xref: /optee_os/lib/libmbedtls/mbedtls/library/ssl_tls13_generic.c (revision 5d5d7d0b1c038a6836be9f0b38585f5aa6a4dd01) 
1 /*
2  *  TLS 1.3 functionality shared between client and server
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  */
7 
8 #include "common.h"
9 
10 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11 
12 #include <string.h>
13 
14 #include "mbedtls/error.h"
15 #include "debug_internal.h"
16 #include "mbedtls/oid.h"
17 #include "mbedtls/platform.h"
18 #include "mbedtls/constant_time.h"
19 #include "psa/crypto.h"
20 #include "mbedtls/psa_util.h"
21 
22 #include "ssl_misc.h"
23 #include "ssl_tls13_invasive.h"
24 #include "ssl_tls13_keys.h"
25 #include "ssl_debug_helpers.h"
26 
27 #include "psa/crypto.h"
28 #include "psa_util_internal.h"
29 
30 /* Define a local translating function to save code size by not using too many
31  * arguments in each translating place. */
32 static int local_err_translation(psa_status_t status)
33 {
34     return psa_status_to_mbedtls(status, psa_to_ssl_errors,
35                                  ARRAY_LENGTH(psa_to_ssl_errors),
36                                  psa_generic_status_to_mbedtls);
37 }
38 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
39 
40 int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl)
41 {
42     psa_status_t status = psa_crypto_init();
43     if (status != PSA_SUCCESS) {
44         (void) ssl; // unused when debugging is disabled
45         MBEDTLS_SSL_DEBUG_RET(1, "psa_crypto_init", status);
46     }
47     return PSA_TO_MBEDTLS_ERR(status);
48 }
49 
50 const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
51     MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
52 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
53   0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
54   0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
55   0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
56 
57 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
58                                           unsigned hs_type,
59                                           unsigned char **buf,
60                                           size_t *buf_len)
61 {
62     int ret;
63 
64     if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
65         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
66         goto cleanup;
67     }
68 
69     if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
70         ssl->in_msg[0]  != hs_type) {
71         MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message."));
72         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
73                                      MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
74         ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
75         goto cleanup;
76     }
77 
78     /*
79      * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
80      *    ...
81      *    HandshakeType msg_type;
82      *    uint24 length;
83      *    ...
84      */
85     *buf = ssl->in_msg   + 4;
86     *buf_len = ssl->in_hslen - 4;
87 
88 cleanup:
89 
90     return ret;
91 }
92 
93 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
94     mbedtls_ssl_context *ssl,
95     const unsigned char *buf, const unsigned char *end,
96     const unsigned char **supported_versions_data,
97     const unsigned char **supported_versions_data_end)
98 {
99     const unsigned char *p = buf;
100     size_t extensions_len;
101     const unsigned char *extensions_end;
102 
103     *supported_versions_data = NULL;
104     *supported_versions_data_end = NULL;
105 
106     /* Case of no extension */
107     if (p == end) {
108         return 0;
109     }
110 
111     /* ...
112      * Extension extensions<x..2^16-1>;
113      * ...
114      * struct {
115      *      ExtensionType extension_type; (2 bytes)
116      *      opaque extension_data<0..2^16-1>;
117      * } Extension;
118      */
119     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
120     extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
121     p += 2;
122 
123     /* Check extensions do not go beyond the buffer of data. */
124     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
125     extensions_end = p + extensions_len;
126 
127     while (p < extensions_end) {
128         unsigned int extension_type;
129         size_t extension_data_len;
130 
131         MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
132         extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
133         extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
134         p += 4;
135         MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
136 
137         if (extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) {
138             *supported_versions_data = p;
139             *supported_versions_data_end = p + extension_data_len;
140             return 1;
141         }
142         p += extension_data_len;
143     }
144 
145     return 0;
146 }
147 
148 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
149 /*
150  * STATE HANDLING: Read CertificateVerify
151  */
152 /* Macro to express the maximum length of the verify structure.
153  *
154  * The structure is computed per TLS 1.3 specification as:
155  *   - 64 bytes of octet 32,
156  *   - 33 bytes for the context string
157  *        (which is either "TLS 1.3, client CertificateVerify"
158  *         or "TLS 1.3, server CertificateVerify"),
159  *   - 1 byte for the octet 0x0, which serves as a separator,
160  *   - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
161  *     (depending on the size of the transcript_hash)
162  *
163  * This results in a total size of
164  * - 130 bytes for a SHA256-based transcript hash, or
165  *   (64 + 33 + 1 + 32 bytes)
166  * - 146 bytes for a SHA384-based transcript hash.
167  *   (64 + 33 + 1 + 48 bytes)
168  *
169  */
170 #define SSL_VERIFY_STRUCT_MAX_SIZE  (64 +                          \
171                                      33 +                          \
172                                      1 +                          \
173                                      MBEDTLS_TLS1_3_MD_MAX_SIZE    \
174                                      )
175 
176 /*
177  * The ssl_tls13_create_verify_structure() creates the verify structure.
178  * As input, it requires the transcript hash.
