse_client_hello_ret;
1954
1955
1.59k
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
1956
1957
1.59k
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1958
1.59k
                             ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1959
1.59k
                             &buf, &buflen));
1960
1961
1.28k
    MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,
1962
1.28k
                                                          buf + buflen));
1963
1.16k
    parse_client_hello_ret = ret; /* Store positive return value of
1964
                                   * parse_client_hello,
1965
                                   * as negative error codes are handled
1966
                                   * by MBEDTLS_SSL_PROC_CHK_NEG. */
1967
1968
    /*
1969
     * Version 1.2 of the protocol has to be used for the handshake.
1970
     * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the
1971
     * ssl->keep_current_message flag for the ClientHello to be kept and parsed
1972
     * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
1973
     * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1974
     * will dispatch to the TLS 1.2 state machine.
1975
     */
1976
1.16k
    if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
1977
        /* Check if server supports TLS 1.2 */
1978
1.16k
        if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
1979
0
            MBEDTLS_SSL_DEBUG_MSG(
1980
0
                1, ("TLS 1.2 not supported."));
1981
0
            MBEDTLS_SSL_PEND_FATAL_ALERT(
1982
0
                MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1983
0
                MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1984
0
            return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1985
0
        }
1986
1.16k
        ssl->keep_current_message = 1;
1987
1.16k
        ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
1988
1.16k
        return 0;
1989
1.16k
    }
1990
1991
0
    MBEDTLS_SSL_PROC_CHK(
1992
0
        ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret ==
1993
0
                                           SSL_CLIENT_HELLO_HRR_REQUIRED));
1994
1995
0
    if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
1996
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
1997
0
    } else {
1998
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);
1999
0
    }
2000
2001
433
cleanup:
2002
2003
433
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
2004
433
    return ret;
2005
0
}
2006
2007
/*
2008
 * Handler for MBEDTLS_SSL_SERVER_HELLO
2009
 */
2010
MBEDTLS_CHECK_RETURN_CRITICAL
2011
static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
2012
0
{
2013
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2014
0
    unsigned char *server_randbytes =
2015
0
        ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
2016
2017
0
    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
2018
0
                                MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
2019
0
        MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
2020
0
        return ret;
2021
0
    }
2022
2023
0
    MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,
2024
0
                          MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2025
2026
0
#if defined(MBEDTLS_HAVE_TIME)
2027
0
    ssl->session_negotiate->start = mbedtls_time(NULL);
2028
0
#endif /* MBEDTLS_HAVE_TIME */
2029
2030
0
    return ret;
2031
0
}
2032
2033
/*
2034
 * ssl_tls13_write_server_hello_supported_versions_ext ():
2035
 *
2036
 * struct {
2037
 *      ProtocolVersion selected_version;
2038
 * } SupportedVersions;
2039
 */
2040
MBEDTLS_CHECK_RETURN_CRITICAL
2041
static int ssl_tls13_write_server_hello_supported_versions_ext(
2042
    mbedtls_ssl_context *ssl,
2043
    unsigned char *buf,
2044
    unsigned char *end,
2045
    size_t *out_len)
2046
0
{
2047
0
    *out_len = 0;
2048
2049
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));
2050
2051
    /* Check if we have space to write the extension:
2052
     * - extension_type         (2 bytes)
2053
     * - extension_data_length  (2 bytes)
2054
     * - selected_version       (2 bytes)
2055
     */
2056
0
    MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
2057
2058
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);
2059
2060
0
    MBEDTLS_PUT_UINT16_BE(2, buf, 2);
2061
2062
0
    mbedtls_ssl_write_version(buf + 4,
2063
0
                              ssl->conf->transport,
2064
0
                              ssl->tls_version);
2065
2066
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",
2067
0
                              ssl->tls_version));
2068
2069
0
    *out_len = 6;
2070
2071
0
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
2072
0
        ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
2073
2074
0
    return 0;
2075
0
}
2076
2077
2078
2079
/* Generate and export a single key share. For hybrid KEMs, this can
2080
 * be called multiple times with the different components of the hybrid. */
2081
MBEDTLS_CHECK_RETURN_CRITICAL
2082
static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
2083
                                                  uint16_t named_group,
2084
                                                  unsigned char *buf,
2085
                                                  unsigned char *end,
2086
                                                  size_t *out_len)
2087
0
{
2088
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2089
2090
0
    *out_len = 0;
2091
2092
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
2093
0
    if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
2094
0
        mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
2095
0
        ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
2096
0
            ssl, named_group, buf, end, out_len);
2097
0
        if (ret != 0) {
2098
0
            MBEDTLS_SSL_DEBUG_RET(
2099
0
                1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
2100
0
                ret);
2101
0
            return ret;
2102
0
        }
2103
0
    } else
2104
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
2105
0
    if (0 /* Other kinds of KEMs */) {
2106
0
    } else {
2107
0
        ((void) ssl);
2108
0
        ((void) named_group);
2109
0
        ((void) buf);
2110
0
        ((void) end);
2111
0
        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2112
0
    }
2113
2114
0
    return ret;
2115
0
}
2116
2117
/*
2118
 * ssl_tls13_write_key_share_ext
2119
 *
2120
 * Structure of key_share extension in ServerHello:
2121
 *
2122
 * struct {
2123
 *     NamedGroup group;
2124
 *     opaque key_exchange<1..2^16-1>;
2125
 * } KeyShareEntry;
2126
 * struct {
2127
 *     KeyShareEntry server_share;
2128
 * } KeyShareServerHello;
2129
 */
2130
MBEDTLS_CHECK_RETURN_CRITICAL
2131
static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
2132
                                         unsigned char *buf,
2133
                                         unsigned char *end,
2134
                                         size_t *out_len)
2135
0
{
2136
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2137
0
    unsigned char *p = buf;
2138
0
    uint16_t group = ssl->handshake->offered_group_id;
2139
0
    unsigned char *server_share = buf + 4;
2140
0
    size_t key_exchange_length;
2141
2142
0
    *out_len = 0;
2143
2144
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));
2145
2146
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",
2147
0
                              mbedtls_ssl_named_group_to_str(group),
2148
0
                              group));
2149
2150
    /* Check if we have space for header and length fields:
2151
     * - extension_type         (2 bytes)
2152
     * - extension_data_length  (2 bytes)
2153
     * - group                  (2 bytes)
2154
     * - key_exchange_length    (2 bytes)
2155
     */
2156
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
2157
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);
2158
0
    MBEDTLS_PUT_UINT16_BE(group, server_share, 0);
2159
0
    p += 8;
2160
2161
    /* When we introduce PQC-ECDHE hybrids, we'll want to call this
2162
     * function multiple times. */
2163
0
    ret = ssl_tls13_generate_and_write_key_share(
2164
0
        ssl, group, server_share + 4, end, &key_exchange_length);
2165
0
    if (ret != 0) {
2166
0
        return ret;
2167
0
    }
2168
0
    p += key_exchange_length;
2169
2170
0
    MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);
2171
2172
0
    MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);
2173
2174
0
    *out_len = p - buf;
2175
2176
0
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
2177
2178
0
    return 0;
2179
0
}
2180
2181
MBEDTLS_CHECK_RETURN_CRITICAL
2182
static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,
2183
                                             unsigned char *buf,
2184
                                             unsigned char *end,
2185
                                             size_t *out_len)
2186
0
{
2187
0
    uint16_t selected_group = ssl->handshake->hrr_selected_group;
2188
    /* key_share Extension
2189
     *
2190
     *  struct {
2191
     *    select (Handshake.msg_type) {
2192
     *      ...
