edhoc 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (672) hide show
  1. package/binding.gyp +64 -0
  2. package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_decode.h +35 -0
  3. package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_encode.h +35 -0
  4. package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_types.h +34 -0
  5. package/external/libedhoc/backends/cbor/include/backend_cbor_ead_decode.h +35 -0
  6. package/external/libedhoc/backends/cbor/include/backend_cbor_ead_encode.h +35 -0
  7. package/external/libedhoc/backends/cbor/include/backend_cbor_edhoc_types.h +97 -0
  8. package/external/libedhoc/backends/cbor/include/backend_cbor_enc_structure_decode.h +35 -0
  9. package/external/libedhoc/backends/cbor/include/backend_cbor_enc_structure_encode.h +35 -0
  10. package/external/libedhoc/backends/cbor/include/backend_cbor_enc_structure_types.h +37 -0
  11. package/external/libedhoc/backends/cbor/include/backend_cbor_id_cred_x_decode.h +35 -0
  12. package/external/libedhoc/backends/cbor/include/backend_cbor_id_cred_x_encode.h +35 -0
  13. package/external/libedhoc/backends/cbor/include/backend_cbor_info_decode.h +35 -0
  14. package/external/libedhoc/backends/cbor/include/backend_cbor_info_encode.h +35 -0
  15. package/external/libedhoc/backends/cbor/include/backend_cbor_int_type_decode.h +35 -0
  16. package/external/libedhoc/backends/cbor/include/backend_cbor_int_type_encode.h +35 -0
  17. package/external/libedhoc/backends/cbor/include/backend_cbor_int_type_types.h +34 -0
  18. package/external/libedhoc/backends/cbor/include/backend_cbor_message_1_decode.h +35 -0
  19. package/external/libedhoc/backends/cbor/include/backend_cbor_message_1_encode.h +35 -0
  20. package/external/libedhoc/backends/cbor/include/backend_cbor_message_2_decode.h +35 -0
  21. package/external/libedhoc/backends/cbor/include/backend_cbor_message_2_encode.h +35 -0
  22. package/external/libedhoc/backends/cbor/include/backend_cbor_message_3_decode.h +35 -0
  23. package/external/libedhoc/backends/cbor/include/backend_cbor_message_3_encode.h +35 -0
  24. package/external/libedhoc/backends/cbor/include/backend_cbor_message_4_decode.h +35 -0
  25. package/external/libedhoc/backends/cbor/include/backend_cbor_message_4_encode.h +35 -0
  26. package/external/libedhoc/backends/cbor/include/backend_cbor_message_error_decode.h +35 -0
  27. package/external/libedhoc/backends/cbor/include/backend_cbor_message_error_encode.h +35 -0
  28. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_2_decode.h +35 -0
  29. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_2_encode.h +35 -0
  30. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_3_decode.h +35 -0
  31. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_3_encode.h +35 -0
  32. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_4_decode.h +35 -0
  33. package/external/libedhoc/backends/cbor/include/backend_cbor_plaintext_4_encode.h +35 -0
  34. package/external/libedhoc/backends/cbor/include/backend_cbor_sig_structure_decode.h +35 -0
  35. package/external/libedhoc/backends/cbor/include/backend_cbor_sig_structure_encode.h +35 -0
  36. package/external/libedhoc/backends/cbor/include/backend_cbor_sig_structure_types.h +38 -0
  37. package/external/libedhoc/backends/cbor/include/backend_cbor_x509_types.h +170 -0
  38. package/external/libedhoc/backends/cbor/src/backend_cbor_bstr_type_decode.c +59 -0
  39. package/external/libedhoc/backends/cbor/src/backend_cbor_bstr_type_encode.c +59 -0
  40. package/external/libedhoc/backends/cbor/src/backend_cbor_ead_decode.c +74 -0
  41. package/external/libedhoc/backends/cbor/src/backend_cbor_ead_encode.c +74 -0
  42. package/external/libedhoc/backends/cbor/src/backend_cbor_enc_structure_decode.c +62 -0
  43. package/external/libedhoc/backends/cbor/src/backend_cbor_enc_structure_encode.c +62 -0
  44. package/external/libedhoc/backends/cbor/src/backend_cbor_id_cred_x_decode.c +141 -0
  45. package/external/libedhoc/backends/cbor/src/backend_cbor_id_cred_x_encode.c +141 -0
  46. package/external/libedhoc/backends/cbor/src/backend_cbor_info_decode.c +61 -0
  47. package/external/libedhoc/backends/cbor/src/backend_cbor_info_encode.c +61 -0
  48. package/external/libedhoc/backends/cbor/src/backend_cbor_int_type_decode.c +59 -0
  49. package/external/libedhoc/backends/cbor/src/backend_cbor_int_type_encode.c +59 -0
  50. package/external/libedhoc/backends/cbor/src/backend_cbor_message_1_decode.c +112 -0
  51. package/external/libedhoc/backends/cbor/src/backend_cbor_message_1_encode.c +112 -0
  52. package/external/libedhoc/backends/cbor/src/backend_cbor_message_2_decode.c +59 -0
  53. package/external/libedhoc/backends/cbor/src/backend_cbor_message_2_encode.c +59 -0
  54. package/external/libedhoc/backends/cbor/src/backend_cbor_message_3_decode.c +59 -0
  55. package/external/libedhoc/backends/cbor/src/backend_cbor_message_3_encode.c +59 -0
  56. package/external/libedhoc/backends/cbor/src/backend_cbor_message_4_decode.c +59 -0
  57. package/external/libedhoc/backends/cbor/src/backend_cbor_message_4_encode.c +59 -0
  58. package/external/libedhoc/backends/cbor/src/backend_cbor_message_error_decode.c +93 -0
  59. package/external/libedhoc/backends/cbor/src/backend_cbor_message_error_encode.c +93 -0
  60. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_2_decode.c +193 -0
  61. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_2_encode.c +194 -0
  62. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_3_decode.c +189 -0
  63. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_3_encode.c +189 -0
  64. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_4_decode.c +88 -0
  65. package/external/libedhoc/backends/cbor/src/backend_cbor_plaintext_4_encode.c +88 -0
  66. package/external/libedhoc/backends/cbor/src/backend_cbor_sig_structure_decode.c +63 -0
  67. package/external/libedhoc/backends/cbor/src/backend_cbor_sig_structure_encode.c +63 -0
  68. package/external/libedhoc/externals/compact25519/src/c25519/c25519.c +126 -0
  69. package/external/libedhoc/externals/compact25519/src/c25519/c25519.h +49 -0
  70. package/external/libedhoc/externals/compact25519/src/c25519/ed25519.c +323 -0
  71. package/external/libedhoc/externals/compact25519/src/c25519/ed25519.h +84 -0
  72. package/external/libedhoc/externals/compact25519/src/c25519/edsign.c +171 -0
  73. package/external/libedhoc/externals/compact25519/src/c25519/edsign.h +53 -0
  74. package/external/libedhoc/externals/compact25519/src/c25519/f25519.c +330 -0
  75. package/external/libedhoc/externals/compact25519/src/c25519/f25519.h +98 -0
  76. package/external/libedhoc/externals/compact25519/src/c25519/fprime.c +226 -0
  77. package/external/libedhoc/externals/compact25519/src/c25519/fprime.h +81 -0
  78. package/external/libedhoc/externals/compact25519/src/c25519/sha512.c +230 -0
  79. package/external/libedhoc/externals/compact25519/src/c25519/sha512.h +54 -0
  80. package/external/libedhoc/externals/compact25519/src/compact_ed25519.c +46 -0
  81. package/external/libedhoc/externals/compact25519/src/compact_ed25519.h +110 -0
  82. package/external/libedhoc/externals/compact25519/src/compact_wipe.c +12 -0
  83. package/external/libedhoc/externals/compact25519/src/compact_wipe.h +14 -0
  84. package/external/libedhoc/externals/compact25519/src/compact_x25519.c +68 -0
  85. package/external/libedhoc/externals/compact25519/src/compact_x25519.h +101 -0
  86. package/external/libedhoc/externals/compact25519/test/pcg_random.h +25 -0
  87. package/external/libedhoc/externals/compact25519/test/run-all.c +178 -0
  88. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/Hacl_Curve25519.h +21 -0
  89. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/everest.h +234 -0
  90. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlib/FStar_UInt128.h +124 -0
  91. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h +280 -0
  92. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlib.h +29 -0
  93. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/c_endianness.h +204 -0
  94. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/builtin.h +16 -0
  95. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/callconv.h +46 -0
  96. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/compat.h +34 -0
  97. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/debug.h +57 -0
  98. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/target.h +102 -0
  99. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/types.h +61 -0
  100. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/kremlin/internal/wasmsupport.h +5 -0
  101. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/vs2013/Hacl_Curve25519.h +21 -0
  102. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/vs2013/inttypes.h +36 -0
  103. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/vs2013/stdbool.h +31 -0
  104. package/external/libedhoc/externals/mbedtls/3rdparty/everest/include/everest/x25519.h +190 -0
  105. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/Hacl_Curve25519.c +760 -0
  106. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/Hacl_Curve25519_joined.c +50 -0
  107. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/everest.c +102 -0
  108. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/kremlib/FStar_UInt128_extracted.c +413 -0
  109. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c +100 -0
  110. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/legacy/Hacl_Curve25519.c +805 -0
  111. package/external/libedhoc/externals/mbedtls/3rdparty/everest/library/x25519.c +186 -0
  112. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m/p256-m.c +1514 -0
  113. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m/p256-m.h +135 -0
  114. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m_driver_entrypoints.c +312 -0
  115. package/external/libedhoc/externals/mbedtls/3rdparty/p256-m/p256-m_driver_entrypoints.h +219 -0
  116. package/external/libedhoc/externals/mbedtls/configs/config-ccm-psk-dtls1_2.h +92 -0
  117. package/external/libedhoc/externals/mbedtls/configs/config-ccm-psk-tls1_2.h +83 -0
  118. package/external/libedhoc/externals/mbedtls/configs/config-no-entropy.h +73 -0
  119. package/external/libedhoc/externals/mbedtls/configs/config-suite-b.h +106 -0
  120. package/external/libedhoc/externals/mbedtls/configs/config-symmetric-only.h +77 -0
  121. package/external/libedhoc/externals/mbedtls/configs/config-thread.h +76 -0
  122. package/external/libedhoc/externals/mbedtls/configs/crypto-config-ccm-aes-sha256.h +25 -0
  123. package/external/libedhoc/externals/mbedtls/configs/crypto_config_profile_medium.h +136 -0
  124. package/external/libedhoc/externals/mbedtls/configs/tfm_mbedcrypto_config_profile_medium.h +609 -0
  125. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_encdec.h +54 -0
  126. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_hashing.h +30 -0
  127. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_mainpage.h +19 -0
  128. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_rng.h +27 -0
  129. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_ssltls.h +37 -0
  130. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_tcpip.h +32 -0
  131. package/external/libedhoc/externals/mbedtls/doxygen/input/doc_x509.h +31 -0
  132. package/external/libedhoc/externals/mbedtls/include/mbedtls/aes.h +627 -0
  133. package/external/libedhoc/externals/mbedtls/include/mbedtls/aria.h +341 -0
  134. package/external/libedhoc/externals/mbedtls/include/mbedtls/asn1.h +641 -0
  135. package/external/libedhoc/externals/mbedtls/include/mbedtls/asn1write.h +389 -0
  136. package/external/libedhoc/externals/mbedtls/include/mbedtls/base64.h +82 -0
  137. package/external/libedhoc/externals/mbedtls/include/mbedtls/bignum.h +1084 -0
  138. package/external/libedhoc/externals/mbedtls/include/mbedtls/build_info.h +146 -0
  139. package/external/libedhoc/externals/mbedtls/include/mbedtls/camellia.h +303 -0
  140. package/external/libedhoc/externals/mbedtls/include/mbedtls/ccm.h +518 -0
  141. package/external/libedhoc/externals/mbedtls/include/mbedtls/chacha20.h +202 -0
  142. package/external/libedhoc/externals/mbedtls/include/mbedtls/chachapoly.h +342 -0
  143. package/external/libedhoc/externals/mbedtls/include/mbedtls/check_config.h +1206 -0
  144. package/external/libedhoc/externals/mbedtls/include/mbedtls/cipher.h +1183 -0
  145. package/external/libedhoc/externals/mbedtls/include/mbedtls/cmac.h +246 -0
  146. package/external/libedhoc/externals/mbedtls/include/mbedtls/compat-2.x.h +46 -0
  147. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h +183 -0
  148. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h +877 -0
  149. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h +334 -0
  150. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h +142 -0
  151. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_ssl.h +76 -0
  152. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_adjust_x509.h +25 -0
  153. package/external/libedhoc/externals/mbedtls/include/mbedtls/config_psa.h +55 -0
  154. package/external/libedhoc/externals/mbedtls/include/mbedtls/constant_time.h +36 -0
  155. package/external/libedhoc/externals/mbedtls/include/mbedtls/ctr_drbg.h +564 -0
  156. package/external/libedhoc/externals/mbedtls/include/mbedtls/debug.h +308 -0
  157. package/external/libedhoc/externals/mbedtls/include/mbedtls/des.h +385 -0
  158. package/external/libedhoc/externals/mbedtls/include/mbedtls/dhm.h +972 -0
  159. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecdh.h +441 -0
  160. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecdsa.h +671 -0
  161. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecjpake.h +298 -0
  162. package/external/libedhoc/externals/mbedtls/include/mbedtls/ecp.h +1362 -0
  163. package/external/libedhoc/externals/mbedtls/include/mbedtls/entropy.h +273 -0
  164. package/external/libedhoc/externals/mbedtls/include/mbedtls/error.h +201 -0
  165. package/external/libedhoc/externals/mbedtls/include/mbedtls/gcm.h +370 -0
  166. package/external/libedhoc/externals/mbedtls/include/mbedtls/hkdf.h +124 -0
  167. package/external/libedhoc/externals/mbedtls/include/mbedtls/hmac_drbg.h +434 -0
  168. package/external/libedhoc/externals/mbedtls/include/mbedtls/lms.h +440 -0
  169. package/external/libedhoc/externals/mbedtls/include/mbedtls/mbedtls_config.h +4116 -0
  170. package/external/libedhoc/externals/mbedtls/include/mbedtls/md.h +640 -0
  171. package/external/libedhoc/externals/mbedtls/include/mbedtls/md5.h +190 -0
  172. package/external/libedhoc/externals/mbedtls/include/mbedtls/memory_buffer_alloc.h +142 -0
  173. package/external/libedhoc/externals/mbedtls/include/mbedtls/net_sockets.h +299 -0
  174. package/external/libedhoc/externals/mbedtls/include/mbedtls/nist_kw.h +166 -0
  175. package/external/libedhoc/externals/mbedtls/include/mbedtls/oid.h +722 -0
  176. package/external/libedhoc/externals/mbedtls/include/mbedtls/pem.h +160 -0
  177. package/external/libedhoc/externals/mbedtls/include/mbedtls/pk.h +1091 -0
  178. package/external/libedhoc/externals/mbedtls/include/mbedtls/pkcs12.h +186 -0
  179. package/external/libedhoc/externals/mbedtls/include/mbedtls/pkcs5.h +197 -0
  180. package/external/libedhoc/externals/mbedtls/include/mbedtls/pkcs7.h +241 -0
  181. package/external/libedhoc/externals/mbedtls/include/mbedtls/platform.h +485 -0
  182. package/external/libedhoc/externals/mbedtls/include/mbedtls/platform_time.h +79 -0
  183. package/external/libedhoc/externals/mbedtls/include/mbedtls/platform_util.h +201 -0
  184. package/external/libedhoc/externals/mbedtls/include/mbedtls/poly1305.h +168 -0
  185. package/external/libedhoc/externals/mbedtls/include/mbedtls/private_access.h +20 -0
  186. package/external/libedhoc/externals/mbedtls/include/mbedtls/psa_util.h +104 -0
  187. package/external/libedhoc/externals/mbedtls/include/mbedtls/ripemd160.h +136 -0
  188. package/external/libedhoc/externals/mbedtls/include/mbedtls/rsa.h +1143 -0
  189. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha1.h +219 -0
  190. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha256.h +198 -0
  191. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha3.h +172 -0
  192. package/external/libedhoc/externals/mbedtls/include/mbedtls/sha512.h +208 -0
  193. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl.h +5369 -0
  194. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_cache.h +187 -0
  195. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_ciphersuites.h +616 -0
  196. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_cookie.h +106 -0
  197. package/external/libedhoc/externals/mbedtls/include/mbedtls/ssl_ticket.h +181 -0
  198. package/external/libedhoc/externals/mbedtls/include/mbedtls/threading.h +105 -0
  199. package/external/libedhoc/externals/mbedtls/include/mbedtls/timing.h +94 -0
  200. package/external/libedhoc/externals/mbedtls/include/mbedtls/version.h +78 -0
  201. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509.h +550 -0
  202. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509_crl.h +184 -0
  203. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509_crt.h +1196 -0
  204. package/external/libedhoc/externals/mbedtls/include/mbedtls/x509_csr.h +319 -0
  205. package/external/libedhoc/externals/mbedtls/include/psa/build_info.h +20 -0
  206. package/external/libedhoc/externals/mbedtls/include/psa/crypto.h +4685 -0
  207. package/external/libedhoc/externals/mbedtls/include/psa/crypto_adjust_auto_enabled.h +21 -0
  208. package/external/libedhoc/externals/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h +91 -0
  209. package/external/libedhoc/externals/mbedtls/include/psa/crypto_adjust_config_synonyms.h +45 -0
  210. package/external/libedhoc/externals/mbedtls/include/psa/crypto_builtin_composites.h +210 -0
  211. package/external/libedhoc/externals/mbedtls/include/psa/crypto_builtin_key_derivation.h +118 -0
  212. package/external/libedhoc/externals/mbedtls/include/psa/crypto_builtin_primitives.h +114 -0
  213. package/external/libedhoc/externals/mbedtls/include/psa/crypto_compat.h +153 -0
  214. package/external/libedhoc/externals/mbedtls/include/psa/crypto_config.h +153 -0
  215. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_common.h +44 -0
  216. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_contexts_composites.h +151 -0
  217. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_contexts_key_derivation.h +52 -0
  218. package/external/libedhoc/externals/mbedtls/include/psa/crypto_driver_contexts_primitives.h +105 -0
  219. package/external/libedhoc/externals/mbedtls/include/psa/crypto_extra.h +2064 -0
  220. package/external/libedhoc/externals/mbedtls/include/psa/crypto_legacy.h +88 -0
  221. package/external/libedhoc/externals/mbedtls/include/psa/crypto_platform.h +92 -0
  222. package/external/libedhoc/externals/mbedtls/include/psa/crypto_se_driver.h +1383 -0
  223. package/external/libedhoc/externals/mbedtls/include/psa/crypto_sizes.h +1282 -0
  224. package/external/libedhoc/externals/mbedtls/include/psa/crypto_struct.h +460 -0
  225. package/external/libedhoc/externals/mbedtls/include/psa/crypto_types.h +453 -0
  226. package/external/libedhoc/externals/mbedtls/include/psa/crypto_values.h +2756 -0
  227. package/external/libedhoc/externals/mbedtls/library/aes.c +2315 -0
  228. package/external/libedhoc/externals/mbedtls/library/aesce.c +503 -0
  229. package/external/libedhoc/externals/mbedtls/library/aesce.h +121 -0
  230. package/external/libedhoc/externals/mbedtls/library/aesni.c +802 -0
  231. package/external/libedhoc/externals/mbedtls/library/aesni.h +158 -0
  232. package/external/libedhoc/externals/mbedtls/library/alignment.h +509 -0
  233. package/external/libedhoc/externals/mbedtls/library/aria.c +991 -0
  234. package/external/libedhoc/externals/mbedtls/library/asn1parse.c +467 -0