179  *
180  * The caller has to ensure that the buffer has size at least
181  * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
182  */
183 static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash,
184                                               size_t transcript_hash_len,
185                                               unsigned char *verify_buffer,
186                                               size_t *verify_buffer_len,
187                                               int from)
188 {
189     size_t idx;
190 
191     /* RFC 8446, Section 4.4.3:
192      *
193      * The digital signature [in the CertificateVerify message] is then
194      * computed over the concatenation of:
195      * -  A string that consists of octet 32 (0x20) repeated 64 times
196      * -  The context string
197      * -  A single 0 byte which serves as the separator
198      * -  The content to be signed
199      */
200     memset(verify_buffer, 0x20, 64);
201     idx = 64;
202 
203     if (from == MBEDTLS_SSL_IS_CLIENT) {
204         memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv,
205                MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv));
206         idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
207     } else { /* from == MBEDTLS_SSL_IS_SERVER */
208         memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv,
209                MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv));
210         idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
211     }
212 
213     verify_buffer[idx++] = 0x0;
214 
215     memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len);
216     idx += transcript_hash_len;
217 
218     *verify_buffer_len = idx;
219 }
220 
221 MBEDTLS_CHECK_RETURN_CRITICAL
222 static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
223                                               const unsigned char *buf,
224                                               const unsigned char *end,
225                                               const unsigned char *verify_buffer,
226                                               size_t verify_buffer_len)
227 {
228     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
229     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
230     const unsigned char *p = buf;
231     uint16_t algorithm;
232     size_t signature_len;
233     mbedtls_pk_type_t sig_alg;
234     mbedtls_md_type_t md_alg;
235     psa_algorithm_t hash_alg = PSA_ALG_NONE;
236     unsigned char verify_hash[PSA_HASH_MAX_SIZE];
237     size_t verify_hash_len;
238 
239     void const *options = NULL;
240 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
241     mbedtls_pk_rsassa_pss_options rsassa_pss_options;
242 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
243 
244     /*
245      * struct {
246      *     SignatureScheme algorithm;
247      *     opaque signature<0..2^16-1>;
248      * } CertificateVerify;
249      */
250     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
251     algorithm = MBEDTLS_GET_UINT16_BE(p, 0);
252     p += 2;
253 
254     /* RFC 8446 section 4.4.3
255      *
256      * If the CertificateVerify message is sent by a server, the signature
257      * algorithm MUST be one offered in the client's "signature_algorithms"
258      * extension unless no valid certificate chain can be produced without
259      * unsupported algorithms
260      *
261      * RFC 8446 section 4.4.2.2
262      *
263      * If the client cannot construct an acceptable chain using the provided
264      * certificates and decides to abort the handshake, then it MUST abort the
265      * handshake with an appropriate certificate-related alert
266      * (by default, "unsupported_certificate").
267      *
268      * Check if algorithm is an offered signature algorithm.
269      */
270     if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) {
271         /* algorithm not in offered signature algorithms list */
272         MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not "
273                                   "offered.",
274                                   (unsigned int) algorithm));
275         goto error;
276     }
277 
278     if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
279             algorithm, &sig_alg, &md_alg) != 0) {
280         goto error;
281     }
282 
283     hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
284     if (hash_alg == 0) {
285         goto error;
286     }
287 
288     MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )",
289                               (unsigned int) algorithm));
290 
291     /*
292      * Check the certificate's key type matches the signature alg
293      */
294     if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) {
295         MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
296         goto error;
297     }
298 
299     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
300     signature_len = MBEDTLS_GET_UINT16_BE(p, 0);
301     p += 2;
302     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len);
303 
304     status = psa_hash_compute(hash_alg,
305                               verify_buffer,
306                               verify_buffer_len,
307                               verify_hash,
308                               sizeof(verify_hash),
309                               &verify_hash_len);
310     if (status != PSA_SUCCESS) {
311         MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status);
312         goto error;
313     }
314 
315     MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
316 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
317     if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
318         rsassa_pss_options.mgf1_hash_id = md_alg;
319 
320         rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
321         options = (const void *) &rsassa_pss_options;
322     }
323 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
324 
325     if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
326                                      &ssl->session_negotiate->peer_cert->pk,
327                                      md_alg, verify_hash, verify_hash_len,
328                                      p, signature_len)) == 0) {
329         return 0;
330     }
331     MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
332 
333 error:
334     /* RFC 8446 section 4.4.3
335      *
336      * If the verification fails, the receiver MUST terminate the handshake
337      * with a "decrypt_error" alert.
338      */
339     MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
340                                  MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
341     return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
342 
343 }
344 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
345 
346 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
347 {
348 
349 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
350     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
351     unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
352     size_t verify_buffer_len;
353     unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
354     size_t transcript_len;
355     unsigned char *buf;
356     size_t buf_len;
357 
358     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
359 
360     MBEDTLS_SSL_PROC_CHK(
361         mbedtls_ssl_tls13_fetch_handshake_msg(
362             ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
363 
364     /* Need to calculate the hash of the transcript first
365      * before reading the message since otherwise it gets
366      * included in the transcript
367      */
368     ret = mbedtls_ssl_get_handshake_transcript(
369         ssl,
370         (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
371         transcript, sizeof(transcript),
372         &transcript_len);
373     if (ret != 0) {
374         MBEDTLS_SSL_PEND_FATAL_ALERT(
375             MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
376             MBEDTLS_ERR_SSL_INTERNAL_ERROR);
377         return ret;
378     }
379 
380     MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len);
381 
382     /* Create verify structure */
383     ssl_tls13_create_verify_structure(transcript,
384                                       transcript_len,
385                                       verify_buffer,
386                                       &verify_buffer_len,
387                                       (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ?
388                                       MBEDTLS_SSL_IS_SERVER :
389                                       MBEDTLS_SSL_IS_CLIENT);
390 
391     /* Process the message contents */
392     MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(
393                              ssl, buf, buf + buf_len,
394                              verify_buffer, verify_buffer_len));
395 
396     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
397                              ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
398                              buf, buf_len));
399 
400 cleanup:
401 
402     MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
403     MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret);
404     return ret;
405 #else
406     ((void) ssl);
407     MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
408     return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
409 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
410 }
411 
412 /*
413  *
414  * STATE HANDLING: Incoming Certificate.
