TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f1e7d12cb657680e04430a3ffec4cc98f94c7605 / . / library / ssl_tls13_generic.c
blob: b4af2e053f0763454093ed69f834cf0aab813e48 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]24#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]25
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]26#include <string.h>
27
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]28#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]29#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]30#include "mbedtls/oid.h"
31#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]32#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]33#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]34
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]35#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]36#include "ssl_tls13_keys.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]37
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]38int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
39 unsigned hs_type,
40 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]41 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]42{
43 int ret;
44
45 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
46 {
47 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
48 goto cleanup;
49 }
50
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]51 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]52 ssl->in_msg[0] != hs_type )
53 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]54 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]55 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]56 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]57 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
58 goto cleanup;
59 }
60
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]61 /*
62 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
63 * ...
64 * HandshakeType msg_type;
65 * uint24 length;
66 * ...
67 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]68 *buf = ssl->in_msg + 4;
69 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]70
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]71cleanup:
72
73 return( ret );
74}
75
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]76int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]77 unsigned hs_type,
78 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]79 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]80{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]81 /*
82 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
83 * ...
84 * HandshakeType msg_type;
85 * uint24 length;
86 * ...
87 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]88 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]89 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]90
91 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
92 ssl->out_msg[0] = hs_type;
93
94 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]95}
96
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]97int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]98 size_t buf_len,
99 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]100{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]102 size_t msg_with_header_len;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]103 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]104
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]105 /* Add reserved 4 bytes for handshake header */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]106 msg_with_header_len = msg_len + 4;
107 ssl->out_msglen = msg_with_header_len;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]108 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]109
110cleanup:
111 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]112}
113
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]114void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
115 unsigned hs_type,
116 unsigned char const *msg,
117 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]118{
119 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
120 ssl->handshake->update_checksum( ssl, msg, msg_len );
121}
122
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]123void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]124 unsigned hs_type,
125 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]126{
127 unsigned char hs_hdr[4];
128
129 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]130 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
131 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
132 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
133 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]134
135 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
136}
137
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]138#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]139/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]140 * STATE HANDLING: Read CertificateVerify
141 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]142/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]143 *
144 * The structure is computed per TLS 1.3 specification as:
145 * - 64 bytes of octet 32,
146 * - 33 bytes for the context string
147 * (which is either "TLS 1.3, client CertificateVerify"
148 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]149 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]150 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
151 * (depending on the size of the transcript_hash)
152 *
153 * This results in a total size of
154 * - 130 bytes for a SHA256-based transcript hash, or
155 * (64 + 33 + 1 + 32 bytes)
156 * - 146 bytes for a SHA384-based transcript hash.
157 * (64 + 33 + 1 + 48 bytes)
158 *
159 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]160#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
161 33 + \
162 1 + \
163 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]164 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]165
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]166/*
167 * The ssl_tls13_create_verify_structure() creates the verify structure.
168 * As input, it requires the transcript hash.