  235. package/external/libedhoc/externals/mbedtls/library/asn1write.c +436 -0
  236. package/external/libedhoc/externals/mbedtls/library/base64.c +299 -0
  237. package/external/libedhoc/externals/mbedtls/library/base64_internal.h +45 -0
  238. package/external/libedhoc/externals/mbedtls/library/bignum.c +2806 -0
  239. package/external/libedhoc/externals/mbedtls/library/bignum_core.c +894 -0
  240. package/external/libedhoc/externals/mbedtls/library/bignum_core.h +763 -0
  241. package/external/libedhoc/externals/mbedtls/library/bignum_mod.c +394 -0
  242. package/external/libedhoc/externals/mbedtls/library/bignum_mod.h +452 -0
  243. package/external/libedhoc/externals/mbedtls/library/bignum_mod_raw.c +276 -0
  244. package/external/libedhoc/externals/mbedtls/library/bignum_mod_raw.h +416 -0
  245. package/external/libedhoc/externals/mbedtls/library/bignum_mod_raw_invasive.h +34 -0
  246. package/external/libedhoc/externals/mbedtls/library/bn_mul.h +1094 -0
  247. package/external/libedhoc/externals/mbedtls/library/camellia.c +1044 -0
  248. package/external/libedhoc/externals/mbedtls/library/ccm.c +712 -0
  249. package/external/libedhoc/externals/mbedtls/library/chacha20.c +497 -0
  250. package/external/libedhoc/externals/mbedtls/library/chachapoly.c +478 -0
  251. package/external/libedhoc/externals/mbedtls/library/check_crypto_config.h +141 -0
  252. package/external/libedhoc/externals/mbedtls/library/cipher.c +1664 -0
  253. package/external/libedhoc/externals/mbedtls/library/cipher_wrap.c +2422 -0
  254. package/external/libedhoc/externals/mbedtls/library/cipher_wrap.h +132 -0
  255. package/external/libedhoc/externals/mbedtls/library/cmac.c +1067 -0
  256. package/external/libedhoc/externals/mbedtls/library/common.h +325 -0
  257. package/external/libedhoc/externals/mbedtls/library/constant_time.c +261 -0
  258. package/external/libedhoc/externals/mbedtls/library/constant_time_impl.h +554 -0
  259. package/external/libedhoc/externals/mbedtls/library/constant_time_internal.h +579 -0
  260. package/external/libedhoc/externals/mbedtls/library/ctr_drbg.c +881 -0
  261. package/external/libedhoc/externals/mbedtls/library/debug.c +465 -0
  262. package/external/libedhoc/externals/mbedtls/library/des.c +1042 -0
  263. package/external/libedhoc/externals/mbedtls/library/dhm.c +712 -0
  264. package/external/libedhoc/externals/mbedtls/library/ecdh.c +685 -0
  265. package/external/libedhoc/externals/mbedtls/library/ecdsa.c +867 -0
  266. package/external/libedhoc/externals/mbedtls/library/ecjpake.c +1216 -0
  267. package/external/libedhoc/externals/mbedtls/library/ecp.c +3631 -0
  268. package/external/libedhoc/externals/mbedtls/library/ecp_curves.c +5467 -0
  269. package/external/libedhoc/externals/mbedtls/library/ecp_curves_new.c +6043 -0
  270. package/external/libedhoc/externals/mbedtls/library/ecp_internal_alt.h +287 -0
  271. package/external/libedhoc/externals/mbedtls/library/ecp_invasive.h +325 -0
  272. package/external/libedhoc/externals/mbedtls/library/entropy.c +676 -0
  273. package/external/libedhoc/externals/mbedtls/library/entropy_poll.c +229 -0
  274. package/external/libedhoc/externals/mbedtls/library/entropy_poll.h +64 -0
  275. package/external/libedhoc/externals/mbedtls/library/error.c +878 -0
  276. package/external/libedhoc/externals/mbedtls/library/gcm.c +1168 -0
  277. package/external/libedhoc/externals/mbedtls/library/hkdf.c +161 -0
  278. package/external/libedhoc/externals/mbedtls/library/hmac_drbg.c +633 -0
  279. package/external/libedhoc/externals/mbedtls/library/lmots.c +821 -0
  280. package/external/libedhoc/externals/mbedtls/library/lmots.h +311 -0
  281. package/external/libedhoc/externals/mbedtls/library/lms.c +779 -0
  282. package/external/libedhoc/externals/mbedtls/library/md.c +1108 -0
  283. package/external/libedhoc/externals/mbedtls/library/md5.c +426 -0
  284. package/external/libedhoc/externals/mbedtls/library/md_psa.h +63 -0
  285. package/external/libedhoc/externals/mbedtls/library/md_wrap.h +46 -0
  286. package/external/libedhoc/externals/mbedtls/library/memory_buffer_alloc.c +745 -0
  287. package/external/libedhoc/externals/mbedtls/library/mps_common.h +181 -0
  288. package/external/libedhoc/externals/mbedtls/library/mps_error.h +89 -0
  289. package/external/libedhoc/externals/mbedtls/library/mps_reader.c +538 -0
  290. package/external/libedhoc/externals/mbedtls/library/mps_reader.h +366 -0
  291. package/external/libedhoc/externals/mbedtls/library/mps_trace.c +112 -0
  292. package/external/libedhoc/externals/mbedtls/library/mps_trace.h +154 -0
  293. package/external/libedhoc/externals/mbedtls/library/net_sockets.c +696 -0
  294. package/external/libedhoc/externals/mbedtls/library/nist_kw.c +725 -0
  295. package/external/libedhoc/externals/mbedtls/library/oid.c +1154 -0
  296. package/external/libedhoc/externals/mbedtls/library/padlock.c +155 -0
  297. package/external/libedhoc/externals/mbedtls/library/padlock.h +111 -0
  298. package/external/libedhoc/externals/mbedtls/library/pem.c +520 -0
  299. package/external/libedhoc/externals/mbedtls/library/pk.c +970 -0
  300. package/external/libedhoc/externals/mbedtls/library/pk_internal.h +118 -0
  301. package/external/libedhoc/externals/mbedtls/library/pk_wrap.c +1834 -0
  302. package/external/libedhoc/externals/mbedtls/library/pk_wrap.h +156 -0
  303. package/external/libedhoc/externals/mbedtls/library/pkcs12.c +447 -0
  304. package/external/libedhoc/externals/mbedtls/library/pkcs5.c +496 -0
  305. package/external/libedhoc/externals/mbedtls/library/pkcs7.c +773 -0
  306. package/external/libedhoc/externals/mbedtls/library/pkparse.c +1845 -0
  307. package/external/libedhoc/externals/mbedtls/library/pkwrite.c +836 -0
  308. package/external/libedhoc/externals/mbedtls/library/pkwrite.h +112 -0
  309. package/external/libedhoc/externals/mbedtls/library/platform.c +402 -0
  310. package/external/libedhoc/externals/mbedtls/library/platform_util.c +285 -0
  311. package/external/libedhoc/externals/mbedtls/library/poly1305.c +492 -0
  312. package/external/libedhoc/externals/mbedtls/library/psa_crypto.c +8432 -0
  313. package/external/libedhoc/externals/mbedtls/library/psa_crypto_aead.c +653 -0
  314. package/external/libedhoc/externals/mbedtls/library/psa_crypto_aead.h +499 -0
  315. package/external/libedhoc/externals/mbedtls/library/psa_crypto_cipher.c +590 -0
  316. package/external/libedhoc/externals/mbedtls/library/psa_crypto_cipher.h +293 -0
  317. package/external/libedhoc/externals/mbedtls/library/psa_crypto_client.c +67 -0
  318. package/external/libedhoc/externals/mbedtls/library/psa_crypto_core.h +838 -0
  319. package/external/libedhoc/externals/mbedtls/library/psa_crypto_core_common.h +52 -0
  320. package/external/libedhoc/externals/mbedtls/library/psa_crypto_driver_wrappers.h +2871 -0
  321. package/external/libedhoc/externals/mbedtls/library/psa_crypto_driver_wrappers_no_static.c +256 -0
  322. package/external/libedhoc/externals/mbedtls/library/psa_crypto_driver_wrappers_no_static.h +31 -0
  323. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ecp.c +561 -0
  324. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ecp.h +267 -0
  325. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ffdh.c +295 -0
  326. package/external/libedhoc/externals/mbedtls/library/psa_crypto_ffdh.h +132 -0
  327. package/external/libedhoc/externals/mbedtls/library/psa_crypto_hash.c +470 -0
  328. package/external/libedhoc/externals/mbedtls/library/psa_crypto_hash.h +211 -0
  329. package/external/libedhoc/externals/mbedtls/library/psa_crypto_invasive.h +70 -0
  330. package/external/libedhoc/externals/mbedtls/library/psa_crypto_its.h +131 -0
  331. package/external/libedhoc/externals/mbedtls/library/psa_crypto_mac.c +496 -0
  332. package/external/libedhoc/externals/mbedtls/library/psa_crypto_mac.h +264 -0
  333. package/external/libedhoc/externals/mbedtls/library/psa_crypto_pake.c +571 -0
  334. package/external/libedhoc/externals/mbedtls/library/psa_crypto_pake.h +159 -0
  335. package/external/libedhoc/externals/mbedtls/library/psa_crypto_random_impl.h +192 -0
  336. package/external/libedhoc/externals/mbedtls/library/psa_crypto_rsa.c +727 -0
  337. package/external/libedhoc/externals/mbedtls/library/psa_crypto_rsa.h +317 -0
  338. package/external/libedhoc/externals/mbedtls/library/psa_crypto_se.c +373 -0
  339. package/external/libedhoc/externals/mbedtls/library/psa_crypto_se.h +185 -0
  340. package/external/libedhoc/externals/mbedtls/library/psa_crypto_slot_management.c +559 -0
  341. package/external/libedhoc/externals/mbedtls/library/psa_crypto_slot_management.h +213 -0
  342. package/external/libedhoc/externals/mbedtls/library/psa_crypto_storage.c +481 -0
  343. package/external/libedhoc/externals/mbedtls/library/psa_crypto_storage.h +384 -0
  344. package/external/libedhoc/externals/mbedtls/library/psa_its_file.c +259 -0
  345. package/external/libedhoc/externals/mbedtls/library/psa_util.c +160 -0
  346. package/external/libedhoc/externals/mbedtls/library/psa_util_internal.h +96 -0
  347. package/external/libedhoc/externals/mbedtls/library/ripemd160.c +490 -0
  348. package/external/libedhoc/externals/mbedtls/library/rsa.c +2640 -0
  349. package/external/libedhoc/externals/mbedtls/library/rsa_alt_helpers.c +447 -0
  350. package/external/libedhoc/externals/mbedtls/library/rsa_alt_helpers.h +208 -0
  351. package/external/libedhoc/externals/mbedtls/library/sha1.c +480 -0
  352. package/external/libedhoc/externals/mbedtls/library/sha256.c +946 -0
  353. package/external/libedhoc/externals/mbedtls/library/sha3.c +626 -0
  354. package/external/libedhoc/externals/mbedtls/library/sha512.c +1111 -0
  355. package/external/libedhoc/externals/mbedtls/library/ssl_cache.c +410 -0
  356. package/external/libedhoc/externals/mbedtls/library/ssl_ciphersuites.c +2050 -0
  357. package/external/libedhoc/externals/mbedtls/library/ssl_client.c +1017 -0
  358. package/external/libedhoc/externals/mbedtls/library/ssl_client.h +22 -0
  359. package/external/libedhoc/externals/mbedtls/library/ssl_cookie.c +380 -0
  360. package/external/libedhoc/externals/mbedtls/library/ssl_debug_helpers.h +78 -0
  361. package/external/libedhoc/externals/mbedtls/library/ssl_debug_helpers_generated.c +234 -0
  362. package/external/libedhoc/externals/mbedtls/library/ssl_misc.h +2847 -0
  363. package/external/libedhoc/externals/mbedtls/library/ssl_msg.c +6155 -0
  364. package/external/libedhoc/externals/mbedtls/library/ssl_ticket.c +540 -0
  365. package/external/libedhoc/externals/mbedtls/library/ssl_tls.c +9577 -0
  366. package/external/libedhoc/externals/mbedtls/library/ssl_tls12_client.c +3607 -0
  367. package/external/libedhoc/externals/mbedtls/library/ssl_tls12_server.c +4403 -0
  368. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_client.c +3046 -0
  369. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_generic.c +1740 -0
  370. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_invasive.h +23 -0
  371. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_keys.c +1897 -0
  372. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_keys.h +651 -0
  373. package/external/libedhoc/externals/mbedtls/library/ssl_tls13_server.c +3146 -0
  374. package/external/libedhoc/externals/mbedtls/library/threading.c +181 -0
  375. package/external/libedhoc/externals/mbedtls/library/timing.c +154 -0
  376. package/external/libedhoc/externals/mbedtls/library/version.c +32 -0
  377. package/external/libedhoc/externals/mbedtls/library/version_features.c +826 -0
  378. package/external/libedhoc/externals/mbedtls/library/x509.c +1776 -0
  379. package/external/libedhoc/externals/mbedtls/library/x509_create.c +557 -0
  380. package/external/libedhoc/externals/mbedtls/library/x509_crl.c +712 -0
  381. package/external/libedhoc/externals/mbedtls/library/x509_crt.c +3292 -0
  382. package/external/libedhoc/externals/mbedtls/library/x509_csr.c +574 -0
  383. package/external/libedhoc/externals/mbedtls/library/x509write.c +174 -0
  384. package/external/libedhoc/externals/mbedtls/library/x509write_crt.c +681 -0
  385. package/external/libedhoc/externals/mbedtls/library/x509write_csr.c +331 -0
  386. package/external/libedhoc/externals/mbedtls/programs/aes/crypt_and_hash.c +573 -0
  387. package/external/libedhoc/externals/mbedtls/programs/cipher/cipher_aead_demo.c +259 -0
  388. package/external/libedhoc/externals/mbedtls/programs/fuzz/common.c +105 -0
  389. package/external/libedhoc/externals/mbedtls/programs/fuzz/common.h +25 -0
  390. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_client.c +195 -0
  391. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_dtlsclient.c +138 -0
  392. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_dtlsserver.c +183 -0
  393. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_pkcs7.c +20 -0
  394. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_privkey.c +106 -0
  395. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_pubkey.c +86 -0
  396. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_server.c +218 -0
  397. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_x509crl.c +41 -0
  398. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_x509crt.c +41 -0
  399. package/external/libedhoc/externals/mbedtls/programs/fuzz/fuzz_x509csr.c +41 -0
  400. package/external/libedhoc/externals/mbedtls/programs/fuzz/onefile.c +69 -0
  401. package/external/libedhoc/externals/mbedtls/programs/hash/generic_sum.c +209 -0
  402. package/external/libedhoc/externals/mbedtls/programs/hash/hello.c +45 -0
  403. package/external/libedhoc/externals/mbedtls/programs/hash/md_hmac_demo.c +136 -0
  404. package/external/libedhoc/externals/mbedtls/programs/pkey/dh_client.c +274 -0
  405. package/external/libedhoc/externals/mbedtls/programs/pkey/dh_genprime.c +161 -0
  406. package/external/libedhoc/externals/mbedtls/programs/pkey/dh_server.c +296 -0
  407. package/external/libedhoc/externals/mbedtls/programs/pkey/ecdh_curve25519.c +189 -0
  408. package/external/libedhoc/externals/mbedtls/programs/pkey/ecdsa.c +217 -0
  409. package/external/libedhoc/externals/mbedtls/programs/pkey/gen_key.c +419 -0
  410. package/external/libedhoc/externals/mbedtls/programs/pkey/key_app.c +316 -0
  411. package/external/libedhoc/externals/mbedtls/programs/pkey/key_app_writer.c +435 -0
  412. package/external/libedhoc/externals/mbedtls/programs/pkey/mpi_demo.c +84 -0
  413. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_decrypt.c +153 -0
  414. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_encrypt.c +154 -0
  415. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_sign.c +155 -0
  416. package/external/libedhoc/externals/mbedtls/programs/pkey/pk_verify.c +128 -0
  417. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_decrypt.c +172 -0
  418. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_encrypt.c +149 -0
  419. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_genkey.c +141 -0
  420. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_sign.c +155 -0
  421. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_sign_pss.c +161 -0
  422. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_verify.c +131 -0
  423. package/external/libedhoc/externals/mbedtls/programs/pkey/rsa_verify_pss.c +136 -0
  424. package/external/libedhoc/externals/mbedtls/programs/psa/aead_demo.c +281 -0
  425. package/external/libedhoc/externals/mbedtls/programs/psa/crypto_examples.c +321 -0
  426. package/external/libedhoc/externals/mbedtls/programs/psa/hmac_demo.c +159 -0
  427. package/external/libedhoc/externals/mbedtls/programs/psa/key_ladder_demo.c +691 -0
  428. package/external/libedhoc/externals/mbedtls/programs/psa/psa_constant_names.c +310 -0
  429. package/external/libedhoc/externals/mbedtls/programs/psa/psa_constant_names_generated.c +474 -0
  430. package/external/libedhoc/externals/mbedtls/programs/random/gen_entropy.c +75 -0
  431. package/external/libedhoc/externals/mbedtls/programs/random/gen_random_ctr_drbg.c +107 -0
  432. package/external/libedhoc/externals/mbedtls/programs/ssl/dtls_client.c +342 -0
  433. package/external/libedhoc/externals/mbedtls/programs/ssl/dtls_server.c +408 -0
  434. package/external/libedhoc/externals/mbedtls/programs/ssl/mini_client.c +274 -0
  435. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_client1.c +288 -0
  436. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_client2.c +3118 -0
  437. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_context_info.c +1009 -0
  438. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_fork_server.c +381 -0
  439. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_mail_client.c +804 -0
  440. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_pthread_server.c +489 -0
  441. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_server.c +362 -0
  442. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_server2.c +4268 -0
  443. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_test_common_source.c +375 -0
  444. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_test_lib.c +601 -0
  445. package/external/libedhoc/externals/mbedtls/programs/ssl/ssl_test_lib.h +306 -0
  446. package/external/libedhoc/externals/mbedtls/programs/test/benchmark.c +1284 -0
  447. package/external/libedhoc/externals/mbedtls/programs/test/cmake_package/cmake_package.c +27 -0
  448. package/external/libedhoc/externals/mbedtls/programs/test/cmake_package_install/cmake_package_install.c +28 -0
  449. package/external/libedhoc/externals/mbedtls/programs/test/cmake_subproject/cmake_subproject.c +28 -0
  450. package/external/libedhoc/externals/mbedtls/programs/test/dlopen.c +92 -0
  451. package/external/libedhoc/externals/mbedtls/programs/test/query_compile_time_config.c +66 -0
  452. package/external/libedhoc/externals/mbedtls/programs/test/query_config.c +5137 -0
  453. package/external/libedhoc/externals/mbedtls/programs/test/query_config.h +34 -0
  454. package/external/libedhoc/externals/mbedtls/programs/test/query_included_headers.c +29 -0
  455. package/external/libedhoc/externals/mbedtls/programs/test/selftest.c +583 -0
  456. package/external/libedhoc/externals/mbedtls/programs/test/udp_proxy.c +967 -0
  457. package/external/libedhoc/externals/mbedtls/programs/test/zeroize.c +72 -0
  458. package/external/libedhoc/externals/mbedtls/programs/util/pem2der.c +265 -0
  459. package/external/libedhoc/externals/mbedtls/programs/util/strerror.c +61 -0
  460. package/external/libedhoc/externals/mbedtls/programs/wince_main.c +31 -0
  461. package/external/libedhoc/externals/mbedtls/programs/x509/cert_app.c +456 -0
  462. package/external/libedhoc/externals/mbedtls/programs/x509/cert_req.c +509 -0
  463. package/external/libedhoc/externals/mbedtls/programs/x509/cert_write.c +1012 -0
  464. package/external/libedhoc/externals/mbedtls/programs/x509/crl_app.c +132 -0
  465. package/external/libedhoc/externals/mbedtls/programs/x509/load_roots.c +165 -0
  466. package/external/libedhoc/externals/mbedtls/programs/x509/req_app.c +132 -0
  467. package/external/libedhoc/externals/mbedtls/tests/configs/tls13-only.h +31 -0
  468. package/external/libedhoc/externals/mbedtls/tests/configs/user-config-for-test.h +89 -0
  469. package/external/libedhoc/externals/mbedtls/tests/configs/user-config-malloc-0-null.h +22 -0
  470. package/external/libedhoc/externals/mbedtls/tests/configs/user-config-zeroize-memset.h +17 -0
  471. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/aes_alt.h +23 -0
  472. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/aria_alt.h +16 -0
  473. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/camellia_alt.h +16 -0
  474. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ccm_alt.h +16 -0
  475. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/chacha20_alt.h +16 -0
  476. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/chachapoly_alt.h +18 -0
