blob: 53810b81adea3166dee65a5b726e1056f11b383d [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +08001/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
24#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
25
Jerry Yu30b071c2021-09-12 20:16:03 +080026#include <string.h>
27
Jerry Yuc8a392c2021-08-18 16:46:28 +080028#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +080029#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +080030#include "mbedtls/oid.h"
31#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +010032#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +000033#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +080034
Jerry Yu65dd2cc2021-08-18 16:38:40 +080035#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +080036#include "ssl_tls13_keys.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +080037
XiaokangQian6b226b02021-09-24 07:51:16 +000038int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl,
XiaokangQian16c61aa2021-09-27 09:30:17 +000039 unsigned hs_type,
40 unsigned char **buf,
41 size_t *buflen )
XiaokangQian6b226b02021-09-24 07:51:16 +000042{
43 int ret;
44
45 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
46 {
47 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
48 goto cleanup;
49 }
50
XiaokangQian16c61aa2021-09-27 09:30:17 +000051 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +000052 ssl->in_msg[0] != hs_type )
53 {
XiaokangQian16c61aa2021-09-27 09:30:17 +000054 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +000055 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +000056 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +000057 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
58 goto cleanup;
59 }
60
XiaokangQian05420b12021-09-29 08:46:37 +000061 /*
62 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
63 * ...
64 * HandshakeType msg_type;
65 * uint24 length;
66 * ...
67 */
XiaokangQian6b226b02021-09-24 07:51:16 +000068 *buf = ssl->in_msg + 4;
69 *buflen = ssl->in_hslen - 4;
70
XiaokangQian6b226b02021-09-24 07:51:16 +000071cleanup:
72
73 return( ret );
74}
75
Jerry Yuf4436812021-08-26 22:59:56 +080076int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +080077 unsigned hs_type,
78 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +080079 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +080080{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +080081 /*
82 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
83 * ...
84 * HandshakeType msg_type;
85 * uint24 length;
86 * ...
87 */
Jerry Yuc8a392c2021-08-18 16:46:28 +080088 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +080089 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +080090
91 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
92 ssl->out_msg[0] = hs_type;
93
94 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +080095}
96
Jerry Yuf4436812021-08-26 22:59:56 +080097int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +080098 size_t buf_len,
99 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800100{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800102 size_t msg_len_with_header;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800103 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800104
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800105 /* Add reserved 4 bytes for handshake header */
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800106 msg_len_with_header = msg_len + 4;
107 ssl->out_msglen = msg_len_with_header;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800108 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800109
110cleanup:
111 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800112}
113
Jerry Yu48369522021-09-18 16:09:01 +0800114void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
115 unsigned hs_type,
116 unsigned char const *msg,
117 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800118{
119 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
120 ssl->handshake->update_checksum( ssl, msg, msg_len );
121}
122
Jerry Yuf4436812021-08-26 22:59:56 +0800123void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800124 unsigned hs_type,
125 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800126{
127 unsigned char hs_hdr[4];
128
129 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800130 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
131 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
132 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
133 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800134
135 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
136}
137
Jerry Yubc20bdd2021-08-24 15:59:48 +0800138#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
139
140/*
Jerry Yue41dec02021-08-31 10:57:07 +0800141 * mbedtls_ssl_tls13_write_sig_alg_ext( )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800142 *
143 * enum {
144 * ....
145 * ecdsa_secp256r1_sha256( 0x0403 ),
146 * ecdsa_secp384r1_sha384( 0x0503 ),
147 * ecdsa_secp521r1_sha512( 0x0603 ),
148 * ....
149 * } SignatureScheme;
150 *
151 * struct {
152 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
153 * } SignatureSchemeList;
154 *
155 * Only if we handle at least one key exchange that needs signatures.