169 *
170 * The caller has to ensure that the buffer has size at least
171 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
172 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]173static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]174 size_t transcript_hash_len,
175 unsigned char *verify_buffer,
176 size_t *verify_buffer_len,
177 int from )
178{
179 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]180
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]181 /* RFC 8446, Section 4.4.3:
182 *
183 * The digital signature [in the CertificateVerify message] is then
184 * computed over the concatenation of:
185 * - A string that consists of octet 32 (0x20) repeated 64 times
186 * - The context string
187 * - A single 0 byte which serves as the separator
188 * - The content to be signed
189 */
190 memset( verify_buffer, 0x20, 64 );
191 idx = 64;
192
193 if( from == MBEDTLS_SSL_IS_CLIENT )
194 {
195 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
196 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
197 }
198 else
199 { /* from == MBEDTLS_SSL_IS_SERVER */
200 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
201 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
202 }
203
204 verify_buffer[idx++] = 0x0;
205
206 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
207 idx += transcript_hash_len;
208
209 *verify_buffer_len = idx;
210}
211
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]212static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]213 const unsigned char *buf,
214 const unsigned char *end,
215 const unsigned char *verify_buffer,
216 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]217{
218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
219 const unsigned char *p = buf;
220 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]221 size_t signature_len;
222 mbedtls_pk_type_t sig_alg;
223 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]224 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]225 size_t verify_hash_len;
226
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]227 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]228#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]229 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]230#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
231
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]232 /*
233 * struct {
234 * SignatureScheme algorithm;
235 * opaque signature<0..2^16-1>;
236 * } CertificateVerify;
237 */
238 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
239 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
240 p += 2;
241
242 /* RFC 8446 section 4.4.3
243 *
244 * If the CertificateVerify message is sent by a server, the signature algorithm
245 * MUST be one offered in the client's "signature_algorithms" extension unless
246 * no valid certificate chain can be produced without unsupported algorithms
247 *
248 * RFC 8446 section 4.4.2.2
249 *
250 * If the client cannot construct an acceptable chain using the provided
251 * certificates and decides to abort the handshake, then it MUST abort the handshake
252 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
253 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]254 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]255 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]256 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]257 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]258 /* algorithm not in offered signature algorithms list */
259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
260 "offered.",
261 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]262 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]263 }
264
265 /* We currently only support ECDSA-based signatures */
266 switch( algorithm )
267 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]268 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]269 md_alg = MBEDTLS_MD_SHA256;
270 sig_alg = MBEDTLS_PK_ECDSA;
271 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]272 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]273 md_alg = MBEDTLS_MD_SHA384;
274 sig_alg = MBEDTLS_PK_ECDSA;
275 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]276 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]277 md_alg = MBEDTLS_MD_SHA512;
278 sig_alg = MBEDTLS_PK_ECDSA;
279 break;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]280#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Bai6dc90da2021-11-26 08:11:40 +0000[diff] [blame]281 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
XiaokangQiana83014d2021-11-22 07:53:34 +0000[diff] [blame]282 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]283 md_alg = MBEDTLS_MD_SHA256;
284 sig_alg = MBEDTLS_PK_RSASSA_PSS;
285 break;
286#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]287 default:
288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]289 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]290 }
291
292 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
293 ( unsigned int ) algorithm ) );
294
295 /*
296 * Check the certificate's key type matches the signature alg
297 */
298 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
299 {
300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]301 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]302 }
303
304 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
305 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
306 p += 2;
307 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
308
309 /* Hash verify buffer with indicated hash function */
310 switch( md_alg )
311 {
312#if defined(MBEDTLS_SHA256_C)
313 case MBEDTLS_MD_SHA256:
314 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]315 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]316 break;
317#endif /* MBEDTLS_SHA256_C */
318
319#if defined(MBEDTLS_SHA384_C)
320 case MBEDTLS_MD_SHA384:
321 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]322 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]323 break;
324#endif /* MBEDTLS_SHA384_C */
325
326#if defined(MBEDTLS_SHA512_C)
327 case MBEDTLS_MD_SHA512:
328 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]329 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]330 break;
331#endif /* MBEDTLS_SHA512_C */
332
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]333 default:
334 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
335 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]336 }
337
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]338 if( ret != 0 )
339 {
340 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]341 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]342 }
343
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]344 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]345#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
346 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
347 {
348 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]349 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]350 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
351 {
352 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
353 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]354 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
355 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]356 }
357#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]358
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]359 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]360 &ssl->session_negotiate->peer_cert->pk,
361 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]362 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]363 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]364 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]365 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]366 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]367
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]368error:
369 /* RFC 8446 section 4.4.3
370 *
371 * If the verification fails, the receiver MUST terminate the handshake
372 * with a "decrypt_error" alert.