  477. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/cmac_alt.h +15 -0
  478. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/des_alt.h +22 -0
  479. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/dhm_alt.h +16 -0
  480. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ecjpake_alt.h +15 -0
  481. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ecp_alt.h +22 -0
  482. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/gcm_alt.h +16 -0
  483. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/md5_alt.h +16 -0
  484. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/nist_kw_alt.h +15 -0
  485. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/platform_alt.h +16 -0
  486. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/poly1305_alt.h +16 -0
  487. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/ripemd160_alt.h +16 -0
  488. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/rsa_alt.h +16 -0
  489. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/sha1_alt.h +16 -0
  490. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/sha256_alt.h +16 -0
  491. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/sha512_alt.h +16 -0
  492. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/threading_alt.h +14 -0
  493. package/external/libedhoc/externals/mbedtls/tests/include/alt-dummy/timing_alt.h +19 -0
  494. package/external/libedhoc/externals/mbedtls/tests/include/alt-extra/psa/crypto.h +7 -0
  495. package/external/libedhoc/externals/mbedtls/tests/include/baremetal-override/time.h +6 -0
  496. package/external/libedhoc/externals/mbedtls/tests/include/spe/crypto_spe.h +131 -0
  497. package/external/libedhoc/externals/mbedtls/tests/include/test/arguments.h +26 -0
  498. package/external/libedhoc/externals/mbedtls/tests/include/test/asn1_helpers.h +38 -0
  499. package/external/libedhoc/externals/mbedtls/tests/include/test/bignum_helpers.h +106 -0
  500. package/external/libedhoc/externals/mbedtls/tests/include/test/certs.h +234 -0
  501. package/external/libedhoc/externals/mbedtls/tests/include/test/constant_flow.h +71 -0
  502. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/aead.h +121 -0
  503. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/asymmetric_encryption.h +67 -0
  504. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/cipher.h +130 -0
  505. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/config_test_driver.h +44 -0
  506. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/crypto_config_test_driver_extension.h +430 -0
  507. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/hash.h +64 -0
  508. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/key_agreement.h +62 -0
  509. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/key_management.h +123 -0
  510. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/mac.h +125 -0
  511. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/pake.h +75 -0
  512. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/signature.h +112 -0
  513. package/external/libedhoc/externals/mbedtls/tests/include/test/drivers/test_driver.h +32 -0
  514. package/external/libedhoc/externals/mbedtls/tests/include/test/fake_external_rng_for_test.h +40 -0
  515. package/external/libedhoc/externals/mbedtls/tests/include/test/helpers.h +268 -0
  516. package/external/libedhoc/externals/mbedtls/tests/include/test/macros.h +250 -0
  517. package/external/libedhoc/externals/mbedtls/tests/include/test/psa_crypto_helpers.h +398 -0
  518. package/external/libedhoc/externals/mbedtls/tests/include/test/psa_exercise_key.h +223 -0
  519. package/external/libedhoc/externals/mbedtls/tests/include/test/psa_helpers.h +24 -0
  520. package/external/libedhoc/externals/mbedtls/tests/include/test/random.h +91 -0
  521. package/external/libedhoc/externals/mbedtls/tests/include/test/ssl_helpers.h +628 -0
  522. package/external/libedhoc/externals/mbedtls/tests/src/asn1_helpers.c +62 -0
  523. package/external/libedhoc/externals/mbedtls/tests/src/bignum_helpers.c +145 -0
  524. package/external/libedhoc/externals/mbedtls/tests/src/certs.c +480 -0
  525. package/external/libedhoc/externals/mbedtls/tests/src/drivers/hash.c +199 -0
  526. package/external/libedhoc/externals/mbedtls/tests/src/drivers/platform_builtin_keys.c +78 -0
  527. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_aead.c +462 -0
  528. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_asymmetric_encryption.c +151 -0
  529. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_cipher.c +424 -0
  530. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_key_agreement.c +147 -0
  531. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_key_management.c +783 -0
  532. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_mac.c +422 -0
  533. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_pake.c +202 -0
  534. package/external/libedhoc/externals/mbedtls/tests/src/drivers/test_driver_signature.c +405 -0
  535. package/external/libedhoc/externals/mbedtls/tests/src/fake_external_rng_for_test.c +45 -0
  536. package/external/libedhoc/externals/mbedtls/tests/src/helpers.c +353 -0
  537. package/external/libedhoc/externals/mbedtls/tests/src/psa_crypto_helpers.c +196 -0
  538. package/external/libedhoc/externals/mbedtls/tests/src/psa_exercise_key.c +989 -0
  539. package/external/libedhoc/externals/mbedtls/tests/src/random.c +136 -0
  540. package/external/libedhoc/externals/mbedtls/tests/src/test_certs.h +1226 -0
  541. package/external/libedhoc/externals/mbedtls/tests/src/test_helpers/ssl_helpers.c +2292 -0
  542. package/external/libedhoc/externals/mbedtls/tests/src/threading_helpers.c +210 -0
  543. package/external/libedhoc/externals/zcbor/include/zcbor_common.h +422 -0
  544. package/external/libedhoc/externals/zcbor/include/zcbor_debug.h +69 -0
  545. package/external/libedhoc/externals/zcbor/include/zcbor_decode.h +358 -0
  546. package/external/libedhoc/externals/zcbor/include/zcbor_encode.h +296 -0
  547. package/external/libedhoc/externals/zcbor/include/zcbor_tags.h +94 -0
  548. package/external/libedhoc/externals/zcbor/samples/hello_world/src/main.c +41 -0
  549. package/external/libedhoc/externals/zcbor/samples/pet/include/pet_decode.h +39 -0
  550. package/external/libedhoc/externals/zcbor/samples/pet/include/pet_encode.h +39 -0
  551. package/external/libedhoc/externals/zcbor/samples/pet/include/pet_types.h +47 -0
  552. package/external/libedhoc/externals/zcbor/samples/pet/src/main.c +128 -0
  553. package/external/libedhoc/externals/zcbor/samples/pet/src/pet_decode.c +69 -0
  554. package/external/libedhoc/externals/zcbor/samples/pet/src/pet_encode.c +70 -0
  555. package/external/libedhoc/externals/zcbor/src/zcbor_common.c +257 -0
  556. package/external/libedhoc/externals/zcbor/src/zcbor_decode.c +1107 -0
  557. package/external/libedhoc/externals/zcbor/src/zcbor_encode.c +722 -0
  558. package/external/libedhoc/externals/zcbor/tests/decode/test1_suit_old_formats/src/main.c +368 -0
  559. package/external/libedhoc/externals/zcbor/tests/decode/test2_suit/src/main.c +189 -0
  560. package/external/libedhoc/externals/zcbor/tests/decode/test3_simple/src/main.c +529 -0
  561. package/external/libedhoc/externals/zcbor/tests/decode/test5_corner_cases/src/main.c +2010 -0
  562. package/external/libedhoc/externals/zcbor/tests/decode/test7_suit9_simple/src/main.c +134 -0
  563. package/external/libedhoc/externals/zcbor/tests/decode/test8_suit12/src/main.c +863 -0
  564. package/external/libedhoc/externals/zcbor/tests/decode/test9_manifest14/src/main.c +364 -0
  565. package/external/libedhoc/externals/zcbor/tests/encode/test1_suit/src/main.c +453 -0
  566. package/external/libedhoc/externals/zcbor/tests/encode/test2_simple/src/main.c +123 -0
  567. package/external/libedhoc/externals/zcbor/tests/encode/test3_corner_cases/src/main.c +1527 -0
  568. package/external/libedhoc/externals/zcbor/tests/encode/test4_senml/src/main.c +66 -0
  569. package/external/libedhoc/externals/zcbor/tests/fuzz/fuzz_manifest12.c +136 -0
  570. package/external/libedhoc/externals/zcbor/tests/fuzz/fuzz_pet.c +12 -0
  571. package/external/libedhoc/externals/zcbor/tests/fuzz/main_entry.c +60 -0
  572. package/external/libedhoc/externals/zcbor/tests/fuzz/main_entry.h +5 -0
  573. package/external/libedhoc/externals/zcbor/tests/unit/test1_unit_tests/src/main.c +1044 -0
  574. package/external/libedhoc/externals/zcbor/tests/unit/test3_float16/src/main.c +202 -0
  575. package/external/libedhoc/include/edhoc.h +393 -0
  576. package/external/libedhoc/include/edhoc_context.h +318 -0
  577. package/external/libedhoc/include/edhoc_credentials.h +217 -0
  578. package/external/libedhoc/include/edhoc_crypto.h +331 -0
  579. package/external/libedhoc/include/edhoc_ead.h +99 -0
  580. package/external/libedhoc/include/edhoc_macros.h +51 -0
  581. package/external/libedhoc/include/edhoc_values.h +181 -0
  582. package/external/libedhoc/library/edhoc.c +219 -0
  583. package/external/libedhoc/library/edhoc_exporter.c +543 -0
  584. package/external/libedhoc/library/edhoc_message_1.c +439 -0
  585. package/external/libedhoc/library/edhoc_message_2.c +2994 -0
  586. package/external/libedhoc/library/edhoc_message_3.c +2658 -0
  587. package/external/libedhoc/library/edhoc_message_4.c +826 -0
  588. package/external/libedhoc/library/edhoc_message_error.c +238 -0
  589. package/external/libedhoc/tests/include/cipher_suite_negotiation/test_edhoc_cipher_suite_negotiation.h +37 -0
  590. package/external/libedhoc/tests/include/cipher_suites/cipher_suite_0.h +134 -0
  591. package/external/libedhoc/tests/include/cipher_suites/cipher_suite_2.h +140 -0
  592. package/external/libedhoc/tests/include/cipher_suites/test_cipher_suite_0.h +48 -0
  593. package/external/libedhoc/tests/include/cipher_suites/test_cipher_suite_2.h +48 -0
  594. package/external/libedhoc/tests/include/edhoc_trace_1/authentication_credentials_1.h +60 -0
  595. package/external/libedhoc/tests/include/edhoc_trace_1/test_edhoc_handshake_1.h +208 -0
  596. package/external/libedhoc/tests/include/edhoc_trace_1/test_edhoc_handshake_ead_1.h +59 -0
  597. package/external/libedhoc/tests/include/edhoc_trace_1/test_vector_1.h +738 -0
  598. package/external/libedhoc/tests/include/edhoc_trace_2/authentication_credentials_2.h +60 -0
  599. package/external/libedhoc/tests/include/edhoc_trace_2/test_edhoc_handshake_2.h +199 -0
  600. package/external/libedhoc/tests/include/edhoc_trace_2/test_vector_2.h +525 -0
  601. package/external/libedhoc/tests/include/error_message/test_edhoc_error_message.h +48 -0
  602. package/external/libedhoc/tests/include/x509_chain_cs_0/authentication_credentials_x5chain_cs_0.h +92 -0
  603. package/external/libedhoc/tests/include/x509_chain_cs_0/test_edhoc_handshake_x5chain_cs_0.h +96 -0
  604. package/external/libedhoc/tests/include/x509_chain_cs_0/test_vector_x5chain_cs_0.h +140 -0
  605. package/external/libedhoc/tests/include/x509_chain_cs_2/authentication_credentials_x5chain_cs_2.h +58 -0
  606. package/external/libedhoc/tests/include/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2.h +56 -0
  607. package/external/libedhoc/tests/include/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2_ead.h +57 -0
  608. package/external/libedhoc/tests/include/x509_chain_cs_2/test_vector_x5chain_cs_2.h +169 -0
  609. package/external/libedhoc/tests/include/x509_chain_cs_2_static_dh/authentication_credentials_x5chain_cs_2_static_dh.h +59 -0
  610. package/external/libedhoc/tests/include/x509_chain_cs_2_static_dh/test_edhoc_handshake_x5chain_cs_2_static_dh_ead.h +57 -0
  611. package/external/libedhoc/tests/include/x509_chain_cs_2_static_dh/test_vector_x5chain_cs_2_static_dh.h +163 -0
  612. package/external/libedhoc/tests/include/x509_hash_cs_2/authentication_credentials_x5t_cs_2.h +60 -0
  613. package/external/libedhoc/tests/include/x509_hash_cs_2/test_edhoc_handshake_x5t_cs_2_ead.h +57 -0
  614. package/external/libedhoc/tests/include/x509_hash_cs_2/test_vector_x5t_cs_2.h +181 -0
  615. package/external/libedhoc/tests/src/cipher_suite_negotiation/test_edhoc_cipher_suite_negotiation.c +544 -0
  616. package/external/libedhoc/tests/src/cipher_suites/cipher_suite_0.c +447 -0
  617. package/external/libedhoc/tests/src/cipher_suites/cipher_suite_2.c +600 -0
  618. package/external/libedhoc/tests/src/cipher_suites/test_cipher_suite_0.c +475 -0
  619. package/external/libedhoc/tests/src/cipher_suites/test_cipher_suite_2.c +473 -0
  620. package/external/libedhoc/tests/src/edhoc_trace_1/authentication_credentials_1.c +252 -0
  621. package/external/libedhoc/tests/src/edhoc_trace_1/test_edhoc_handshake_1.c +1829 -0
  622. package/external/libedhoc/tests/src/edhoc_trace_1/test_edhoc_handshake_ead_1.c +1247 -0
  623. package/external/libedhoc/tests/src/edhoc_trace_2/authentication_credentials_2.c +170 -0
  624. package/external/libedhoc/tests/src/edhoc_trace_2/test_edhoc_handshake_2.c +1783 -0
  625. package/external/libedhoc/tests/src/error_message/test_edhoc_error_message.c +226 -0
  626. package/external/libedhoc/tests/src/tests.c +228 -0
  627. package/external/libedhoc/tests/src/x509_chain_cs_0/authentication_credentials_x5chain_cs_0.c +332 -0
  628. package/external/libedhoc/tests/src/x509_chain_cs_0/test_edhoc_handshake_x5chain_cs_0.c +936 -0
  629. package/external/libedhoc/tests/src/x509_chain_cs_2/authentication_credentials_x5chain_cs_2.c +166 -0
  630. package/external/libedhoc/tests/src/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2.c +587 -0
  631. package/external/libedhoc/tests/src/x509_chain_cs_2/test_edhoc_handshake_x5chain_cs_2_ead.c +917 -0
  632. package/external/libedhoc/tests/src/x509_chain_cs_2_static_dh/authentication_credentials_x5chain_cs_2_static_dh.c +186 -0
  633. package/external/libedhoc/tests/src/x509_chain_cs_2_static_dh/test_edhoc_handshake_x5chain_cs_2_static_dh_ead.c +743 -0
  634. package/external/libedhoc/tests/src/x509_hash_cs_2/authentication_credentials_x5t_cs_2.c +261 -0
  635. package/external/libedhoc/tests/src/x509_hash_cs_2/test_edhoc_handshake_x5t_cs_2_ead.c +854 -0
  636. package/include/EdhocComposeAsyncWorker.h +61 -0
  637. package/include/EdhocCredentialManager.h +100 -0
  638. package/include/EdhocCryptoManager.h +504 -0
  639. package/include/EdhocEadManager.h +151 -0
  640. package/include/EdhocExportAsyncWorker.h +71 -0
  641. package/include/EdhocProcessAsyncWorker.h +76 -0
  642. package/include/LibEDHOC.h +304 -0
  643. package/include/Suites.h +27 -0
  644. package/include/UserContext.h +79 -0
  645. package/include/Utils.h +110 -0
  646. package/package.json +5 -5
  647. package/prebuilds/win32-ia32/edhoc.node +0 -0
  648. package/prebuilds/win32-x64/edhoc.node +0 -0
  649. package/src/EdhocComposeAsyncWorker.cpp +88 -0
  650. package/src/EdhocCredentialManager.cpp +360 -0
  651. package/src/EdhocCryptoManager.cpp +967 -0
  652. package/src/EdhocEadManager.cpp +156 -0
  653. package/src/EdhocExportAsyncWorker.cpp +82 -0
  654. package/src/EdhocProcessAsyncWorker.cpp +74 -0
  655. package/src/LibEDHOC.cpp +369 -0
  656. package/src/Suites.cpp +153 -0
  657. package/src/Utils.cpp +115 -0
  658. package/dist/bindings.d.ts +0 -5
  659. package/dist/bindings.d.ts.map +0 -1
  660. package/dist/bindings.js +0 -10
  661. package/dist/credentials.d.ts +0 -16
  662. package/dist/credentials.d.ts.map +0 -1
  663. package/dist/credentials.js +0 -84
  664. package/dist/crypto.d.ts +0 -22
  665. package/dist/crypto.d.ts.map +0 -1
  666. package/dist/crypto.js +0 -177
  667. package/dist/edhoc.d.ts +0 -346
  668. package/dist/edhoc.d.ts.map +0 -1
  669. package/dist/edhoc.js +0 -76
  670. package/dist/index.d.ts +0 -4
  671. package/dist/index.d.ts.map +0 -1
  672. package/dist/index.js +0 -19
package/external/libedhoc/externals/mbedtls/library/ssl_tls13_server.c ADDED
@@ -0,0 +1,3146 @@
1
+ /*
2
+ * TLS 1.3 server-side functions
3
+ *
4
+ * Copyright The Mbed TLS Contributors
5
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
+ */
7
+
8
+ #include "common.h"
9
+
10
+ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
+
12
+ #include "mbedtls/debug.h"
13
+ #include "mbedtls/error.h"
14
+ #include "mbedtls/platform.h"
15
+ #include "mbedtls/constant_time.h"
16
+ #include "mbedtls/oid.h"
17
+ #include "md_psa.h"
18
+
19
+ #include "ssl_misc.h"
20
+ #include "ssl_tls13_keys.h"
21
+ #include "ssl_debug_helpers.h"
22
+
23
+
24
+ static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
25
+ mbedtls_ssl_context *ssl,
26
+ unsigned int cipher_suite)
27
+ {
28
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
29
+ if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
30
+ return NULL;
31
+ }
32
+
33
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
34
+ if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
35
+ ssl->tls_version,
36
+ ssl->tls_version) != 0)) {
37
+ return NULL;
38
+ }
39
+ return ciphersuite_info;
40
+ }
41
+
42
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
43
+ /* From RFC 8446:
44
+ *
45
+ * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
46
+ * struct {
47
+ * PskKeyExchangeMode ke_modes<1..255>;
48
+ * } PskKeyExchangeModes;
49
+ */
50
+ MBEDTLS_CHECK_RETURN_CRITICAL
51
+ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
52
+ const unsigned char *buf,
53
+ const unsigned char *end)
54
+ {
55
+ const unsigned char *p = buf;
56
+ size_t ke_modes_len;
57
+ int ke_modes = 0;
58
+
59
+ /* Read ke_modes length (1 Byte) */
60
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
61
+ ke_modes_len = *p++;
62
+ /* Currently, there are only two PSK modes, so even without looking
63
+ * at the content, something's wrong if the list has more than 2 items. */
64
+ if (ke_modes_len > 2) {
65
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
66
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
67
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
68
+ }
69
+
70
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);
71
+
72
+ while (ke_modes_len-- != 0) {
73
+ switch (*p++) {
74
+ case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
75
+ ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
76
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));
77
+ break;
78
+ case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
79
+ ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
80
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));
81
+ break;
82
+ default:
83
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
84
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
85
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
86
+ }
87
+ }
88
+
89
+ ssl->handshake->tls13_kex_modes = ke_modes;
90
+ return 0;
91
+ }
92
+
93
+ #define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
94
+ #define SSL_TLS1_3_OFFERED_PSK_MATCH 0
95
+
96
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
97
+
98
+ MBEDTLS_CHECK_RETURN_CRITICAL
99
+ static int ssl_tls13_offered_psks_check_identity_match_ticket(
100
+ mbedtls_ssl_context *ssl,
101
+ const unsigned char *identity,
102
+ size_t identity_len,
103
+ uint32_t obfuscated_ticket_age,
104
+ mbedtls_ssl_session *session)
105
+ {
106
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
107
+ unsigned char *ticket_buffer;
108
+ #if defined(MBEDTLS_HAVE_TIME)
109
+ mbedtls_time_t now;
110
+ uint64_t age_in_s;
111
+ int64_t age_diff_in_ms;
112
+ #endif
113
+
114
+ ((void) obfuscated_ticket_age);
115
+
116
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));
117
+
118
+ /* Ticket parser is not configured, Skip */
119
+ if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
120
+ return 0;
121
+ }
122
+
123
+ /* We create a copy of the encrypted ticket since the ticket parsing
124
+ * function is allowed to use its input buffer as an output buffer
125
+ * (in-place decryption). We do, however, need the original buffer for
126
+ * computing the PSK binder value.