156 */
Jerry Yue41dec02021-08-31 10:57:07 +0800157int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
158 unsigned char *buf,
159 unsigned char *end,
160 size_t *olen )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800161{
Jerry Yu72369942021-08-31 15:41:21 +0800162 unsigned char *p = buf;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800163 unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */
164 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
Jerry Yu72369942021-08-31 15:41:21 +0800165
Jerry Yu75336352021-09-01 15:59:36 +0800166 *olen = 0;
Jerry Yu72369942021-08-31 15:41:21 +0800167
168 /* Skip the extension on the client if all allowed key exchanges
169 * are PSK-based. */
170#if defined(MBEDTLS_SSL_CLI_C)
171 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
172 !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
173 {
174 return( 0 );
175 }
176#endif /* MBEDTLS_SSL_CLI_C */
177
178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
179
Jerry Yub60e3cf2021-09-08 16:41:02 +0800180 /* Check if we have space for header and length field:
181 * - extension_type (2 bytes)
182 * - extension_data_length (2 bytes)
183 * - supported_signature_algorithms_length (2 bytes)
184 */
Jerry Yu72369942021-08-31 15:41:21 +0800185 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
186 p += 6;
187
188 /*
189 * Write supported_signature_algorithms
190 */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800191 supported_sig_alg_ptr = p;
Jerry Yu72369942021-08-31 15:41:21 +0800192 for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs;
193 *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ )
194 {
195 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
196 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
197 p += 2;
198 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
199 }
200
Jerry Yub60e3cf2021-09-08 16:41:02 +0800201 /* Length of supported_signature_algorithms */
202 supported_sig_alg_len = p - supported_sig_alg_ptr;
203 if( supported_sig_alg_len == 0 )
Jerry Yu72369942021-08-31 15:41:21 +0800204 {
205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
206 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
207 }
208
209 /* Write extension_type */
210 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
211 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800212 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
Jerry Yu72369942021-08-31 15:41:21 +0800213 /* Write length of supported_signature_algorithms */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800214 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
Jerry Yu72369942021-08-31 15:41:21 +0800215
216 /* Output the total length of signature algorithms extension. */
217 *olen = p - buf;
218
219 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
Jerry Yu75336352021-09-01 15:59:36 +0800220 return( 0 );
Jerry Yubc20bdd2021-08-24 15:59:48 +0800221}
222
Jerry Yu30b071c2021-09-12 20:16:03 +0800223/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800224 * STATE HANDLING: Read CertificateVerify
225 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800226/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800227 *
228 * The structure is computed per TLS 1.3 specification as:
229 * - 64 bytes of octet 32,
230 * - 33 bytes for the context string
231 * (which is either "TLS 1.3, client CertificateVerify"
232 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800233 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800234 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
235 * (depending on the size of the transcript_hash)
236 *
237 * This results in a total size of
238 * - 130 bytes for a SHA256-based transcript hash, or
239 * (64 + 33 + 1 + 32 bytes)
240 * - 146 bytes for a SHA384-based transcript hash.
241 * (64 + 33 + 1 + 48 bytes)
242 *
243 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800244#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
245 33 + \
246 1 + \
247 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800248 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800249
Jerry Yu0b32c502021-10-28 13:41:59 +0800250/*
251 * The ssl_tls13_create_verify_structure() creates the verify structure.
252 * As input, it requires the transcript hash.