2193
     *      case hello_retry_request:
2194
     *          NamedGroup selected_group;
2195
     *      ...
2196
     *    };
2197
     * } KeyShare;
2198
     */
2199
2200
0
    *out_len = 0;
2201
2202
    /*
2203
     * For a pure PSK key exchange, there is no group to agree upon. The purpose
2204
     * of the HRR is then to transmit a cookie to force the client to demonstrate
2205
     * reachability at their apparent network address (primarily useful for DTLS).
2206
     */
2207
0
    if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2208
0
        return 0;
2209
0
    }
2210
2211
    /* We should only send the key_share extension if the client's initial
2212
     * key share was not acceptable. */
2213
0
    if (ssl->handshake->offered_group_id != 0) {
2214
0
        MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));
2215
0
        return 0;
2216
0
    }
2217
2218
0
    if (selected_group == 0) {
2219
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));
2220
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2221
0
    }
2222
2223
    /* Check if we have enough space:
2224
     * - extension_type         (2 bytes)
2225
     * - extension_data_length  (2 bytes)
2226
     * - selected_group         (2 bytes)
2227
     */
2228
0
    MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
2229
2230
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
2231
0
    MBEDTLS_PUT_UINT16_BE(2, buf, 2);
2232
0
    MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);
2233
2234
0
    MBEDTLS_SSL_DEBUG_MSG(3,
2235
0
                          ("HRR selected_group: %s (%x)",
2236
0
                           mbedtls_ssl_named_group_to_str(selected_group),
2237
0
                           selected_group));
2238
2239
0
    *out_len = 6;
2240
2241
0
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
2242
2243
0
    return 0;
2244
0
}
2245
2246
/*
2247
 * Structure of ServerHello message:
2248
 *
2249
 *     struct {
2250
 *        ProtocolVersion legacy_version = 0x0303;    // TLS v1.2
2251
 *        Random random;
2252
 *        opaque legacy_session_id_echo<0..32>;
2253
 *        CipherSuite cipher_suite;
2254
 *        uint8 legacy_compression_method = 0;
2255
 *        Extension extensions<6..2^16-1>;
2256
 *    } ServerHello;
2257
 */
2258
MBEDTLS_CHECK_RETURN_CRITICAL
2259
static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,
2260
                                             unsigned char *buf,
2261
                                             unsigned char *end,
2262
                                             size_t *out_len,
2263
                                             int is_hrr)
2264
0
{
2265
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2266
0
    unsigned char *p = buf;
2267
0
    unsigned char *p_extensions_len;
2268
0
    size_t output_len;
2269
2270
0
    *out_len = 0;
2271
0
    ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2272
2273
    /* ...
2274
     * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2275
     * ...
2276
     * with ProtocolVersion defined as:
2277
     * uint16 ProtocolVersion;
2278
     */
2279
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2280
0
    MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);
2281
0
    p += 2;
2282
2283
    /* ...
2284
     * Random random;
2285
     * ...
2286
     * with Random defined as:
2287
     * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
2288
     */
2289
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2290
0
    if (is_hrr) {
2291
0
        memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,
2292
0
               MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2293
0
    } else {
2294
0
        memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
2295
0
               MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2296
0
    }
2297
0
    MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
2298
0
                          p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2299
0
    p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2300
2301
    /* ...
2302
     * opaque legacy_session_id_echo<0..32>;
2303
     * ...
2304
     */
2305
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);
2306
0
    *p++ = (unsigned char) ssl->session_negotiate->id_len;
2307
0
    if (ssl->session_negotiate->id_len > 0) {
2308
0
        memcpy(p, &ssl->session_negotiate->id[0],
2309
0
               ssl->session_negotiate->id_len);
2310
0
        p += ssl->session_negotiate->id_len;
2311
2312
0
        MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
2313
0
                              ssl->session_negotiate->id_len);
2314
0
    }
2315
2316
    /* ...
2317
     * CipherSuite cipher_suite;
2318
     * ...
2319
     * with CipherSuite defined as:
2320
     * uint8 CipherSuite[2];
2321
     */
2322
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2323
0
    MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2324
0
    p += 2;
2325
0
    MBEDTLS_SSL_DEBUG_MSG(3,
2326
0
                          ("server hello, chosen ciphersuite: %s ( id=%d )",
2327
0
                           mbedtls_ssl_get_ciphersuite_name(
2328
0
                               ssl->session_negotiate->ciphersuite),
2329
0
                           ssl->session_negotiate->ciphersuite));
2330
2331
    /* ...
2332
     * uint8 legacy_compression_method = 0;
2333
     * ...
2334
     */
2335
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
2336
0
    *p++ = MBEDTLS_SSL_COMPRESS_NULL;
2337
2338
    /* ...
2339
     * Extension extensions<6..2^16-1>;
2340
     * ...