415  *
416  */
417 
418 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
419 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
420 /*
421  * Structure of Certificate message:
422  *
423  * enum {
424  *     X509(0),
425  *     RawPublicKey(2),
426  *     (255)
427  * } CertificateType;
428  *
429  * struct {
430  *     select (certificate_type) {
431  *         case RawPublicKey:
432  *           * From RFC 7250 ASN.1_subjectPublicKeyInfo *
433  *           opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
434  *         case X509:
435  *           opaque cert_data<1..2^24-1>;
436  *     };
437  *     Extension extensions<0..2^16-1>;
438  * } CertificateEntry;
439  *
440  * struct {
441  *     opaque certificate_request_context<0..2^8-1>;
442  *     CertificateEntry certificate_list<0..2^24-1>;
443  * } Certificate;
444  *
445  */
446 
447 /* Parse certificate chain send by the server. */
448 MBEDTLS_CHECK_RETURN_CRITICAL
449 MBEDTLS_STATIC_TESTABLE
450 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
451                                         const unsigned char *buf,
452                                         const unsigned char *end)
453 {
454     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
455     size_t certificate_request_context_len = 0;
456     size_t certificate_list_len = 0;
457     const unsigned char *p = buf;
458     const unsigned char *certificate_list_end;
459     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
460 
461     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
462     certificate_request_context_len = p[0];
463     certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1);
464     p += 4;
465 
466     /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
467      * support anything beyond 2^16 = 64K.
468      */
469     if ((certificate_request_context_len != 0) ||
470         (certificate_list_len >= 0x10000)) {
471         MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
472         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
473                                      MBEDTLS_ERR_SSL_DECODE_ERROR);
474         return MBEDTLS_ERR_SSL_DECODE_ERROR;
475     }
476 
477     /* In case we tried to reuse a session but it failed */
478     if (ssl->session_negotiate->peer_cert != NULL) {
479         mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert);
480         mbedtls_free(ssl->session_negotiate->peer_cert);
481     }
482 
483     /* This is used by ssl_tls13_validate_certificate() */
484     if (certificate_list_len == 0) {
485         ssl->session_negotiate->peer_cert = NULL;
486         ret = 0;
487         goto exit;
488     }
489 
490     if ((ssl->session_negotiate->peer_cert =
491              mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) {
492         MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
493                                   sizeof(mbedtls_x509_crt)));
494         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
495                                      MBEDTLS_ERR_SSL_ALLOC_FAILED);
496         return MBEDTLS_ERR_SSL_ALLOC_FAILED;
497     }
498 
499     mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert);
500 
501     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len);
502     certificate_list_end = p + certificate_list_len;
503     while (p < certificate_list_end) {
504         size_t cert_data_len, extensions_len;
505         const unsigned char *extensions_end;
506 
507         MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3);
508         cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0);
509         p += 3;
510 
511         /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
512          * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
513          * check that we have a minimum of 128 bytes of data, this is not
514          * clear why we need that though.
515          */
516         if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) {
517             MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
518             MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
519                                          MBEDTLS_ERR_SSL_DECODE_ERROR);
520             return MBEDTLS_ERR_SSL_DECODE_ERROR;
521         }
522 
523         MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len);
524         ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert,
525                                          p, cert_data_len);
526 
527         switch (ret) {
528             case 0: /*ok*/
529                 break;
530             case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
531                 /* Ignore certificate with an unknown algorithm: maybe a
532                    prior certificate was already trusted. */
533                 break;
534 
535             case MBEDTLS_ERR_X509_ALLOC_FAILED:
536                 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
537                                              MBEDTLS_ERR_X509_ALLOC_FAILED);
538                 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
539                 return ret;
540 
541             case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
542                 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
543                                              MBEDTLS_ERR_X509_UNKNOWN_VERSION);
544                 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
545                 return ret;
546 
547             default:
548                 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
549                                              ret);
550                 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
551                 return ret;
552         }
553 
554         p += cert_data_len;
555 
556         /* Certificate extensions length */
557         MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2);
558         extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
559         p += 2;
560         MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len);
561 
562         extensions_end = p + extensions_len;
563         handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
564 
565         while (p < extensions_end) {
566             unsigned int extension_type;
567             size_t extension_data_len;
568 
569             /*
570              * struct {
571              *     ExtensionType extension_type; (2 bytes)
572              *     opaque extension_data<0..2^16-1>;
573              * } Extension;
574              */
575             MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
576             extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
577             extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
578             p += 4;
579 
580             MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
581 
582             ret = mbedtls_ssl_tls13_check_received_extension(
583                 ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
584                 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT);
585             if (ret != 0) {
586                 return ret;
587             }
588 
589             switch (extension_type) {
590                 default:
591                     MBEDTLS_SSL_PRINT_EXT(
592                         3, MBEDTLS_SSL_HS_CERTIFICATE,
593                         extension_type, "( ignored )");
594                     break;
595             }
596 
597             p += extension_data_len;
598         }
599 
600         MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE,
601                                handshake->received_extensions);
602     }
603 
604 exit:
605     /* Check that all the message is consumed. */
606     if (p != end) {
607         MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
608         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
609                                      MBEDTLS_ERR_SSL_DECODE_ERROR);
610         return MBEDTLS_ERR_SSL_DECODE_ERROR;
611     }
612 
613     MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate",
614                           ssl->session_negotiate->peer_cert);
615 
616     return ret;
617 }
618 #else
619 MBEDTLS_CHECK_RETURN_CRITICAL
620 MBEDTLS_STATIC_TESTABLE
621 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
622                                         const unsigned char *buf,
623                                         const unsigned char *end)
624 {
625     ((void) ssl);
626     ((void) buf);
627     ((void) end);
628     return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
629 }
630 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
631 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
632 
633 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
634 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
635 /* Validate certificate chain sent by the server. */
636 MBEDTLS_CHECK_RETURN_CRITICAL
637 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
638 {
639     /* Authmode: precedence order is SNI if used else configuration */
640 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
641     const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
642                        ? ssl->handshake->sni_authmode
643                        : ssl->conf->authmode;
644 #else
645     const int authmode = ssl->conf->authmode;
646 #endif
647 
648     /*
649      * If the peer hasn't sent a certificate ( i.e. it sent
650      * an empty certificate chain ), this is reflected in the peer CRT
651      * structure being unset.
652      * Check for that and handle it depending on the
653      * authentication mode.
654      */
655     if (ssl->session_negotiate->peer_cert == NULL) {
656         MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
657 
658 #if defined(MBEDTLS_SSL_SRV_C)
659         if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
660             /* The client was asked for a certificate but didn't send
661              * one. The client should know what's going on, so we
662              * don't send an alert.