127
+ */
128
+ ticket_buffer = mbedtls_calloc(1, identity_len);
129
+ if (ticket_buffer == NULL) {
130
+ MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
131
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
132
+ }
133
+ memcpy(ticket_buffer, identity, identity_len);
134
+
135
+ if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
136
+ session,
137
+ ticket_buffer, identity_len)) != 0) {
138
+ if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
139
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
140
+ } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
141
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
142
+ } else {
143
+ MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
144
+ }
145
+ }
146
+
147
+ /* We delete the temporary buffer */
148
+ mbedtls_free(ticket_buffer);
149
+
150
+ if (ret != 0) {
151
+ goto exit;
152
+ }
153
+
154
+ /* RFC 8446 section 4.2.9
155
+ *
156
+ * Servers SHOULD NOT send NewSessionTicket with tickets that are not
157
+ * compatible with the advertised modes; however, if a server does so,
158
+ * the impact will just be that the client's attempts at resumption fail.
159
+ *
160
+ * We regard the ticket with incompatible key exchange modes as not match.
161
+ */
162
+ ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
163
+ MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
164
+ session->ticket_flags);
165
+ if (mbedtls_ssl_tls13_check_kex_modes(
166
+ ssl,
167
+ mbedtls_ssl_session_get_ticket_flags(
168
+ session,
169
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
170
+ MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
171
+ goto exit;
172
+ }
173
+
174
+ ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
175
+ #if defined(MBEDTLS_HAVE_TIME)
176
+ now = mbedtls_time(NULL);
177
+
178
+ if (now < session->start) {
179
+ MBEDTLS_SSL_DEBUG_MSG(
180
+ 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
181
+ ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
182
+ (long long) now, (long long) session->start));
183
+ goto exit;
184
+ }
185
+
186
+ age_in_s = (uint64_t) (now - session->start);
187
+
188
+ /* RFC 8446 section 4.6.1
189
+ *
190
+ * Servers MUST NOT use any value greater than 604800 seconds (7 days).
191
+ *
192
+ * RFC 8446 section 4.2.11.1
193
+ *
194
+ * Clients MUST NOT attempt to use tickets which have ages greater than
195
+ * the "ticket_lifetime" value which was provided with the ticket.
196
+ *
197
+ * For time being, the age MUST be less than 604800 seconds (7 days).
198
+ */
199
+ if (age_in_s > 604800) {
200
+ MBEDTLS_SSL_DEBUG_MSG(
201
+ 3, ("Ticket age exceeds limitation ticket_age=%lu",
202
+ (long unsigned int) age_in_s));
203
+ goto exit;
204
+ }
205
+
206
+ /* RFC 8446 section 4.2.10
207
+ *
208
+ * For PSKs provisioned via NewSessionTicket, a server MUST validate that
209
+ * the ticket age for the selected PSK identity (computed by subtracting
210
+ * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
211
+ * within a small tolerance of the time since the ticket was issued.
212
+ *
213
+ * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
214
+ * as the age units are different on the server (s) and in the
215
+ * client (ms) side. Add a -1000 ms tolerance window to take this
216
+ * into account.
217
+ */
218
+ age_diff_in_ms = age_in_s * 1000;
219
+ age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);
220
+ if (age_diff_in_ms <= -1000 ||
221
+ age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
222
+ MBEDTLS_SSL_DEBUG_MSG(
223
+ 3, ("Ticket age outside tolerance window ( diff=%d )",
224
+ (int) age_diff_in_ms));
225
+ goto exit;
226
+ }
227
+
228
+ ret = 0;
229
+
230
+ #endif /* MBEDTLS_HAVE_TIME */
231
+
232
+ exit:
233
+ if (ret != 0) {
234
+ mbedtls_ssl_session_free(session);
235
+ }
236
+
237
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));
238
+ return ret;
239
+ }
240
+ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
241
+
242
+ MBEDTLS_CHECK_RETURN_CRITICAL
243
+ static int ssl_tls13_offered_psks_check_identity_match(
244
+ mbedtls_ssl_context *ssl,
245
+ const unsigned char *identity,
246
+ size_t identity_len,
247
+ uint32_t obfuscated_ticket_age,
248
+ int *psk_type,
249
+ mbedtls_ssl_session *session)
250
+ {
251
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
252
+
253
+ ((void) session);
254
+ ((void) obfuscated_ticket_age);
255
+ *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
256
+
257
+ MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
258
+ ssl->handshake->resume = 0;
259
+
260
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
261
+ if (ssl_tls13_offered_psks_check_identity_match_ticket(
262
+ ssl, identity, identity_len, obfuscated_ticket_age,
263
+ session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
264
+ ssl->handshake->resume = 1;
265
+ *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
266
+ ret = mbedtls_ssl_set_hs_psk(ssl,
267
+ session->resumption_key,
268
+ session->resumption_key_len);
269
+ if (ret != 0) {
270
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
271
+ return ret;
272
+ }
273
+
274
+ MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",
275
+ session->resumption_key,
276
+ session->resumption_key_len);
277
+ MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
278
+ (unsigned) obfuscated_ticket_age));
279
+ return SSL_TLS1_3_OFFERED_PSK_MATCH;
280
+ }
281
+ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
282
+
283
+ /* Check identity with external configured function */
284
+ if (ssl->conf->f_psk != NULL) {
285
+ if (ssl->conf->f_psk(
286
+ ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
287
+ return SSL_TLS1_3_OFFERED_PSK_MATCH;
288
+ }
289
+ return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
290
+ }
291
+
292
+ MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
293
+ /* Check identity with pre-configured psk */
294
+ if (ssl->conf->psk_identity != NULL &&
295
+ identity_len == ssl->conf->psk_identity_len &&
296
+ mbedtls_ct_memcmp(ssl->conf->psk_identity,
297
+ identity, identity_len) == 0) {
298
+ ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);
299
+ if (ret != 0) {
300
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
301
+ return ret;
302
+ }
303
+ return SSL_TLS1_3_OFFERED_PSK_MATCH;
304
+ }
305
+
306
+ return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
307
+ }
308
+
309
+ MBEDTLS_CHECK_RETURN_CRITICAL
310
+ static int ssl_tls13_offered_psks_check_binder_match(
311
+ mbedtls_ssl_context *ssl,
312
+ const unsigned char *binder, size_t binder_len,
313
+ int psk_type, psa_algorithm_t psk_hash_alg)
314
+ {
315
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
316
+
317
+ unsigned char transcript[PSA_HASH_MAX_SIZE];
318
+ size_t transcript_len;
319
+ unsigned char *psk;
320
+ size_t psk_len;
321
+ unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
322
+
323
+ /* Get current state of handshake transcript. */
324
+ ret = mbedtls_ssl_get_handshake_transcript(
325
+ ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
326
+ transcript, sizeof(transcript), &transcript_len);
327
+ if (ret != 0) {
328
+ return ret;
329
+ }
330
+
331
+ ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
332
+ if (ret != 0) {
333
+ return ret;
334
+ }
335
+
336
+ ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,
337
+ psk, psk_len, psk_type,
338
+ transcript,
339
+ server_computed_binder);
340
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
341
+ mbedtls_free((void *) psk);
342
+ #endif
343
+ if (ret != 0) {
344
+ MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
345
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
346
+ }
347
+
348
+ MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",
349
+ server_computed_binder, transcript_len);
350
+ MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
351
+
352
+ if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
353
+ return SSL_TLS1_3_OFFERED_PSK_MATCH;
354
+ }
355
+
356
+ mbedtls_platform_zeroize(server_computed_binder,
357
+ sizeof(server_computed_binder));
358
+ return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
359
+ }
360
+
361
+ MBEDTLS_CHECK_RETURN_CRITICAL
362
+ static int ssl_tls13_select_ciphersuite_for_psk(
363
+ mbedtls_ssl_context *ssl,
364
+ const unsigned char *cipher_suites,
365
+ const unsigned char *cipher_suites_end,
366
+ uint16_t *selected_ciphersuite,
367
+ const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
368
+ {
369
+ psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
370
+
371
+ *selected_ciphersuite = 0;
372
+ *selected_ciphersuite_info = NULL;
373
+
374
+ /* RFC 8446, page 55.
375
+ *
376
+ * For externally established PSKs, the Hash algorithm MUST be set when the
377
+ * PSK is established or default to SHA-256 if no such algorithm is defined.
378
+ *
379
+ */
380
+
381
+ /*
382
+ * Search for a matching ciphersuite
383
+ */
384
+ for (const unsigned char *p = cipher_suites;
385
+ p < cipher_suites_end; p += 2) {
386
+ uint16_t cipher_suite;
387
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
388
+
389
+ cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
390
+ ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
391
+ cipher_suite);
392
+ if (ciphersuite_info == NULL) {
393
+ continue;
394
+ }
395
+
396
+ /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
397
+ * Otherwise, client should reject.
398
+ */
399
+ if (psk_hash_alg == mbedtls_md_psa_alg_from_type(ciphersuite_info->mac)) {
400
+ *selected_ciphersuite = cipher_suite;
401
+ *selected_ciphersuite_info = ciphersuite_info;
402
+ return 0;
403
+ }
404
+ }
405
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite"));
406
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
407
+ }
408
+
409
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
410
+ MBEDTLS_CHECK_RETURN_CRITICAL
411
+ static int ssl_tls13_select_ciphersuite_for_resumption(
412
+ mbedtls_ssl_context *ssl,
413
+ const unsigned char *cipher_suites,
414
+ const unsigned char *cipher_suites_end,
415
+ mbedtls_ssl_session *session,
416
+ uint16_t *selected_ciphersuite,
417
+ const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
418
+ {
419
+
420
+ *selected_ciphersuite = 0;
421
+ *selected_ciphersuite_info = NULL;
422
+ for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) {
423
+ uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
424
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
425
+
426
+ if (cipher_suite != session->ciphersuite) {
427
+ continue;
428
+ }
429
+
430
+ ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
431
+ cipher_suite);
432
+ if (ciphersuite_info == NULL) {
433
+ continue;
434
+ }
435
+
436
+ *selected_ciphersuite = cipher_suite;
437
+ *selected_ciphersuite_info = ciphersuite_info;
438
+
439
+ return 0;
440
+ }
441
+
442
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
443
+ }
444
+
445
+ MBEDTLS_CHECK_RETURN_CRITICAL
446
+ static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
447
+ const mbedtls_ssl_session *src)
448
+ {
449
+ dst->ticket_age_add = src->ticket_age_add;
450
+ dst->ticket_flags = src->ticket_flags;
451
+ dst->resumption_key_len = src->resumption_key_len;
452
+ if (src->resumption_key_len == 0) {
453
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
454
+ }
455
+ memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
456
+
457
+ return 0;
458
+ }
459
+ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
460
+
461
+ /* Parser for pre_shared_key extension in client hello
462
+ * struct {
463
+ * opaque identity<1..2^16-1>;
464
+ * uint32 obfuscated_ticket_age;
465
+ * } PskIdentity;
466
+ *
467
+ * opaque PskBinderEntry<32..255>;
468
+ *
469
+ * struct {
470
+ * PskIdentity identities<7..2^16-1>;
471
+ * PskBinderEntry binders<33..2^16-1>;
472
+ * } OfferedPsks;
473
+ *
474
+ * struct {
475
+ * select (Handshake.msg_type) {
476
+ * case client_hello: OfferedPsks;
477
+ * ....
478
+ * };
479
+ * } PreSharedKeyExtension;
480
+ */
481
+ MBEDTLS_CHECK_RETURN_CRITICAL
482
+ static int ssl_tls13_parse_pre_shared_key_ext(
483
+ mbedtls_ssl_context *ssl,
484
+ const unsigned char *pre_shared_key_ext,
485
+ const unsigned char *pre_shared_key_ext_end,
486
+ const unsigned char *ciphersuites,
487
+ const unsigned char *ciphersuites_end)
488
+ {
489
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
490
+ const unsigned char *identities = pre_shared_key_ext;
491
+ const unsigned char *p_identity_len;
492
+ size_t identities_len;
493
+ const unsigned char *identities_end;
494
+ const unsigned char *binders;
495
+ const unsigned char *p_binder_len;
496
+ size_t binders_len;
497
+ const unsigned char *binders_end;
498
+ int matched_identity = -1;
499
+ int identity_id = -1;
500
+
501
+ MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",
502
+ pre_shared_key_ext,
503
+ pre_shared_key_ext_end - pre_shared_key_ext);
504
+
505
+ /* identities_len 2 bytes
506
+ * identities_data >= 7 bytes
507
+ */
508
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);
509
+ identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);
510
+ p_identity_len = identities + 2;
511
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,
512
+ identities_len);
513
+ identities_end = p_identity_len + identities_len;
514
+
515
+ /* binders_len 2 bytes
516
+ * binders >= 33 bytes
517
+ */
518
+ binders = identities_end;
519
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);
520
+ binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);
521
+ p_binder_len = binders + 2;
522
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
523
+ binders_end = p_binder_len + binders_len;
524
+
525
+ ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
526
+ identities_end - pre_shared_key_ext);
527
+ if (0 != ret) {
528
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
529
+ return ret;
530
+ }
531
+
532
+ while (p_identity_len < identities_end && p_binder_len < binders_end) {
533
+ const unsigned char *identity;
534
+ size_t identity_len;
535
+ uint32_t obfuscated_ticket_age;
536
+ const unsigned char *binder;
537
+ size_t binder_len;
538
+ int psk_type;
539
+ uint16_t cipher_suite;
540
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
541
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
542
+ mbedtls_ssl_session session;
543
+ mbedtls_ssl_session_init(&session);
544
+ #endif
545
+
546
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
547
+ identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
548
+ identity = p_identity_len + 2;
549
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);
550
+ obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);
551
+ p_identity_len += identity_len + 6;
552
+
553
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);
554
+ binder_len = *p_binder_len;
555
+ binder = p_binder_len + 1;
556
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);
557
+ p_binder_len += binder_len + 1;
558
+
559
+ identity_id++;
560
+ if (matched_identity != -1) {
561
+ continue;
562
+ }
563
+
564
+ ret = ssl_tls13_offered_psks_check_identity_match(
565
+ ssl, identity, identity_len, obfuscated_ticket_age,
566
+ &psk_type, &session);
567
+ if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
568
+ continue;
569
+ }
570
+
571
+ MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
572
+ switch (psk_type) {
573
+ case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
574
+ ret = ssl_tls13_select_ciphersuite_for_psk(
575
+ ssl, ciphersuites, ciphersuites_end,
576
+ &cipher_suite, &ciphersuite_info);
577
+ break;
578
+ case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
579
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
580
+ ret = ssl_tls13_select_ciphersuite_for_resumption(
581
+ ssl, ciphersuites, ciphersuites_end, &session,
582
+ &cipher_suite, &ciphersuite_info);
583
+ if (ret != 0) {
584
+ mbedtls_ssl_session_free(&session);
585
+ }
586
+ #else
587
+ ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
588
+ #endif
589
+ break;
590
+ default:
591
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
592
+ }
593
+ if (ret != 0) {
594
+ /* See below, no cipher_suite available, abort handshake */
595
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
596
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
597
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
598
+ MBEDTLS_SSL_DEBUG_RET(
599
+ 2, "ssl_tls13_select_ciphersuite", ret);
600
+ return ret;
601
+ }
602
+
603
+ ret = ssl_tls13_offered_psks_check_binder_match(
604
+ ssl, binder, binder_len, psk_type,
605
+ mbedtls_md_psa_alg_from_type(ciphersuite_info->mac));
606
+ if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
607
+ /* For security reasons, the handshake should be aborted when we
608
+ * fail to validate a binder value. See RFC 8446 section 4.2.11.2
609
+ * and appendix E.6. */
610
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
611
+ mbedtls_ssl_session_free(&session);
612
+ #endif
613
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
614
+ MBEDTLS_SSL_DEBUG_RET(
615
+ 1, "ssl_tls13_offered_psks_check_binder_match", ret);
616
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
617
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
618
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
619
+ return ret;
620
+ }
621
+
622
+ matched_identity = identity_id;
623
+
624
+ /* Update handshake parameters */
625
+ ssl->handshake->ciphersuite_info = ciphersuite_info;
626
+ ssl->session_negotiate->ciphersuite = cipher_suite;
627
+ MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s",
628
+ cipher_suite, ciphersuite_info->name));
629
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
630
+ if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
631
+ ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
632
+ &session);
633
+ mbedtls_ssl_session_free(&session);
634
+ if (ret != 0) {
635
+ return ret;
636
+ }
637
+ }
638
+ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
639
+ }
640
+
641
+ if (p_identity_len != identities_end || p_binder_len != binders_end) {
642
+ MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));
643
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
644
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
645
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
646
+ }
647
+
648
+ /* Update the handshake transcript with the binder list. */
649
+ ret = ssl->handshake->update_checksum(
650
+ ssl, identities_end, (size_t) (binders_end - identities_end));
651
+ if (0 != ret) {
652
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
653
+ return ret;
654
+ }
655
+ if (matched_identity == -1) {
656
+ MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
657
+ return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
658
+ }
659
+
660
+ ssl->handshake->selected_identity = (uint16_t) matched_identity;
661
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));
662
+
663
+ return 0;
664
+ }
665
+
666
+ /*
667
+ * struct {
668
+ * select ( Handshake.msg_type ) {
669
+ * ....