2341
     * struct {
2342
     *      ExtensionType extension_type; (2 bytes)
2343
     *      opaque extension_data<0..2^16-1>;
2344
     * } Extension;
2345
     */
2346
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2347
0
    p_extensions_len = p;
2348
0
    p += 2;
2349
2350
0
    if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(
2351
0
             ssl, p, end, &output_len)) != 0) {
2352
0
        MBEDTLS_SSL_DEBUG_RET(
2353
0
            1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);
2354
0
        return ret;
2355
0
    }
2356
0
    p += output_len;
2357
2358
0
    if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2359
0
        if (is_hrr) {
2360
0
            ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);
2361
0
        } else {
2362
0
            ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);
2363
0
        }
2364
0
        if (ret != 0) {
2365
0
            return ret;
2366
0
        }
2367
0
        p += output_len;
2368
0
    }
2369
2370
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2371
0
    if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2372
0
        ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);
2373
0
        if (ret != 0) {
2374
0
            MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",
2375
0
                                  ret);
2376
0
            return ret;
2377
0
        }
2378
0
        p += output_len;
2379
0
    }
2380
0
#endif
2381
2382
0
    MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2383
2384
0
    MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",
2385
0
                          p_extensions_len, p - p_extensions_len);
2386
2387
0
    *out_len = p - buf;
2388
2389
0
    MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);
2390
2391
0
    MBEDTLS_SSL_PRINT_EXTS(
2392
0
        3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
2393
0
        MBEDTLS_SSL_HS_SERVER_HELLO,
2394
0
        ssl->handshake->sent_extensions);
2395
2396
0
    return ret;
2397
0
}
2398
2399
MBEDTLS_CHECK_RETURN_CRITICAL
2400
static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl)
2401
0
{
2402
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2403
0
    ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
2404
0
    if (ret != 0) {
2405
0
        MBEDTLS_SSL_DEBUG_RET(1,
2406
0
                              "mbedtls_ssl_tls13_compute_handshake_transform",
2407
0
                              ret);
2408
0
        return ret;
2409
0
    }
2410
2411
0
    return ret;
2412
0
}
2413
2414
MBEDTLS_CHECK_RETURN_CRITICAL
2415
static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
2416
0
{
2417
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2418
0
    unsigned char *buf;
2419
0
    size_t buf_len, msg_len;
2420
2421
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2422
2423
0
    MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
2424
2425
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2426
0
                             ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
2427
2428
0
    MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2429
0
                                                           buf + buf_len,
2430
0
                                                           &msg_len,
2431
0
                                                           0));
2432
2433
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2434
0
                             ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2435
2436
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2437
0
                             ssl, buf_len, msg_len));
2438
2439
0
    MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl));
2440
2441
0
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2442
    /* The server sends a dummy change_cipher_spec record immediately
2443
     * after its first handshake message. This may either be after
2444
     * a ServerHello or a HelloRetryRequest.
2445
     */
2446
0
    mbedtls_ssl_handshake_set_state(
2447
0
        ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);
2448
#else
2449
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2450
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2451
2452
0
cleanup:
2453
2454
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2455
0
    return ret;
2456
0
}
2457
2458
2459
/*
2460
 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2461
 */
2462
MBEDTLS_CHECK_RETURN_CRITICAL
2463
static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
2464
0
{
2465
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2466
0
    if (ssl->handshake->hello_retry_request_flag) {
2467
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
2468
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2469
0
                                     MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2470
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2471
0
    }
2472
2473
    /*
2474
     * Create stateless transcript hash for HRR
2475
     */
2476
0
    MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));
2477
0
    ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);
2478
0
    if (ret != 0) {
2479
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);
2480
0
        return ret;
2481
0
    }
2482
0
    mbedtls_ssl_session_reset_msg_layer(ssl, 0);
2483
2484
0
    return 0;
2485
0
}
2486
2487
MBEDTLS_CHECK_RETURN_CRITICAL
2488
static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
2489
0
{
2490
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2491
0
    unsigned char *buf;
2492
0
    size_t buf_len, msg_len;
2493
2494
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));
2495
2496
0
    MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));
2497
2498
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2499
0
                             ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2500
0
                             &buf, &buf_len));
2501
2502
0
    MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2503
0
                                                           buf + buf_len,
2504
0
                                                           &msg_len,
2505
0
                                                           1));
2506
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2507
0
                             ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2508
2509
2510
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
2511
0
                                                          msg_len));
2512
2513
0
    ssl->handshake->hello_retry_request_flag = 1;
2514
2515
0
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2516
    /* The server sends a dummy change_cipher_spec record immediately
2517
     * after its first handshake message. This may either be after
2518
     * a ServerHello or a HelloRetryRequest.
2519
     */
2520
0
    mbedtls_ssl_handshake_set_state(
2521
0
        ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);
2522
#else
2523
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2524
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2525
2526
0
cleanup:
2527
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));
2528
0
    return ret;
2529
0
}
2530
2531
/*
2532
 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2533
 */
2534
2535
/*
2536
 * struct {
2537
 *    Extension extensions<0..2 ^ 16 - 1>;
2538
 * } EncryptedExtensions;
2539
 *
2540
 */
2541
MBEDTLS_CHECK_RETURN_CRITICAL
2542
static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
2543
                                                     unsigned char *buf,
2544
                                                     unsigned char *end,
2545
                                                     size_t *out_len)
2546
0
{
2547
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2548
0
    unsigned char *p = buf;
2549
0
    size_t extensions_len = 0;
2550
0
    unsigned char *p_extensions_len;
2551
0
    size_t output_len;
2552
2553
0
    *out_len = 0;
2554
2555
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2556
0
    p_extensions_len = p;
2557
0
    p += 2;
2558
2559
0
    ((void) ssl);
2560
0
    ((void) ret);
2561
0
    ((void) output_len);
2562
2563
0
#if defined(MBEDTLS_SSL_ALPN)
2564
0
    ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);
2565
0
    if (ret != 0) {
2566
0
        return ret;
2567
0
    }
2568
0
    p += output_len;
2569
0
#endif /* MBEDTLS_SSL_ALPN */
2570
2571
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
2572
0
    if (ssl->handshake->early_data_accepted) {
2573
0
        ret = mbedtls_ssl_tls13_write_early_data_ext(
2574
0
            ssl, 0, p, end, &output_len);
2575
0
        if (ret != 0) {
2576
0
            return ret;
2577
0
        }
2578
0
        p += output_len;
2579
0
    }
2580
0
#endif /* MBEDTLS_SSL_EARLY_DATA */
2581
2582
0
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2583
0
    if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) {
2584
0
        ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
2585
0
            ssl, p, end, &output_len);
2586
0
        if (ret != 0) {
2587
0
            return ret;
2588
0
        }
2589
0
        p += output_len;
2590
0
    }
2591
0
#endif
2592
2593
0
    extensions_len = (p - p_extensions_len) - 2;
2594
0
    MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
2595
2596
0
    *out_len = p - buf;
2597
2598
0
    MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);
2599
2600
0
    MBEDTLS_SSL_PRINT_EXTS(
2601
0
        3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);
2602
2603
0
    return 0;
2604
0
}
2605
2606
MBEDTLS_CHECK_RETURN_CRITICAL
2607
static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
2608
0
{
2609
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2610
0
    unsigned char *buf;
2611
0
    size_t buf_len, msg_len;
2612
2613
0
    mbedtls_ssl_set_outbound_transform(ssl,
2614
0
                                       ssl->handshake->transform_handshake);
2615
0
    MBEDTLS_SSL_DEBUG_MSG(
2616
0
        3, ("switching to handshake transform for outbound data"));
2617
2618
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
2619
2620
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2621
0
                             ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2622
0
                             &buf, &buf_len));
2623
2624
0
    MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
2625
0
                             ssl, buf, buf + buf_len, &msg_len));
2626
2627
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2628
0
                             ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2629
0
                             buf, msg_len));
2630
2631
0
    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2632
0
                             ssl, buf_len, msg_len));
2633
2634
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2635
0
    if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2636
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2637
0
    } else {
2638
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2639
0
    }
2640
#else
2641
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2642
#endif
2643
2644
0
cleanup:
2645
2646
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));
2647
0
    return ret;
2648
0
}
2649
2650
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2651
0
#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2652
0
#define SSL_CERTIFICATE_REQUEST_SKIP         1
2653
/* Coordination:
2654
 * Check whether a CertificateRequest message should be written.