663              */
664             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
665             if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
666                 return 0;
667             } else {
668                 MBEDTLS_SSL_PEND_FATAL_ALERT(
669                     MBEDTLS_SSL_ALERT_MSG_NO_CERT,
670                     MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
671                 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
672             }
673         }
674 #endif /* MBEDTLS_SSL_SRV_C */
675 
676 #if defined(MBEDTLS_SSL_CLI_C)
677         /* Regardless of authmode, the server is not allowed to send an empty
678          * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The
679          * server's certificate_list MUST always be non-empty.") With authmode
680          * optional/none, we continue the handshake if we can't validate the
681          * server's cert, but we still break it if no certificate was sent. */
682         if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
683             MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
684                                          MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
685             return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
686         }
687 #endif /* MBEDTLS_SSL_CLI_C */
688     }
689 
690     return mbedtls_ssl_verify_certificate(ssl, authmode,
691                                           ssl->session_negotiate->peer_cert,
692                                           NULL, NULL);
693 }
694 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
695 MBEDTLS_CHECK_RETURN_CRITICAL
696 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
697 {
698     ((void) ssl);
699     return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
700 }
701 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
702 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
703 
704 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
705 {
706     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
707     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
708 
709 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
710     unsigned char *buf;
711     size_t buf_len;
712 
713     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
714                              ssl, MBEDTLS_SSL_HS_CERTIFICATE,
715                              &buf, &buf_len));
716 
717     /* Parse the certificate chain sent by the peer. */
718     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf,
719                                                              buf + buf_len));
720     /* Validate the certificate chain and set the verification results. */
721     MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
722 
723     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
724                              ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len));
725 
726 cleanup:
727 #else /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
728     (void) ssl;
729 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
730 
731     MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
732     return ret;
733 }
734 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
735 /*
736  *  enum {
737  *        X509(0),
738  *        RawPublicKey(2),
739  *        (255)
740  *    } CertificateType;
741  *
742  *    struct {
743  *        select (certificate_type) {
744  *            case RawPublicKey:
745  *              // From RFC 7250 ASN.1_subjectPublicKeyInfo
746  *              opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
747  *
748  *            case X509:
749  *              opaque cert_data<1..2^24-1>;
750  *        };
751  *        Extension extensions<0..2^16-1>;
752  *    } CertificateEntry;
753  *
754  *    struct {
755  *        opaque certificate_request_context<0..2^8-1>;
756  *        CertificateEntry certificate_list<0..2^24-1>;
757  *    } Certificate;
758  */
759 MBEDTLS_CHECK_RETURN_CRITICAL
760 static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl,
761                                             unsigned char *buf,
762                                             unsigned char *end,
763                                             size_t *out_len)
764 {
765     const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl);
766     unsigned char *p = buf;
767     unsigned char *certificate_request_context =
768         ssl->handshake->certificate_request_context;
769     unsigned char certificate_request_context_len =
770         ssl->handshake->certificate_request_context_len;
771     unsigned char *p_certificate_list_len;
772 
773 
774     /* ...
775      * opaque certificate_request_context<0..2^8-1>;
776      * ...
777      */
778     MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1);
779     *p++ = certificate_request_context_len;
780     if (certificate_request_context_len > 0) {
781         memcpy(p, certificate_request_context, certificate_request_context_len);
782         p += certificate_request_context_len;
783     }
784 
785     /* ...
786      * CertificateEntry certificate_list<0..2^24-1>;
787      * ...
788      */
789     MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
790     p_certificate_list_len = p;
791     p += 3;
792 
793     MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt);
794 
795     while (crt != NULL) {
796         size_t cert_data_len = crt->raw.len;
797 
798         MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2);
799         MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0);
800         p += 3;
801 
802         memcpy(p, crt->raw.p, cert_data_len);
803         p += cert_data_len;
804         crt = crt->next;
805 
806         /* Currently, we don't have any certificate extensions defined.
807          * Hence, we are sending an empty extension with length zero.
808          */
809         MBEDTLS_PUT_UINT16_BE(0, p, 0);
810         p += 2;
811     }
812 
813     MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3,
814                           p_certificate_list_len, 0);
815 
816     *out_len = p - buf;
817 
818     MBEDTLS_SSL_PRINT_EXTS(
819         3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions);
820 
821     return 0;
822 }
823 
824 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
825 {
826     int ret;
827     unsigned char *buf;
828     size_t buf_len, msg_len;
829 
830     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
831 
832     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
833                              ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len));
834 
835     MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
836                                                           buf,
837                                                           buf + buf_len,
838                                                           &msg_len));
839 
840     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
841                              ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len));
842 
843     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
844                              ssl, buf_len, msg_len));
845 cleanup:
846 
847     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
848     return ret;
849 }
850 
851 /*
852  * STATE HANDLING: Output Certificate Verify
853  */
854 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
855                                                    mbedtls_pk_context *key)
856 {
857     mbedtls_pk_type_t pk_type = (mbedtls_pk_type_t) mbedtls_ssl_sig_from_pk(key);
858     size_t key_size = mbedtls_pk_get_bitlen(key);
859 
860     switch (pk_type) {
861         case MBEDTLS_SSL_SIG_ECDSA:
862             switch (key_size) {
863                 case 256:
864                     return
865                         sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
866 
867                 case 384:
868                     return
869                         sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
870 
871                 case 521:
872                     return
873                         sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
874                 default:
875                     break;
876             }
877             break;
878 
879         case MBEDTLS_SSL_SIG_RSA:
880             switch (sig_alg) {
881                 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
882                 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
883                 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
884                     return 1;
885 
886                 default:
887                     break;
888             }
889             break;
890 
891         default:
892             break;
893     }
894 
895     return 0;
896 }
897 
898 MBEDTLS_CHECK_RETURN_CRITICAL
899 static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
900                                                    unsigned char *buf,
901                                                    unsigned char *end,
902                                                    size_t *out_len)
903 {
904     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
905     unsigned char *p = buf;
906     mbedtls_pk_context *own_key;
907 
908     unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE];
909     size_t handshake_hash_len;
910     unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
911     size_t verify_buffer_len;
912 
913     uint16_t *sig_alg = ssl->handshake->received_sig_algs;
914     size_t signature_len = 0;
915 
916     *out_len = 0;
917 
918     own_key = mbedtls_ssl_own_key(ssl);
919     if (own_key == NULL) {
920         MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
921         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
922     }
923 
924     ret = mbedtls_ssl_get_handshake_transcript(
925         ssl, (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
926         handshake_hash, sizeof(handshake_hash), &handshake_hash_len);
927     if (ret != 0) {
928         return ret;
929     }
930 
931     MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash",
932                           handshake_hash,
933                           handshake_hash_len);
934 
935     ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len,
936                                       verify_buffer, &verify_buffer_len,
937                                       ssl->conf->endpoint);
938 
939     /*
940      *  struct {
941      *    SignatureScheme algorithm;
942      *    opaque signature<0..2^16-1>;
943      *  } CertificateVerify;
944      */
945     /* Check there is space for the algorithm identifier (2 bytes) and the
946      * signature length (2 bytes).