670
+ * case server_hello:
671
+ * uint16 selected_identity;
672
+ * }
673
+ * } PreSharedKeyExtension;
674
+ */
675
+ static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
676
+ unsigned char *buf,
677
+ unsigned char *end,
678
+ size_t *olen)
679
+ {
680
+ unsigned char *p = (unsigned char *) buf;
681
+
682
+ *olen = 0;
683
+
684
+ int not_using_psk = 0;
685
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
686
+ not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
687
+ #else
688
+ not_using_psk = (ssl->handshake->psk == NULL);
689
+ #endif
690
+ if (not_using_psk) {
691
+ /* We shouldn't have called this extension writer unless we've
692
+ * chosen to use a PSK. */
693
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
694
+ }
695
+
696
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));
697
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
698
+
699
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);
700
+ MBEDTLS_PUT_UINT16_BE(2, p, 2);
701
+
702
+ MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);
703
+
704
+ *olen = 6;
705
+
706
+ MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",
707
+ ssl->handshake->selected_identity));
708
+
709
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
710
+
711
+ return 0;
712
+ }
713
+
714
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
715
+
716
+ /* From RFC 8446:
717
+ * struct {
718
+ * ProtocolVersion versions<2..254>;
719
+ * } SupportedVersions;
720
+ */
721
+ MBEDTLS_CHECK_RETURN_CRITICAL
722
+ static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
723
+ const unsigned char *buf,
724
+ const unsigned char *end)
725
+ {
726
+ const unsigned char *p = buf;
727
+ size_t versions_len;
728
+ const unsigned char *versions_end;
729
+ uint16_t tls_version;
730
+ int found_supported_version = 0;
731
+
732
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
733
+ versions_len = p[0];
734
+ p += 1;
735
+
736
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);
737
+ versions_end = p + versions_len;
738
+ while (p < versions_end) {
739
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);
740
+ tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);
741
+ p += 2;
742
+
743
+ if (MBEDTLS_SSL_VERSION_TLS1_3 == tls_version) {
744
+ found_supported_version = 1;
745
+ break;
746
+ }
747
+
748
+ if ((MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) &&
749
+ mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
750
+ found_supported_version = 1;
751
+ break;
752
+ }
753
+ }
754
+
755
+ if (!found_supported_version) {
756
+ MBEDTLS_SSL_DEBUG_MSG(1, ("No supported version found."));
757
+
758
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
759
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
760
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
761
+ }
762
+
763
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version: [%04x]",
764
+ (unsigned int) tls_version));
765
+
766
+ return (int) tls_version;
767
+ }
768
+
769
+ #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
770
+ /*
771
+ *
772
+ * From RFC 8446:
773
+ * enum {
774
+ * ... (0xFFFF)
775
+ * } NamedGroup;
776
+ * struct {
777
+ * NamedGroup named_group_list<2..2^16-1>;
778
+ * } NamedGroupList;
779
+ */
780
+ MBEDTLS_CHECK_RETURN_CRITICAL
781
+ static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
782
+ const unsigned char *buf,
783
+ const unsigned char *end)
784
+ {
785
+ const unsigned char *p = buf;
786
+ size_t named_group_list_len;
787
+ const unsigned char *named_group_list_end;
788
+
789
+ MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);
790
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
791
+ named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
792
+ p += 2;
793
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);
794
+ named_group_list_end = p + named_group_list_len;
795
+ ssl->handshake->hrr_selected_group = 0;
796
+
797
+ while (p < named_group_list_end) {
798
+ uint16_t named_group;
799
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);
800
+ named_group = MBEDTLS_GET_UINT16_BE(p, 0);
801
+ p += 2;
802
+
803
+ MBEDTLS_SSL_DEBUG_MSG(2,
804
+ ("got named group: %s(%04x)",
805
+ mbedtls_ssl_named_group_to_str(named_group),
806
+ named_group));
807
+
808
+ if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||
809
+ !mbedtls_ssl_named_group_is_supported(named_group) ||
810
+ ssl->handshake->hrr_selected_group != 0) {
811
+ continue;
812
+ }
813
+
814
+ MBEDTLS_SSL_DEBUG_MSG(2,
815
+ ("add named group %s(%04x) into received list.",
816
+ mbedtls_ssl_named_group_to_str(named_group),
817
+ named_group));
818
+
819
+ ssl->handshake->hrr_selected_group = named_group;
820
+ }
821
+
822
+ return 0;
823
+
824
+ }
825
+ #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
826
+
827
+ #define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
828
+
829
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
830
+ /*
831
+ * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
832
+ * extension is correct and stores the first acceptable key share and its
833
+ * associated group.
834
+ *
835
+ * Possible return values are:
836
+ * - 0: Successful processing of the client provided key share extension.
837
+ * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
838
+ * the client does not match a group supported by the server. A
839
+ * HelloRetryRequest will be needed.
840
+ * - A negative value for fatal errors.
841
+ */
842
+ MBEDTLS_CHECK_RETURN_CRITICAL
843
+ static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
844
+ const unsigned char *buf,
845
+ const unsigned char *end)
846
+ {
847
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
848
+ unsigned char const *p = buf;
849
+ unsigned char const *client_shares_end;
850
+ size_t client_shares_len;
851
+
852
+ /* From RFC 8446:
853
+ *
854
+ * struct {
855
+ * KeyShareEntry client_shares<0..2^16-1>;
856
+ * } KeyShareClientHello;
857
+ *
858
+ */
859
+
860
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
861
+ client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);
862
+ p += 2;
863
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);
864
+
865
+ ssl->handshake->offered_group_id = 0;
866
+ client_shares_end = p + client_shares_len;
867
+
868
+ /* We try to find a suitable key share entry and copy it to the
869
+ * handshake context. Later, we have to find out whether we can do
870
+ * something with the provided key share or whether we have to
871
+ * dismiss it and send a HelloRetryRequest message.
872
+ */
873
+
874
+ while (p < client_shares_end) {
875
+ uint16_t group;
876
+ size_t key_exchange_len;
877
+ const unsigned char *key_exchange;
878
+
879
+ /*
880
+ * struct {
881
+ * NamedGroup group;
882
+ * opaque key_exchange<1..2^16-1>;
883
+ * } KeyShareEntry;
884
+ */
885
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);
886
+ group = MBEDTLS_GET_UINT16_BE(p, 0);
887
+ key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);
888
+ p += 4;
889
+ key_exchange = p;
890
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);
891
+ p += key_exchange_len;
892
+
893
+ /* Continue parsing even if we have already found a match,
894
+ * for input validation purposes.
895
+ */
896
+ if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||
897
+ !mbedtls_ssl_named_group_is_supported(group) ||
898
+ ssl->handshake->offered_group_id != 0) {
899
+ continue;
900
+ }
901
+
902
+ /*
903
+ * ECDHE and FFDHE groups are supported
904
+ */
905
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
906
+ mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
907
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
908
+ mbedtls_ssl_named_group_to_str(group),
909
+ group));
910
+ ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
911
+ ssl, key_exchange - 2, key_exchange_len + 2);
912
+ if (ret != 0) {
913
+ return ret;
914
+ }
915
+
916
+ } else {
917
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",
918
+ (unsigned) group));
919
+ continue;
920
+ }
921
+
922
+ ssl->handshake->offered_group_id = group;
923
+ }
924
+
925
+
926
+ if (ssl->handshake->offered_group_id == 0) {
927
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));
928
+ return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;
929
+ }
930
+ return 0;
931
+ }
932
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
933
+
934
+ MBEDTLS_CHECK_RETURN_CRITICAL
935
+ static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
936
+ int exts_mask)
937
+ {
938
+ int masked = ssl->handshake->received_extensions & exts_mask;
939
+ return masked == exts_mask;
940
+ }
941
+
942
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
943
+ MBEDTLS_CHECK_RETURN_CRITICAL
944
+ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
945
+ mbedtls_ssl_context *ssl)
946
+ {
947
+ return ssl_tls13_client_hello_has_exts(
948
+ ssl,
949
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
950
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
951
+ MBEDTLS_SSL_EXT_MASK(SIG_ALG));
952
+ }
953
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
954
+
955
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
956
+ MBEDTLS_CHECK_RETURN_CRITICAL
957
+ static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
958
+ mbedtls_ssl_context *ssl)
959
+ {
960
+ return ssl_tls13_client_hello_has_exts(
961
+ ssl,
962
+ MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
963
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
964
+ }
965
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
966
+
967
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
968
+ MBEDTLS_CHECK_RETURN_CRITICAL
969
+ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
970
+ mbedtls_ssl_context *ssl)
971
+ {
972
+ return ssl_tls13_client_hello_has_exts(
973
+ ssl,
974
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
975
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
976
+ MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
977
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
978
+ }
979
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
980
+
981
+ MBEDTLS_CHECK_RETURN_CRITICAL
982
+ static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
983
+ {
984
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
985
+ return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
986
+ ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
987
+ #else
988
+ ((void) ssl);
989
+ return 0;
990
+ #endif
991
+ }
992
+
993
+ MBEDTLS_CHECK_RETURN_CRITICAL
994
+ static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
995
+ {
996
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
997
+ return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
998
+ mbedtls_ssl_tls13_psk_enabled(ssl) &&
999
+ ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
1000
+ #else
1001
+ ((void) ssl);
1002
+ return 0;
1003
+ #endif
1004
+ }
1005
+
1006
+ MBEDTLS_CHECK_RETURN_CRITICAL
1007
+ static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
1008
+ {
1009
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
1010
+ return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
1011
+ mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
1012
+ ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
1013
+ #else
1014
+ ((void) ssl);
1015
+ return 0;
1016
+ #endif
1017
+ }
1018
+
1019
+ static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
1020
+ {
1021
+ /*
1022
+ * Determine the key exchange algorithm to use.
1023
+ * There are three types of key exchanges supported in TLS 1.3:
1024
+ * - (EC)DH with ECDSA,
1025
+ * - (EC)DH with PSK,
1026
+ * - plain PSK.
1027
+ *
1028
+ * The PSK-based key exchanges may additionally be used with 0-RTT.
1029
+ *
1030
+ * Our built-in order of preference is
1031
+ * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1032
+ * 2 ) Certificate Mode ( ephemeral )
1033
+ * 3 ) Plain PSK Mode ( psk )
1034
+ */
1035
+
1036
+ ssl->handshake->key_exchange_mode =
1037
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1038
+
1039
+ if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
1040
+ ssl->handshake->key_exchange_mode =
1041
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1042
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
1043
+ } else
1044
+ if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {
1045
+ ssl->handshake->key_exchange_mode =
1046
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1047
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
1048
+ } else
1049
+ if (ssl_tls13_check_psk_key_exchange(ssl)) {
1050
+ ssl->handshake->key_exchange_mode =
1051
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1052
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
1053
+ } else {
1054
+ MBEDTLS_SSL_DEBUG_MSG(
1055
+ 1,
1056
+ ("ClientHello message misses mandatory extensions."));
1057
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
1058
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1059
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1060
+ }
1061
+
1062
+ return 0;
1063
+
1064
+ }
1065
+
1066
+ #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1067
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1068
+
1069
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
1070
+ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
1071
+ {
1072
+ switch (sig_alg) {
1073
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1074
+ return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
1075
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1076
+ return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
1077
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1078
+ return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
1079
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
1080
+ return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
1081
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
1082
+ return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
1083
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
1084
+ return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
1085
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
1086
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
1087
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
1088
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);
1089
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
1090
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);
1091
+ default:
1092
+ return PSA_ALG_NONE;
1093
+ }
1094
+ }
1095
+ #endif /* MBEDTLS_USE_PSA_CRYPTO */
1096
+
1097
+ /*
1098
+ * Pick best ( private key, certificate chain ) pair based on the signature
1099
+ * algorithms supported by the client.
1100
+ */
1101
+ MBEDTLS_CHECK_RETURN_CRITICAL
1102
+ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
1103
+ {
1104
+ mbedtls_ssl_key_cert *key_cert, *key_cert_list;
1105
+ const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
1106
+
1107
+ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1108
+ if (ssl->handshake->sni_key_cert != NULL) {
1109
+ key_cert_list = ssl->handshake->sni_key_cert;
1110
+ } else
1111
+ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1112
+ key_cert_list = ssl->conf->key_cert;
1113
+
1114
+ if (key_cert_list == NULL) {
1115
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
1116
+ return -1;
1117
+ }
1118
+
1119
+ for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
1120
+ if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
1121
+ continue;
1122
+ }
1123
+
1124
+ if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
1125
+ continue;
1126
+ }
1127
+
1128
+ for (key_cert = key_cert_list; key_cert != NULL;
1129
+ key_cert = key_cert->next) {
1130
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
1131
+ psa_algorithm_t psa_alg = PSA_ALG_NONE;
1132
+ #endif /* MBEDTLS_USE_PSA_CRYPTO */
1133
+
1134
+ MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
1135
+ key_cert->cert);
1136
+
1137
+ /*
1138
+ * This avoids sending the client a cert it'll reject based on
1139
+ * keyUsage or other extensions.
1140
+ */
1141
+ if (mbedtls_x509_crt_check_key_usage(
1142
+ key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||
1143
+ mbedtls_x509_crt_check_extended_key_usage(
1144
+ key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1145
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {
1146
+ MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
1147
+ "(extended) key usage extension"));
1148
+ continue;
1149
+ }
1150
+
1151
+ MBEDTLS_SSL_DEBUG_MSG(3,
1152
+ ("ssl_tls13_pick_key_cert:"
1153
+ "check signature algorithm %s [%04x]",
1154
+ mbedtls_ssl_sig_alg_to_str(*sig_alg),
1155
+ *sig_alg));
1156
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
1157
+ psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
1158
+ #endif /* MBEDTLS_USE_PSA_CRYPTO */
1159
+
1160
+ if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
1161
+ *sig_alg, &key_cert->cert->pk)
1162
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
1163
+ && psa_alg != PSA_ALG_NONE &&
1164
+ mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
1165
+ PSA_KEY_USAGE_SIGN_HASH) == 1
1166
+ #endif /* MBEDTLS_USE_PSA_CRYPTO */
1167
+ ) {
1168
+ ssl->handshake->key_cert = key_cert;
1169
+ MBEDTLS_SSL_DEBUG_MSG(3,
1170
+ ("ssl_tls13_pick_key_cert:"
1171
+ "selected signature algorithm"
1172
+ " %s [%04x]",
1173
+ mbedtls_ssl_sig_alg_to_str(*sig_alg),
1174
+ *sig_alg));
1175
+ MBEDTLS_SSL_DEBUG_CRT(
1176
+ 3, "selected certificate (chain)",
1177
+ ssl->handshake->key_cert->cert);
1178
+ return 0;
1179
+ }
1180
+ }
1181
+ }
1182
+
1183
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"
1184
+ "no suitable certificate found"));
1185
+ return -1;
1186
+ }
1187
+ #endif /* MBEDTLS_X509_CRT_PARSE_C &&
1188
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1189
+
1190
+ /*
1191
+ *
1192
+ * STATE HANDLING: ClientHello
1193
+ *
1194
+ * There are three possible classes of outcomes when parsing the ClientHello:
1195
+ *
1196
+ * 1) The ClientHello was well-formed and matched the server's configuration.
1197
+ *
1198
+ * In this case, the server progresses to sending its ServerHello.
1199
+ *
1200
+ * 2) The ClientHello was well-formed but didn't match the server's
1201
+ * configuration.
1202
+ *
1203
+ * For example, the client might not have offered a key share which
1204
+ * the server supports, or the server might require a cookie.
1205
+ *
1206
+ * In this case, the server sends a HelloRetryRequest.
1207
+ *
1208
+ * 3) The ClientHello was ill-formed
1209
+ *
1210
+ * In this case, we abort the handshake.
