diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 693e4510b..396fce6e8 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1185,6 +1185,71 @@ cleanup:
 return( ret );
 }
 
+
+/*
+ * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
+ */
+static int ssl_tls13_write_hello_retry_request_coordinate(
+ mbedtls_ssl_context *ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if( ssl->handshake->hello_retry_request_count > 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ /*
+ * Create stateless transcript hash for HRR
+ */
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
+ ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
+ return( ret );
+ }
+ mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
+
+ return( 0 );
+}
+
+static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
+
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
+
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
+ &buf, &buf_len ) );
+
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
+ buf + buf_len,
+ &msg_len,
+ 1 ) );
+ mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
+
+
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
+ msg_len ) );
+
+ ssl->handshake->hello_retry_request_count++;
+
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
+
+cleanup:
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
+ return( ret );
+}
+
 /*
 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
 */
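Review bot: The relocated `ssl_tls13_write_hello_retry_request_coordinate` still gives no reason for rejecting a second HelloRetryRequest, and since the hunk moves the code anyway this is the moment to add `/* RFC 8446 section 4.1.4: a server sends at most one HelloRetryRequest per handshake */` above the `hello_retry_request_count > 0` check, so the abort-with-handshake_failure path reads as a protocol limit rather than an arbitrary cap. The block comment `Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST` now sits directly on the coordinate helper, while `ssl_tls13_write_hello_retry_request`, the function that actually drives the state, has no comment of its own; a one-line comment on the handler saying it resets the transcript, writes the HRR as a ServerHello-typed message and returns the state machine to MBEDTLS_SSL_CLIENT_HELLO would keep the two apart. The stray double blank line after the `mbedtls_ssl_add_hs_msg_to_checksum` call is carried over from the old location and could be collapsed in the same move.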
@@ -1377,71 +1442,6 @@ cleanup:
 return( ret );
 }
 
-/*
- * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
- */
-
-static int ssl_tls13_write_hello_retry_request_coordinate(
- mbedtls_ssl_context *ssl )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( ssl->handshake->hello_retry_request_count > 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
- MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- /*
- * Create stateless transcript hash for HRR
- */
- MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
- ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
- if( ret != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
- return( ret );
- }
- mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
-
- return( 0 );
-}
-
-static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *buf;
- size_t buf_len, msg_len;
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
-
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
-
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
- ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
- &buf, &buf_len ) );
-
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
- buf + buf_len,
- &msg_len,
- 1 ) );
- mbedtls_ssl_add_hs_msg_to_checksum(
- ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
-
-
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
- msg_len ) );
-
- ssl->handshake->hello_retry_request_count++;
-
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
-
-cleanup:
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
- return( ret );
-}
-
 /*
 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
 */