947      */
948     MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
949 
950     for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
951         psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
952         mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
953         mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
954         psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
955         unsigned char verify_hash[PSA_HASH_MAX_SIZE];
956         size_t verify_hash_len;
957 
958         if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
959             continue;
960         }
961 
962         if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
963             continue;
964         }
965 
966         if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) {
967             continue;
968         }
969 
970         if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
971                 *sig_alg, &pk_type, &md_alg) != 0) {
972             return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
973         }
974 
975         /* Hash verify buffer with indicated hash function */
976         psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg);
977         status = psa_hash_compute(psa_algorithm,
978                                   verify_buffer,
979                                   verify_buffer_len,
980                                   verify_hash, sizeof(verify_hash),
981                                   &verify_hash_len);
982         if (status != PSA_SUCCESS) {
983             return PSA_TO_MBEDTLS_ERR(status);
984         }
985 
986         MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
987 
988         if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
989                                        md_alg, verify_hash, verify_hash_len,
990                                        p + 4, (size_t) (end - (p + 4)), &signature_len,
991                                        ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
992             MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
993                                       mbedtls_ssl_sig_alg_to_str(*sig_alg)));
994             MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);
995 
996             /* The signature failed. This is possible if the private key
997              * was not suitable for the signature operation as purposely we
998              * did not check its suitability completely. Let's try with
999              * another signature algorithm.
1000              */
1001             continue;
1002         }
1003 
1004         MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s",
1005                                   mbedtls_ssl_sig_alg_to_str(*sig_alg)));
1006 
1007         break;
1008     }
1009 
1010     if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) {
1011         MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm"));
1012         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1013                                      MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1014         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1015     }
1016 
1017     MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
1018     MBEDTLS_PUT_UINT16_BE(signature_len, p, 2);
1019 
1020     *out_len = 4 + signature_len;
1021 
1022     return 0;
1023 }
1024 
1025 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
1026 {
1027     int ret = 0;
1028     unsigned char *buf;
1029     size_t buf_len, msg_len;
1030 
1031     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
1032 
1033     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
1034                              ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1035                              &buf, &buf_len));
1036 
1037     MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
1038                              ssl, buf, buf + buf_len, &msg_len));
1039 
1040     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1041                              ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1042                              buf, msg_len));
1043 
1044     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1045                              ssl, buf_len, msg_len));
1046 
1047 cleanup:
1048 
1049     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
1050     return ret;
1051 }
1052 
1053 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1054 
1055 /*
1056  *
1057  * STATE HANDLING: Incoming Finished message.
1058  */
1059 /*
1060  * Implementation
1061  */
1062 
1063 MBEDTLS_CHECK_RETURN_CRITICAL
1064 static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
1065 {
1066     int ret;
1067 
1068     ret = mbedtls_ssl_tls13_calculate_verify_data(
1069         ssl,
1070         ssl->handshake->state_local.finished_in.digest,
1071         sizeof(ssl->handshake->state_local.finished_in.digest),
1072         &ssl->handshake->state_local.finished_in.digest_len,
1073         ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
1074         MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
1075     if (ret != 0) {
1076         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
1077         return ret;
1078     }
1079 
1080     return 0;
1081 }
1082 
1083 MBEDTLS_CHECK_RETURN_CRITICAL
1084 static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl,
1085                                             const unsigned char *buf,
1086                                             const unsigned char *end)
1087 {
1088     /*
1089      * struct {
1090      *     opaque verify_data[Hash.length];
1091      * } Finished;
1092      */
1093     const unsigned char *expected_verify_data =
1094         ssl->handshake->state_local.finished_in.digest;
1095     size_t expected_verify_data_len =
1096         ssl->handshake->state_local.finished_in.digest_len;
1097     /* Structural validation */
1098     if ((size_t) (end - buf) != expected_verify_data_len) {
1099         MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
1100 
1101         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1102                                      MBEDTLS_ERR_SSL_DECODE_ERROR);
1103         return MBEDTLS_ERR_SSL_DECODE_ERROR;
1104     }
1105 
1106     MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):",
1107                           expected_verify_data,
1108                           expected_verify_data_len);
1109     MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf,
1110                           expected_verify_data_len);
1111 
1112     /* Semantic validation */
1113     if (mbedtls_ct_memcmp(buf,
1114                           expected_verify_data,
1115                           expected_verify_data_len) != 0) {
1116         MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
1117 
1118         MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
1119                                      MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1120         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1121     }
1122     return 0;
1123 }
1124 
1125 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
1126 {
1127     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1128     unsigned char *buf;
1129     size_t buf_len;
1130 
1131     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
1132 
1133     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1134                              ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
1135 
1136     /* Preprocessing step: Compute handshake digest */
1137     MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
1138 
1139     MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(
1140                              ssl, buf, buf + buf_len));
1141 
1142     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1143                              ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
1144 
1145 cleanup:
1146 
1147     MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message"));
1148     return ret;
1149 }
1150 
1151 /*
1152  *
1153  * STATE HANDLING: Write and send Finished message.