1211
+ *
1212
+ */
1213
+
1214
+ /*
1215
+ * Structure of this message:
1216
+ *
1217
+ * uint16 ProtocolVersion;
1218
+ * opaque Random[32];
1219
+ * uint8 CipherSuite[2]; // Cryptographic suite selector
1220
+ *
1221
+ * struct {
1222
+ * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1223
+ * Random random;
1224
+ * opaque legacy_session_id<0..32>;
1225
+ * CipherSuite cipher_suites<2..2^16-2>;
1226
+ * opaque legacy_compression_methods<1..2^8-1>;
1227
+ * Extension extensions<8..2^16-1>;
1228
+ * } ClientHello;
1229
+ */
1230
+
1231
+ #define SSL_CLIENT_HELLO_OK 0
1232
+ #define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1233
+ #define SSL_CLIENT_HELLO_TLS1_2 2
1234
+
1235
+ MBEDTLS_CHECK_RETURN_CRITICAL
1236
+ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
1237
+ const unsigned char *buf,
1238
+ const unsigned char *end)
1239
+ {
1240
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1241
+ const unsigned char *p = buf;
1242
+ const unsigned char *random;
1243
+ size_t legacy_session_id_len;
1244
+ const unsigned char *legacy_session_id;
1245
+ size_t cipher_suites_len;
1246
+ const unsigned char *cipher_suites;
1247
+ const unsigned char *cipher_suites_end;
1248
+ size_t extensions_len;
1249
+ const unsigned char *extensions_end;
1250
+ const unsigned char *supported_versions_data;
1251
+ const unsigned char *supported_versions_data_end;
1252
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1253
+ int hrr_required = 0;
1254
+ int no_usable_share_for_key_agreement = 0;
1255
+
1256
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1257
+ const unsigned char *pre_shared_key_ext = NULL;
1258
+ const unsigned char *pre_shared_key_ext_end = NULL;
1259
+ #endif
1260
+
1261
+ /*
1262
+ * ClientHello layout:
1263
+ * 0 . 1 protocol version
1264
+ * 2 . 33 random bytes
1265
+ * 34 . 34 session id length ( 1 byte )
1266
+ * 35 . 34+x session id
1267
+ * .. . .. ciphersuite list length ( 2 bytes )
1268
+ * .. . .. ciphersuite list
1269
+ * .. . .. compression alg. list length ( 1 byte )
1270
+ * .. . .. compression alg. list
1271
+ * .. . .. extensions length ( 2 bytes, optional )
1272
+ * .. . .. extensions ( optional )
1273
+ */
1274
+
1275
+ /*
1276
+ * Minimal length ( with everything empty and extensions omitted ) is
1277
+ * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1278
+ * read at least up to session id length without worrying.
1279
+ */
1280
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);
1281
+
1282
+ /* ...
1283
+ * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1284
+ * ...
1285
+ * with ProtocolVersion defined as:
1286
+ * uint16 ProtocolVersion;
1287
+ */
1288
+ if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1289
+ MBEDTLS_SSL_VERSION_TLS1_2) {
1290
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1291
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1292
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1293
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1294
+ }
1295
+ p += 2;
1296
+
1297
+ /* ...
1298
+ * Random random;
1299
+ * ...
1300
+ * with Random defined as:
1301
+ * opaque Random[32];
1302
+ */
1303
+ random = p;
1304
+ p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1305
+
1306
+ /* ...
1307
+ * opaque legacy_session_id<0..32>;
1308
+ * ...
1309
+ */
1310
+ legacy_session_id_len = *(p++);
1311
+ legacy_session_id = p;
1312
+
1313
+ /*
1314
+ * Check we have enough data for the legacy session identifier
1315
+ * and the ciphersuite list length.
1316
+ */
1317
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
1318
+ p += legacy_session_id_len;
1319
+
1320
+ /* ...
1321
+ * CipherSuite cipher_suites<2..2^16-2>;
1322
+ * ...
1323
+ * with CipherSuite defined as:
1324
+ * uint8 CipherSuite[2];
1325
+ */
1326
+ cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
1327
+ p += 2;
1328
+ cipher_suites = p;
1329
+
1330
+ /*
1331
+ * The length of the ciphersuite list has to be even.
1332
+ */
1333
+ if (cipher_suites_len & 1) {
1334
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1335
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
1336
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
1337
+ }
1338
+
1339
+ /* Check we have enough data for the ciphersuite list, the legacy
1340
+ * compression methods and the length of the extensions.
1341
+ *
1342
+ * cipher_suites cipher_suites_len bytes
1343
+ * legacy_compression_methods 2 bytes
1344
+ * extensions_len 2 bytes
1345
+ */
1346
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
1347
+ p += cipher_suites_len;
1348
+ cipher_suites_end = p;
1349
+
1350
+ /*
1351
+ * Search for the supported versions extension and parse it to determine
1352
+ * if the client supports TLS 1.3.
1353
+ */
1354
+ ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1355
+ ssl, p + 2, end,
1356
+ &supported_versions_data, &supported_versions_data_end);
1357
+ if (ret < 0) {
1358
+ MBEDTLS_SSL_DEBUG_RET(1,
1359
+ ("mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts"), ret);
1360
+ return ret;
1361
+ }
1362
+
1363
+ if (ret == 0) {
1364
+ return SSL_CLIENT_HELLO_TLS1_2;
1365
+ }
1366
+
1367
+ if (ret == 1) {
1368
+ ret = ssl_tls13_parse_supported_versions_ext(ssl,
1369
+ supported_versions_data,
1370
+ supported_versions_data_end);
1371
+ if (ret < 0) {
1372
+ MBEDTLS_SSL_DEBUG_RET(1,
1373
+ ("ssl_tls13_parse_supported_versions_ext"), ret);
1374
+ return ret;
1375
+ }
1376
+
1377
+ /*
1378
+ * The supported versions extension was parsed successfully as the
1379
+ * value returned by ssl_tls13_parse_supported_versions_ext() is
1380
+ * positive. The return value is then equal to
1381
+ * MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3, defining
1382
+ * the TLS version to negotiate.
1383
+ */
1384
+ if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
1385
+ return SSL_CLIENT_HELLO_TLS1_2;
1386
+ }
1387
+ }
1388
+
1389
+ /*
1390
+ * We negotiate TLS 1.3.
1391
+ */
1392
+ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1393
+
1394
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1395
+ /* Store minor version for later use with ticket serialization. */
1396
+ ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1397
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1398
+ #endif
1399
+
1400
+ /*
1401
+ * We are negotiating the version 1.3 of the protocol. Do what we have
1402
+ * postponed: copy of the client random bytes, copy of the legacy session
1403
+ * identifier and selection of the TLS 1.3 cipher suite.
1404
+ */
1405
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
1406
+ random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1407
+ memcpy(&handshake->randbytes[0], random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1408
+
1409
+ if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {
1410
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1411
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
1412
+ }
1413
+ ssl->session_negotiate->id_len = legacy_session_id_len;
1414
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1415
+ legacy_session_id, legacy_session_id_len);
1416
+ memcpy(&ssl->session_negotiate->id[0],
1417
+ legacy_session_id, legacy_session_id_len);
1418
+
1419
+ /*
1420
+ * Search for a matching ciphersuite
1421
+ */
1422
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
1423
+ cipher_suites, cipher_suites_len);
1424
+ for (const unsigned char *cipher_suites_p = cipher_suites;
1425
+ cipher_suites_p < cipher_suites_end; cipher_suites_p += 2) {
1426
+ uint16_t cipher_suite;
1427
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1428
+
1429
+ /*
1430
+ * "cipher_suites_end - cipher_suites_p is even" is an invariant of the
1431
+ * loop. As cipher_suites_end - cipher_suites_p > 0, we have
1432
+ * cipher_suites_end - cipher_suites_p >= 2 and it is thus safe to read
1433
+ * two bytes.
1434
+ */
1435
+ cipher_suite = MBEDTLS_GET_UINT16_BE(cipher_suites_p, 0);
1436
+ ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
1437
+ ssl, cipher_suite);
1438
+ if (ciphersuite_info == NULL) {
1439
+ continue;
1440
+ }
1441
+
1442
+ ssl->session_negotiate->ciphersuite = cipher_suite;
1443
+ handshake->ciphersuite_info = ciphersuite_info;
1444
+ MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
1445
+ cipher_suite,
1446
+ ciphersuite_info->name));
1447
+ break;
1448
+ }
1449
+
1450
+ if (handshake->ciphersuite_info == NULL) {
1451
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1452
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1453
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1454
+ }
1455
+
1456
+ /* ...
1457
+ * opaque legacy_compression_methods<1..2^8-1>;
1458
+ * ...
1459
+ */
1460
+ if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {
1461
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1462
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1463
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1464
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1465
+ }
1466
+ p += 2;
1467
+
1468
+ /* ...
1469
+ * Extension extensions<8..2^16-1>;
1470
+ * ...
1471
+ * with Extension defined as:
1472
+ * struct {
1473
+ * ExtensionType extension_type;
1474
+ * opaque extension_data<0..2^16-1>;
1475
+ * } Extension;
1476
+ */
1477
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
1478
+ p += 2;
1479
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
1480
+ extensions_end = p + extensions_len;
1481
+
1482
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
1483
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1484
+
1485
+ while (p < extensions_end) {
1486
+ unsigned int extension_type;
1487
+ size_t extension_data_len;
1488
+ const unsigned char *extension_data_end;
1489
+
1490
+ /* RFC 8446, section 4.2.11
1491
+ *
1492
+ * The "pre_shared_key" extension MUST be the last extension in the
1493
+ * ClientHello (this facilitates implementation as described below).
1494
+ * Servers MUST check that it is the last extension and otherwise fail
1495
+ * the handshake with an "illegal_parameter" alert.
1496
+ */
1497
+ if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
1498
+ MBEDTLS_SSL_DEBUG_MSG(
1499
+ 3, ("pre_shared_key is not last extension."));
1500
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
1501
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1502
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1503
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1504
+ }
1505
+
1506
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1507
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1508
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
1509
+ p += 4;
1510
+
1511
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
1512
+ extension_data_end = p + extension_data_len;
1513
+
1514
+ ret = mbedtls_ssl_tls13_check_received_extension(
1515
+ ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
1516
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
1517
+ if (ret != 0) {
1518
+ return ret;
1519
+ }
1520
+
1521
+ switch (extension_type) {
1522
+ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1523
+ case MBEDTLS_TLS_EXT_SERVERNAME:
1524
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1525
+ ret = mbedtls_ssl_parse_server_name_ext(ssl, p,
1526
+ extension_data_end);
1527
+ if (ret != 0) {
1528
+ MBEDTLS_SSL_DEBUG_RET(
1529
+ 1, "mbedtls_ssl_parse_servername_ext", ret);
1530
+ return ret;
1531
+ }
1532
+ break;
1533
+ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1534
+
1535
+ #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
1536
+ case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1537
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
1538
+
1539
+ /* Supported Groups Extension
1540
+ *
1541
+ * When sent by the client, the "supported_groups" extension
1542
+ * indicates the named groups which the client supports,
1543
+ * ordered from most preferred to least preferred.
1544
+ */
1545
+ ret = ssl_tls13_parse_supported_groups_ext(
1546
+ ssl, p, extension_data_end);
1547
+ if (ret != 0) {
1548
+ MBEDTLS_SSL_DEBUG_RET(
1549
+ 1, "ssl_tls13_parse_supported_groups_ext", ret);
1550
+ return ret;
1551
+ }
1552
+
1553
+ break;
1554
+ #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/
1555
+
1556
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1557
+ case MBEDTLS_TLS_EXT_KEY_SHARE:
1558
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
1559
+
1560
+ /*
1561
+ * Key Share Extension
1562
+ *
1563
+ * When sent by the client, the "key_share" extension
1564
+ * contains the endpoint's cryptographic parameters for
1565
+ * ECDHE/DHE key establishment methods.
1566
+ */
1567
+ ret = ssl_tls13_parse_key_shares_ext(
1568
+ ssl, p, extension_data_end);
1569
+ if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
1570
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement."));
1571
+ no_usable_share_for_key_agreement = 1;
1572
+ }
1573
+
1574
+ if (ret < 0) {
1575
+ MBEDTLS_SSL_DEBUG_RET(
1576
+ 1, "ssl_tls13_parse_key_shares_ext", ret);
1577
+ return ret;
1578
+ }
1579
+
1580
+ break;
1581
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1582
+
1583
+ case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1584
+ /* Already parsed */
1585
+ break;
1586
+
1587
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1588
+ case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1589
+ MBEDTLS_SSL_DEBUG_MSG(
1590
+ 3, ("found psk key exchange modes extension"));
1591
+
1592
+ ret = ssl_tls13_parse_key_exchange_modes_ext(
1593
+ ssl, p, extension_data_end);
1594
+ if (ret != 0) {
1595
+ MBEDTLS_SSL_DEBUG_RET(
1596
+ 1, "ssl_tls13_parse_key_exchange_modes_ext", ret);
1597
+ return ret;
1598
+ }
1599
+
1600
+ break;
1601
+ #endif
1602
+
1603
+ case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1604
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1605
+ if ((handshake->received_extensions &
1606
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {
1607
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
1608
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1609
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1610
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1611
+ }
1612
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1613
+ /* Delay processing of the PSK identity once we have
1614
+ * found out which algorithms to use. We keep a pointer
1615
+ * to the buffer and the size for later processing.
1616
+ */
1617
+ pre_shared_key_ext = p;
1618
+ pre_shared_key_ext_end = extension_data_end;
1619
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1620
+ break;
1621
+
1622
+ #if defined(MBEDTLS_SSL_ALPN)
1623
+ case MBEDTLS_TLS_EXT_ALPN:
1624
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1625
+
1626
+ ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);
1627
+ if (ret != 0) {
1628
+ MBEDTLS_SSL_DEBUG_RET(
1629
+ 1, ("mbedtls_ssl_parse_alpn_ext"), ret);
1630
+ return ret;
1631
+ }
1632
+ break;
1633
+ #endif /* MBEDTLS_SSL_ALPN */
1634
+
1635
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1636
+ case MBEDTLS_TLS_EXT_SIG_ALG:
1637
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1638
+
1639
+ ret = mbedtls_ssl_parse_sig_alg_ext(
1640
+ ssl, p, extension_data_end);
1641
+ if (ret != 0) {
1642
+ MBEDTLS_SSL_DEBUG_RET(
1643
+ 1, "mbedtls_ssl_parse_sig_alg_ext", ret);
1644
+ return ret;
1645
+ }
1646
+ break;
1647
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1648
+
1649
+ #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1650
+ case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
1651
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
1652
+
1653
+ ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
1654
+ ssl, p, extension_data_end);
1655
+
1656
+ /*
1657
+ * TODO: Return unconditionally here until we handle the record
1658
+ * size limit correctly.
1659
+ * Once handled correctly, only return in case of errors.
1660
+ */
1661
+ return ret;
1662
+
1663
+ break;
1664
+ #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1665
+
1666
+ default:
1667
+ MBEDTLS_SSL_PRINT_EXT(
1668
+ 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1669
+ extension_type, "( ignored )");
1670
+ break;
1671
+ }
1672
+
1673
+ p += extension_data_len;
1674
+ }
1675
+
1676
+ MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1677
+ handshake->received_extensions);
1678
+
1679
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
1680
+ MBEDTLS_SSL_HS_CLIENT_HELLO,
1681
+ p - buf);
1682
+ if (0 != ret) {
1683
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
1684
+ return ret;
1685
+ }
1686
+
1687
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1688
+ /* Update checksum with either
1689
+ * - The entire content of the CH message, if no PSK extension is present
1690
+ * - The content up to but excluding the PSK extension, if present.
1691
+ */
1692
+ /* If we've settled on a PSK-based exchange, parse PSK identity ext */
1693
+ if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
1694
+ mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
1695
+ (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
1696
+ ret = handshake->update_checksum(ssl, buf,
1697
+ pre_shared_key_ext - buf);
1698
+ if (0 != ret) {
1699
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1700
+ return ret;
1701
+ }
1702
+ ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
1703
+ pre_shared_key_ext,
1704
+ pre_shared_key_ext_end,
1705
+ cipher_suites,
1706
+ cipher_suites_end);
1707
+ if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
1708
+ handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY);
1709
+ } else if (ret != 0) {
1710
+ MBEDTLS_SSL_DEBUG_RET(
1711
+ 1, "ssl_tls13_parse_pre_shared_key_ext", ret);
1712
+ return ret;
1713
+ }
1714
+ } else
1715
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1716
+ {
1717
+ ret = handshake->update_checksum(ssl, buf, p - buf);
1718
+ if (0 != ret) {
1719
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1720
+ return ret;
1721
+ }
1722
+ }
1723
+
1724
+ ret = ssl_tls13_determine_key_exchange_mode(ssl);
1725
+ if (ret < 0) {
1726
+ return ret;
1727
+ }
1728
+
1729
+ if (ssl->handshake->key_exchange_mode !=
1730
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
1731
+ hrr_required = (no_usable_share_for_key_agreement != 0);
1732
+ }
1733
+
1734
+ mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
1735
+
1736
+ return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
1737
+ }
1738
+
1739
+ /* Update the handshake state machine */
1740
+
1741
+ MBEDTLS_CHECK_RETURN_CRITICAL
1742
+ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
1743
+ {
1744
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1745
+
1746
+ /*
1747
+ * Server certificate selection
1748
+ */
1749
+ if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1750
+ MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1751
+ return ret;
1752
+ }
1753
+ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1754
+ ssl->handshake->sni_name = NULL;
1755
+ ssl->handshake->sni_name_len = 0;
1756
+ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1757
+
1758
+ ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1759
+ if (ret != 0) {
1760
+ MBEDTLS_SSL_DEBUG_RET(1,
1761
+ "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);
1762
+ return ret;
1763
+ }
1764
+
1765
+ return 0;
1766
+
1767
+ }
1768
+
1769
+ /*
1770
+ * Main entry point from the state machine; orchestrates the otherfunctions.
1771
+ */
1772
+
1773
+ MBEDTLS_CHECK_RETURN_CRITICAL
1774
+ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
1775
+ {
1776
+
1777
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1778
+ unsigned char *buf = NULL;
1779
+ size_t buflen = 0;
1780
+ int parse_client_hello_ret;
1781
+
1782
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
1783
+
1784
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1785
+ ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1786
+ &buf, &buflen));
1787
+
1788
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,
1789
+ buf + buflen));
1790
+ parse_client_hello_ret = ret; /* Store positive return value of
1791
+ * parse_client_hello,
1792
+ * as negative error codes are handled
1793
+ * by MBEDTLS_SSL_PROC_CHK_NEG. */
1794
+
1795
+ /*
1796
+ * Version 1.2 of the protocol has been chosen, set the
1797
+ * ssl->keep_current_message flag for the ClientHello to be kept and parsed
1798
+ * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
1799
+ * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1800
+ * will dispatch to the TLS 1.2 state machine.