2655
 * Returns a negative code on failure, or
2656
 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2657
 * - SSL_CERTIFICATE_REQUEST_SKIP
2658
 * indicating if the writing of the CertificateRequest
2659
 * should be skipped or not.
2660
 */
2661
MBEDTLS_CHECK_RETURN_CRITICAL
2662
static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
2663
0
{
2664
0
    int authmode;
2665
2666
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2667
0
    if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2668
0
        authmode = ssl->handshake->sni_authmode;
2669
0
    } else
2670
0
#endif
2671
0
    authmode = ssl->conf->authmode;
2672
2673
0
    if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
2674
0
        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2675
0
        return SSL_CERTIFICATE_REQUEST_SKIP;
2676
0
    }
2677
2678
0
    ssl->handshake->certificate_request_sent = 1;
2679
2680
0
    return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;
2681
0
}
2682
2683
/*
2684
 * struct {
2685
 *   opaque certificate_request_context<0..2^8-1>;
2686
 *   Extension extensions<2..2^16-1>;
2687
 * } CertificateRequest;
2688
 *
2689
 */
2690
MBEDTLS_CHECK_RETURN_CRITICAL
2691
static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,
2692
                                                    unsigned char *buf,
2693
                                                    const unsigned char *end,
2694
                                                    size_t *out_len)
2695
0
{
2696
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2697
0
    unsigned char *p = buf;
2698
0
    size_t output_len = 0;
2699
0
    unsigned char *p_extensions_len;
2700
2701
0
    *out_len = 0;
2702
2703
    /* Check if we have enough space:
2704
     * - certificate_request_context (1 byte)
2705
     * - extensions length           (2 bytes)
2706
     */
2707
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
2708
2709
    /*
2710
     * Write certificate_request_context
2711
     */
2712
    /*
2713
     * We use a zero length context for the normal handshake
2714
     * messages. For post-authentication handshake messages
2715
     * this request context would be set to a non-zero value.
2716
     */
2717
0
    *p++ = 0x0;
2718
2719
    /*
2720
     * Write extensions
2721
     */
2722
    /* The extensions must contain the signature_algorithms. */
2723
0
    p_extensions_len = p;
2724
0
    p += 2;
2725
0
    ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
2726
0
    if (ret != 0) {
2727
0
        return ret;
2728
0
    }
2729
2730
0
    p += output_len;
2731
0
    MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2732
2733
0
    *out_len = p - buf;
2734
2735
0
    MBEDTLS_SSL_PRINT_EXTS(
2736
0
        3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);
2737
2738
0
    return 0;
2739
0
}
2740
2741
MBEDTLS_CHECK_RETURN_CRITICAL
2742
static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
2743
0
{
2744
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2745
2746
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2747
2748
0
    MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
2749
2750
0
    if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {
2751
0
        unsigned char *buf;
2752
0
        size_t buf_len, msg_len;
2753
2754
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2755
0
                                 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2756
0
                                 &buf, &buf_len));
2757
2758
0
        MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
2759
0
                                 ssl, buf, buf + buf_len, &msg_len));
2760
2761
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2762
0
                                 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2763
0
                                 buf, msg_len));
2764
2765
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2766
0
                                 ssl, buf_len, msg_len));
2767
0
    } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2768
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2769
0
        ret = 0;
2770
0
    } else {
2771
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2772
0
        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2773
0
        goto cleanup;
2774
0
    }
2775
2776
0
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
2777
0
cleanup:
2778
2779
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2780
0
    return ret;
2781
0
}
2782
2783
/*
2784
 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2785
 */
2786
MBEDTLS_CHECK_RETURN_CRITICAL
2787
static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)
2788
0
{
2789
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2790
2791
0
#if defined(MBEDTLS_X509_CRT_PARSE_C)
2792
0
    if ((ssl_tls13_pick_key_cert(ssl) != 0) ||
2793
0
        mbedtls_ssl_own_cert(ssl) == NULL) {
2794
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));
2795
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2796
0
                                     MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2797
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2798
0
    }
2799
0
#endif /* MBEDTLS_X509_CRT_PARSE_C */
2800
2801
0
    ret = mbedtls_ssl_tls13_write_certificate(ssl);
2802
0
    if (ret != 0) {
2803
0
        return ret;
2804
0
    }
2805
0
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2806
0
    return 0;
2807
0
}
2808
2809
/*
2810
 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2811
 */
2812
MBEDTLS_CHECK_RETURN_CRITICAL
2813
static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
2814
0
{
2815
0
    int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2816
0
    if (ret != 0) {
2817
0
        return ret;
2818
0
    }
2819
0
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2820
0
    return 0;
2821
0
}
2822
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2823
2824
/*
2825
 * RFC 8446 section A.2
2826
 *
2827
 *                                | Send ServerHello
2828
 *                                | K_send = handshake
2829
 *                                | Send EncryptedExtensions
2830
 *                                | [Send CertificateRequest]
2831
 * Can send                       | [Send Certificate + CertificateVerify]
2832
 * app data                       | Send Finished
2833
 * after   -->                    | K_send = application
2834
 * here                  +--------+--------+
2835
 *              No 0-RTT |                 | 0-RTT
2836
 *                       |                 |
2837
 *   K_recv = handshake  |                 | K_recv = early data
2838
 * [Skip decrypt errors] |    +------> WAIT_EOED -+
2839
 *                       |    |       Recv |      | Recv EndOfEarlyData
2840
 *                       |    | early data |      | K_recv = handshake
2841
 *                       |    +------------+      |
2842
 *                       |                        |
2843
 *                       +> WAIT_FLIGHT2 <--------+
2844
 *                                |
2845
 *                       +--------+--------+
2846
 *               No auth |                 | Client auth
2847
 *                       |                 |
2848
 *                       |                 v
2849
 *                       |             WAIT_CERT
2850
 *                       |        Recv |       | Recv Certificate
2851
 *                       |       empty |       v
2852
 *                       | Certificate |    WAIT_CV
2853
 *                       |             |       | Recv
2854
 *                       |             v       | CertificateVerify
2855
 *                       +-> WAIT_FINISHED <---+
2856
 *                                | Recv Finished
2857
 *
2858
 *
2859
 * The following function handles the state changes after WAIT_FLIGHT2 in the
2860
 * above diagram. We are not going to receive early data related messages
2861
 * anymore, prepare to receive the first handshake message of the client
2862
 * second flight.