1154  *
1155  */
1156 /*
1157  * Implement
1158  */
1159 
1160 MBEDTLS_CHECK_RETURN_CRITICAL
1161 static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl)
1162 {
1163     int ret;
1164 
1165     /* Compute transcript of handshake up to now. */
1166     ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
1167                                                   ssl->handshake->state_local.finished_out.digest,
1168                                                   sizeof(ssl->handshake->state_local.finished_out.
1169                                                          digest),
1170                                                   &ssl->handshake->state_local.finished_out.digest_len,
1171                                                   ssl->conf->endpoint);
1172 
1173     if (ret != 0) {
1174         MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret);
1175         return ret;
1176     }
1177 
1178     return 0;
1179 }
1180 
1181 MBEDTLS_CHECK_RETURN_CRITICAL
1182 static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl,
1183                                                  unsigned char *buf,
1184                                                  unsigned char *end,
1185                                                  size_t *out_len)
1186 {
1187     size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
1188     /*
1189      * struct {
1190      *     opaque verify_data[Hash.length];
1191      * } Finished;
1192      */
1193     MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len);
1194 
1195     memcpy(buf, ssl->handshake->state_local.finished_out.digest,
1196            verify_data_len);
1197 
1198     *out_len = verify_data_len;
1199     return 0;
1200 }
1201 
1202 /* Main entry point: orchestrates the other functions */
1203 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl)
1204 {
1205     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1206     unsigned char *buf;
1207     size_t buf_len, msg_len;
1208 
1209     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message"));
1210 
1211     MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl));
1212 
1213     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
1214                                                          MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
1215 
1216     MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
1217                              ssl, buf, buf + buf_len, &msg_len));
1218 
1219     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
1220                                                             MBEDTLS_SSL_HS_FINISHED, buf, msg_len));
1221 
1222     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1223                              ssl, buf_len, msg_len));
1224 cleanup:
1225 
1226     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message"));
1227     return ret;
1228 }
1229 
1230 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
1231 {
1232 
1233     MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
1234 
1235     MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic"));
1236     mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application);
1237 
1238     MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic"));
1239     mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application);
1240 
1241     /*
1242      * Free the previous session and switch to the current one.
1243      */
1244     if (ssl->session) {
1245         mbedtls_ssl_session_free(ssl->session);
1246         mbedtls_free(ssl->session);
1247     }
1248     ssl->session = ssl->session_negotiate;
1249     ssl->session_negotiate = NULL;
1250 
1251     MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
1252 }
1253 
1254 /*
1255  *
1256  * STATE HANDLING: Write ChangeCipherSpec
1257  *
1258  */
1259 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1260 MBEDTLS_CHECK_RETURN_CRITICAL
1261 static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
1262                                                    unsigned char *buf,
1263                                                    unsigned char *end,
1264                                                    size_t *olen)
1265 {
1266     ((void) ssl);
1267 
1268     MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1);
1269     buf[0] = 1;
1270     *olen = 1;
1271 
1272     return 0;
1273 }
1274 
1275 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
1276 {
1277     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1278 
1279     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
1280 
1281     /* Only one CCS to send. */
1282     if (ssl->handshake->ccs_sent) {
1283         ret = 0;
1284         goto cleanup;
1285     }
1286 
1287     /* Write CCS message */
1288     MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
1289                              ssl, ssl->out_msg,
1290                              ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1291                              &ssl->out_msglen));
1292 
1293     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1294 
1295     /* Dispatch message */
1296     MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
1297 
1298     ssl->handshake->ccs_sent = 1;
1299 
1300 cleanup:
1301 
1302     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1303     return ret;
1304 }
1305 
1306 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1307 
1308 /* Early Data Indication Extension
1309  *
1310  * struct {
1311  *   select ( Handshake.msg_type ) {
1312  *     case new_session_ticket:   uint32 max_early_data_size;
1313  *     case client_hello:         Empty;
1314  *     case encrypted_extensions: Empty;
1315  *   };
1316  * } EarlyDataIndication;
1317  */
1318 #if defined(MBEDTLS_SSL_EARLY_DATA)
1319 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
1320                                            int in_new_session_ticket,
1321                                            unsigned char *buf,
1322                                            const unsigned char *end,
1323                                            size_t *out_len)
1324 {
1325     unsigned char *p = buf;
1326 
1327 #if defined(MBEDTLS_SSL_SRV_C)
1328     const size_t needed = in_new_session_ticket ? 8 : 4;
1329 #else
1330     const size_t needed = 4;
1331     ((void) in_new_session_ticket);
1332 #endif
1333 
1334     *out_len = 0;
1335 
1336     MBEDTLS_SSL_CHK_BUF_PTR(p, end, needed);
1337 
1338     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
1339     MBEDTLS_PUT_UINT16_BE(needed - 4, p, 2);
1340 
1341 #if defined(MBEDTLS_SSL_SRV_C)
1342     if (in_new_session_ticket) {
1343         MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4);
1344         MBEDTLS_SSL_DEBUG_MSG(
1345             4, ("Sent max_early_data_size=%u",
1346                 (unsigned int) ssl->conf->max_early_data_size));
1347     }
1348 #endif
1349 
1350     *out_len = needed;
1351 
1352     mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
1353 
1354     return 0;
1355 }
1356 
1357 #if defined(MBEDTLS_SSL_SRV_C)
1358 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
1359                                            size_t early_data_len)
1360 {
1361     /*
1362      * This function should be called only while an handshake is in progress
1363      * and thus a session under negotiation. Add a sanity check to detect a
1364      * misuse.
1365      */
1366     if (ssl->session_negotiate == NULL) {
1367         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1368     }
1369 
1370     /* RFC 8446 section 4.6.1
1371      *
1372      * A server receiving more than max_early_data_size bytes of 0-RTT data
1373      * SHOULD terminate the connection with an "unexpected_message" alert.