253 *
254 * The caller has to ensure that the buffer has size at least
255 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
256 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800257static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800258 size_t transcript_hash_len,
259 unsigned char *verify_buffer,
260 size_t *verify_buffer_len,
261 int from )
262{
263 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800264
Jerry Yu0b32c502021-10-28 13:41:59 +0800265 /* RFC 8446, Section 4.4.3:
266 *
267 * The digital signature [in the CertificateVerify message] is then
268 * computed over the concatenation of:
269 * - A string that consists of octet 32 (0x20) repeated 64 times
270 * - The context string
271 * - A single 0 byte which serves as the separator
272 * - The content to be signed
273 */
274 memset( verify_buffer, 0x20, 64 );
275 idx = 64;
276
277 if( from == MBEDTLS_SSL_IS_CLIENT )
278 {
279 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
280 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
281 }
282 else
283 { /* from == MBEDTLS_SSL_IS_SERVER */
284 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
285 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
286 }
287
288 verify_buffer[idx++] = 0x0;
289
290 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
291 idx += transcript_hash_len;
292
293 *verify_buffer_len = idx;
294}
295
Jerry Yud0fc5852021-10-29 11:09:06 +0800296static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
297 uint16_t sig_alg )
Jerry Yu982d9e52021-10-14 15:59:37 +0800298{
299 const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs;
300
Jerry Yud0fc5852021-10-29 11:09:06 +0800301 for( ; *tls13_sig_alg != MBEDTLS_TLS13_SIG_NONE ; tls13_sig_alg++ )
Jerry Yu982d9e52021-10-14 15:59:37 +0800302 {
303 if( *tls13_sig_alg == sig_alg )
Jerry Yud0fc5852021-10-29 11:09:06 +0800304 return( 1 );
Jerry Yu982d9e52021-10-14 15:59:37 +0800305 }
Jerry Yud0fc5852021-10-29 11:09:06 +0800306 return( 0 );
Jerry Yu982d9e52021-10-14 15:59:37 +0800307}
308
Jerry Yu0b32c502021-10-28 13:41:59 +0800309static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800310 const unsigned char *buf,
311 const unsigned char *end,
312 const unsigned char *verify_buffer,
313 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800314{
315 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
316 const unsigned char *p = buf;
317 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800318 size_t signature_len;
319 mbedtls_pk_type_t sig_alg;
320 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800321 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800322 size_t verify_hash_len;
323
324 /*
325 * struct {
326 * SignatureScheme algorithm;
327 * opaque signature<0..2^16-1>;
328 * } CertificateVerify;
329 */
330 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
331 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
332 p += 2;
333
334 /* RFC 8446 section 4.4.3
335 *
336 * If the CertificateVerify message is sent by a server, the signature algorithm
337 * MUST be one offered in the client's "signature_algorithms" extension unless
338 * no valid certificate chain can be produced without unsupported algorithms
339 *
340 * RFC 8446 section 4.4.2.2
341 *
342 * If the client cannot construct an acceptable chain using the provided
343 * certificates and decides to abort the handshake, then it MUST abort the handshake
344 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
345 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800346 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800347 */
Jerry Yu0b32c502021-10-28 13:41:59 +0800348 if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800349 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800350 /* algorithm not in offered signature algorithms list */
351 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
352 "offered.",
353 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800354 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800355 }
356
357 /* We currently only support ECDSA-based signatures */
358 switch( algorithm )
359 {
360 case MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256:
361 md_alg = MBEDTLS_MD_SHA256;
362 sig_alg = MBEDTLS_PK_ECDSA;
363 break;
364 case MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384:
365 md_alg = MBEDTLS_MD_SHA384;
366 sig_alg = MBEDTLS_PK_ECDSA;
367 break;
368 case MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512:
369 md_alg = MBEDTLS_MD_SHA512;
370 sig_alg = MBEDTLS_PK_ECDSA;
371 break;
372 default:
373 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800374 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800375 }
376
377 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
378 ( unsigned int ) algorithm ) );
379
380 /*
381 * Check the certificate's key type matches the signature alg
382 */
383 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
384 {
385 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800386 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800387 }
388
389 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
390 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
391 p += 2;
392 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
393
394 /* Hash verify buffer with indicated hash function */
395 switch( md_alg )
396 {
397#if defined(MBEDTLS_SHA256_C)
398 case MBEDTLS_MD_SHA256:
399 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800400 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800401 break;
402#endif /* MBEDTLS_SHA256_C */
403
404#if defined(MBEDTLS_SHA384_C)
405 case MBEDTLS_MD_SHA384:
406 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800407 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800408 break;
409#endif /* MBEDTLS_SHA384_C */
410
411#if defined(MBEDTLS_SHA512_C)
412 case MBEDTLS_MD_SHA512:
413 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800414 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800415 break;
416#endif /* MBEDTLS_SHA512_C */
417
Jerry Yu0b32c502021-10-28 13:41:59 +0800418 default:
419 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
420 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800421 }
422
Jerry Yu133690c2021-10-25 14:01:13 +0800423 if( ret != 0 )
424 {
425 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800426 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800427 }
428
Jerry Yu30b071c2021-09-12 20:16:03 +0800429 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
430
431 if( ( ret = mbedtls_pk_verify_ext( sig_alg, NULL,
432 &ssl->session_negotiate->peer_cert->pk,
433 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800434 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800435 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800436 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800437 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800438 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800439
Jerry Yu6f87f252021-10-29 20:12:51 +0800440error:
441 /* RFC 8446 section 4.4.3
442 *
443 * If the verification fails, the receiver MUST terminate the handshake
444 * with a "decrypt_error" alert.