2863
 */
2864
static void ssl_tls13_prepare_for_handshake_second_flight(
2865
    mbedtls_ssl_context *ssl)
2866
0
{
2867
0
    if (ssl->handshake->certificate_request_sent) {
2868
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2869
0
    } else {
2870
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
2871
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
2872
2873
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2874
0
    }
2875
0
}
2876
2877
/*
2878
 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2879
 */
2880
MBEDTLS_CHECK_RETURN_CRITICAL
2881
static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
2882
0
{
2883
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2884
2885
0
    ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2886
0
    if (ret != 0) {
2887
0
        return ret;
2888
0
    }
2889
2890
0
    ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2891
0
    if (ret != 0) {
2892
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(
2893
0
            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2894
0
            MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2895
0
        return ret;
2896
0
    }
2897
2898
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
2899
0
    if (ssl->handshake->early_data_accepted) {
2900
        /* See RFC 8446 section A.2 for more information */
2901
0
        MBEDTLS_SSL_DEBUG_MSG(
2902
0
            1, ("Switch to early keys for inbound traffic. "
2903
0
                "( K_recv = early data )"));
2904
0
        mbedtls_ssl_set_inbound_transform(
2905
0
            ssl, ssl->handshake->transform_earlydata);
2906
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
2907
0
        return 0;
2908
0
    }
2909
0
#endif /* MBEDTLS_SSL_EARLY_DATA */
2910
0
    MBEDTLS_SSL_DEBUG_MSG(
2911
0
        1, ("Switch to handshake keys for inbound traffic "
2912
0
            "( K_recv = handshake )"));
2913
0
    mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
2914
2915
0
    ssl_tls13_prepare_for_handshake_second_flight(ssl);
2916
2917
0
    return 0;
2918
0
}
2919
2920
#if defined(MBEDTLS_SSL_EARLY_DATA)
2921
/*
2922
 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2923
 */
2924
0
#define SSL_GOT_END_OF_EARLY_DATA      0
2925
0
#define SSL_GOT_EARLY_DATA             1
2926
/* Coordination:
2927
 * Deals with the ambiguity of not knowing if the next message is an
2928
 * EndOfEarlyData message or an application message containing early data.
2929
 * Returns a negative code on failure, or
2930
 * - SSL_GOT_END_OF_EARLY_DATA
2931
 * - SSL_GOT_EARLY_DATA
2932
 * indicating which message is received.
2933
 */
2934
MBEDTLS_CHECK_RETURN_CRITICAL
2935
static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl)
2936
0
{
2937
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2938
2939
0
    if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2940
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2941
0
        return ret;
2942
0
    }
2943
0
    ssl->keep_current_message = 1;
2944
2945
0
    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE        &&
2946
0
        ssl->in_msg[0]  == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) {
2947
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("Received an end_of_early_data message."));
2948
0
        return SSL_GOT_END_OF_EARLY_DATA;
2949
0
    }
2950
2951
0
    if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
2952
0
        if (ssl->in_offt == NULL) {
2953
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
2954
            /* Set the reading pointer */
2955
0
            ssl->in_offt = ssl->in_msg;
2956
0
            ret = mbedtls_ssl_tls13_check_early_data_len(ssl, ssl->in_msglen);
2957
0
            if (ret != 0) {
2958
0
                return ret;
2959
0
            }
2960
0
        }
2961
0
        return SSL_GOT_EARLY_DATA;
2962
0
    }
2963
2964
0
    MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
2965
0
                                 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
2966
0
    return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2967
0
}
2968
2969
MBEDTLS_CHECK_RETURN_CRITICAL
2970
static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl,
2971
                                             const unsigned char *buf,
2972
                                             const unsigned char *end)
2973
0
{
2974
    /* RFC 8446 section 4.5
2975
     *
2976
     * struct {} EndOfEarlyData;
2977
     */
2978
0
    if (buf != end) {
2979
0
        MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2980
0
                                     MBEDTLS_ERR_SSL_DECODE_ERROR);
2981
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
2982
0
    }
2983
0
    return 0;
2984
0
}
2985
2986
/*
2987
 * RFC 8446 section A.2
2988
 *
2989
 *                                | Send ServerHello
2990
 *                                | K_send = handshake
2991
 *                                | Send EncryptedExtensions
2992
 *                                | [Send CertificateRequest]
2993
 * Can send                       | [Send Certificate + CertificateVerify]
2994
 * app data                       | Send Finished
2995
 * after   -->                    | K_send = application
2996
 * here                  +--------+--------+
2997
 *              No 0-RTT |                 | 0-RTT
2998
 *                       |                 |
2999
 *   K_recv = handshake  |                 | K_recv = early data
3000
 * [Skip decrypt errors] |    +------> WAIT_EOED -+
3001
 *                       |    |       Recv |      | Recv EndOfEarlyData
3002
 *                       |    | early data |      | K_recv = handshake
3003
 *                       |    +------------+      |
3004
 *                       |                        |
3005
 *                       +> WAIT_FLIGHT2 <--------+
3006
 *                                |
3007
 *                       +--------+--------+
3008
 *               No auth |                 | Client auth
3009
 *                       |                 |
3010
 *                       |                 v
3011
 *                       |             WAIT_CERT
3012
 *                       |        Recv |       | Recv Certificate
3013
 *                       |       empty |       v
3014
 *                       | Certificate |    WAIT_CV
3015
 *                       |             |       | Recv
3016
 *                       |             v       | CertificateVerify
3017
 *                       +-> WAIT_FINISHED <---+
3018
 *                                | Recv Finished
3019
 *
3020
 * The function handles actions and state changes from 0-RTT to WAIT_FLIGHT2 in
3021
 * the above diagram.
