TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 10aeec0685c878601cc65aee4fc424be9f65e823 / . / library / ssl_tls13_generic.c
blob: 0157726afba869ac3eccd64990783df0a7da5975 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
24#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]28
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]29#include "ssl_misc.h"
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]30#include <mbedtls/debug.h>
31#include <mbedtls/oid.h>
32#include <mbedtls/platform.h>
33
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]34
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]35int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl,
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]36 unsigned hs_type,
37 unsigned char **buf,
38 size_t *buflen )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]39{
40 int ret;
41
42 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
43 {
44 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
45 goto cleanup;
46 }
47
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]48 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]49 ssl->in_msg[0] != hs_type )
50 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]51 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]52 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]53 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]54 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
55 goto cleanup;
56 }
57
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]58 /*
59 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
60 * ...
61 * HandshakeType msg_type;
62 * uint24 length;
63 * ...
64 */
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]65 *buf = ssl->in_msg + 4;
66 *buflen = ssl->in_hslen - 4;
67
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]68cleanup:
69
70 return( ret );
71}
72
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]73int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]74 unsigned hs_type,
75 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]76 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]77{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]78 /*
79 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
80 * ...
81 * HandshakeType msg_type;
82 * uint24 length;
83 * ...
84 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]85 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]86 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]87
88 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
89 ssl->out_msg[0] = hs_type;
90
91 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]92}
93
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]94int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]95 size_t buf_len,
96 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]97{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]98 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800[diff] [blame]99 size_t msg_len_with_header;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]100 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]101
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]102 /* Add reserved 4 bytes for handshake header */
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800[diff] [blame]103 msg_len_with_header = msg_len + 4;
104 ssl->out_msglen = msg_len_with_header;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]105 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]106
107cleanup:
108 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]109}
110
Jerry Yu48369522021-09-18 16:09:01 +0800[diff] [blame]111void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
112 unsigned hs_type,
113 unsigned char const *msg,
114 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]115{
116 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
117 ssl->handshake->update_checksum( ssl, msg, msg_len );
118}
119
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]120void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]121 unsigned hs_type,
122 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]123{
124 unsigned char hs_hdr[4];
125
126 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]127 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
128 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
129 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
130 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]131
132 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
133}
134
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]135#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
136
137/*
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]138 * mbedtls_ssl_tls13_write_sig_alg_ext( )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]139 *
140 * enum {
141 * ....
142 * ecdsa_secp256r1_sha256( 0x0403 ),
143 * ecdsa_secp384r1_sha384( 0x0503 ),
144 * ecdsa_secp521r1_sha512( 0x0603 ),
145 * ....
146 * } SignatureScheme;
147 *
148 * struct {
149 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
150 * } SignatureSchemeList;
151 *
152 * Only if we handle at least one key exchange that needs signatures.
153 */
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]154int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
155 unsigned char *buf,
156 unsigned char *end,
157 size_t *olen )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]158{
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]159 unsigned char *p = buf;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]160 unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */
161 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]162
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]163 *olen = 0;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]164
165 /* Skip the extension on the client if all allowed key exchanges
166 * are PSK-based. */
167#if defined(MBEDTLS_SSL_CLI_C)
168 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
169 !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
170 {
171 return( 0 );
172 }
173#endif /* MBEDTLS_SSL_CLI_C */
174
175 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
176
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]177 /* Check if we have space for header and length field:
178 * - extension_type (2 bytes)
179 * - extension_data_length (2 bytes)
180 * - supported_signature_algorithms_length (2 bytes)
181 */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]182 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
183 p += 6;
184
185 /*
186 * Write supported_signature_algorithms
187 */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]188 supported_sig_alg_ptr = p;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]189 for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs;
190 *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ )
191 {
192 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
193 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
194 p += 2;
195 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
196 }
197
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]198 /* Length of supported_signature_algorithms */
199 supported_sig_alg_len = p - supported_sig_alg_ptr;
200 if( supported_sig_alg_len == 0 )
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]201 {
202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
203 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
204 }
205
206 /* Write extension_type */
207 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
208 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]209 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]210 /* Write length of supported_signature_algorithms */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]211 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]212
213 /* Output the total length of signature algorithms extension. */
214 *olen = p - buf;
215
216 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]217 return( 0 );
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]218}
219
220#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
221
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]222/*
223 *
224 * STATE HANDLING: Incoming Certificate, client-side only currently.
225 *
226 */
227
228/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]229 * Implementation
230 */
231
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]232#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
233#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
234/*
235 * Structure of Certificate message:
236 *
237 * enum {
238 * X509(0),
239 * RawPublicKey(2),
240 * (255)
241 * } CertificateType;
242 *
243 * struct {
244 * select (certificate_type) {
245 * case RawPublicKey:
246 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
247 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
248 * case X509:
249 * opaque cert_data<1..2^24-1>;
250 * };
251 * Extension extensions<0..2^16-1>;
252 * } CertificateEntry;
253 *
254 * struct {
255 * opaque certificate_request_context<0..2^8-1>;
256 * CertificateEntry certificate_list<0..2^24-1>;
257 * } Certificate;
258 *
259 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]260
261/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]262static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
263 const unsigned char *buf,
264 const unsigned char *end )
265{
266 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
267 size_t certificate_request_context_len = 0;
268 size_t certificate_list_len = 0;
269 const unsigned char *p = buf;
270 const unsigned char *certificate_list_end;
271
272 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
273 certificate_request_context_len = p[0];
274 certificate_list_len = ( p[1] << 16 ) | ( p[2] << 8 ) | p[3];
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]275 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]276
277 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
278 * support anything beyond 2^16 = 64K.