445 */
446 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
447 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
448 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
449
Jerry Yu30b071c2021-09-12 20:16:03 +0800450}
451#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
452
453int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
454{
Jerry Yu30b071c2021-09-12 20:16:03 +0800455
Jerry Yuda8cdf22021-10-25 15:06:49 +0800456#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
457 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
458 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
459 size_t verify_buffer_len;
460 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
461 size_t transcript_len;
462 unsigned char *buf;
463 size_t buf_len;
464
Jerry Yu30b071c2021-09-12 20:16:03 +0800465 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
466
Jerry Yuda8cdf22021-10-25 15:06:49 +0800467 MBEDTLS_SSL_PROC_CHK(
468 mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl,
469 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800470
Jerry Yuda8cdf22021-10-25 15:06:49 +0800471 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800472 * before reading the message since otherwise it gets
473 * included in the transcript
474 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800475 ret = mbedtls_ssl_get_handshake_transcript( ssl,
476 ssl->handshake->ciphersuite_info->mac,
477 transcript, sizeof( transcript ),
478 &transcript_len );
479 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800480 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800481 MBEDTLS_SSL_PEND_FATAL_ALERT(
482 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
483 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
484 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800485 }
486
Jerry Yuda8cdf22021-10-25 15:06:49 +0800487 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
488
489 /* Create verify structure */
490 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800491 transcript_len,
492 verify_buffer,
493 &verify_buffer_len,
494 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
495 MBEDTLS_SSL_IS_SERVER :
496 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800497
498 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800499 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
500 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800501
502 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl,
503 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800504
505cleanup:
506
507 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800508 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800509 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800510#else
511 ((void) ssl);
512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
513 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
514#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800515}
516
517/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000518 *
519 * STATE HANDLING: Incoming Certificate, client-side only currently.
520 *
521 */
522
523/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000524 * Implementation
525 */
526
Xiaofei Bai947571e2021-09-29 09:12:03 +0000527#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
528#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
529/*
530 * Structure of Certificate message:
531 *
532 * enum {
533 * X509(0),
534 * RawPublicKey(2),
535 * (255)
536 * } CertificateType;
537 *
538 * struct {
539 * select (certificate_type) {
540 * case RawPublicKey:
541 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
542 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
543 * case X509:
544 * opaque cert_data<1..2^24-1>;
545 * };
546 * Extension extensions<0..2^16-1>;
547 * } CertificateEntry;
548 *
549 * struct {
550 * opaque certificate_request_context<0..2^8-1>;
551 * CertificateEntry certificate_list<0..2^24-1>;
552 * } Certificate;
553 *
554 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000555
556/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000557static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
558 const unsigned char *buf,
559 const unsigned char *end )
560{
561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
562 size_t certificate_request_context_len = 0;
563 size_t certificate_list_len = 0;
564 const unsigned char *p = buf;
565 const unsigned char *certificate_list_end;
566
567 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
568 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800569 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000570 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000571
572 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
573 * support anything beyond 2^16 = 64K.