1801
+ */
1802
+ if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
1803
+ ssl->keep_current_message = 1;
1804
+ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
1805
+ return 0;
1806
+ }
1807
+
1808
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
1809
+
1810
+ if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
1811
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
1812
+ } else {
1813
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);
1814
+ }
1815
+
1816
+ cleanup:
1817
+
1818
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1819
+ return ret;
1820
+ }
1821
+
1822
+ /*
1823
+ * Handler for MBEDTLS_SSL_SERVER_HELLO
1824
+ */
1825
+ MBEDTLS_CHECK_RETURN_CRITICAL
1826
+ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
1827
+ {
1828
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1829
+ unsigned char *server_randbytes =
1830
+ ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1831
+ if (ssl->conf->f_rng == NULL) {
1832
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1833
+ return MBEDTLS_ERR_SSL_NO_RNG;
1834
+ }
1835
+
1836
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
1837
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
1838
+ MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1839
+ return ret;
1840
+ }
1841
+
1842
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,
1843
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1844
+
1845
+ #if defined(MBEDTLS_HAVE_TIME)
1846
+ ssl->session_negotiate->start = mbedtls_time(NULL);
1847
+ #endif /* MBEDTLS_HAVE_TIME */
1848
+
1849
+ return ret;
1850
+ }
1851
+
1852
+ /*
1853
+ * ssl_tls13_write_server_hello_supported_versions_ext ():
1854
+ *
1855
+ * struct {
1856
+ * ProtocolVersion selected_version;
1857
+ * } SupportedVersions;
1858
+ */
1859
+ MBEDTLS_CHECK_RETURN_CRITICAL
1860
+ static int ssl_tls13_write_server_hello_supported_versions_ext(
1861
+ mbedtls_ssl_context *ssl,
1862
+ unsigned char *buf,
1863
+ unsigned char *end,
1864
+ size_t *out_len)
1865
+ {
1866
+ *out_len = 0;
1867
+
1868
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));
1869
+
1870
+ /* Check if we have space to write the extension:
1871
+ * - extension_type (2 bytes)
1872
+ * - extension_data_length (2 bytes)
1873
+ * - selected_version (2 bytes)
1874
+ */
1875
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
1876
+
1877
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);
1878
+
1879
+ MBEDTLS_PUT_UINT16_BE(2, buf, 2);
1880
+
1881
+ mbedtls_ssl_write_version(buf + 4,
1882
+ ssl->conf->transport,
1883
+ ssl->tls_version);
1884
+
1885
+ MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",
1886
+ ssl->tls_version));
1887
+
1888
+ *out_len = 6;
1889
+
1890
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1891
+ ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
1892
+
1893
+ return 0;
1894
+ }
1895
+
1896
+
1897
+
1898
+ /* Generate and export a single key share. For hybrid KEMs, this can
1899
+ * be called multiple times with the different components of the hybrid. */
1900
+ MBEDTLS_CHECK_RETURN_CRITICAL
1901
+ static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
1902
+ uint16_t named_group,
1903
+ unsigned char *buf,
1904
+ unsigned char *end,
1905
+ size_t *out_len)
1906
+ {
1907
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1908
+
1909
+ *out_len = 0;
1910
+
1911
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1912
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
1913
+ mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
1914
+ ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
1915
+ ssl, named_group, buf, end, out_len);
1916
+ if (ret != 0) {
1917
+ MBEDTLS_SSL_DEBUG_RET(
1918
+ 1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
1919
+ ret);
1920
+ return ret;
1921
+ }
1922
+ } else
1923
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1924
+ if (0 /* Other kinds of KEMs */) {
1925
+ } else {
1926
+ ((void) ssl);
1927
+ ((void) named_group);
1928
+ ((void) buf);
1929
+ ((void) end);
1930
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1931
+ }
1932
+
1933
+ return ret;
1934
+ }
1935
+
1936
+ /*
1937
+ * ssl_tls13_write_key_share_ext
1938
+ *
1939
+ * Structure of key_share extension in ServerHello:
1940
+ *
1941
+ * struct {
1942
+ * NamedGroup group;
1943
+ * opaque key_exchange<1..2^16-1>;
1944
+ * } KeyShareEntry;
1945
+ * struct {
1946
+ * KeyShareEntry server_share;
1947
+ * } KeyShareServerHello;
1948
+ */
1949
+ MBEDTLS_CHECK_RETURN_CRITICAL
1950
+ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
1951
+ unsigned char *buf,
1952
+ unsigned char *end,
1953
+ size_t *out_len)
1954
+ {
1955
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1956
+ unsigned char *p = buf;
1957
+ uint16_t group = ssl->handshake->offered_group_id;
1958
+ unsigned char *server_share = buf + 4;
1959
+ size_t key_exchange_length;
1960
+
1961
+ *out_len = 0;
1962
+
1963
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));
1964
+
1965
+ MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",
1966
+ mbedtls_ssl_named_group_to_str(group),
1967
+ group));
1968
+
1969
+ /* Check if we have space for header and length fields:
1970
+ * - extension_type (2 bytes)
1971
+ * - extension_data_length (2 bytes)
1972
+ * - group (2 bytes)
1973
+ * - key_exchange_length (2 bytes)
1974
+ */
1975
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
1976
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);
1977
+ MBEDTLS_PUT_UINT16_BE(group, server_share, 0);
1978
+ p += 8;
1979
+
1980
+ /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1981
+ * function multiple times. */
1982
+ ret = ssl_tls13_generate_and_write_key_share(
1983
+ ssl, group, server_share + 4, end, &key_exchange_length);
1984
+ if (ret != 0) {
1985
+ return ret;
1986
+ }
1987
+ p += key_exchange_length;
1988
+
1989
+ MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);
1990
+
1991
+ MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);
1992
+
1993
+ *out_len = p - buf;
1994
+
1995
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
1996
+
1997
+ return 0;
1998
+ }
1999
+
2000
+ MBEDTLS_CHECK_RETURN_CRITICAL
2001
+ static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,
2002
+ unsigned char *buf,
2003
+ unsigned char *end,
2004
+ size_t *out_len)
2005
+ {
2006
+ uint16_t selected_group = ssl->handshake->hrr_selected_group;
2007
+ /* key_share Extension
2008
+ *
2009
+ * struct {
2010
+ * select (Handshake.msg_type) {
2011
+ * ...
2012
+ * case hello_retry_request:
2013
+ * NamedGroup selected_group;
2014
+ * ...
2015
+ * };
2016
+ * } KeyShare;
2017
+ */
2018
+
2019
+ *out_len = 0;
2020
+
2021
+ /*
2022
+ * For a pure PSK key exchange, there is no group to agree upon. The purpose
2023
+ * of the HRR is then to transmit a cookie to force the client to demonstrate
2024
+ * reachability at their apparent network address (primarily useful for DTLS).
2025
+ */
2026
+ if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2027
+ return 0;
2028
+ }
2029
+
2030
+ /* We should only send the key_share extension if the client's initial
2031
+ * key share was not acceptable. */
2032
+ if (ssl->handshake->offered_group_id != 0) {
2033
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));
2034
+ return 0;
2035
+ }
2036
+
2037
+ if (selected_group == 0) {
2038
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));
2039
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2040
+ }
2041
+
2042
+ /* Check if we have enough space:
2043
+ * - extension_type (2 bytes)
2044
+ * - extension_data_length (2 bytes)
2045
+ * - selected_group (2 bytes)
2046
+ */
2047
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
2048
+
2049
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
2050
+ MBEDTLS_PUT_UINT16_BE(2, buf, 2);
2051
+ MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);
2052
+
2053
+ MBEDTLS_SSL_DEBUG_MSG(3,
2054
+ ("HRR selected_group: %s (%x)",
2055
+ mbedtls_ssl_named_group_to_str(selected_group),
2056
+ selected_group));
2057
+
2058
+ *out_len = 6;
2059
+
2060
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
2061
+
2062
+ return 0;
2063
+ }
2064
+
2065
+ /*
2066
+ * Structure of ServerHello message:
2067
+ *
2068
+ * struct {
2069
+ * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
2070
+ * Random random;
2071
+ * opaque legacy_session_id_echo<0..32>;
2072
+ * CipherSuite cipher_suite;
2073
+ * uint8 legacy_compression_method = 0;
2074
+ * Extension extensions<6..2^16-1>;
2075
+ * } ServerHello;
2076
+ */
2077
+ MBEDTLS_CHECK_RETURN_CRITICAL
2078
+ static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,
2079
+ unsigned char *buf,
2080
+ unsigned char *end,
2081
+ size_t *out_len,
2082
+ int is_hrr)
2083
+ {
2084
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2085
+ unsigned char *p = buf;
2086
+ unsigned char *p_extensions_len;
2087
+ size_t output_len;
2088
+
2089
+ *out_len = 0;
2090
+ ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2091
+
2092
+ /* ...
2093
+ * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2094
+ * ...
2095
+ * with ProtocolVersion defined as:
2096
+ * uint16 ProtocolVersion;
2097
+ */
2098
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2099
+ MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);
2100
+ p += 2;
2101
+
2102
+ /* ...
2103
+ * Random random;
2104
+ * ...
2105
+ * with Random defined as:
2106
+ * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
2107
+ */
2108
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2109
+ if (is_hrr) {
2110
+ memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,
2111
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2112
+ } else {
2113
+ memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
2114
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2115
+ }
2116
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
2117
+ p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2118
+ p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2119
+
2120
+ /* ...
2121
+ * opaque legacy_session_id_echo<0..32>;
2122
+ * ...
2123
+ */
2124
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);
2125
+ *p++ = (unsigned char) ssl->session_negotiate->id_len;
2126
+ if (ssl->session_negotiate->id_len > 0) {
2127
+ memcpy(p, &ssl->session_negotiate->id[0],
2128
+ ssl->session_negotiate->id_len);
2129
+ p += ssl->session_negotiate->id_len;
2130
+
2131
+ MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
2132
+ ssl->session_negotiate->id_len);
2133
+ }
2134
+
2135
+ /* ...
2136
+ * CipherSuite cipher_suite;
2137
+ * ...
2138
+ * with CipherSuite defined as:
2139
+ * uint8 CipherSuite[2];
2140
+ */
2141
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2142
+ MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2143
+ p += 2;
2144
+ MBEDTLS_SSL_DEBUG_MSG(3,
2145
+ ("server hello, chosen ciphersuite: %s ( id=%d )",
2146
+ mbedtls_ssl_get_ciphersuite_name(
2147
+ ssl->session_negotiate->ciphersuite),
2148
+ ssl->session_negotiate->ciphersuite));
2149
+
2150
+ /* ...
2151
+ * uint8 legacy_compression_method = 0;
2152
+ * ...
2153
+ */
2154
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
2155
+ *p++ = MBEDTLS_SSL_COMPRESS_NULL;
2156
+
2157
+ /* ...
2158
+ * Extension extensions<6..2^16-1>;
2159
+ * ...
2160
+ * struct {
2161
+ * ExtensionType extension_type; (2 bytes)
2162
+ * opaque extension_data<0..2^16-1>;
2163
+ * } Extension;
2164
+ */
2165
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2166
+ p_extensions_len = p;
2167
+ p += 2;
2168
+
2169
+ if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(
2170
+ ssl, p, end, &output_len)) != 0) {
2171
+ MBEDTLS_SSL_DEBUG_RET(
2172
+ 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);
2173
+ return ret;
2174
+ }
2175
+ p += output_len;
2176
+
2177
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2178
+ if (is_hrr) {
2179
+ ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);
2180
+ } else {
2181
+ ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);
2182
+ }
2183
+ if (ret != 0) {
2184
+ return ret;
2185
+ }
2186
+ p += output_len;
2187
+ }
2188
+
2189
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2190
+ if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2191
+ ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);
2192
+ if (ret != 0) {
2193
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",
2194
+ ret);
2195
+ return ret;
2196
+ }
2197
+ p += output_len;
2198
+ }
2199
+ #endif
2200
+
2201
+ MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2202
+
2203
+ MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",
2204
+ p_extensions_len, p - p_extensions_len);
2205
+
2206
+ *out_len = p - buf;
2207
+
2208
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);
2209
+
2210
+ MBEDTLS_SSL_PRINT_EXTS(
2211
+ 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
2212
+ MBEDTLS_SSL_HS_SERVER_HELLO,
2213
+ ssl->handshake->sent_extensions);
2214
+
2215
+ return ret;
2216
+ }
2217
+
2218
+ MBEDTLS_CHECK_RETURN_CRITICAL
2219
+ static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl)
2220
+ {
2221
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2222
+ ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
2223
+ if (ret != 0) {
2224
+ MBEDTLS_SSL_DEBUG_RET(1,
2225
+ "mbedtls_ssl_tls13_compute_handshake_transform",
2226
+ ret);
2227
+ return ret;
2228
+ }
2229
+
2230
+ return ret;
2231
+ }
2232
+
2233
+ MBEDTLS_CHECK_RETURN_CRITICAL
2234
+ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
2235
+ {
2236
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2237
+ unsigned char *buf;
2238
+ size_t buf_len, msg_len;
2239
+
2240
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2241
+
2242
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
2243
+
2244
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2245
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
2246
+
2247
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2248
+ buf + buf_len,
2249
+ &msg_len,
2250
+ 0));
2251
+
2252
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2253
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2254
+
2255
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2256
+ ssl, buf_len, msg_len));
2257
+
2258
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl));
2259
+
2260
+ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2261
+ /* The server sends a dummy change_cipher_spec record immediately
2262
+ * after its first handshake message. This may either be after
2263
+ * a ServerHello or a HelloRetryRequest.
2264
+ */
2265
+ mbedtls_ssl_handshake_set_state(
2266
+ ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);
2267
+ #else
2268
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2269
+ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2270
+
2271
+ cleanup:
2272
+
2273
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2274
+ return ret;
2275
+ }
2276
+
2277
+
2278
+ /*
2279
+ * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2280
+ */
2281
+ MBEDTLS_CHECK_RETURN_CRITICAL
2282
+ static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
2283
+ {
2284
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2285
+ if (ssl->handshake->hello_retry_request_count > 0) {
2286
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
2287
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2288
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2289
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2290
+ }
2291
+
2292
+ /*
2293
+ * Create stateless transcript hash for HRR
2294
+ */
2295
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));
2296
+ ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);
2297
+ if (ret != 0) {
2298
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);
2299
+ return ret;
2300
+ }
2301
+ mbedtls_ssl_session_reset_msg_layer(ssl, 0);
2302
+
2303
+ return 0;
2304
+ }
2305
+
2306
+ MBEDTLS_CHECK_RETURN_CRITICAL
2307
+ static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
2308
+ {
2309
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2310
+ unsigned char *buf;
2311
+ size_t buf_len, msg_len;
2312
+
2313
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));
2314
+
2315
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));
2316
+
2317
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2318
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2319
+ &buf, &buf_len));
2320
+
2321
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2322
+ buf + buf_len,
2323
+ &msg_len,
2324
+ 1));
2325
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2326
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2327
+
2328
+
2329
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
2330
+ msg_len));
2331
+
2332
+ ssl->handshake->hello_retry_request_count++;
2333
+
2334
+ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2335
+ /* The server sends a dummy change_cipher_spec record immediately
2336
+ * after its first handshake message. This may either be after
2337
+ * a ServerHello or a HelloRetryRequest.
2338
+ */
2339
+ mbedtls_ssl_handshake_set_state(
2340
+ ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);
2341
+ #else
2342
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2343
+ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2344
+
2345
+ cleanup:
2346
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));
2347
+ return ret;
2348
+ }
2349
+
2350
+ /*
2351
+ * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2352
+ */
2353
+
2354
+ /*
2355
+ * struct {
2356
+ * Extension extensions<0..2 ^ 16 - 1>;
2357
+ * } EncryptedExtensions;
2358
+ *
2359
+ */
2360
+ MBEDTLS_CHECK_RETURN_CRITICAL
2361
+ static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
2362
+ unsigned char *buf,
2363
+ unsigned char *end,
2364
+ size_t *out_len)
2365
+ {
2366
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2367
+ unsigned char *p = buf;
2368
+ size_t extensions_len = 0;
2369
+ unsigned char *p_extensions_len;
2370
+ size_t output_len;
2371
+
2372
+ *out_len = 0;
2373
+
2374
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2375
+ p_extensions_len = p;
2376
+ p += 2;
2377
+
2378
+ ((void) ssl);
2379
+ ((void) ret);
2380
+ ((void) output_len);
2381
+
2382
+ #if defined(MBEDTLS_SSL_ALPN)
2383
+ ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);
2384
+ if (ret != 0) {
2385
+ return ret;
2386
+ }
2387
+ p += output_len;
2388
+ #endif /* MBEDTLS_SSL_ALPN */
2389
+
2390
+ extensions_len = (p - p_extensions_len) - 2;
2391
+ MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
2392
+
2393
+ *out_len = p - buf;
2394
+
2395
+ MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);
2396
+
2397
+ MBEDTLS_SSL_PRINT_EXTS(
2398
+ 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);
2399
+
2400
+ return 0;
2401
+ }
2402
+
2403
+ MBEDTLS_CHECK_RETURN_CRITICAL
2404
+ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
2405
+ {
2406
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2407
+ unsigned char *buf;
2408
+ size_t buf_len, msg_len;
2409
+
2410
+ mbedtls_ssl_set_outbound_transform(ssl,
2411
+ ssl->handshake->transform_handshake);
2412
+ MBEDTLS_SSL_DEBUG_MSG(
2413
+ 3, ("switching to handshake transform for outbound data"));
2414
+
2415
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
2416
+
2417
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2418
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2419
+ &buf, &buf_len));
2420
+
2421
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
2422
+ ssl, buf, buf + buf_len, &msg_len));
2423
+
2424
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2425
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2426
+ buf, msg_len));
2427
+
2428
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2429
+ ssl, buf_len, msg_len));
2430
+
2431
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2432
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2433
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2434
+ } else {
2435
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2436
+ }
2437
+ #else
2438
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2439
+ #endif
2440
+
2441
+ cleanup:
2442
+
2443
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));
2444
+ return ret;
2445
+ }
2446
+
2447
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2448
+ #define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2449
+ #define SSL_CERTIFICATE_REQUEST_SKIP 1
2450
+ /* Coordination:
2451
+ * Check whether a CertificateRequest message should be written.
2452
+ * Returns a negative code on failure, or
2453
+ * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2454
+ * - SSL_CERTIFICATE_REQUEST_SKIP
2455
+ * indicating if the writing of the CertificateRequest
2456
+ * should be skipped or not.
2457
+ */
2458
+ MBEDTLS_CHECK_RETURN_CRITICAL
2459
+ static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
2460
+ {
2461
+ int authmode;
2462
+
2463
+ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2464
+ if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2465
+ authmode = ssl->handshake->sni_authmode;
2466
+ } else
2467
+ #endif
2468
+ authmode = ssl->conf->authmode;
2469
+
2470
+ if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
2471
+ ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2472
+ return SSL_CERTIFICATE_REQUEST_SKIP;
2473
+ }
2474
+
2475
+ ssl->handshake->certificate_request_sent = 1;
2476
+
2477
+ return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;
2478
+ }
2479
+
2480
+ /*
2481
+ * struct {
2482
+ * opaque certificate_request_context<0..2^8-1>;
2483
+ * Extension extensions<2..2^16-1>;
2484
+ * } CertificateRequest;
2485
+ *
2486
+ */
2487
+ MBEDTLS_CHECK_RETURN_CRITICAL
2488
+ static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,
2489
+ unsigned char *buf,
2490
+ const unsigned char *end,
2491
+ size_t *out_len)
2492
+ {
2493
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2494
+ unsigned char *p = buf;
2495
+ size_t output_len = 0;
2496
+ unsigned char *p_extensions_len;
2497
+
2498
+ *out_len = 0;
2499
+
2500
+ /* Check if we have enough space:
2501
+ * - certificate_request_context (1 byte)
2502
+ * - extensions length (2 bytes)
2503
+ */
2504
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
2505
+
2506
+ /*
2507
+ * Write certificate_request_context
2508
+ */
2509
+ /*
2510
+ * We use a zero length context for the normal handshake
2511
+ * messages. For post-authentication handshake messages
2512
+ * this request context would be set to a non-zero value.