1374      * Note that if it is still possible to send early_data_len bytes of early
1375      * data, it means that early_data_len is smaller than max_early_data_size
1376      * (type uint32_t) and can fit in an uint32_t. We use this further
1377      * down.
1378      */
1379     if (early_data_len >
1380         (ssl->session_negotiate->max_early_data_size -
1381          ssl->total_early_data_size)) {
1382 
1383         MBEDTLS_SSL_DEBUG_MSG(
1384             2, ("EarlyData: Too much early data received, "
1385                 "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu",
1386                 (unsigned long) ssl->total_early_data_size,
1387                 early_data_len,
1388                 (unsigned long) ssl->session_negotiate->max_early_data_size));
1389 
1390         MBEDTLS_SSL_PEND_FATAL_ALERT(
1391             MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1392             MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
1393         return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1394     }
1395 
1396     /*
1397      * early_data_len has been checked to be less than max_early_data_size
1398      * that is uint32_t. Its cast to an uint32_t below is thus safe. We need
1399      * the cast to appease some compilers.
1400      */
1401     ssl->total_early_data_size += (uint32_t) early_data_len;
1402 
1403     return 0;
1404 }
1405 #endif /* MBEDTLS_SSL_SRV_C */
1406 #endif /* MBEDTLS_SSL_EARLY_DATA */
1407 
1408 /* Reset SSL context and update hash for handling HRR.
1409  *
1410  * Replace Transcript-Hash(X) by
1411  * Transcript-Hash( message_hash     ||
1412  *                 00 00 Hash.length ||
1413  *                 X )
1414  * A few states of the handshake are preserved, including:
1415  *   - session ID
1416  *   - session ticket
1417  *   - negotiated ciphersuite
1418  */
1419 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
1420 {
1421     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1422     unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
1423     size_t hash_len;
1424     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1425         ssl->handshake->ciphersuite_info;
1426 
1427     MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR"));
1428 
1429     ret = mbedtls_ssl_get_handshake_transcript(ssl, (mbedtls_md_type_t) ciphersuite_info->mac,
1430                                                hash_transcript + 4,
1431                                                PSA_HASH_MAX_SIZE,
1432                                                &hash_len);
1433     if (ret != 0) {
1434         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
1435         return ret;
1436     }
1437 
1438     hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1439     hash_transcript[1] = 0;
1440     hash_transcript[2] = 0;
1441     hash_transcript[3] = (unsigned char) hash_len;
1442 
1443     hash_len += 4;
1444 
1445     MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript",
1446                           hash_transcript, hash_len);
1447 
1448     /* Reset running hash and replace it with a hash of the transcript */
1449     ret = mbedtls_ssl_reset_checksum(ssl);
1450     if (ret != 0) {
1451         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1452         return ret;
1453     }
1454     ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
1455     if (ret != 0) {
1456         MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
1457         return ret;
1458     }
1459 
1460     return ret;
1461 }
1462 
1463 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1464 
1465 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
1466                                               const unsigned char *buf,
1467                                               size_t buf_len)
1468 {
1469     uint8_t *p = (uint8_t *) buf;
1470     const uint8_t *end = buf + buf_len;
1471     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1472 
1473     /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
1474     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1475     uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0);
1476     p += 2;
1477 
1478     /* Check if key size is consistent with given buffer length. */
1479     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
1480 
1481     /* Store peer's ECDH/FFDH public key. */
1482     if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) {
1483         MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,
1484                                   (unsigned) peerkey_len,
1485                                   sizeof(handshake->xxdh_psa_peerkey)));
1486         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1487     }
1488     memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
1489     handshake->xxdh_psa_peerkey_len = peerkey_len;
1490 
1491     return 0;
1492 }
1493 
1494 #if defined(PSA_WANT_ALG_FFDH)
1495 static psa_status_t  mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
1496     uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
1497 {
1498     switch (tls_id) {
1499 #if defined(PSA_WANT_DH_RFC7919_2048)
1500         case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
1501             *bits = 2048;
1502             *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1503             return PSA_SUCCESS;
1504 #endif /* PSA_WANT_DH_RFC7919_2048 */
1505 #if defined(PSA_WANT_DH_RFC7919_3072)
1506         case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
1507             *bits = 3072;
1508             *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1509             return PSA_SUCCESS;
1510 #endif /* PSA_WANT_DH_RFC7919_3072 */
1511 #if defined(PSA_WANT_DH_RFC7919_4096)
1512         case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
1513             *bits = 4096;
1514             *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1515             return PSA_SUCCESS;
1516 #endif /* PSA_WANT_DH_RFC7919_4096 */
1517 #if defined(PSA_WANT_DH_RFC7919_6144)
1518         case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
1519             *bits = 6144;
1520             *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1521             return PSA_SUCCESS;
1522 #endif /* PSA_WANT_DH_RFC7919_6144 */
1523 #if defined(PSA_WANT_DH_RFC7919_8192)
1524         case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
1525             *bits = 8192;
1526             *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1527             return PSA_SUCCESS;
1528 #endif /* PSA_WANT_DH_RFC7919_8192 */
1529         default:
1530             return PSA_ERROR_NOT_SUPPORTED;
1531     }
1532 }
1533 #endif /* PSA_WANT_ALG_FFDH */
1534 
1535 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
1536     mbedtls_ssl_context *ssl,
1537     uint16_t named_group,
1538     unsigned char *buf,
1539     unsigned char *end,
1540     size_t *out_len)
1541 {
1542     psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1543     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1544     psa_key_attributes_t key_attributes;
1545     size_t own_pubkey_len;
1546     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1547     size_t bits = 0;
1548     psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
1549     psa_algorithm_t alg = PSA_ALG_NONE;
1550     size_t buf_size = (size_t) (end - buf);
1551 
1552     MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation."));
1553 
1554     /* Convert EC's TLS ID to PSA key type. */
1555 #if defined(PSA_WANT_ALG_ECDH)
1556     if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
1557             named_group, &key_type, &bits) == PSA_SUCCESS) {
1558         alg = PSA_ALG_ECDH;
1559     }
1560 #endif
1561 #if defined(PSA_WANT_ALG_FFDH)