574 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000575 if( ( certificate_request_context_len != 0 ) ||
576 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000577 {
578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
579 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
580 MBEDTLS_ERR_SSL_DECODE_ERROR );
581 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
582 }
583
584 /* In case we tried to reuse a session but it failed */
585 if( ssl->session_negotiate->peer_cert != NULL )
586 {
587 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
588 mbedtls_free( ssl->session_negotiate->peer_cert );
589 }
590
591 if( ( ssl->session_negotiate->peer_cert =
592 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
593 {
594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
595 sizeof( mbedtls_x509_crt ) ) );
596 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
597 MBEDTLS_ERR_SSL_ALLOC_FAILED );
598 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
599 }
600
601 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
602
Xiaofei Bai947571e2021-09-29 09:12:03 +0000603 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000604 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000605 {
606 size_t cert_data_len, extensions_len;
607
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000608 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000609 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000610 p += 3;
611
612 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
613 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
614 * check that we have a minimum of 128 bytes of data, this is not
615 * clear why we need that though.
616 */
617 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000618 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
620 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
621 MBEDTLS_ERR_SSL_DECODE_ERROR );
622 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
623 }
624
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000625 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000626 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
627 p, cert_data_len );
628
629 switch( ret )
630 {
631 case 0: /*ok*/
632 break;
633 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
634 /* Ignore certificate with an unknown algorithm: maybe a
635 prior certificate was already trusted. */
636 break;
637
638 case MBEDTLS_ERR_X509_ALLOC_FAILED:
639 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
640 MBEDTLS_ERR_X509_ALLOC_FAILED );
641 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
642 return( ret );
643
644 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
645 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
646 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
647 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
648 return( ret );
649
650 default:
651 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
652 ret );
653 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
654 return( ret );
655 }
656
657 p += cert_data_len;
658
659 /* Certificate extensions length */
660 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
661 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
662 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000663 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000664 p += extensions_len;
665 }
666
667 /* Check that all the message is consumed. */
668 if( p != end )
669 {
670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
671 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
672 MBEDTLS_ERR_SSL_DECODE_ERROR );
673 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
674 }
675
676 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
677
678 return( ret );
679}
680#else
681static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
682 const unsigned char *buf,
683 const unsigned char *end )
684{
685 ((void) ssl);
686 ((void) buf);
687 ((void) end);
688 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
689}
690#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
691#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
692
693#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
694#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000695/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000696static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
697{
698 int ret = 0;
699 mbedtls_x509_crt *ca_chain;
700 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000701 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000702
703#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
704 if( ssl->handshake->sni_ca_chain != NULL )
705 {
706 ca_chain = ssl->handshake->sni_ca_chain;
707 ca_crl = ssl->handshake->sni_ca_crl;
708 }
709 else
710#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
711 {
712 ca_chain = ssl->conf->ca_chain;
713 ca_crl = ssl->conf->ca_crl;
714 }
715
716 /*
717 * Main check: verify certificate
718 */
719 ret = mbedtls_x509_crt_verify_with_profile(
720 ssl->session_negotiate->peer_cert,
721 ca_chain, ca_crl,
722 ssl->conf->cert_profile,
723 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000724 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000725 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
726
727 if( ret != 0 )
728 {
729 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
730 }
731
732 /*
733 * Secondary checks: always done, but change 'ret' only if it was 0
734 */
735
736#if defined(MBEDTLS_ECP_C)
737 {
738 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
739
740 /* If certificate uses an EC key, make sure the curve is OK */
741 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
742 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
743 {
Xiaofei Baiff456022021-10-28 06:50:17 +0000744 verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000745
746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
747 if( ret == 0 )
748 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
749 }
750 }
751#endif /* MBEDTLS_ECP_C */
752
753 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
754 ssl->handshake->ciphersuite_info,
755 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000756 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000757 {
758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
759 if( ret == 0 )
760 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
761 }
762
763
764 if( ca_chain == NULL )
765 {
766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
767 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
768 }
769
770 if( ret != 0 )
771 {
772 /* The certificate may have been rejected for several reasons.