3022
 */
3023
MBEDTLS_CHECK_RETURN_CRITICAL
3024
static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl)
3025
0
{
3026
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3027
3028
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_end_of_early_data"));
3029
3030
0
    MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_end_of_early_data_coordinate(ssl));
3031
3032
0
    if (ret == SSL_GOT_END_OF_EARLY_DATA) {
3033
0
        unsigned char *buf;
3034
0
        size_t buf_len;
3035
3036
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
3037
0
                                 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
3038
0
                                 &buf, &buf_len));
3039
3040
0
        MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data(
3041
0
                                 ssl, buf, buf + buf_len));
3042
3043
0
        MBEDTLS_SSL_DEBUG_MSG(
3044
0
            1, ("Switch to handshake keys for inbound traffic"
3045
0
                "( K_recv = handshake )"));
3046
0
        mbedtls_ssl_set_inbound_transform(
3047
0
            ssl, ssl->handshake->transform_handshake);
3048
3049
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
3050
0
                                 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
3051
0
                                 buf, buf_len));
3052
3053
0
        ssl_tls13_prepare_for_handshake_second_flight(ssl);
3054
3055
0
    } else if (ret == SSL_GOT_EARLY_DATA) {
3056
0
        ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA;
3057
0
        goto cleanup;
3058
0
    } else {
3059
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3060
0
        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3061
0
        goto cleanup;
3062
0
    }
3063
3064
0
cleanup:
3065
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_end_of_early_data"));
3066
0
    return ret;
3067
0
}
3068
#endif /* MBEDTLS_SSL_EARLY_DATA */
3069
3070
/*
3071
 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
3072
 */
3073
MBEDTLS_CHECK_RETURN_CRITICAL
3074
static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
3075
0
{
3076
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3077
3078
0
    ret = mbedtls_ssl_tls13_process_finished_message(ssl);
3079
0
    if (ret != 0) {
3080
0
        return ret;
3081
0
    }
3082
3083
0
    ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
3084
0
    if (ret != 0) {
3085
0
        MBEDTLS_SSL_DEBUG_RET(
3086
0
            1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
3087
0
    }
3088
3089
0
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
3090
0
    return 0;
3091
0
}
3092
3093
/*
3094
 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
3095
 */
3096
MBEDTLS_CHECK_RETURN_CRITICAL
3097
static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
3098
0
{
3099
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3100
3101
0
    mbedtls_ssl_tls13_handshake_wrapup(ssl);
3102
3103
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
3104
0
    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
3105
/* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires
3106
 *       SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is
3107
 *       expected to be resolved with issue#6395.
3108
 */
3109
    /* Sent NewSessionTicket message only when client supports PSK */
3110
0
    if (mbedtls_ssl_tls13_is_some_psk_supported(ssl)) {
3111
0
        mbedtls_ssl_handshake_set_state(
3112
0
            ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
3113
0
    } else
3114
0
#endif
3115
0
    {
3116
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3117
0
    }
3118
0
    return 0;
3119
0
}
3120
3121
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3122
/*
3123
 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3124
 */
3125
0
#define SSL_NEW_SESSION_TICKET_SKIP  0
3126
0
#define SSL_NEW_SESSION_TICKET_WRITE 1
3127
MBEDTLS_CHECK_RETURN_CRITICAL
3128
static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)
3129
0
{
3130
    /* Check whether the use of session tickets is enabled */
3131
0
    if (ssl->conf->f_ticket_write == NULL) {
3132
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
3133
0
                                  " callback is not set"));
3134
0
        return SSL_NEW_SESSION_TICKET_SKIP;
3135
0
    }
3136
0
    if (ssl->conf->new_session_tickets_count == 0) {
3137
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
3138
0
                                  " configured count is zero"));
3139
0
        return SSL_NEW_SESSION_TICKET_SKIP;
3140
0
    }
3141
3142
0
    if (ssl->handshake->new_session_tickets_count == 0) {
3143
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "
3144
0
                                  "been sent."));
3145
0
        return SSL_NEW_SESSION_TICKET_SKIP;
3146
0
    }
3147
3148
0
    return SSL_NEW_SESSION_TICKET_WRITE;
3149
0
}
3150
3151
MBEDTLS_CHECK_RETURN_CRITICAL
3152
static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
3153
                                                unsigned char *ticket_nonce,
3154
                                                size_t ticket_nonce_size)
3155
0
{
3156
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3157
0
    mbedtls_ssl_session *session = ssl->session;
3158
0
    mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3159
0
    psa_algorithm_t psa_hash_alg;
3160
0
    int hash_length;
3161
3162
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
3163
3164
    /* Set ticket_flags depends on the advertised psk key exchange mode */
3165
0
    mbedtls_ssl_tls13_session_clear_ticket_flags(
3166
0
        session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
3167
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
3168
0
    mbedtls_ssl_tls13_session_set_ticket_flags(
3169
0
        session, ssl->handshake->tls13_kex_modes);
3170
0
#endif
3171
3172
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
3173
0
    if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
3174
0
        ssl->conf->max_early_data_size > 0) {
3175
0
        mbedtls_ssl_tls13_session_set_ticket_flags(
3176
0
            session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
3177
0
        session->max_early_data_size = ssl->conf->max_early_data_size;
3178
0
    }
3179
0
#endif /* MBEDTLS_SSL_EARLY_DATA */
3180
3181
0
    MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
3182
3183
0
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3184
0
    if (session->ticket_alpn == NULL) {
3185
0
        ret = mbedtls_ssl_session_set_ticket_alpn(session, ssl->alpn_chosen);
3186
0
        if (ret != 0) {
3187
0
            return ret;
3188
0
        }
3189
0
    }
3190
0
#endif
3191
3192
    /* Generate ticket_age_add */
3193
0
    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
3194
0
                                (unsigned char *) &session->ticket_age_add,
3195
0
                                sizeof(session->ticket_age_add)) != 0)) {
3196
0
        MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
3197
0
        return ret;
3198
0
    }
3199
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
3200
0
                              (unsigned int) session->ticket_age_add));
3201
3202
    /* Generate ticket_nonce */
3203
0
    ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
3204
0
    if (ret != 0) {
3205
0
        MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
3206
0
        return ret;
3207
0
    }
3208
0
    MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",
3209
0
                          ticket_nonce, ticket_nonce_size);
3210
3211
0
    ciphersuite_info =
3212
0
        (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
3213
0
    psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
3214
0
    hash_length = PSA_HASH_LENGTH(psa_hash_alg);
3215
0
    if (hash_length == -1 ||
3216
0
        (size_t) hash_length > sizeof(session->resumption_key)) {
3217
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3218
0
    }
3219
3220
    /* In this code the psk key length equals the length of the hash */
3221
0
    session->resumption_key_len = hash_length;
3222
0
    session->ciphersuite = ciphersuite_info->id;
3223
3224
    /* Compute resumption key
3225
     *
3226
     *  HKDF-Expand-Label( resumption_master_secret,
3227
     *                    "resumption", ticket_nonce, Hash.length )
3228
     */
3229
0
    ret = mbedtls_ssl_tls13_hkdf_expand_label(
3230
0
        psa_hash_alg,
3231
0
        session->app_secrets.resumption_master_secret,
3232
0
        hash_length,
3233
0
        MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
3234
0
        ticket_nonce,
3235
0
        ticket_nonce_size,
3236
0
        session->resumption_key,
3237
0
        hash_length);
3238
3239
0
    if (ret != 0) {
3240
0
        MBEDTLS_SSL_DEBUG_RET(2,
3241
0
                              "Creating the ticket-resumed PSK failed",
3242
0
                              ret);
3243
0
        return ret;
3244
0
    }
3245
0
    MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
3246
0
                          session->resumption_key,
3247
0
                          session->resumption_key_len);
3248
3249
0
    MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
3250
0
                          session->app_secrets.resumption_master_secret,
3251
0
                          hash_length);
3252
3253
0
    return 0;
3254
0
}
3255
3256
/* This function creates a NewSessionTicket message in the following format:
3257
 *
3258
 * struct {
3259
 *    uint32 ticket_lifetime;
3260
 *    uint32 ticket_age_add;
3261
 *    opaque ticket_nonce<0..255>;
3262
 *    opaque ticket<1..2^16-1>;
3263
 *    Extension extensions<0..2^16-2>;
3264
 * } NewSessionTicket;
3265
 *
3266
 * The ticket inside the NewSessionTicket message is an encrypted container
3267
 * carrying the necessary information so that the server is later able to
3268
 * re-start the communication.