1562     if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits,
1563                                                   &key_type) == PSA_SUCCESS) {
1564         alg = PSA_ALG_FFDH;
1565     }
1566 #endif
1567 
1568     if (key_type == PSA_KEY_TYPE_NONE) {
1569         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1570     }
1571 
1572     if (buf_size < PSA_BITS_TO_BYTES(bits)) {
1573         return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
1574     }
1575 
1576     handshake->xxdh_psa_type = key_type;
1577     ssl->handshake->xxdh_psa_bits = bits;
1578 
1579     key_attributes = psa_key_attributes_init();
1580     psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
1581     psa_set_key_algorithm(&key_attributes, alg);
1582     psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
1583     psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
1584 
1585     /* Generate ECDH/FFDH private key. */
1586     status = psa_generate_key(&key_attributes,
1587                               &handshake->xxdh_psa_privkey);
1588     if (status != PSA_SUCCESS) {
1589         ret = PSA_TO_MBEDTLS_ERR(status);
1590         MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
1591         return ret;
1592 
1593     }
1594 
1595     /* Export the public part of the ECDH/FFDH private key from PSA. */
1596     status = psa_export_public_key(handshake->xxdh_psa_privkey,
1597                                    buf, buf_size,
1598                                    &own_pubkey_len);
1599 
1600     if (status != PSA_SUCCESS) {
1601         ret = PSA_TO_MBEDTLS_ERR(status);
1602         MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
1603         return ret;
1604     }
1605 
1606     *out_len = own_pubkey_len;
1607 
1608     return 0;
1609 }
1610 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1611 
1612 /* RFC 8446 section 4.2
1613  *
1614  * If an implementation receives an extension which it recognizes and which is
1615  * not specified for the message in which it appears, it MUST abort the handshake
1616  * with an "illegal_parameter" alert.
1617  *
1618  */
1619 int mbedtls_ssl_tls13_check_received_extension(
1620     mbedtls_ssl_context *ssl,
1621     int hs_msg_type,
1622     unsigned int received_extension_type,
1623     uint32_t hs_msg_allowed_extensions_mask)
1624 {
1625     uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
1626         received_extension_type);
1627 
1628     MBEDTLS_SSL_PRINT_EXT(
1629         3, hs_msg_type, received_extension_type, "received");
1630 
1631     if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) {
1632         MBEDTLS_SSL_PRINT_EXT(
1633             3, hs_msg_type, received_extension_type, "is illegal");
1634         MBEDTLS_SSL_PEND_FATAL_ALERT(
1635             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1636             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1637         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1638     }
1639 
1640     ssl->handshake->received_extensions |= extension_mask;
1641     /*
1642      * If it is a message containing extension responses, check that we
1643      * previously sent the extension.
1644      */
1645     switch (hs_msg_type) {
1646         case MBEDTLS_SSL_HS_SERVER_HELLO:
1647         case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
1648         case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
1649         case MBEDTLS_SSL_HS_CERTIFICATE:
1650             /* Check if the received extension is sent by peer message.*/
1651             if ((ssl->handshake->sent_extensions & extension_mask) != 0) {
1652                 return 0;
1653             }
1654             break;
1655         default:
1656             return 0;
1657     }
1658 
1659     MBEDTLS_SSL_PRINT_EXT(
1660         3, hs_msg_type, received_extension_type, "is unsupported");
1661     MBEDTLS_SSL_PEND_FATAL_ALERT(
1662         MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1663         MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
1664     return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1665 }
1666 
1667 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1668 
1669 /* RFC 8449, section 4:
1670  *
1671  * The ExtensionData of the "record_size_limit" extension is
1672  * RecordSizeLimit:
1673  *     uint16 RecordSizeLimit;
1674  */
1675 MBEDTLS_CHECK_RETURN_CRITICAL
1676 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
1677                                                   const unsigned char *buf,
1678                                                   const unsigned char *end)
1679 {
1680     const unsigned char *p = buf;
1681     uint16_t record_size_limit;
1682     const size_t extension_data_len = end - buf;
1683 
1684     if (extension_data_len !=
1685         MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
1686         MBEDTLS_SSL_DEBUG_MSG(2,
1687                               ("record_size_limit extension has invalid length: %"
1688                                MBEDTLS_PRINTF_SIZET " Bytes",
1689                                extension_data_len));
1690 
1691         MBEDTLS_SSL_PEND_FATAL_ALERT(
1692             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1693             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1694         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1695     }
1696 
1697     MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1698     record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
1699 
1700     MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
1701 
1702     /* RFC 8449, section 4:
1703      *
1704      * Endpoints MUST NOT send a "record_size_limit" extension with a value
1705      * smaller than 64.  An endpoint MUST treat receipt of a smaller value
1706      * as a fatal error and generate an "illegal_parameter" alert.
1707      */
1708     if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
1709         MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes",
1710                                   record_size_limit));
1711         MBEDTLS_SSL_PEND_FATAL_ALERT(
1712             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1713             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1714         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1715     }
1716 
1717     ssl->session_negotiate->record_size_limit = record_size_limit;
1718 
1719     return 0;
1720 }
1721 
1722 MBEDTLS_CHECK_RETURN_CRITICAL
1723 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
1724                                                   unsigned char *buf,
1725                                                   const unsigned char *end,
1726                                                   size_t *out_len)
1727 {
1728     unsigned char *p = buf;
1729     *out_len = 0;
1730 
1731     MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN,
1732                           "MBEDTLS_SSL_IN_CONTENT_LEN is less than the "
1733                           "minimum record size limit");
1734 
1735     MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
1736 
1737     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0);
1738     MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH,
1739                           p, 2);
1740     MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4);
1741 
1742     *out_len = 6;
1743 
1744     MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes",
1745                               MBEDTLS_SSL_IN_CONTENT_LEN));
1746 
1747     mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT);
1748 
1749     return 0;
1750 }
1751 
1752 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1753 
1754 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
1755