373 */
374 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
375 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
376 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
377
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]378}
379#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
380
381int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
382{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]383
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]384#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
385 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
386 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
387 size_t verify_buffer_len;
388 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
389 size_t transcript_len;
390 unsigned char *buf;
391 size_t buf_len;
392
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]393 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
394
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]395 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]396 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]397 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]398
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]399 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]400 * before reading the message since otherwise it gets
401 * included in the transcript
402 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]403 ret = mbedtls_ssl_get_handshake_transcript( ssl,
404 ssl->handshake->ciphersuite_info->mac,
405 transcript, sizeof( transcript ),
406 &transcript_len );
407 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]408 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]409 MBEDTLS_SSL_PEND_FATAL_ALERT(
410 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
411 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
412 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]413 }
414
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]415 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
416
417 /* Create verify structure */
418 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]419 transcript_len,
420 verify_buffer,
421 &verify_buffer_len,
422 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
423 MBEDTLS_SSL_IS_SERVER :
424 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]425
426 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]427 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
428 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]429
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]430 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]431 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]432
433cleanup:
434
435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]436 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]437 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]438#else
439 ((void) ssl);
440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
441 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
442#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]443}
444
445/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]446 *
447 * STATE HANDLING: Incoming Certificate, client-side only currently.
448 *
449 */
450
451/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]452 * Implementation
453 */
454
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]455#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
456#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
457/*
458 * Structure of Certificate message:
459 *
460 * enum {
461 * X509(0),
462 * RawPublicKey(2),
463 * (255)
464 * } CertificateType;
465 *
466 * struct {
467 * select (certificate_type) {
468 * case RawPublicKey:
469 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
470 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
471 * case X509:
472 * opaque cert_data<1..2^24-1>;
473 * };
474 * Extension extensions<0..2^16-1>;
475 * } CertificateEntry;
476 *
477 * struct {
478 * opaque certificate_request_context<0..2^8-1>;
479 * CertificateEntry certificate_list<0..2^24-1>;
480 * } Certificate;
481 *
482 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]483
484/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]485static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
486 const unsigned char *buf,
487 const unsigned char *end )
488{
489 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
490 size_t certificate_request_context_len = 0;
491 size_t certificate_list_len = 0;
492 const unsigned char *p = buf;
493 const unsigned char *certificate_list_end;
494
495 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
496 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]497 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]498 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]499
500 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
501 * support anything beyond 2^16 = 64K.
502 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]503 if( ( certificate_request_context_len != 0 ) ||
504 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]505 {
506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
507 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
508 MBEDTLS_ERR_SSL_DECODE_ERROR );
509 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
510 }
511
512 /* In case we tried to reuse a session but it failed */
513 if( ssl->session_negotiate->peer_cert != NULL )
514 {
515 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
516 mbedtls_free( ssl->session_negotiate->peer_cert );
517 }
518
519 if( ( ssl->session_negotiate->peer_cert =
520 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
521 {
522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
523 sizeof( mbedtls_x509_crt ) ) );
524 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
525 MBEDTLS_ERR_SSL_ALLOC_FAILED );
526 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
527 }
528
529 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
530
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]531 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]532 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]533 {
534 size_t cert_data_len, extensions_len;
535
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]536 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]537 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]538 p += 3;
539
540 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
541 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
542 * check that we have a minimum of 128 bytes of data, this is not
543 * clear why we need that though.
544 */
545 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]546 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]547 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
548 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
549 MBEDTLS_ERR_SSL_DECODE_ERROR );
550 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
551 }
552
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]553 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]554 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
555 p, cert_data_len );
556
557 switch( ret )
558 {
559 case 0: /*ok*/
560 break;
561 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
562 /* Ignore certificate with an unknown algorithm: maybe a
563 prior certificate was already trusted. */
564 break;
565
566 case MBEDTLS_ERR_X509_ALLOC_FAILED:
567 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
568 MBEDTLS_ERR_X509_ALLOC_FAILED );
569 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
570 return( ret );
571
572 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
573 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
574 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
575 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
576 return( ret );
577
578 default:
579 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
580 ret );
581 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
582 return( ret );
583 }
584
585 p += cert_data_len;
586
587 /* Certificate extensions length */
588 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
589 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
590 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]591 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]592 p += extensions_len;
593 }
594
595 /* Check that all the message is consumed. */
596 if( p != end )
597 {
598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
599 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
600 MBEDTLS_ERR_SSL_DECODE_ERROR );
601 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
602 }
603
604 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
605
606 return( ret );
607}
608#else
609static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
610 const unsigned char *buf,
611 const unsigned char *end )
612{
613 ((void) ssl);
614 ((void) buf);
615 ((void) end);
616 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
617}
618#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
619#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
620
621#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
622#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]623/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]624static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
625{
626 int ret = 0;
627 mbedtls_x509_crt *ca_chain;
628 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]629 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]630
631#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
632 if( ssl->handshake->sni_ca_chain != NULL )
633 {
634 ca_chain = ssl->handshake->sni_ca_chain;
635 ca_crl = ssl->handshake->sni_ca_crl;
636 }
637 else
638#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
639 {
640 ca_chain = ssl->conf->ca_chain;
641 ca_crl = ssl->conf->ca_crl;
642 }
643
644 /*
645 * Main check: verify certificate
646 */
647 ret = mbedtls_x509_crt_verify_with_profile(
648 ssl->session_negotiate->peer_cert,
649 ca_chain, ca_crl,
650 ssl->conf->cert_profile,
651 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]652 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]653 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
654
655 if( ret != 0 )
656 {
657 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
658 }
659
660 /*
661 * Secondary checks: always done, but change 'ret' only if it was 0
662 */
663
664#if defined(MBEDTLS_ECP_C)
665 {
666 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
667
668 /* If certificate uses an EC key, make sure the curve is OK */
669 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
670 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
671 {
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]672 verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]673
674 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
675 if( ret == 0 )
676 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
677 }
678 }
679#endif /* MBEDTLS_ECP_C */
680
681 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
682 ssl->handshake->ciphersuite_info,
683 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]684 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]685 {
686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
687 if( ret == 0 )
688 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
689 }
690
691
692 if( ca_chain == NULL )
693 {
694 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
695 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
696 }
697
698 if( ret != 0 )
699 {
700 /* The certificate may have been rejected for several reasons.
701 Pick one and send the corresponding alert. Which alert to send
702 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]703 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]704 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]705 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]706 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]707 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
708 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
709 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
710 MBEDTLS_X509_BADCERT_BAD_PK |
711 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]712 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]713 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]714 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]715 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]716 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]717 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]718 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
719 else
720 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
721 }
722
723#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]724 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]725 {
726 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]727 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]728 }
729 else
730 {
731 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
732 }
733#endif /* MBEDTLS_DEBUG_C */
734
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]735 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]736 return( ret );
737}
738#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
739static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
740{
741 ((void) ssl);
742 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
743}
744#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
745#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
746
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]747int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]748{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]749 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
750 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
751
752#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
753 unsigned char *buf;
754 size_t buf_len;
755
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]756 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]757 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
758 &buf, &buf_len ) );
759
760 /* Parse the certificate chain sent by the peer. */
761 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
762 /* Validate the certificate chain and set the verification results. */
763 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
764
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]765 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
766 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]767
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]768cleanup:
769
770 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]771#else
772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
773 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
774#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]775 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]776}
777
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]778/*
779 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]780 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]781 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]782/*
783 * Implementation
784 */
785
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]786static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]787{
788 int ret;
789
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]790 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]791 ssl->handshake->state_local.finished_in.digest,
792 sizeof( ssl->handshake->state_local.finished_in.digest ),
793 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]794 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]795 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]796 if( ret != 0 )
797 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]798 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]799 return( ret );
800 }
801
802 return( 0 );
803}
804
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]805static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
806 const unsigned char *buf,
807 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]808{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]809 /*
810 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]811 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]812 * } Finished;
813 */
814 const unsigned char *expected_verify_data =
815 ssl->handshake->state_local.finished_in.digest;
816 size_t expected_verify_data_len =
817 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]818 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]819 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]820 {
821 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
822
823 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]824 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]825 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
826 }
827
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]828 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]829 expected_verify_data,
830 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]831 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]832 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]833
834 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]835 if( mbedtls_ct_memcmp( buf,
836 expected_verify_data,
837 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]838 {
839 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
840
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]841 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]842 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]843 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
844 }
845 return( 0 );
846}
847
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]848#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]849static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]850{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]851 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]852 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]853 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]854
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]855 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]856 if( ret != 0 )
857 {
858 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]859 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]860 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]861 }
862
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]863 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]864 if( ret != 0 )
865 {
866 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]867 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]868 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]869 }
870
871 transform_application =
872 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
873 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]874 {
875 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
876 goto cleanup;
877 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]878
879 ret = mbedtls_ssl_tls13_populate_transform(
880 transform_application,
881 ssl->conf->endpoint,
882 ssl->session_negotiate->ciphersuite,
883 &traffic_keys,
884 ssl );
885 if( ret != 0 )
886 {
887 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]888 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]889 }
890
891 ssl->transform_application = transform_application;
892
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]893cleanup:
894
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]895 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]896 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]897 {
898 mbedtls_free( transform_application );
899 MBEDTLS_SSL_PEND_FATAL_ALERT(
900 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
901 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
902 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]903 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]904}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]905#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]906
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]907static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]908{
909
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]910#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]911 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
912 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]913 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]914 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]915#else
916 ((void) ssl);
917#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]918
919 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
920}
921
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]922int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
923{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]924 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]925 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]926 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]927
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]929
930 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]931 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]932
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]933 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]934 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]935 &buf, &buf_len ) );
936 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]937 mbedtls_ssl_tls13_add_hs_msg_to_checksum(
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]938 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]939 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]940
941cleanup:
942
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]943 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]944 return( ret );
945}
946
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]947/*
948 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]949 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]950 *
951 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]952/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]953 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]954 */
955
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]956static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]957{
958 int ret;
959
960 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]961 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]962 ssl->handshake->state_local.finished_out.digest,
963 sizeof( ssl->handshake->state_local.finished_out.digest ),
964 &ssl->handshake->state_local.finished_out.digest_len,
965 ssl->conf->endpoint );
966
967 if( ret != 0 )
968 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]969 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]970 return( ret );
971 }
972
973 return( 0 );
974}
975
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]976static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]977{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]978 // TODO: Add back resumption keys calculation after MVP.
979 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]980
981 return( 0 );
982}
983
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]984static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]985 unsigned char *buf,