3269
 *
3270
 * The following fields are placed inside the ticket by the
3271
 * f_ticket_write() function:
3272
 *
3273
 *  - creation time (ticket_creation_time)
3274
 *  - flags (ticket_flags)
3275
 *  - age add (ticket_age_add)
3276
 *  - key (resumption_key)
3277
 *  - key length (resumption_key_len)
3278
 *  - ciphersuite (ciphersuite)
3279
 *  - max_early_data_size (max_early_data_size)
3280
 */
3281
MBEDTLS_CHECK_RETURN_CRITICAL
3282
static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
3283
                                                   unsigned char *buf,
3284
                                                   unsigned char *end,
3285
                                                   size_t *out_len,
3286
                                                   unsigned char *ticket_nonce,
3287
                                                   size_t ticket_nonce_size)
3288
0
{
3289
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3290
0
    unsigned char *p = buf;
3291
0
    mbedtls_ssl_session *session = ssl->session;
3292
0
    size_t ticket_len;
3293
0
    uint32_t ticket_lifetime;
3294
0
    unsigned char *p_extensions_len;
3295
3296
0
    *out_len = 0;
3297
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
3298
3299
    /*
3300
     *    ticket_lifetime   4 bytes
3301
     *    ticket_age_add    4 bytes
3302
     *    ticket_nonce      1 + ticket_nonce_size bytes
3303
     *    ticket            >=2 bytes
3304
     */
3305
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
3306
3307
    /* Generate ticket and ticket_lifetime */
3308
0
#if defined(MBEDTLS_HAVE_TIME)
3309
0
    session->ticket_creation_time = mbedtls_ms_time();
3310
0
#endif
3311
0
    ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
3312
0
                                    session,
3313
0
                                    p + 9 + ticket_nonce_size + 2,
3314
0
                                    end,
3315
0
                                    &ticket_len,
3316
0
                                    &ticket_lifetime);
3317
0
    if (ret != 0) {
3318
0
        MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
3319
0
        return ret;
3320
0
    }
3321
3322
    /* RFC 8446 section 4.6.1
3323
     *
3324
     *  ticket_lifetime:  Indicates the lifetime in seconds as a 32-bit
3325
     *     unsigned integer in network byte order from the time of ticket
3326
     *     issuance.  Servers MUST NOT use any value greater than
3327
     *     604800 seconds (7 days) ...
3328
     */
3329
0
    if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
3330
0
        MBEDTLS_SSL_DEBUG_MSG(
3331
0
            1, ("Ticket lifetime (%u) is greater than 7 days.",
3332
0
                (unsigned int) ticket_lifetime));
3333
0
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3334
0
    }
3335
3336
0
    MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
3337
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
3338
0
                              (unsigned int) ticket_lifetime));
3339
3340
    /* Write ticket_age_add */
3341
0
    MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);
3342
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
3343
0
                              (unsigned int) session->ticket_age_add));
3344
3345
    /* Write ticket_nonce */
3346
0
    p[8] = (unsigned char) ticket_nonce_size;
3347
0
    if (ticket_nonce_size > 0) {
3348
0
        memcpy(p + 9, ticket_nonce, ticket_nonce_size);
3349
0
    }
3350
0
    p += 9 + ticket_nonce_size;
3351
3352
    /* Write ticket */
3353
0
    MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);
3354
0
    p += 2;
3355
0
    MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);
3356
0
    p += ticket_len;
3357
3358
    /* Ticket Extensions
3359
     *
3360
     * Extension extensions<0..2^16-2>;
3361
     */
3362
0
    ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
3363
3364
0
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
3365
0
    p_extensions_len = p;
3366
0
    p += 2;
3367
3368
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
3369
0
    if (mbedtls_ssl_tls13_session_ticket_allow_early_data(session)) {
3370
0
        size_t output_len;
3371
3372
0
        if ((ret = mbedtls_ssl_tls13_write_early_data_ext(
3373
0
                 ssl, 1, p, end, &output_len)) != 0) {
3374
0
            MBEDTLS_SSL_DEBUG_RET(
3375
0
                1, "mbedtls_ssl_tls13_write_early_data_ext", ret);
3376
0
            return ret;
3377
0
        }
3378
0
        p += output_len;
3379
0
    } else {
3380
0
        MBEDTLS_SSL_DEBUG_MSG(
3381
0
            4, ("early_data not allowed, "
3382
0
                "skip early_data extension in NewSessionTicket"));
3383
0
    }
3384
3385
0
#endif /* MBEDTLS_SSL_EARLY_DATA */
3386
3387
0
    MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
3388
3389
0
    *out_len = p - buf;
3390
0
    MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
3391
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
3392
3393
0
    MBEDTLS_SSL_PRINT_EXTS(
3394
0
        3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);
3395
3396
0
    return 0;
3397
0
}
3398
3399
/*
3400
 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3401
 */
3402
static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
3403
0
{
3404
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3405
3406
0
    MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));
3407
3408
0
    if (ret == SSL_NEW_SESSION_TICKET_WRITE) {
3409
0
        unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
3410
0
        unsigned char *buf;
3411
0
        size_t buf_len, msg_len;
3412
3413
0
        MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
3414
0
                                 ssl, ticket_nonce, sizeof(ticket_nonce)));
3415
3416
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
3417
0
                                 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
3418
0
                                 &buf, &buf_len));
3419
3420
0
        MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
3421
0
                                 ssl, buf, buf + buf_len, &msg_len,
3422
0
                                 ticket_nonce, sizeof(ticket_nonce)));
3423
3424
0
        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
3425
0
                                 ssl, buf_len, msg_len));
3426
3427
        /* Limit session tickets count to one when resumption connection.