279 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]280 if( ( certificate_request_context_len != 0 ) ||
281 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]282 {
283 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
284 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
285 MBEDTLS_ERR_SSL_DECODE_ERROR );
286 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
287 }
288
289 /* In case we tried to reuse a session but it failed */
290 if( ssl->session_negotiate->peer_cert != NULL )
291 {
292 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
293 mbedtls_free( ssl->session_negotiate->peer_cert );
294 }
295
296 if( ( ssl->session_negotiate->peer_cert =
297 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
298 {
299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
300 sizeof( mbedtls_x509_crt ) ) );
301 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
302 MBEDTLS_ERR_SSL_ALLOC_FAILED );
303 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
304 }
305
306 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
307
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]308 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]309 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]310 {
311 size_t cert_data_len, extensions_len;
312
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]313 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]314 cert_data_len = ( ( size_t )p[0] << 16 ) |
315 ( ( size_t )p[1] << 8 ) |
316 ( ( size_t )p[2] );
317 p += 3;
318
319 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
320 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
321 * check that we have a minimum of 128 bytes of data, this is not
322 * clear why we need that though.
323 */
324 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]325 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
327 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
328 MBEDTLS_ERR_SSL_DECODE_ERROR );
329 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
330 }
331
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]332 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]333 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
334 p, cert_data_len );
335
336 switch( ret )
337 {
338 case 0: /*ok*/
339 break;
340 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
341 /* Ignore certificate with an unknown algorithm: maybe a
342 prior certificate was already trusted. */
343 break;
344
345 case MBEDTLS_ERR_X509_ALLOC_FAILED:
346 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
347 MBEDTLS_ERR_X509_ALLOC_FAILED );
348 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
349 return( ret );
350
351 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
352 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
353 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
354 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
355 return( ret );
356
357 default:
358 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
359 ret );
360 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
361 return( ret );
362 }
363
364 p += cert_data_len;
365
366 /* Certificate extensions length */
367 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
368 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
369 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]370 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]371 p += extensions_len;
372 }
373
374 /* Check that all the message is consumed. */
375 if( p != end )
376 {
377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
378 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
379 MBEDTLS_ERR_SSL_DECODE_ERROR );
380 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
381 }
382
383 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
384
385 return( ret );
386}
387#else
388static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
389 const unsigned char *buf,
390 const unsigned char *end )
391{
392 ((void) ssl);
393 ((void) buf);
394 ((void) end);
395 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
396}
397#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
398#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
399
400#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
401#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]402/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]403static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
404{
405 int ret = 0;
406 mbedtls_x509_crt *ca_chain;
407 mbedtls_x509_crl *ca_crl;
408
409#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
410 if( ssl->handshake->sni_ca_chain != NULL )
411 {
412 ca_chain = ssl->handshake->sni_ca_chain;
413 ca_crl = ssl->handshake->sni_ca_crl;
414 }
415 else
416#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
417 {
418 ca_chain = ssl->conf->ca_chain;
419 ca_crl = ssl->conf->ca_crl;
420 }
421
422 /*
423 * Main check: verify certificate
424 */
425 ret = mbedtls_x509_crt_verify_with_profile(
426 ssl->session_negotiate->peer_cert,
427 ca_chain, ca_crl,
428 ssl->conf->cert_profile,
429 ssl->hostname,
430 &ssl->session_negotiate->verify_result,
431 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
432
433 if( ret != 0 )
434 {
435 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
436 }
437
438 /*
439 * Secondary checks: always done, but change 'ret' only if it was 0
440 */
441
442#if defined(MBEDTLS_ECP_C)
443 {
444 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
445
446 /* If certificate uses an EC key, make sure the curve is OK */
447 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
448 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
449 {
450 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
451
452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
453 if( ret == 0 )
454 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
455 }
456 }
457#endif /* MBEDTLS_ECP_C */
458
459 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
460 ssl->handshake->ciphersuite_info,
461 !ssl->conf->endpoint,
462 &ssl->session_negotiate->verify_result ) != 0 )
463 {
464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
465 if( ret == 0 )
466 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
467 }
468
469
470 if( ca_chain == NULL )
471 {
472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
473 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
474 }
475
476 if( ret != 0 )
477 {
478 /* The certificate may have been rejected for several reasons.
479 Pick one and send the corresponding alert. Which alert to send
480 may be a subject of debate in some cases. */
481 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
482 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
483 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
484 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
485 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
486 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
487 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
488 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
489 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
490 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
491 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
492 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
493 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
494 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
495 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
496 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
497 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
498 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
499 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
500 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
501 else
502 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
503 }
504
505#if defined(MBEDTLS_DEBUG_C)
506 if( ssl->session_negotiate->verify_result != 0 )
507 {
508 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
509 (unsigned int) ssl->session_negotiate->verify_result ) );
510 }
511 else
512 {
513 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
514 }
515#endif /* MBEDTLS_DEBUG_C */
516
517 return( ret );
518}
519#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
520static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
521{
522 ((void) ssl);
523 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
524}
525#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
526#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
527
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]528int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]529{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
531 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
532
533#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
534 unsigned char *buf;
535 size_t buf_len;
536
537 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg(
538 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
539 &buf, &buf_len ) );
540
541 /* Parse the certificate chain sent by the peer. */
542 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
543 /* Validate the certificate chain and set the verification results. */
544 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
545
546 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
547 buf, buf_len );
548
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]549cleanup:
550
551 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame^]552#else
553 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
554 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
555#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]556 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]557}
558
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]559#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
560
561#endif /* MBEDTLS_SSL_TLS_C */