773 Pick one and send the corresponding alert. Which alert to send
774 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000775 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000776 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000777 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000778 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000779 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
780 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
781 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
782 MBEDTLS_X509_BADCERT_BAD_PK |
783 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000784 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000785 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000786 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000787 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000788 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000789 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000790 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
791 else
792 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
793 }
794
795#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000796 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000797 {
798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800799 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000800 }
801 else
802 {
803 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
804 }
805#endif /* MBEDTLS_DEBUG_C */
806
Xiaofei Baiff456022021-10-28 06:50:17 +0000807 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000808 return( ret );
809}
810#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
811static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
812{
813 ((void) ssl);
814 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
815}
816#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
817#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
818
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000819int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000820{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000821 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
822 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
823
824#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
825 unsigned char *buf;
826 size_t buf_len;
827
828 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg(
829 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
830 &buf, &buf_len ) );
831
832 /* Parse the certificate chain sent by the peer. */
833 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
834 /* Validate the certificate chain and set the verification results. */
835 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
836
837 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
838 buf, buf_len );
839
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000840cleanup:
841
842 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000843#else
844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
845 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
846#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000847 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000848}
849
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000850/*
851 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000852 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000853 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000854/*
855 * Implementation
856 */
857
XiaokangQianaaa0e192021-11-10 03:07:04 +0000858static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000859{
860 int ret;
861
XiaokangQianc5c39d52021-11-09 11:55:10 +0000862 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000863 ssl->handshake->state_local.finished_in.digest,
864 sizeof( ssl->handshake->state_local.finished_in.digest ),
865 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000866 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000867 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000868 if( ret != 0 )
869 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000870 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000871 return( ret );
872 }
873
874 return( 0 );
875}
876
XiaokangQianc5c39d52021-11-09 11:55:10 +0000877static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
878 const unsigned char *buf,
879 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000880{
XiaokangQian33062842021-11-11 03:37:45 +0000881 /*
882 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000883 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000884 * } Finished;
885 */
886 const unsigned char *expected_verify_data =
887 ssl->handshake->state_local.finished_in.digest;
888 size_t expected_verify_data_len =
889 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000890 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000891 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000892 {
893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
894
895 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000896 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000897 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
898 }
899
XiaokangQianc5c39d52021-11-09 11:55:10 +0000900 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000901 expected_verify_data,
902 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000903 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000904 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000905
906 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100907 if( mbedtls_ct_memcmp( buf,
908 expected_verify_data,
909 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000910 {
911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
912
XiaokangQian33062842021-11-11 03:37:45 +0000913 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000914 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000915 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
916 }
917 return( 0 );
918}
919
XiaokangQianc13f9352021-11-11 06:13:22 +0000920#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000921static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000922{
XiaokangQian33062842021-11-11 03:37:45 +0000923 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000924 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000925 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000926
XiaokangQian4cab0242021-10-12 08:43:37 +0000927 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000928 if( ret != 0 )
929 {
930 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000931 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000932 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000933 }
934
XiaokangQian33062842021-11-11 03:37:45 +0000935 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000936 if( ret != 0 )
937 {
938 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000939 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000940 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000941 }
942
943 transform_application =
944 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
945 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000946 {
947 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
948 goto cleanup;
949 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000950
951 ret = mbedtls_ssl_tls13_populate_transform(
952 transform_application,
953 ssl->conf->endpoint,
954 ssl->session_negotiate->ciphersuite,
955 &traffic_keys,
956 ssl );
957 if( ret != 0 )
958 {
959 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000960 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000961 }
962
963 ssl->transform_application = transform_application;
964
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000965cleanup:
966
XiaokangQian33062842021-11-11 03:37:45 +0000967 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000968 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000969 {
970 mbedtls_free( transform_application );
971 MBEDTLS_SSL_PEND_FATAL_ALERT(
972 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
973 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
974 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000975 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000976}
XiaokangQianc13f9352021-11-11 06:13:22 +0000977#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000978
XiaokangQiancc90c942021-11-09 12:30:09 +0000979static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000980{
981
XiaokangQianc13f9352021-11-11 06:13:22 +0000982#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000983 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
984 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000985 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000986 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000987#else
988 ((void) ssl);
989#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000990
991 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
992}
993
XiaokangQianc5c39d52021-11-09 11:55:10 +0000994int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
995{
XiaokangQian33062842021-11-11 03:37:45 +0000996 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000997 unsigned char *buf;
998 size_t buflen;
999
XiaokangQiand0aa3e92021-11-10 06:17:40 +00001000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001001
1002 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +00001003 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001004
1005 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl,
1006 MBEDTLS_SSL_HS_FINISHED,
1007 &buf, &buflen ) );
1008 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buflen ) );
1009 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum(
1010 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buflen );
XiaokangQianaaa0e192021-11-10 03:07:04 +00001011 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001012
1013cleanup:
1014
XiaokangQiand0aa3e92021-11-10 06:17:40 +00001015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001016 return( ret );
1017}
1018
XiaokangQian74af2a82021-09-22 07:40:30 +00001019/*
1020 *
XiaokangQiancc90c942021-11-09 12:30:09 +00001021 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +00001022 *
1023 */
XiaokangQian74af2a82021-09-22 07:40:30 +00001024/*
XiaokangQian35dc6252021-11-11 08:16:19 +00001025 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +00001026 */
1027
XiaokangQian8773aa02021-11-10 07:33:09 +00001028static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +00001029{
1030 int ret;
1031
1032 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +00001033 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +00001034 ssl->handshake->state_local.finished_out.digest,
1035 sizeof( ssl->handshake->state_local.finished_out.digest ),
1036 &ssl->handshake->state_local.finished_out.digest_len,
1037 ssl->conf->endpoint );
1038
1039 if( ret != 0 )
1040 {
XiaokangQian9ec8fcf2021-11-15 08:24:08 +00001041 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +00001042 return( ret );
1043 }
1044
1045 return( 0 );
1046}
1047
XiaokangQiancc90c942021-11-09 12:30:09 +00001048static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +00001049{
XiaokangQian0fa66432021-11-15 03:33:57 +00001050 // TODO: Add back resumption keys calculation after MVP.
1051 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +00001052
1053 return( 0 );
1054}
1055
XiaokangQian8773aa02021-11-10 07:33:09 +00001056static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +00001057 unsigned char *buf,
1058 unsigned char *end,
1059 size_t *olen )
XiaokangQian74af2a82021-09-22 07:40:30 +00001060{
XiaokangQian8773aa02021-11-10 07:33:09 +00001061 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +00001062 /*
1063 * struct {
1064 * opaque verify_data[Hash.length];
1065 * } Finished;
1066 */
XiaokangQian8773aa02021-11-10 07:33:09 +00001067 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +00001068
1069 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +00001070 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +00001071
XiaokangQian8773aa02021-11-10 07:33:09 +00001072 *olen = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +00001073 return( 0 );
1074}
XiaokangQianc5c39d52021-11-09 11:55:10 +00001075
XiaokangQian35dc6252021-11-11 08:16:19 +00001076/* Main entry point: orchestrates the other functions */
1077int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1078{
1079 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1080 unsigned char *buf;
1081 size_t buf_len, msg_len;
1082
1083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1084
XiaokangQiandce82242021-11-15 06:01:26 +00001085 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1086
XiaokangQian35dc6252021-11-11 08:16:19 +00001087 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1088 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1089
1090 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1091 ssl, buf, buf + buf_len, &msg_len ) );
1092
1093 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1094 buf, msg_len );
1095
1096 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
1097 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
1098 buf_len, msg_len ) );
1099 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1100
1101cleanup:
1102
1103 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1104 return( ret );
1105}
1106
Jerry Yu378254d2021-10-30 21:44:47 +08001107void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1108{
1109
1110 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1111
1112 /*
Jerry Yucfe64f02021-11-15 13:54:06 +08001113 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +08001114 */
1115 if( ssl->session )
1116 {
Jerry Yu378254d2021-10-30 21:44:47 +08001117 mbedtls_ssl_session_free( ssl->session );
1118 mbedtls_free( ssl->session );
1119 }
1120 ssl->session = ssl->session_negotiate;
1121 ssl->session_negotiate = NULL;
1122
1123 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1124}
1125
Jerry Yu65dd2cc2021-08-18 16:38:40 +08001126#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1127
1128#endif /* MBEDTLS_SSL_TLS_C */