986 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]987 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]988{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]989 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]990 /*
991 * struct {
992 * opaque verify_data[Hash.length];
993 * } Finished;
994 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]995 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]996
997 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]998 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]999
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1000 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1001 return( 0 );
1002}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1003
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1004/* Main entry point: orchestrates the other functions */
1005int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1006{
1007 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1008 unsigned char *buf;
1009 size_t buf_len, msg_len;
1010
1011 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1012
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1013 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1014
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1015 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1016 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1017
1018 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1019 ssl, buf, buf + buf_len, &msg_len ) );
1020
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1021 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1022 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1023
1024 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
1025 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
1026 buf_len, msg_len ) );
1027 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1028
1029cleanup:
1030
1031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1032 return( ret );
1033}
1034
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1035void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1036{
1037
1038 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1039
1040 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1041 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1042 */
1043 if( ssl->session )
1044 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1045 mbedtls_ssl_session_free( ssl->session );
1046 mbedtls_free( ssl->session );
1047 }
1048 ssl->session = ssl->session_negotiate;
1049 ssl->session_negotiate = NULL;
1050
1051 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1052}
1053
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1054/*
1055 *
1056 * STATE HANDLING: Write ChangeCipherSpec
1057 *
1058 */
1059#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1060
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1061static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl )
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1062{
1063
1064#if defined(MBEDTLS_SSL_CLI_C)
1065 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1066 {
1067 switch( ssl->state )
1068 {
1069 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
1070 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1071 break;
1072 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
1073 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1074 break;
1075 default:
1076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1077 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1078 }
1079 }
1080#else
1081 ((void) ssl);
1082#endif /* MBEDTLS_SSL_CLI_C */
1083
1084 return( 0 );
1085}
1086
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1087static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1088 unsigned char *buf,
1089 unsigned char *end,
1090 size_t *olen )
1091{
1092 ((void) ssl);
1093
1094 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1095 buf[0] = 1;
1096 *olen = 1;
1097
1098 return( 0 );
1099}
1100
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1101int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1102{
1103 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1104
1105 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1106
1107 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1108
1109 /* Write CCS message */
1110 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1111 ssl, ssl->out_msg,
1112 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1113 &ssl->out_msglen ) );
1114
1115 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1116
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1117 /* Update state */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1118 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_change_cipher_spec( ssl ) );
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1119
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1120 /* Dispatch message */
1121 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) );
1122
1123cleanup:
1124
1125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1126 return( ret );
1127}
1128
1129#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1130
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1131static int ssl_hash_transcript_core( mbedtls_ssl_context *ssl,
1132 mbedtls_md_type_t md,
1133 unsigned char *transcript,
1134 size_t len,
1135 size_t *olen )
1136{
1137 int ret;
1138 size_t hash_size;
1139
1140 if( len < 4 )
1141 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1142
1143 ret = mbedtls_ssl_get_handshake_transcript( ssl, md,
1144 transcript + 4,
1145 len - 4,
1146 &hash_size );
1147 if( ret != 0 )
1148 {
1149 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1150 return( ret );
1151 }
1152
1153 transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1154 transcript[1] = 0;
1155 transcript[2] = 0;
1156 transcript[3] = (unsigned char) hash_size;
1157
1158 *olen = 4 + hash_size;
1159 return( 0 );
1160}
1161
1162/* Reset SSL context and update hash for handling HRR.
1163 *
1164 * Replace Transcript-Hash(X) by
1165 * Transcript-Hash( message_hash ||
1166 * 00 00 Hash.length ||
1167 * X )
1168 * A few states of the handshake are preserved, including:
1169 * - session ID
1170 * - session ticket
1171 * - negotiated ciphersuite
1172 */
1173int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1174{
1175 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1176 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
1177 size_t hash_olen;
1178 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1179 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1180 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1181
1182 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1183
1184 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1185 {
1186#if defined(MBEDTLS_SHA256_C)
1187 ret = ssl_hash_transcript_core( ssl, MBEDTLS_MD_SHA256,
1188 hash_transcript,
1189 sizeof( hash_transcript ),
1190 &hash_olen );
1191 if( ret != 0 )
1192 {
1193 MBEDTLS_SSL_DEBUG_RET( 4, "ssl_hash_transcript_core", ret );
1194 return( ret );
1195 }
1196 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
1197 hash_transcript, hash_olen );
1198
1199#if defined(MBEDTLS_USE_PSA_CRYPTO)
1200 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1201 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1202#else
1203 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1204#endif
1205 ssl->handshake->update_checksum( ssl, hash_transcript, hash_olen );
1206#endif /* MBEDTLS_SHA256_C */
1207 }
1208 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1209 {
1210#if defined(MBEDTLS_SHA384_C)
1211 ret = ssl_hash_transcript_core( ssl, MBEDTLS_MD_SHA384,
1212 hash_transcript,
1213 sizeof( hash_transcript ),
1214 &hash_olen );
1215 if( ret != 0 )
1216 {
1217 MBEDTLS_SSL_DEBUG_RET( 4, "ssl_hash_transcript_core", ret );
1218 return( ret );
1219 }
1220 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
1221 hash_transcript, hash_olen );
1222
1223#if defined(MBEDTLS_USE_PSA_CRYPTO)
1224 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1225 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1226#else
1227 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1228#endif
1229 ssl->handshake->update_checksum( ssl, hash_transcript, hash_olen );
1230#endif /* MBEDTLS_SHA384_C */
1231 }
1232
1233 return( ret );
1234}
1235
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]1236#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1237
1238#endif /* MBEDTLS_SSL_TLS_C */