3428
         *
3429
         * See document of mbedtls_ssl_conf_new_session_tickets.
3430
         */
3431
0
        if (ssl->handshake->resume == 1) {
3432
0
            ssl->handshake->new_session_tickets_count = 0;
3433
0
        } else {
3434
0
            ssl->handshake->new_session_tickets_count--;
3435
0
        }
3436
3437
0
        mbedtls_ssl_handshake_set_state(
3438
0
            ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);
3439
0
    } else {
3440
0
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3441
0
    }
3442
3443
0
cleanup:
3444
3445
0
    return ret;
3446
0
}
3447
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3448
3449
/*
3450
 * TLS 1.3 State Machine -- server side
3451
 */
3452
int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
3453
3.19k
{
3454
3.19k
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3455
3456
3.19k
    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
3457
0
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3458
0
    }
3459
3460
3.19k
    MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",
3461
3.19k
                              mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state),
3462
3.19k
                              ssl->state));
3463
3464
3.19k
    switch (ssl->state) {
3465
        /* start state */
3466
1.59k
        case MBEDTLS_SSL_HELLO_REQUEST:
3467
1.59k
            mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3468
1.59k
            ret = 0;
3469
1.59k
            break;
3470
3471
1.59k
        case MBEDTLS_SSL_CLIENT_HELLO:
3472
1.59k
            ret = ssl_tls13_process_client_hello(ssl);
3473
1.59k
            if (ret != 0) {
3474
433
                MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);
3475
433
            }
3476
1.59k
            break;
3477
3478
0
        case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
3479
0
            ret = ssl_tls13_write_hello_retry_request(ssl);
3480
0
            if (ret != 0) {
3481
0
                MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);
3482
0
                return ret;
3483
0
            }
3484
0
            break;
3485
3486
0
        case MBEDTLS_SSL_SERVER_HELLO:
3487
0
            ret = ssl_tls13_write_server_hello(ssl);
3488
0
            break;
3489
3490
0
        case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
3491
0
            ret = ssl_tls13_write_encrypted_extensions(ssl);
3492
0
            if (ret != 0) {
3493
0
                MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);
3494
0
                return ret;
3495
0
            }
3496
0
            break;
3497
3498
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3499
0
        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3500
0
            ret = ssl_tls13_write_certificate_request(ssl);
3501
0
            break;
3502
3503
0
        case MBEDTLS_SSL_SERVER_CERTIFICATE:
3504
0
            ret = ssl_tls13_write_server_certificate(ssl);
3505
0
            break;
3506
3507
0
        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3508
0
            ret = ssl_tls13_write_certificate_verify(ssl);
3509
0
            break;
3510
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3511
3512
            /*
3513
             * Injection of dummy-CCS's for middlebox compatibility
3514
             */
3515
0
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
3516
0
        case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
3517
0
            ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3518
0
            if (ret == 0) {
3519
0
                mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3520
0
            }
3521
0
            break;
3522
3523
0
        case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
3524
0
            ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3525
0
            if (ret != 0) {
3526
0
                break;
3527
0
            }
3528
0
            mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
3529
0
            break;
3530
0
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3531
3532
0
        case MBEDTLS_SSL_SERVER_FINISHED:
3533
0
            ret = ssl_tls13_write_server_finished(ssl);
3534
0
            break;
3535
3536
0
#if defined(MBEDTLS_SSL_EARLY_DATA)
3537
0
        case MBEDTLS_SSL_END_OF_EARLY_DATA:
3538
0
            ret = ssl_tls13_process_end_of_early_data(ssl);
3539
0
            break;
3540
0
#endif /* MBEDTLS_SSL_EARLY_DATA */
3541
3542
0
        case MBEDTLS_SSL_CLIENT_FINISHED:
3543
0
            ret = ssl_tls13_process_client_finished(ssl);
3544
0
            break;
3545
3546
0
        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3547
0
            ret = ssl_tls13_handshake_wrapup(ssl);
3548
0
            break;
3549
3550
0
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3551
0
        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3552
0
            ret = mbedtls_ssl_tls13_process_certificate(ssl);
3553
0
            if (ret == 0) {
3554
0
                if (ssl->session_negotiate->peer_cert != NULL) {
3555
0
                    mbedtls_ssl_handshake_set_state(
3556
0
                        ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
3557
0
                } else {
3558
0
                    MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
3559
0
                    mbedtls_ssl_handshake_set_state(
3560
0
                        ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3561
0
                }
3562
0
            }
3563
0
            break;
3564
3565
0
        case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3566
0
            ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
3567
0
            if (ret == 0) {
3568
0
                mbedtls_ssl_handshake_set_state(
3569
0
                    ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3570
0
            }
3571
0
            break;
3572
0
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3573
3574
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3575
0
        case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
3576
0
            ret = ssl_tls13_write_new_session_ticket(ssl);
3577
0
            if (ret != 0) {
3578
0
                MBEDTLS_SSL_DEBUG_RET(1,
3579
0
                                      "ssl_tls13_write_new_session_ticket ",
3580
0
                                      ret);
3581
0
            }
3582
0
            break;
3583
0
        case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
3584
            /* This state is necessary to do the flush of the New Session
3585
             * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3586
             * as part of ssl_prepare_handshake_step.
3587
             */
3588
0
            ret = 0;
3589
3590
0
            if (ssl->handshake->new_session_tickets_count == 0) {
3591
0
                mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3592
0
            } else {
3593
0
                mbedtls_ssl_handshake_set_state(
3594
0
                    ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
3595
0
            }
3596
0
            break;
3597
3598
0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3599
3600
0
        default:
3601
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3602
0
            return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3603
3.19k
    }
3604
3605
3.19k
    return ret;
3606
3.19k
}
3607
3608
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */