blob: 39b86b984a6eb1a24773e79093eaf6c9b1aa3f9c [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +08001/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +080022#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +080023
Jerry Yu30b071c2021-09-12 20:16:03 +080024#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +080026#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +080027#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +080028#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +010030#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +000031#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +080032
Jerry Yu65dd2cc2021-08-18 16:38:40 +080033#include "ssl_misc.h"
Ronald Crone3dac4a2022-06-10 17:21:51 +020034#include "ssl_tls13_invasive.h"
Jerry Yu30b071c2021-09-12 20:16:03 +080035#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +080036#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +080037
pespaceka1378102022-04-26 15:03:11 +020038#include "psa/crypto.h"
39#include "mbedtls/psa_util.h"
40
Jerry Yufbe3e642022-04-25 19:31:51 +080041const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
42 MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
43 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
44 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
45 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
46 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
Jerry Yu93a13f22022-04-11 23:00:01 +080047
Xiaofei Bai746f9482021-11-12 08:53:56 +000048int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
49 unsigned hs_type,
50 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +000051 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +000052{
53 int ret;
54
55 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
56 {
57 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
58 goto cleanup;
59 }
60
XiaokangQian16c61aa2021-09-27 09:30:17 +000061 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +000062 ssl->in_msg[0] != hs_type )
63 {
XiaokangQian16c61aa2021-09-27 09:30:17 +000064 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +000065 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +000066 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +000067 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
68 goto cleanup;
69 }
70
XiaokangQian05420b12021-09-29 08:46:37 +000071 /*
72 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
73 * ...
74 * HandshakeType msg_type;
75 * uint24 length;
76 * ...
77 */
Xiaofei Baieef15042021-11-18 07:29:56 +000078 *buf = ssl->in_msg + 4;
79 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +000080
XiaokangQian6b226b02021-09-24 07:51:16 +000081cleanup:
82
83 return( ret );
84}
85
Ronald Cron928cbd32022-10-04 16:14:26 +020086#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu30b071c2021-09-12 20:16:03 +080087/*
Jerry Yu30b071c2021-09-12 20:16:03 +080088 * STATE HANDLING: Read CertificateVerify
89 */
Jerry Yud0fc5852021-10-29 11:09:06 +080090/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +080091 *
92 * The structure is computed per TLS 1.3 specification as:
93 * - 64 bytes of octet 32,
94 * - 33 bytes for the context string
95 * (which is either "TLS 1.3, client CertificateVerify"
96 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +080097 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +080098 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
99 * (depending on the size of the transcript_hash)
100 *
101 * This results in a total size of
102 * - 130 bytes for a SHA256-based transcript hash, or
103 * (64 + 33 + 1 + 32 bytes)
104 * - 146 bytes for a SHA384-based transcript hash.
105 * (64 + 33 + 1 + 48 bytes)
106 *
107 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800108#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
109 33 + \
110 1 + \
111 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800112 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800113
Jerry Yu0b32c502021-10-28 13:41:59 +0800114/*
115 * The ssl_tls13_create_verify_structure() creates the verify structure.
116 * As input, it requires the transcript hash.
117 *
118 * The caller has to ensure that the buffer has size at least
119 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
120 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800121static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800122 size_t transcript_hash_len,
123 unsigned char *verify_buffer,
124 size_t *verify_buffer_len,
125 int from )
126{
127 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800128
Jerry Yu0b32c502021-10-28 13:41:59 +0800129 /* RFC 8446, Section 4.4.3:
130 *
131 * The digital signature [in the CertificateVerify message] is then
132 * computed over the concatenation of:
133 * - A string that consists of octet 32 (0x20) repeated 64 times
134 * - The context string
135 * - A single 0 byte which serves as the separator
136 * - The content to be signed
137 */
138 memset( verify_buffer, 0x20, 64 );
139 idx = 64;
140
141 if( from == MBEDTLS_SSL_IS_CLIENT )
142 {
143 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
144 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
145 }
146 else
147 { /* from == MBEDTLS_SSL_IS_SERVER */
148 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
149 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
150 }
151
152 verify_buffer[idx++] = 0x0;
153
154 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
155 idx += transcript_hash_len;
156
157 *verify_buffer_len = idx;
158}
159
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200160MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu0b32c502021-10-28 13:41:59 +0800161static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800162 const unsigned char *buf,
163 const unsigned char *end,
164 const unsigned char *verify_buffer,
165 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800166{
167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
pespaceka1378102022-04-26 15:03:11 +0200168 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu30b071c2021-09-12 20:16:03 +0800169 const unsigned char *p = buf;
170 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800171 size_t signature_len;
172 mbedtls_pk_type_t sig_alg;
173 mbedtls_md_type_t md_alg;
pespaceka1378102022-04-26 15:03:11 +0200174 psa_algorithm_t hash_alg = PSA_ALG_NONE;
175 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800176 size_t verify_hash_len;
177
Xiaofei Baid25fab62021-12-02 06:36:27 +0000178 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000179#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000180 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000181#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
182
Jerry Yu30b071c2021-09-12 20:16:03 +0800183 /*
184 * struct {
185 * SignatureScheme algorithm;
186 * opaque signature<0..2^16-1>;
187 * } CertificateVerify;
188 */
189 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
190 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
191 p += 2;
192
193 /* RFC 8446 section 4.4.3
194 *
195 * If the CertificateVerify message is sent by a server, the signature algorithm
196 * MUST be one offered in the client's "signature_algorithms" extension unless
197 * no valid certificate chain can be produced without unsupported algorithms
198 *
199 * RFC 8446 section 4.4.2.2
200 *
201 * If the client cannot construct an acceptable chain using the provided
202 * certificates and decides to abort the handshake, then it MUST abort the handshake
203 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
204 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800205 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800206 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800207 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800208 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800209 /* algorithm not in offered signature algorithms list */
210 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
211 "offered.",
212 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800213 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800214 }
215
Jerry Yu95b743c2022-07-23 11:37:50 +0800216 if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800217 algorithm, &sig_alg, &md_alg ) != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800218 {
Jerry Yu8c338862022-03-23 13:34:04 +0800219 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800220 }
221
Manuel Pégourié-Gonnardabac0372022-07-18 13:41:11 +0200222 hash_alg = mbedtls_hash_info_psa_from_md( md_alg );
pespaceka1378102022-04-26 15:03:11 +0200223 if( hash_alg == 0 )
224 {
225 goto error;
226 }
227
Jerry Yu30b071c2021-09-12 20:16:03 +0800228 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
229 ( unsigned int ) algorithm ) );
230
231 /*
232 * Check the certificate's key type matches the signature alg
233 */
234 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
235 {
236 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800237 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800238 }
239
240 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
241 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
242 p += 2;
243 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
244
pespaceka1378102022-04-26 15:03:11 +0200245 status = psa_hash_compute( hash_alg,
246 verify_buffer,
247 verify_buffer_len,
248 verify_hash,
249 sizeof( verify_hash ),
250 &verify_hash_len );
251 if( status != PSA_SUCCESS )
Jerry Yu30b071c2021-09-12 20:16:03 +0800252 {
pespaceka1378102022-04-26 15:03:11 +0200253 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation PSA error", status );
Jerry Yu6f87f252021-10-29 20:12:51 +0800254 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800255 }
256
Jerry Yu30b071c2021-09-12 20:16:03 +0800257 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000258#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
259 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
260 {
Xiaofei Baid25fab62021-12-02 06:36:27 +0000261 rsassa_pss_options.mgf1_hash_id = md_alg;
Przemek Stekiel6a5e0182022-06-27 11:53:13 +0200262
Przemek Stekiel4dc87442022-06-28 11:05:42 +0200263 rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH( hash_alg );
Xiaofei Baid25fab62021-12-02 06:36:27 +0000264 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000265 }
266#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800267
Xiaofei Baid25fab62021-12-02 06:36:27 +0000268 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800269 &ssl->session_negotiate->peer_cert->pk,
270 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800271 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800272 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800273 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800274 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800275 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800276
Jerry Yu6f87f252021-10-29 20:12:51 +0800277error:
278 /* RFC 8446 section 4.4.3
279 *
280 * If the verification fails, the receiver MUST terminate the handshake
281 * with a "decrypt_error" alert.
282 */
283 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
284 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
285 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
286
Jerry Yu30b071c2021-09-12 20:16:03 +0800287}
Ronald Cron928cbd32022-10-04 16:14:26 +0200288#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800289
290int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
291{
Jerry Yu30b071c2021-09-12 20:16:03 +0800292
Ronald Cron928cbd32022-10-04 16:14:26 +0200293#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yuda8cdf22021-10-25 15:06:49 +0800294 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
295 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
296 size_t verify_buffer_len;
297 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
298 size_t transcript_len;
299 unsigned char *buf;
300 size_t buf_len;
301
Jerry Yu30b071c2021-09-12 20:16:03 +0800302 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
303
Jerry Yuda8cdf22021-10-25 15:06:49 +0800304 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000305 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800306 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800307
Jerry Yuda8cdf22021-10-25 15:06:49 +0800308 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800309 * before reading the message since otherwise it gets
310 * included in the transcript
311 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800312 ret = mbedtls_ssl_get_handshake_transcript( ssl,
313 ssl->handshake->ciphersuite_info->mac,
314 transcript, sizeof( transcript ),
315 &transcript_len );
316 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800317 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800318 MBEDTLS_SSL_PEND_FATAL_ALERT(
319 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
320 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
321 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800322 }
323
Jerry Yuda8cdf22021-10-25 15:06:49 +0800324 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
325
326 /* Create verify structure */
327 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800328 transcript_len,
329 verify_buffer,
330 &verify_buffer_len,
331 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
332 MBEDTLS_SSL_IS_SERVER :
333 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800334
335 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800336 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
337 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800338
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100339 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
340 buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800341
342cleanup:
343
344 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800345 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800346 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800347#else
348 ((void) ssl);
349 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
350 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Ronald Cron928cbd32022-10-04 16:14:26 +0200351#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800352}
353
354/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000355 *
XiaokangQian6b916b12022-04-25 07:29:34 +0000356 * STATE HANDLING: Incoming Certificate.
Xiaofei Bai947571e2021-09-29 09:12:03 +0000357 *
358 */
359
Ronald Cronde08cf32022-10-04 17:15:35 +0200360#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000361#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
362/*
363 * Structure of Certificate message:
364 *
365 * enum {
366 * X509(0),
367 * RawPublicKey(2),
368 * (255)
369 * } CertificateType;
370 *
371 * struct {
372 * select (certificate_type) {
373 * case RawPublicKey:
374 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
375 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
376 * case X509:
377 * opaque cert_data<1..2^24-1>;
378 * };
379 * Extension extensions<0..2^16-1>;
380 * } CertificateEntry;
381 *
382 * struct {
383 * opaque certificate_request_context<0..2^8-1>;
384 * CertificateEntry certificate_list<0..2^24-1>;
385 * } Certificate;
386 *
387 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000388
389/* Parse certificate chain send by the server. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200390MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Crone3dac4a2022-06-10 17:21:51 +0200391MBEDTLS_STATIC_TESTABLE
392int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
393 const unsigned char *buf,
394 const unsigned char *end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000395{
396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
397 size_t certificate_request_context_len = 0;
398 size_t certificate_list_len = 0;
399 const unsigned char *p = buf;
400 const unsigned char *certificate_list_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800401 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000402
XiaokangQian63e713e2022-05-15 04:26:57 +0000403 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000404 certificate_request_context_len = p[0];
XiaokangQian63e713e2022-05-15 04:26:57 +0000405 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
406 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000407
408 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
409 * support anything beyond 2^16 = 64K.
410 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000411 if( ( certificate_request_context_len != 0 ) ||
412 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000413 {
414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
415 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
416 MBEDTLS_ERR_SSL_DECODE_ERROR );
417 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
418 }
419
420 /* In case we tried to reuse a session but it failed */
421 if( ssl->session_negotiate->peer_cert != NULL )
422 {
423 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
424 mbedtls_free( ssl->session_negotiate->peer_cert );
425 }
426
XiaokangQianc3017f62022-05-13 05:55:41 +0000427 if( certificate_list_len == 0 )
428 {
429 ssl->session_negotiate->peer_cert = NULL;
430 ret = 0;
431 goto exit;
432 }
433
Xiaofei Bai947571e2021-09-29 09:12:03 +0000434 if( ( ssl->session_negotiate->peer_cert =
435 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
436 {
437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
438 sizeof( mbedtls_x509_crt ) ) );
439 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
440 MBEDTLS_ERR_SSL_ALLOC_FAILED );
441 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
442 }
443
444 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
445
Ronald Cron2b1a43c2022-06-10 17:03:54 +0200446 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_list_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000447 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000448 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000449 {
450 size_t cert_data_len, extensions_len;
Jerry Yu2eaa7602022-08-04 17:28:15 +0800451 const unsigned char *extensions_end;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000452
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000453 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000454 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000455 p += 3;
456
457 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
458 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
459 * check that we have a minimum of 128 bytes of data, this is not
460 * clear why we need that though.
461 */
462 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000463 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
465 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
466 MBEDTLS_ERR_SSL_DECODE_ERROR );
467 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
468 }
469
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000470 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000471 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
472 p, cert_data_len );
473
474 switch( ret )
475 {
476 case 0: /*ok*/
477 break;
478 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
479 /* Ignore certificate with an unknown algorithm: maybe a
480 prior certificate was already trusted. */
481 break;
482
483 case MBEDTLS_ERR_X509_ALLOC_FAILED:
484 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
485 MBEDTLS_ERR_X509_ALLOC_FAILED );
486 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
487 return( ret );
488
489 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
490 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
491 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
492 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
493 return( ret );
494
495 default:
496 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
497 ret );
498 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
499 return( ret );
500 }
501
502 p += cert_data_len;
503
504 /* Certificate extensions length */
505 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
506 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
507 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000508 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Jerry Yu2eaa7602022-08-04 17:28:15 +0800509
510 extensions_end = p + extensions_len;
Jerry Yu0d5cfb72022-10-31 14:15:48 +0800511 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu2eaa7602022-08-04 17:28:15 +0800512
513 while( p < extensions_end )
514 {
515 unsigned int extension_type;
516 size_t extension_data_len;
517
518 /*
519 * struct {
520 * ExtensionType extension_type; (2 bytes)
521 * opaque extension_data<0..2^16-1>;
522 * } Extension;
523 */
524 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
525 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
526 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
527 p += 4;
528
529 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
530
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800531 ret = mbedtls_ssl_tls13_check_received_extension(
532 ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
533 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
Jerry Yu0c354a22022-08-29 15:25:36 +0800534 if( ret != 0 )
535 return( ret );
536
Jerry Yu2eaa7602022-08-04 17:28:15 +0800537 switch( extension_type )
538 {
539 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800540 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu0d5cfb72022-10-31 14:15:48 +0800541 3, MBEDTLS_SSL_HS_CERTIFICATE,
542 extension_type, "( ignored )" );
Jerry Yu2eaa7602022-08-04 17:28:15 +0800543 break;
544 }
545
546 p += extension_data_len;
547 }
548
Jerry Yu0d5cfb72022-10-31 14:15:48 +0800549 MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000550 }
551
XiaokangQian63e713e2022-05-15 04:26:57 +0000552exit:
Xiaofei Bai947571e2021-09-29 09:12:03 +0000553 /* Check that all the message is consumed. */
554 if( p != end )
555 {
556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800557 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000558 MBEDTLS_ERR_SSL_DECODE_ERROR );
559 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
560 }
561
562 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
563
564 return( ret );
565}
566#else
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200567MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Crone3dac4a2022-06-10 17:21:51 +0200568MBEDTLS_STATIC_TESTABLE
569int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
570 const unsigned char *buf,
571 const unsigned char *end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000572{
573 ((void) ssl);
574 ((void) buf);
575 ((void) end);
576 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
577}
578#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Ronald Cronde08cf32022-10-04 17:15:35 +0200579#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000580
Ronald Cronde08cf32022-10-04 17:15:35 +0200581#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000582#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000583/* Validate certificate chain sent by the server. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200584MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +0000585static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
586{
587 int ret = 0;
XiaokangQian989f06d2022-05-17 01:50:15 +0000588 int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000589 mbedtls_x509_crt *ca_chain;
590 mbedtls_x509_crl *ca_crl;
Ronald Cron30c5a252022-06-16 19:31:06 +0200591 const char *ext_oid;
592 size_t ext_len;
Xiaofei Baiff456022021-10-28 06:50:17 +0000593 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000594
XiaokangQian6b916b12022-04-25 07:29:34 +0000595 /* If SNI was used, overwrite authentication mode
596 * from the configuration. */
XiaokangQian989f06d2022-05-17 01:50:15 +0000597#if defined(MBEDTLS_SSL_SRV_C)
598 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
XiaokangQian0557c942022-05-30 08:10:53 +0000599 {
600#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
601 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
602 authmode = ssl->handshake->sni_authmode;
603 else
604#endif
605 authmode = ssl->conf->authmode;
606 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000607#endif
608
609 /*
XiaokangQian989f06d2022-05-17 01:50:15 +0000610 * If the peer hasn't sent a certificate ( i.e. it sent
XiaokangQian6b916b12022-04-25 07:29:34 +0000611 * an empty certificate chain ), this is reflected in the peer CRT
612 * structure being unset.
613 * Check for that and handle it depending on the
XiaokangQian989f06d2022-05-17 01:50:15 +0000614 * authentication mode.
XiaokangQian6b916b12022-04-25 07:29:34 +0000615 */
XiaokangQian63e713e2022-05-15 04:26:57 +0000616 if( ssl->session_negotiate->peer_cert == NULL )
XiaokangQian6b916b12022-04-25 07:29:34 +0000617 {
Ronald Cron19385882022-06-15 16:26:13 +0200618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
XiaokangQian989f06d2022-05-17 01:50:15 +0000619
XiaokangQian63e713e2022-05-15 04:26:57 +0000620#if defined(MBEDTLS_SSL_SRV_C)
621 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
622 {
XiaokangQian63e713e2022-05-15 04:26:57 +0000623 /* The client was asked for a certificate but didn't send
624 * one. The client should know what's going on, so we
625 * don't send an alert.
626 */
627 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
628 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
629 return( 0 );
630 else
XiaokangQian989f06d2022-05-17 01:50:15 +0000631 {
632 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
XiaokangQianaca90482022-05-19 07:19:31 +0000633 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
634 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
XiaokangQian989f06d2022-05-17 01:50:15 +0000635 }
XiaokangQian63e713e2022-05-15 04:26:57 +0000636 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000637#endif /* MBEDTLS_SSL_SRV_C */
638
XiaokangQianc3017f62022-05-13 05:55:41 +0000639#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQian63e713e2022-05-15 04:26:57 +0000640 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
641 {
642 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
643 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
644 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
645 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000646#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQian63e713e2022-05-15 04:26:57 +0000647 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000648
Xiaofei Bai947571e2021-09-29 09:12:03 +0000649#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
650 if( ssl->handshake->sni_ca_chain != NULL )
651 {
652 ca_chain = ssl->handshake->sni_ca_chain;
653 ca_crl = ssl->handshake->sni_ca_crl;
654 }
655 else
656#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
657 {
658 ca_chain = ssl->conf->ca_chain;
659 ca_crl = ssl->conf->ca_crl;
660 }
661
662 /*
663 * Main check: verify certificate
664 */
665 ret = mbedtls_x509_crt_verify_with_profile(
666 ssl->session_negotiate->peer_cert,
667 ca_chain, ca_crl,
668 ssl->conf->cert_profile,
669 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000670 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000671 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
672
673 if( ret != 0 )
674 {
675 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
676 }
677
678 /*
679 * Secondary checks: always done, but change 'ret' only if it was 0
680 */
Ronald Cron30c5a252022-06-16 19:31:06 +0200681 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000682 {
Ronald Cron30c5a252022-06-16 19:31:06 +0200683 ext_oid = MBEDTLS_OID_SERVER_AUTH;
684 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
685 }
686 else
687 {
688 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
689 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
690 }
691
692 if( ( mbedtls_x509_crt_check_key_usage(
693 ssl->session_negotiate->peer_cert,
694 MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ) ||
695 ( mbedtls_x509_crt_check_extended_key_usage(
696 ssl->session_negotiate->peer_cert,
697 ext_oid, ext_len ) != 0 ) )
698 {
699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000700 if( ret == 0 )
701 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
702 }
703
XiaokangQian6b916b12022-04-25 07:29:34 +0000704 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
705 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
706 * with details encoded in the verification flags. All other kinds
707 * of error codes, including those from the user provided f_vrfy
708 * functions, are treated as fatal and lead to a failure of
Ronald Crone3dac4a2022-06-10 17:21:51 +0200709 * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
710 */
XiaokangQian6b916b12022-04-25 07:29:34 +0000711 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
712 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
713 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
714 {
715 ret = 0;
716 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000717
XiaokangQian6b916b12022-04-25 07:29:34 +0000718 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000719 {
720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
721 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
722 }
723
724 if( ret != 0 )
725 {
726 /* The certificate may have been rejected for several reasons.
727 Pick one and send the corresponding alert. Which alert to send
728 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000729 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000730 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000731 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000732 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000733 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
734 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
735 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
736 MBEDTLS_X509_BADCERT_BAD_PK |
737 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000738 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000739 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000740 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000741 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000742 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000743 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000744 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
745 else
746 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
747 }
748
749#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000750 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000751 {
752 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800753 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000754 }
755 else
756 {
757 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
758 }
759#endif /* MBEDTLS_DEBUG_C */
760
Xiaofei Baiff456022021-10-28 06:50:17 +0000761 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000762 return( ret );
763}
764#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200765MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +0000766static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
767{
768 ((void) ssl);
769 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
770}
771#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Ronald Cronde08cf32022-10-04 17:15:35 +0200772#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000773
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000774int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000775{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000776 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
777 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
778
Ronald Cronde08cf32022-10-04 17:15:35 +0200779#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQianc3017f62022-05-13 05:55:41 +0000780 unsigned char *buf;
781 size_t buf_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000782
XiaokangQianc3017f62022-05-13 05:55:41 +0000783 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
784 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
785 &buf, &buf_len ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000786
XiaokangQianc3017f62022-05-13 05:55:41 +0000787 /* Parse the certificate chain sent by the peer. */
Ronald Crone3dac4a2022-06-10 17:21:51 +0200788 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_parse_certificate( ssl, buf,
789 buf + buf_len ) );
XiaokangQianc3017f62022-05-13 05:55:41 +0000790 /* Validate the certificate chain and set the verification results. */
791 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000792
XiaokangQianc3017f62022-05-13 05:55:41 +0000793 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
794 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000795
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000796cleanup:
Ronald Cronde08cf32022-10-04 17:15:35 +0200797#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000798
799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
800 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000801}
Ronald Cron928cbd32022-10-04 16:14:26 +0200802#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800803/*
804 * enum {
805 * X509(0),
806 * RawPublicKey(2),
807 * (255)
808 * } CertificateType;
809 *
810 * struct {
811 * select (certificate_type) {
812 * case RawPublicKey:
813 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
814 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
815 *
816 * case X509:
817 * opaque cert_data<1..2^24-1>;
818 * };
819 * Extension extensions<0..2^16-1>;
820 * } CertificateEntry;
821 *
822 * struct {
823 * opaque certificate_request_context<0..2^8-1>;
824 * CertificateEntry certificate_list<0..2^24-1>;
825 * } Certificate;
826 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200827MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu7399d0d2022-01-30 17:54:19 +0800828static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
Jerry Yu3e536442022-02-15 11:05:59 +0800829 unsigned char *buf,
Jerry Yu7399d0d2022-01-30 17:54:19 +0800830 unsigned char *end,
Jerry Yu3e536442022-02-15 11:05:59 +0800831 size_t *out_len )
Jerry Yu5cc35062022-01-28 16:16:08 +0800832{
Jerry Yu5cc35062022-01-28 16:16:08 +0800833 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
Jerry Yu3e536442022-02-15 11:05:59 +0800834 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800835 unsigned char *certificate_request_context =
836 ssl->handshake->certificate_request_context;
837 unsigned char certificate_request_context_len =
838 ssl->handshake->certificate_request_context_len;
839 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800840
Jerry Yu5cc35062022-01-28 16:16:08 +0800841
Jerry Yu3391ac02022-02-16 11:21:37 +0800842 /* ...
843 * opaque certificate_request_context<0..2^8-1>;
844 * ...
845 */
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800846 MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
847 *p++ = certificate_request_context_len;
848 if( certificate_request_context_len > 0 )
Jerry Yu537530d2022-02-15 14:00:57 +0800849 {
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800850 memcpy( p, certificate_request_context, certificate_request_context_len );
851 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800852 }
853
Jerry Yu3391ac02022-02-16 11:21:37 +0800854 /* ...
855 * CertificateEntry certificate_list<0..2^24-1>;
856 * ...
857 */
Jerry Yu3e536442022-02-15 11:05:59 +0800858 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800859 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800860 p += 3;
861
Jerry Yu7399d0d2022-01-30 17:54:19 +0800862 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
Jerry Yu5cc35062022-01-28 16:16:08 +0800863
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800864 while( crt != NULL )
Jerry Yu5cc35062022-01-28 16:16:08 +0800865 {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800866 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800867
Jerry Yu7399d0d2022-01-30 17:54:19 +0800868 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
869 MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
870 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800871
Jerry Yu7399d0d2022-01-30 17:54:19 +0800872 memcpy( p, crt->raw.p, cert_data_len );
873 p += cert_data_len;
874 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800875
876 /* Currently, we don't have any certificate extensions defined.
877 * Hence, we are sending an empty extension with length zero.
878 */
Ronald Cron11b53322022-06-01 14:58:52 +0200879 MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800880 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800881 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800882
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800883 MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
884 p_certificate_list_len, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800885
Jerry Yu3e536442022-02-15 11:05:59 +0800886 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800887
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800888 MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE );
889
Jerry Yu5cc35062022-01-28 16:16:08 +0800890 return( 0 );
891}
Jerry Yu5cc35062022-01-28 16:16:08 +0800892
Jerry Yu3e536442022-02-15 11:05:59 +0800893int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
Jerry Yu5cc35062022-01-28 16:16:08 +0800894{
895 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100896 unsigned char *buf;
897 size_t buf_len, msg_len;
898
Jerry Yu5cc35062022-01-28 16:16:08 +0800899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
900
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100901 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100902 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800903
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100904 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
905 buf,
906 buf + buf_len,
907 &msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800908
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100909 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
910 buf, msg_len );
Jerry Yu5cc35062022-01-28 16:16:08 +0800911
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100912 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100913 ssl, buf_len, msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800914cleanup:
915
916 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
917 return( ret );
918}
919
Jerry Yu3e536442022-02-15 11:05:59 +0800920/*
921 * STATE HANDLING: Output Certificate Verify
922 */
Jerry Yuc2e04932022-06-27 22:13:03 +0800923int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
924 mbedtls_pk_context *key )
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800925{
926 mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk( key );
927 size_t key_size = mbedtls_pk_get_bitlen( key );
928
929 switch( pk_type )
Jerry Yu67eced02022-02-25 13:37:36 +0800930 {
Jerry Yu67eced02022-02-25 13:37:36 +0800931 case MBEDTLS_SSL_SIG_ECDSA:
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800932 switch( key_size )
Jerry Yu67eced02022-02-25 13:37:36 +0800933 {
934 case 256:
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800935 return(
936 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 );
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800937
Jerry Yu67eced02022-02-25 13:37:36 +0800938 case 384:
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800939 return(
940 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 );
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800941
Jerry Yu67eced02022-02-25 13:37:36 +0800942 case 521:
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800943 return(
944 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 );
Jerry Yu67eced02022-02-25 13:37:36 +0800945 default:
Jerry Yu67eced02022-02-25 13:37:36 +0800946 break;
947 }
948 break;
Jerry Yu67eced02022-02-25 13:37:36 +0800949
Jerry Yu67eced02022-02-25 13:37:36 +0800950 case MBEDTLS_SSL_SIG_RSA:
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800951 switch( sig_alg )
Jerry Yu67eced02022-02-25 13:37:36 +0800952 {
Ronald Cron38391bf2022-09-16 11:19:27 +0200953 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
954 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800955 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
Jerry Yua1255e62022-06-24 10:10:47 +0800956 return( 1 );
Jerry Yuc2e04932022-06-27 22:13:03 +0800957
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800958 default:
959 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800960 }
Jerry Yu67eced02022-02-25 13:37:36 +0800961 break;
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800962
Jerry Yu67eced02022-02-25 13:37:36 +0800963 default:
Jerry Yu67eced02022-02-25 13:37:36 +0800964 break;
965 }
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800966
967 return( 0 );
968}
969
Ronald Cronce7d76e2022-07-08 18:56:49 +0200970MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3e536442022-02-15 11:05:59 +0800971static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
972 unsigned char *buf,
973 unsigned char *end,
974 size_t *out_len )
Jerry Yu8511f122022-01-29 10:01:04 +0800975{
Ronald Cron067a1e72022-09-16 13:44:49 +0200976 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3e536442022-02-15 11:05:59 +0800977 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800978 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800979
Jerry Yu8511f122022-01-29 10:01:04 +0800980 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
981 size_t handshake_hash_len;
Jerry Yu3e536442022-02-15 11:05:59 +0800982 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
983 size_t verify_buffer_len;
Ronald Cron067a1e72022-09-16 13:44:49 +0200984
985 uint16_t *sig_alg = ssl->handshake->received_sig_algs;
Jerry Yu3e536442022-02-15 11:05:59 +0800986 size_t signature_len = 0;
Jerry Yu8511f122022-01-29 10:01:04 +0800987
Jerry Yu0b7b1012022-02-23 12:23:05 +0800988 *out_len = 0;
989
Jerry Yu3e536442022-02-15 11:05:59 +0800990 own_key = mbedtls_ssl_own_key( ssl );
991 if( own_key == NULL )
Jerry Yu8511f122022-01-29 10:01:04 +0800992 {
Jerry Yu3e536442022-02-15 11:05:59 +0800993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8511f122022-01-29 10:01:04 +0800995 }
996
Jerry Yu8511f122022-01-29 10:01:04 +0800997 ret = mbedtls_ssl_get_handshake_transcript( ssl,
998 ssl->handshake->ciphersuite_info->mac,
999 handshake_hash,
1000 sizeof( handshake_hash ),
1001 &handshake_hash_len );
1002 if( ret != 0 )
1003 return( ret );
1004
1005 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1006 handshake_hash,
1007 handshake_hash_len);
1008
Jerry Yu8511f122022-01-29 10:01:04 +08001009 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1010 verify_buffer, &verify_buffer_len,
1011 ssl->conf->endpoint );
1012
1013 /*
1014 * struct {
1015 * SignatureScheme algorithm;
1016 * opaque signature<0..2^16-1>;
1017 * } CertificateVerify;
1018 */
Ronald Cron067a1e72022-09-16 13:44:49 +02001019 /* Check there is space for the algorithm identifier (2 bytes) and the
1020 * signature length (2 bytes).
1021 */
1022 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
1023
1024 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
Jerry Yu8511f122022-01-29 10:01:04 +08001025 {
Ronald Cron067a1e72022-09-16 13:44:49 +02001026 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1027 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
1028 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
1029 psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
1030 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
1031 size_t verify_hash_len;
Jerry Yu67eced02022-02-25 13:37:36 +08001032
Ronald Cron067a1e72022-09-16 13:44:49 +02001033 if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
1034 continue;
Jerry Yu67eced02022-02-25 13:37:36 +08001035
Ronald Cron067a1e72022-09-16 13:44:49 +02001036 if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
1037 continue;
1038
1039 if( !mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
1040 continue;
1041
1042 if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
1043 *sig_alg, &pk_type, &md_alg ) != 0 )
1044 {
1045 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1046 }
1047
1048 /* Hash verify buffer with indicated hash function */
1049 psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg );
1050 status = psa_hash_compute( psa_algorithm,
1051 verify_buffer,
1052 verify_buffer_len,
1053 verify_hash, sizeof( verify_hash ),
1054 &verify_hash_len );
1055 if( status != PSA_SUCCESS )
1056 return( psa_ssl_status_to_mbedtls( status ) );
1057
1058 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1059
1060 if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1061 md_alg, verify_hash, verify_hash_len,
1062 p + 4, (size_t)( end - ( p + 4 ) ), &signature_len,
1063 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1064 {
1065 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature failed with %s",
1066 mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
1067 MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_pk_sign_ext", ret );
Ronald Cronc27a9072022-09-27 10:02:42 +02001068
1069 /* The signature failed. This is possible if the private key
1070 * was not suitable for the signature operation as purposely we
1071 * did not check its suitability completely. Let's try with
1072 * another signature algorithm.
1073 */
Ronald Cron067a1e72022-09-16 13:44:49 +02001074 continue;
1075 }
1076
1077 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature with %s",
1078 mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
1079
1080 break;
1081 }
1082
1083 if( *sig_alg == MBEDTLS_TLS1_3_SIG_NONE )
1084 {
1085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no suitable signature algorithm" ) );
Jerry Yu71f36f12022-02-23 17:34:29 +08001086 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Jerry Yud66409a2022-02-18 16:42:24 +08001087 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu3391ac02022-02-16 11:21:37 +08001088 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu8511f122022-01-29 10:01:04 +08001089 }
1090
Ronald Cron067a1e72022-09-16 13:44:49 +02001091 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
1092 MBEDTLS_PUT_UINT16_BE( signature_len, p, 2 );
Jerry Yuf3b46b52022-06-19 16:52:27 +08001093
Ronald Cron067a1e72022-09-16 13:44:49 +02001094 *out_len = 4 + signature_len;
Jerry Yu8c338862022-03-23 13:34:04 +08001095
Ronald Cron067a1e72022-09-16 13:44:49 +02001096 return( 0 );
Jerry Yu8511f122022-01-29 10:01:04 +08001097}
Jerry Yu8511f122022-01-29 10:01:04 +08001098
Jerry Yu3e536442022-02-15 11:05:59 +08001099int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu8511f122022-01-29 10:01:04 +08001100{
1101 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +08001102 unsigned char *buf;
1103 size_t buf_len, msg_len;
1104
Jerry Yu8511f122022-01-29 10:01:04 +08001105 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1106
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001107 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuca133a32022-02-15 14:22:05 +08001108 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +08001109
Jerry Yuca133a32022-02-15 14:22:05 +08001110 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1111 ssl, buf, buf + buf_len, &msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +08001112
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001113 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1114 buf, msg_len );
Jerry Yu8511f122022-01-29 10:01:04 +08001115
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001116 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuca133a32022-02-15 14:22:05 +08001117 ssl, buf_len, msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +08001118
1119cleanup:
1120
1121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1122 return( ret );
1123}
1124
Ronald Cron928cbd32022-10-04 16:14:26 +02001125#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu90f152d2022-01-29 22:12:42 +08001126
Jerry Yu5cc35062022-01-28 16:16:08 +08001127/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001128 *
XiaokangQianc5c39d52021-11-09 11:55:10 +00001129 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001130 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001131/*
1132 * Implementation
1133 */
1134
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001135MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianaaa0e192021-11-10 03:07:04 +00001136static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001137{
1138 int ret;
1139
XiaokangQianc5c39d52021-11-09 11:55:10 +00001140 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001141 ssl->handshake->state_local.finished_in.digest,
1142 sizeof( ssl->handshake->state_local.finished_in.digest ),
1143 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +00001144 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +00001145 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001146 if( ret != 0 )
1147 {
XiaokangQianc5c39d52021-11-09 11:55:10 +00001148 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001149 return( ret );
1150 }
1151
1152 return( 0 );
1153}
1154
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001155MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianc5c39d52021-11-09 11:55:10 +00001156static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1157 const unsigned char *buf,
1158 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001159{
XiaokangQian33062842021-11-11 03:37:45 +00001160 /*
1161 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +00001162 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +00001163 * } Finished;
1164 */
1165 const unsigned char *expected_verify_data =
1166 ssl->handshake->state_local.finished_in.digest;
1167 size_t expected_verify_data_len =
1168 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001169 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +00001170 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001171 {
1172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1173
1174 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +00001175 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001176 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1177 }
1178
XiaokangQianc5c39d52021-11-09 11:55:10 +00001179 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +00001180 expected_verify_data,
1181 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001182 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +00001183 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001184
1185 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +01001186 if( mbedtls_ct_memcmp( buf,
1187 expected_verify_data,
1188 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001189 {
1190 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1191
XiaokangQian33062842021-11-11 03:37:45 +00001192 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +00001193 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001194 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1195 }
1196 return( 0 );
1197}
1198
XiaokangQianc5c39d52021-11-09 11:55:10 +00001199int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1200{
XiaokangQian33062842021-11-11 03:37:45 +00001201 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +00001202 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +00001203 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +00001204
XiaokangQiand0aa3e92021-11-10 06:17:40 +00001205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001206
Xiaofei Bai746f9482021-11-12 08:53:56 +00001207 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +00001208 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +00001209 &buf, &buf_len ) );
Jerry Yu0a92d6c2022-05-16 16:54:46 +08001210
1211 /* Preprocessing step: Compute handshake digest */
1212 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
1213
Xiaofei Baieef15042021-11-18 07:29:56 +00001214 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Jerry Yu0a92d6c2022-05-16 16:54:46 +08001215
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001216 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1217 buf, buf_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001218
1219cleanup:
1220
XiaokangQiand0aa3e92021-11-10 06:17:40 +00001221 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +00001222 return( ret );
1223}
1224
XiaokangQian74af2a82021-09-22 07:40:30 +00001225/*
1226 *
XiaokangQiancc90c942021-11-09 12:30:09 +00001227 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +00001228 *
1229 */
XiaokangQian74af2a82021-09-22 07:40:30 +00001230/*
XiaokangQian35dc6252021-11-11 08:16:19 +00001231 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +00001232 */
1233
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001234MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian8773aa02021-11-10 07:33:09 +00001235static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +00001236{
1237 int ret;
1238
1239 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +00001240 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +00001241 ssl->handshake->state_local.finished_out.digest,
1242 sizeof( ssl->handshake->state_local.finished_out.digest ),
1243 &ssl->handshake->state_local.finished_out.digest_len,
1244 ssl->conf->endpoint );
1245
1246 if( ret != 0 )
1247 {
Jerry Yu7ca30542021-12-08 15:57:57 +08001248 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +00001249 return( ret );
1250 }
1251
1252 return( 0 );
1253}
1254
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001255MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian8773aa02021-11-10 07:33:09 +00001256static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +00001257 unsigned char *buf,
1258 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +00001259 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +00001260{
XiaokangQian8773aa02021-11-10 07:33:09 +00001261 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +00001262 /*
1263 * struct {
1264 * opaque verify_data[Hash.length];
1265 * } Finished;
1266 */
XiaokangQian8773aa02021-11-10 07:33:09 +00001267 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +00001268
1269 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +00001270 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +00001271
Xiaofei Baid25fab62021-12-02 06:36:27 +00001272 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +00001273 return( 0 );
1274}
XiaokangQianc5c39d52021-11-09 11:55:10 +00001275
XiaokangQian35dc6252021-11-11 08:16:19 +00001276/* Main entry point: orchestrates the other functions */
1277int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1278{
1279 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1280 unsigned char *buf;
1281 size_t buf_len, msg_len;
1282
1283 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1284
XiaokangQiandce82242021-11-15 06:01:26 +00001285 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1286
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001287 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +00001288 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1289
1290 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1291 ssl, buf, buf + buf_len, &msg_len ) );
1292
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001293 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1294 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +00001295
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001296 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1297 ssl, buf_len, msg_len ) );
XiaokangQian35dc6252021-11-11 08:16:19 +00001298cleanup:
1299
1300 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1301 return( ret );
1302}
1303
Jerry Yu378254d2021-10-30 21:44:47 +08001304void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1305{
1306
1307 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1308
Jerry Yue8c1fca2022-05-18 14:48:56 +08001309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1310 mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1311
1312 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1313 mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1314
Jerry Yu378254d2021-10-30 21:44:47 +08001315 /*
Jerry Yucfe64f02021-11-15 13:54:06 +08001316 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +08001317 */
1318 if( ssl->session )
1319 {
Jerry Yu378254d2021-10-30 21:44:47 +08001320 mbedtls_ssl_session_free( ssl->session );
1321 mbedtls_free( ssl->session );
1322 }
1323 ssl->session = ssl->session_negotiate;
1324 ssl->session_negotiate = NULL;
1325
1326 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1327}
1328
Ronald Cron49ad6192021-11-24 16:25:31 +01001329/*
1330 *
1331 * STATE HANDLING: Write ChangeCipherSpec
1332 *
1333 */
1334#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001335MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron49ad6192021-11-24 16:25:31 +01001336static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1337 unsigned char *buf,
1338 unsigned char *end,
1339 size_t *olen )
1340{
1341 ((void) ssl);
1342
1343 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1344 buf[0] = 1;
1345 *olen = 1;
1346
1347 return( 0 );
1348}
1349
Ronald Cron49ad6192021-11-24 16:25:31 +01001350int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1351{
1352 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1353
1354 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1355
Ronald Cron49ad6192021-11-24 16:25:31 +01001356 /* Write CCS message */
1357 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1358 ssl, ssl->out_msg,
1359 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1360 &ssl->out_msglen ) );
1361
1362 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1363
Ronald Cron49ad6192021-11-24 16:25:31 +01001364 /* Dispatch message */
Ronald Cron66dbf912022-02-02 15:33:46 +01001365 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
Ronald Cron49ad6192021-11-24 16:25:31 +01001366
1367cleanup:
1368
1369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1370 return( ret );
1371}
1372
1373#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1374
XiaokangQian78b1fa72022-01-19 06:56:30 +00001375/* Reset SSL context and update hash for handling HRR.
1376 *
1377 * Replace Transcript-Hash(X) by
1378 * Transcript-Hash( message_hash ||
1379 * 00 00 Hash.length ||
1380 * X )
1381 * A few states of the handshake are preserved, including:
1382 * - session ID
1383 * - session ticket
1384 * - negotiated ciphersuite
1385 */
1386int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1387{
1388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Przemyslaw Stekielda645252022-09-14 12:50:51 +02001389 unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
XiaokangQian0ece9982022-01-24 08:56:23 +00001390 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +00001391 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1392 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1393 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1394
1395 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1396
XiaokangQian0ece9982022-01-24 08:56:23 +00001397 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1398 hash_transcript + 4,
Przemyslaw Stekielda645252022-09-14 12:50:51 +02001399 PSA_HASH_MAX_SIZE,
XiaokangQian0ece9982022-01-24 08:56:23 +00001400 &hash_len );
1401 if( ret != 0 )
1402 {
1403 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1404 return( ret );
1405 }
1406
1407 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1408 hash_transcript[1] = 0;
1409 hash_transcript[2] = 0;
1410 hash_transcript[3] = (unsigned char) hash_len;
1411
1412 hash_len += 4;
1413
Przemek Stekiel9dfbf3a2022-09-06 07:40:46 +02001414#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
XiaokangQian78b1fa72022-01-19 06:56:30 +00001415 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1416 {
XiaokangQian78b1fa72022-01-19 06:56:30 +00001417 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +00001418 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +00001419
1420#if defined(MBEDTLS_USE_PSA_CRYPTO)
1421 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1422 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1423#else
1424 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1425#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +00001426 }
Przemek Stekiel9dfbf3a2022-09-06 07:40:46 +02001427#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
1428#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Przemek Stekiel0852ef82022-09-07 10:56:30 +02001429 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
XiaokangQian78b1fa72022-01-19 06:56:30 +00001430 {
XiaokangQian78b1fa72022-01-19 06:56:30 +00001431 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +00001432 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +00001433
1434#if defined(MBEDTLS_USE_PSA_CRYPTO)
1435 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1436 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1437#else
Andrzej Kureka242e832022-08-11 10:03:14 -04001438 mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 );
XiaokangQian78b1fa72022-01-19 06:56:30 +00001439#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +00001440 }
Przemek Stekiel9dfbf3a2022-09-06 07:40:46 +02001441#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
Przemek Stekiel47e3cb12022-09-02 13:17:03 +02001442#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
XiaokangQian0ece9982022-01-24 08:56:23 +00001443 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
Przemek Stekiel47e3cb12022-09-02 13:17:03 +02001444#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +01001445
XiaokangQian78b1fa72022-01-19 06:56:30 +00001446 return( ret );
1447}
1448
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001449#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001450
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001451int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
1452 const unsigned char *buf,
1453 size_t buf_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001454{
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001455 uint8_t *p = (uint8_t*)buf;
XiaokangQiancfd925f2022-04-14 07:10:37 +00001456 const uint8_t *end = buf + buf_len;
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001457 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001458
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001459 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
Ronald Cron154d1b62022-06-01 15:33:26 +02001460 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001461 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1462 p += 2;
XiaokangQian3207a322022-02-23 03:15:27 +00001463
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001464 /* Check if key size is consistent with given buffer length. */
Ronald Cron154d1b62022-06-01 15:33:26 +02001465 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, peerkey_len );
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001466
1467 /* Store peer's ECDH public key. */
1468 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
1469 handshake->ecdh_psa_peerkey_len = peerkey_len;
1470
XiaokangQian3207a322022-02-23 03:15:27 +00001471 return( 0 );
1472}
Jerry Yu89e103c2022-03-30 22:43:29 +08001473
1474int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1475 mbedtls_ssl_context *ssl,
1476 uint16_t named_group,
1477 unsigned char *buf,
1478 unsigned char *end,
1479 size_t *out_len )
1480{
1481 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1482 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1483 psa_key_attributes_t key_attributes;
1484 size_t own_pubkey_len;
1485 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1486 size_t ecdh_bits = 0;
1487
1488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
1489
1490 /* Convert EC group to PSA key type. */
1491 if( ( handshake->ecdh_psa_type =
1492 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
1493 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1494
1495 ssl->handshake->ecdh_bits = ecdh_bits;
1496
1497 key_attributes = psa_key_attributes_init();
1498 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
1499 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
1500 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
1501 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
1502
1503 /* Generate ECDH private key. */
1504 status = psa_generate_key( &key_attributes,
1505 &handshake->ecdh_psa_privkey );
1506 if( status != PSA_SUCCESS )
1507 {
1508 ret = psa_ssl_status_to_mbedtls( status );
1509 MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
1510 return( ret );
1511
1512 }
1513
1514 /* Export the public part of the ECDH private key from PSA. */
1515 status = psa_export_public_key( handshake->ecdh_psa_privkey,
1516 buf, (size_t)( end - buf ),
1517 &own_pubkey_len );
1518 if( status != PSA_SUCCESS )
1519 {
1520 ret = psa_ssl_status_to_mbedtls( status );
1521 MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
1522 return( ret );
1523
1524 }
1525
1526 *out_len = own_pubkey_len;
1527
1528 return( 0 );
1529}
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001530#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +00001531
Jerry Yu0c354a22022-08-29 15:25:36 +08001532/* RFC 8446 section 4.2
1533 *
1534 * If an implementation receives an extension which it recognizes and which is
1535 * not specified for the message in which it appears, it MUST abort the handshake
1536 * with an "illegal_parameter" alert.
1537 *
1538 */
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001539int mbedtls_ssl_tls13_check_received_extension(
1540 mbedtls_ssl_context *ssl,
1541 int hs_msg_type,
1542 unsigned int received_extension_type,
1543 uint32_t hs_msg_allowed_extensions_mask )
Jerry Yu0c354a22022-08-29 15:25:36 +08001544{
Jerry Yudf0ad652022-10-31 13:20:57 +08001545 uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
1546 received_extension_type );
Jerry Yu0c354a22022-08-29 15:25:36 +08001547
Jerry Yu79aa7212022-11-08 21:30:21 +08001548 MBEDTLS_SSL_PRINT_EXT(
Jerry Yudf0ad652022-10-31 13:20:57 +08001549 3, hs_msg_type, received_extension_type, "received" );
Jerry Yu0c354a22022-08-29 15:25:36 +08001550
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001551 if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
Jerry Yu0c354a22022-08-29 15:25:36 +08001552 {
Jerry Yu79aa7212022-11-08 21:30:21 +08001553 MBEDTLS_SSL_PRINT_EXT(
Jerry Yudf0ad652022-10-31 13:20:57 +08001554 3, hs_msg_type, received_extension_type, "is illegal" );
Jerry Yu0c354a22022-08-29 15:25:36 +08001555 MBEDTLS_SSL_PEND_FATAL_ALERT(
1556 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001557 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1558 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yu0c354a22022-08-29 15:25:36 +08001559 }
1560
1561 ssl->handshake->received_extensions |= extension_mask;
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001562 /*
1563 * If it is a message containing extension responses, check that we
1564 * previously sent the extension.
1565 */
Jerry Yu0c354a22022-08-29 15:25:36 +08001566 switch( hs_msg_type )
1567 {
1568 case MBEDTLS_SSL_HS_SERVER_HELLO:
Jerry Yudf0ad652022-10-31 13:20:57 +08001569 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
Jerry Yu0c354a22022-08-29 15:25:36 +08001570 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
1571 case MBEDTLS_SSL_HS_CERTIFICATE:
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001572 /* Check if the received extension is sent by peer message.*/
1573 if( ( ssl->handshake->sent_extensions & extension_mask ) != 0 )
Jerry Yu0c354a22022-08-29 15:25:36 +08001574 return( 0 );
1575 break;
1576 default:
1577 return( 0 );
1578 }
1579
Jerry Yu79aa7212022-11-08 21:30:21 +08001580 MBEDTLS_SSL_PRINT_EXT(
Jerry Yudf0ad652022-10-31 13:20:57 +08001581 3, hs_msg_type, received_extension_type, "is unsupported" );
Jerry Yu0c354a22022-08-29 15:25:36 +08001582 MBEDTLS_SSL_PEND_FATAL_ALERT(
1583 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001584 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1585 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
Jerry Yu0c354a22022-08-29 15:25:36 +08001586}
1587
Jerry Yufb4b6472022-01-27 15:03:26 +08001588#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yudf0ad652022-10-31 13:20:57 +08001589