2513
+ */
2514
+ *p++ = 0x0;
2515
+
2516
+ /*
2517
+ * Write extensions
2518
+ */
2519
+ /* The extensions must contain the signature_algorithms. */
2520
+ p_extensions_len = p;
2521
+ p += 2;
2522
+ ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
2523
+ if (ret != 0) {
2524
+ return ret;
2525
+ }
2526
+
2527
+ p += output_len;
2528
+ MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2529
+
2530
+ *out_len = p - buf;
2531
+
2532
+ MBEDTLS_SSL_PRINT_EXTS(
2533
+ 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);
2534
+
2535
+ return 0;
2536
+ }
2537
+
2538
+ MBEDTLS_CHECK_RETURN_CRITICAL
2539
+ static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
2540
+ {
2541
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2542
+
2543
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2544
+
2545
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
2546
+
2547
+ if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {
2548
+ unsigned char *buf;
2549
+ size_t buf_len, msg_len;
2550
+
2551
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2552
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2553
+ &buf, &buf_len));
2554
+
2555
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
2556
+ ssl, buf, buf + buf_len, &msg_len));
2557
+
2558
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2559
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2560
+ buf, msg_len));
2561
+
2562
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2563
+ ssl, buf_len, msg_len));
2564
+ } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2565
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2566
+ ret = 0;
2567
+ } else {
2568
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2569
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2570
+ goto cleanup;
2571
+ }
2572
+
2573
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
2574
+ cleanup:
2575
+
2576
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2577
+ return ret;
2578
+ }
2579
+
2580
+ /*
2581
+ * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2582
+ */
2583
+ MBEDTLS_CHECK_RETURN_CRITICAL
2584
+ static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)
2585
+ {
2586
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2587
+
2588
+ #if defined(MBEDTLS_X509_CRT_PARSE_C)
2589
+ if ((ssl_tls13_pick_key_cert(ssl) != 0) ||
2590
+ mbedtls_ssl_own_cert(ssl) == NULL) {
2591
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));
2592
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2593
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2594
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2595
+ }
2596
+ #endif /* MBEDTLS_X509_CRT_PARSE_C */
2597
+
2598
+ ret = mbedtls_ssl_tls13_write_certificate(ssl);
2599
+ if (ret != 0) {
2600
+ return ret;
2601
+ }
2602
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2603
+ return 0;
2604
+ }
2605
+
2606
+ /*
2607
+ * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2608
+ */
2609
+ MBEDTLS_CHECK_RETURN_CRITICAL
2610
+ static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
2611
+ {
2612
+ int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2613
+ if (ret != 0) {
2614
+ return ret;
2615
+ }
2616
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2617
+ return 0;
2618
+ }
2619
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2620
+
2621
+ /*
2622
+ * Handler for MBEDTLS_SSL_SERVER_FINISHED
2623
+ */
2624
+ MBEDTLS_CHECK_RETURN_CRITICAL
2625
+ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
2626
+ {
2627
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2628
+
2629
+ ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2630
+ if (ret != 0) {
2631
+ return ret;
2632
+ }
2633
+
2634
+ ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2635
+ if (ret != 0) {
2636
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
2637
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2638
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2639
+ return ret;
2640
+ }
2641
+
2642
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
2643
+ mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
2644
+
2645
+ if (ssl->handshake->certificate_request_sent) {
2646
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2647
+ } else {
2648
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
2649
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
2650
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2651
+ }
2652
+
2653
+ return 0;
2654
+ }
2655
+
2656
+ /*
2657
+ * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2658
+ */
2659
+ MBEDTLS_CHECK_RETURN_CRITICAL
2660
+ static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
2661
+ {
2662
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2663
+
2664
+ ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2665
+ if (ret != 0) {
2666
+ return ret;
2667
+ }
2668
+
2669
+ ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2670
+ if (ret != 0) {
2671
+ MBEDTLS_SSL_DEBUG_RET(
2672
+ 1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
2673
+ }
2674
+
2675
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2676
+ return 0;
2677
+ }
2678
+
2679
+ /*
2680
+ * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2681
+ */
2682
+ MBEDTLS_CHECK_RETURN_CRITICAL
2683
+ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
2684
+ {
2685
+ MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2686
+
2687
+ mbedtls_ssl_tls13_handshake_wrapup(ssl);
2688
+
2689
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2690
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2691
+ /* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires
2692
+ * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is
2693
+ * expected to be resolved with issue#6395.
2694
+ */
2695
+ /* Sent NewSessionTicket message only when client supports PSK */
2696
+ if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
2697
+ mbedtls_ssl_handshake_set_state(
2698
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
2699
+ } else
2700
+ #endif
2701
+ {
2702
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2703
+ }
2704
+ return 0;
2705
+ }
2706
+
2707
+ /*
2708
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2709
+ */
2710
+ #define SSL_NEW_SESSION_TICKET_SKIP 0
2711
+ #define SSL_NEW_SESSION_TICKET_WRITE 1
2712
+ MBEDTLS_CHECK_RETURN_CRITICAL
2713
+ static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)
2714
+ {
2715
+ /* Check whether the use of session tickets is enabled */
2716
+ if (ssl->conf->f_ticket_write == NULL) {
2717
+ MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2718
+ " callback is not set"));
2719
+ return SSL_NEW_SESSION_TICKET_SKIP;
2720
+ }
2721
+ if (ssl->conf->new_session_tickets_count == 0) {
2722
+ MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2723
+ " configured count is zero"));
2724
+ return SSL_NEW_SESSION_TICKET_SKIP;
2725
+ }
2726
+
2727
+ if (ssl->handshake->new_session_tickets_count == 0) {
2728
+ MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "
2729
+ "been sent."));
2730
+ return SSL_NEW_SESSION_TICKET_SKIP;
2731
+ }
2732
+
2733
+ return SSL_NEW_SESSION_TICKET_WRITE;
2734
+ }
2735
+
2736
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2737
+ MBEDTLS_CHECK_RETURN_CRITICAL
2738
+ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
2739
+ unsigned char *ticket_nonce,
2740
+ size_t ticket_nonce_size)
2741
+ {
2742
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2743
+ mbedtls_ssl_session *session = ssl->session;
2744
+ mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2745
+ psa_algorithm_t psa_hash_alg;
2746
+ int hash_length;
2747
+
2748
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
2749
+
2750
+ #if defined(MBEDTLS_HAVE_TIME)
2751
+ session->start = mbedtls_time(NULL);
2752
+ #endif
2753
+
2754
+ /* Set ticket_flags depends on the advertised psk key exchange mode */
2755
+ mbedtls_ssl_session_clear_ticket_flags(
2756
+ session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2757
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2758
+ mbedtls_ssl_session_set_ticket_flags(
2759
+ session, ssl->handshake->tls13_kex_modes);
2760
+ #endif
2761
+ MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
2762
+
2763
+ /* Generate ticket_age_add */
2764
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
2765
+ (unsigned char *) &session->ticket_age_add,
2766
+ sizeof(session->ticket_age_add)) != 0)) {
2767
+ MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
2768
+ return ret;
2769
+ }
2770
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2771
+ (unsigned int) session->ticket_age_add));
2772
+
2773
+ /* Generate ticket_nonce */
2774
+ ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
2775
+ if (ret != 0) {
2776
+ MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
2777
+ return ret;
2778
+ }
2779
+ MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",
2780
+ ticket_nonce, ticket_nonce_size);
2781
+
2782
+ ciphersuite_info =
2783
+ (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2784
+ psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
2785
+ hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2786
+ if (hash_length == -1 ||
2787
+ (size_t) hash_length > sizeof(session->resumption_key)) {
2788
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2789
+ }
2790
+
2791
+ /* In this code the psk key length equals the length of the hash */
2792
+ session->resumption_key_len = hash_length;
2793
+ session->ciphersuite = ciphersuite_info->id;
2794
+
2795
+ /* Compute resumption key
2796
+ *
2797
+ * HKDF-Expand-Label( resumption_master_secret,
2798
+ * "resumption", ticket_nonce, Hash.length )
2799
+ */
2800
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
2801
+ psa_hash_alg,
2802
+ session->app_secrets.resumption_master_secret,
2803
+ hash_length,
2804
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2805
+ ticket_nonce,
2806
+ ticket_nonce_size,
2807
+ session->resumption_key,
2808
+ hash_length);
2809
+
2810
+ if (ret != 0) {
2811
+ MBEDTLS_SSL_DEBUG_RET(2,
2812
+ "Creating the ticket-resumed PSK failed",
2813
+ ret);
2814
+ return ret;
2815
+ }
2816
+ MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2817
+ session->resumption_key,
2818
+ session->resumption_key_len);
2819
+
2820
+ MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2821
+ session->app_secrets.resumption_master_secret,
2822
+ hash_length);
2823
+
2824
+ return 0;
2825
+ }
2826
+
2827
+ /* This function creates a NewSessionTicket message in the following format:
2828
+ *
2829
+ * struct {
2830
+ * uint32 ticket_lifetime;
2831
+ * uint32 ticket_age_add;
2832
+ * opaque ticket_nonce<0..255>;
2833
+ * opaque ticket<1..2^16-1>;
2834
+ * Extension extensions<0..2^16-2>;
2835
+ * } NewSessionTicket;
2836
+ *
2837
+ * The ticket inside the NewSessionTicket message is an encrypted container
2838
+ * carrying the necessary information so that the server is later able to
2839
+ * re-start the communication.
2840
+ *
2841
+ * The following fields are placed inside the ticket by the
2842
+ * f_ticket_write() function:
2843
+ *
2844
+ * - creation time (start)
2845
+ * - flags (flags)
2846
+ * - age add (ticket_age_add)
2847
+ * - key (key)
2848
+ * - key length (key_len)
2849
+ * - ciphersuite (ciphersuite)
2850
+ */
2851
+ MBEDTLS_CHECK_RETURN_CRITICAL
2852
+ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
2853
+ unsigned char *buf,
2854
+ unsigned char *end,
2855
+ size_t *out_len,
2856
+ unsigned char *ticket_nonce,
2857
+ size_t ticket_nonce_size)
2858
+ {
2859
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2860
+ unsigned char *p = buf;
2861
+ mbedtls_ssl_session *session = ssl->session;
2862
+ size_t ticket_len;
2863
+ uint32_t ticket_lifetime;
2864
+
2865
+ *out_len = 0;
2866
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
2867
+
2868
+ /*
2869
+ * ticket_lifetime 4 bytes
2870
+ * ticket_age_add 4 bytes
2871
+ * ticket_nonce 1 + ticket_nonce_size bytes
2872
+ * ticket >=2 bytes
2873
+ */
2874
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
2875
+
2876
+ /* Generate ticket and ticket_lifetime */
2877
+ ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
2878
+ session,
2879
+ p + 9 + ticket_nonce_size + 2,
2880
+ end,
2881
+ &ticket_len,
2882
+ &ticket_lifetime);
2883
+ if (ret != 0) {
2884
+ MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
2885
+ return ret;
2886
+ }
2887
+ /* RFC 8446 4.6.1
2888
+ * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2889
+ * unsigned integer in network byte order from the time of ticket
2890
+ * issuance. Servers MUST NOT use any value greater than
2891
+ * 604800 seconds (7 days). The value of zero indicates that the
2892
+ * ticket should be discarded immediately. Clients MUST NOT cache
2893
+ * tickets for longer than 7 days, regardless of the ticket_lifetime,
2894
+ * and MAY delete tickets earlier based on local policy. A server
2895
+ * MAY treat a ticket as valid for a shorter period of time than what
2896
+ * is stated in the ticket_lifetime.
2897
+ */
2898
+ if (ticket_lifetime > 604800) {
2899
+ ticket_lifetime = 604800;
2900
+ }
2901
+ MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
2902
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
2903
+ (unsigned int) ticket_lifetime));
2904
+
2905
+ /* Write ticket_age_add */
2906
+ MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);
2907
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2908
+ (unsigned int) session->ticket_age_add));
2909
+
2910
+ /* Write ticket_nonce */
2911
+ p[8] = (unsigned char) ticket_nonce_size;
2912
+ if (ticket_nonce_size > 0) {
2913
+ memcpy(p + 9, ticket_nonce, ticket_nonce_size);
2914
+ }
2915
+ p += 9 + ticket_nonce_size;
2916
+
2917
+ /* Write ticket */
2918
+ MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);
2919
+ p += 2;
2920
+ MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);
2921
+ p += ticket_len;
2922
+
2923
+ /* Ticket Extensions
2924
+ *
2925
+ * Note: We currently don't have any extensions.
2926
+ * Set length to zero.
2927
+ */
2928
+ ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2929
+
2930
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2931
+ MBEDTLS_PUT_UINT16_BE(0, p, 0);
2932
+ p += 2;
2933
+
2934
+ *out_len = p - buf;
2935
+ MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
2936
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
2937
+
2938
+ MBEDTLS_SSL_PRINT_EXTS(
2939
+ 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);
2940
+
2941
+ return 0;
2942
+ }
2943
+
2944
+ /*
2945
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2946
+ */
2947
+ static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
2948
+ {
2949
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2950
+
2951
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));
2952
+
2953
+ if (ret == SSL_NEW_SESSION_TICKET_WRITE) {
2954
+ unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2955
+ unsigned char *buf;
2956
+ size_t buf_len, msg_len;
2957
+
2958
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
2959
+ ssl, ticket_nonce, sizeof(ticket_nonce)));
2960
+
2961
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2962
+ ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2963
+ &buf, &buf_len));
2964
+
2965
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
2966
+ ssl, buf, buf + buf_len, &msg_len,
2967
+ ticket_nonce, sizeof(ticket_nonce)));
2968
+
2969
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2970
+ ssl, buf_len, msg_len));
2971
+
2972
+ /* Limit session tickets count to one when resumption connection.
2973
+ *
2974
+ * See document of mbedtls_ssl_conf_new_session_tickets.
2975
+ */
2976
+ if (ssl->handshake->resume == 1) {
2977
+ ssl->handshake->new_session_tickets_count = 0;
2978
+ } else {
2979
+ ssl->handshake->new_session_tickets_count--;
2980
+ }
2981
+
2982
+ mbedtls_ssl_handshake_set_state(
2983
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);
2984
+ } else {
2985
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2986
+ }
2987
+
2988
+ cleanup:
2989
+
2990
+ return ret;
2991
+ }
2992
+ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2993
+
2994
+ /*
2995
+ * TLS 1.3 State Machine -- server side
2996
+ */
2997
+ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
2998
+ {
2999
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3000
+
3001
+ if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
3002
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3003
+ }
3004
+
3005
+ MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",
3006
+ mbedtls_ssl_states_str(ssl->state),
3007
+ ssl->state));
3008
+
3009
+ switch (ssl->state) {
3010
+ /* start state */
3011
+ case MBEDTLS_SSL_HELLO_REQUEST:
3012
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3013
+ ret = 0;
3014
+ break;
3015
+
3016
+ case MBEDTLS_SSL_CLIENT_HELLO:
3017
+ ret = ssl_tls13_process_client_hello(ssl);
3018
+ if (ret != 0) {
3019
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);
3020
+ }
3021
+ break;
3022
+
3023
+ case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
3024
+ ret = ssl_tls13_write_hello_retry_request(ssl);
3025
+ if (ret != 0) {
3026
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);
3027
+ return ret;
3028
+ }
3029
+ break;
3030
+
3031
+ case MBEDTLS_SSL_SERVER_HELLO:
3032
+ ret = ssl_tls13_write_server_hello(ssl);
3033
+ break;
3034
+
3035
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
3036
+ ret = ssl_tls13_write_encrypted_extensions(ssl);
3037
+ if (ret != 0) {
3038
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);
3039
+ return ret;
3040
+ }
3041
+ break;
3042
+
3043
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3044
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3045
+ ret = ssl_tls13_write_certificate_request(ssl);
3046
+ break;
3047
+
3048
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
3049
+ ret = ssl_tls13_write_server_certificate(ssl);
3050
+ break;
3051
+
3052
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3053
+ ret = ssl_tls13_write_certificate_verify(ssl);
3054
+ break;
3055
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3056
+
3057
+ /*
3058
+ * Injection of dummy-CCS's for middlebox compatibility
3059
+ */
3060
+ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
3061
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
3062
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3063
+ if (ret == 0) {
3064
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3065
+ }
3066
+ break;
3067
+
3068
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
3069
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3070
+ if (ret == 0) {
3071
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
3072
+ }
3073
+ break;
3074
+ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3075
+
3076
+ case MBEDTLS_SSL_SERVER_FINISHED:
3077
+ ret = ssl_tls13_write_server_finished(ssl);
3078
+ break;
3079
+
3080
+ case MBEDTLS_SSL_CLIENT_FINISHED:
3081
+ ret = ssl_tls13_process_client_finished(ssl);
3082
+ break;
3083
+
3084
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3085
+ ret = ssl_tls13_handshake_wrapup(ssl);
3086
+ break;
3087
+
3088
+ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3089
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3090
+ ret = mbedtls_ssl_tls13_process_certificate(ssl);
3091
+ if (ret == 0) {
3092
+ if (ssl->session_negotiate->peer_cert != NULL) {
3093
+ mbedtls_ssl_handshake_set_state(
3094
+ ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
3095
+ } else {
3096
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
3097
+ mbedtls_ssl_handshake_set_state(
3098
+ ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3099
+ }
3100
+ }
3101
+ break;
3102
+
3103
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3104
+ ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
3105
+ if (ret == 0) {
3106
+ mbedtls_ssl_handshake_set_state(
3107
+ ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3108
+ }
3109
+ break;
3110
+ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3111
+
3112
+ #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3113
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
3114
+ ret = ssl_tls13_write_new_session_ticket(ssl);
3115
+ if (ret != 0) {
3116
+ MBEDTLS_SSL_DEBUG_RET(1,
3117
+ "ssl_tls13_write_new_session_ticket ",
3118
+ ret);
3119
+ }
3120
+ break;
3121
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
3122
+ /* This state is necessary to do the flush of the New Session
3123
+ * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3124
+ * as part of ssl_prepare_handshake_step.
3125
+ */
3126
+ ret = 0;
3127
+
3128
+ if (ssl->handshake->new_session_tickets_count == 0) {
3129
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3130
+ } else {
3131
+ mbedtls_ssl_handshake_set_state(
3132
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
3133
+ }
3134
+ break;
3135
+
3136
+ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3137
+
3138
+ default:
3139
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3140
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3141
+ }
3142
+
3143
+ return ret;
3144
+ }
3145
+
3146
+ #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */