TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8773aa0da95fbae3d83c7e63a72363338a8d2798 / . / library / ssl_tls13_generic.c
blob: d52ec2f799e926baf671a191714055e07ec27e8f [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
24#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
25
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]26#include <string.h>
27
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]28#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]29#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]30#include "mbedtls/oid.h"
31#include "mbedtls/platform.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]32#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]33
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]34#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]35#include "ssl_tls13_keys.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]36
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]37int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl,
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]38 unsigned hs_type,
39 unsigned char **buf,
40 size_t *buflen )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]41{
42 int ret;
43
44 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
45 {
46 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
47 goto cleanup;
48 }
49
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]50 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]51 ssl->in_msg[0] != hs_type )
52 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]53 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]54 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]55 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]56 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
57 goto cleanup;
58 }
59
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]60 /*
61 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
62 * ...
63 * HandshakeType msg_type;
64 * uint24 length;
65 * ...
66 */
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]67 *buf = ssl->in_msg + 4;
68 *buflen = ssl->in_hslen - 4;
69
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]70cleanup:
71
72 return( ret );
73}
74
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]75int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]76 unsigned hs_type,
77 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]78 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]79{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]80 /*
81 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
82 * ...
83 * HandshakeType msg_type;
84 * uint24 length;
85 * ...
86 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]87 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]88 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]89
90 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
91 ssl->out_msg[0] = hs_type;
92
93 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]94}
95
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]96int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]97 size_t buf_len,
98 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]99{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]100 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800[diff] [blame]101 size_t msg_len_with_header;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]102 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]103
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]104 /* Add reserved 4 bytes for handshake header */
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800[diff] [blame]105 msg_len_with_header = msg_len + 4;
106 ssl->out_msglen = msg_len_with_header;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]107 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]108
109cleanup:
110 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]111}
112
Jerry Yu48369522021-09-18 16:09:01 +0800[diff] [blame]113void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
114 unsigned hs_type,
115 unsigned char const *msg,
116 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]117{
118 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
119 ssl->handshake->update_checksum( ssl, msg, msg_len );
120}
121
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]122void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]123 unsigned hs_type,
124 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]125{
126 unsigned char hs_hdr[4];
127
128 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]129 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
130 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
131 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
132 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]133
134 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
135}
136
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]137#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
138
139/*
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]140 * mbedtls_ssl_tls13_write_sig_alg_ext( )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]141 *
142 * enum {
143 * ....
144 * ecdsa_secp256r1_sha256( 0x0403 ),
145 * ecdsa_secp384r1_sha384( 0x0503 ),
146 * ecdsa_secp521r1_sha512( 0x0603 ),
147 * ....
148 * } SignatureScheme;
149 *
150 * struct {
151 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
152 * } SignatureSchemeList;
153 *
154 * Only if we handle at least one key exchange that needs signatures.
155 */
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]156int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
157 unsigned char *buf,
158 unsigned char *end,
159 size_t *olen )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]160{
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]161 unsigned char *p = buf;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]162 unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */
163 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]164
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]165 *olen = 0;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]166
167 /* Skip the extension on the client if all allowed key exchanges
168 * are PSK-based. */
169#if defined(MBEDTLS_SSL_CLI_C)
170 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
171 !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
172 {
173 return( 0 );
174 }
175#endif /* MBEDTLS_SSL_CLI_C */
176
177 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
178
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]179 /* Check if we have space for header and length field:
180 * - extension_type (2 bytes)
181 * - extension_data_length (2 bytes)
182 * - supported_signature_algorithms_length (2 bytes)
183 */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]184 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
185 p += 6;
186
187 /*
188 * Write supported_signature_algorithms
189 */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]190 supported_sig_alg_ptr = p;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]191 for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs;
192 *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ )
193 {
194 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
195 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
196 p += 2;
197 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
198 }
199
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]200 /* Length of supported_signature_algorithms */
201 supported_sig_alg_len = p - supported_sig_alg_ptr;
202 if( supported_sig_alg_len == 0 )
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]203 {
204 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
205 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
206 }
207
208 /* Write extension_type */
209 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
210 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]211 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]212 /* Write length of supported_signature_algorithms */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]213 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]214
215 /* Output the total length of signature algorithms extension. */
216 *olen = p - buf;
217
218 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]219 return( 0 );
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]220}
221
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]222/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]223 * STATE HANDLING: Read CertificateVerify
224 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]225/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]226 *
227 * The structure is computed per TLS 1.3 specification as:
228 * - 64 bytes of octet 32,
229 * - 33 bytes for the context string
230 * (which is either "TLS 1.3, client CertificateVerify"
231 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]232 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]233 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
234 * (depending on the size of the transcript_hash)
235 *
236 * This results in a total size of
237 * - 130 bytes for a SHA256-based transcript hash, or
238 * (64 + 33 + 1 + 32 bytes)
239 * - 146 bytes for a SHA384-based transcript hash.
240 * (64 + 33 + 1 + 48 bytes)
241 *
242 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]243#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
244 33 + \
245 1 + \
246 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]247 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]248
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]249/*
250 * The ssl_tls13_create_verify_structure() creates the verify structure.
251 * As input, it requires the transcript hash.
252 *
253 * The caller has to ensure that the buffer has size at least
254 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
255 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]256static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]257 size_t transcript_hash_len,
258 unsigned char *verify_buffer,
259 size_t *verify_buffer_len,
260 int from )
261{
262 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]263
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]264 /* RFC 8446, Section 4.4.3:
265 *
266 * The digital signature [in the CertificateVerify message] is then
267 * computed over the concatenation of:
268 * - A string that consists of octet 32 (0x20) repeated 64 times
269 * - The context string
270 * - A single 0 byte which serves as the separator
271 * - The content to be signed
272 */
273 memset( verify_buffer, 0x20, 64 );
274 idx = 64;
275
276 if( from == MBEDTLS_SSL_IS_CLIENT )
277 {
278 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
279 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
280 }
281 else
282 { /* from == MBEDTLS_SSL_IS_SERVER */
283 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
284 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
285 }
286
287 verify_buffer[idx++] = 0x0;
288
289 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
290 idx += transcript_hash_len;
291
292 *verify_buffer_len = idx;
293}
294
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]295static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
296 uint16_t sig_alg )
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]297{
298 const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs;
299
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]300 for( ; *tls13_sig_alg != MBEDTLS_TLS13_SIG_NONE ; tls13_sig_alg++ )
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]301 {
302 if( *tls13_sig_alg == sig_alg )
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]303 return( 1 );
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]304 }
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]305 return( 0 );
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]306}
307
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]308static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]309 const unsigned char *buf,
310 const unsigned char *end,
311 const unsigned char *verify_buffer,
312 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]313{
314 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
315 const unsigned char *p = buf;
316 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]317 size_t signature_len;
318 mbedtls_pk_type_t sig_alg;
319 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]320 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]321 size_t verify_hash_len;
322
323 /*
324 * struct {
325 * SignatureScheme algorithm;
326 * opaque signature<0..2^16-1>;
327 * } CertificateVerify;
328 */
329 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
330 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
331 p += 2;
332
333 /* RFC 8446 section 4.4.3
334 *
335 * If the CertificateVerify message is sent by a server, the signature algorithm
336 * MUST be one offered in the client's "signature_algorithms" extension unless
337 * no valid certificate chain can be produced without unsupported algorithms
338 *
339 * RFC 8446 section 4.4.2.2
340 *
341 * If the client cannot construct an acceptable chain using the provided
342 * certificates and decides to abort the handshake, then it MUST abort the handshake
343 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
344 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]345 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]346 */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]347 if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]348 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]349 /* algorithm not in offered signature algorithms list */
350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
351 "offered.",
352 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]353 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]354 }
355
356 /* We currently only support ECDSA-based signatures */
357 switch( algorithm )
358 {
359 case MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256:
360 md_alg = MBEDTLS_MD_SHA256;
361 sig_alg = MBEDTLS_PK_ECDSA;
362 break;
363 case MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384:
364 md_alg = MBEDTLS_MD_SHA384;
365 sig_alg = MBEDTLS_PK_ECDSA;
366 break;
367 case MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512:
368 md_alg = MBEDTLS_MD_SHA512;
369 sig_alg = MBEDTLS_PK_ECDSA;
370 break;
371 default:
372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]373 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]374 }
375
376 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
377 ( unsigned int ) algorithm ) );
378
379 /*
380 * Check the certificate's key type matches the signature alg
381 */
382 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
383 {
384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]385 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]386 }
387
388 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
389 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
390 p += 2;
391 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
392
393 /* Hash verify buffer with indicated hash function */
394 switch( md_alg )
395 {
396#if defined(MBEDTLS_SHA256_C)
397 case MBEDTLS_MD_SHA256:
398 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]399 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]400 break;
401#endif /* MBEDTLS_SHA256_C */
402
403#if defined(MBEDTLS_SHA384_C)
404 case MBEDTLS_MD_SHA384:
405 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]406 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]407 break;
408#endif /* MBEDTLS_SHA384_C */
409
410#if defined(MBEDTLS_SHA512_C)
411 case MBEDTLS_MD_SHA512:
412 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]413 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]414 break;
415#endif /* MBEDTLS_SHA512_C */
416
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]417 default:
418 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
419 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]420 }
421
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]422 if( ret != 0 )
423 {
424 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]425 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]426 }
427
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]428 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
429
430 if( ( ret = mbedtls_pk_verify_ext( sig_alg, NULL,
431 &ssl->session_negotiate->peer_cert->pk,
432 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]433 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]434 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]435 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]436 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]437 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]438
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]439error:
440 /* RFC 8446 section 4.4.3
441 *
442 * If the verification fails, the receiver MUST terminate the handshake
443 * with a "decrypt_error" alert.
444 */
445 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
446 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
447 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
448
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]449}
450#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
451
452int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
453{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]454
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]455#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
456 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
457 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
458 size_t verify_buffer_len;
459 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
460 size_t transcript_len;
461 unsigned char *buf;
462 size_t buf_len;
463
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
465
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]466 MBEDTLS_SSL_PROC_CHK(
467 mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl,
468 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]469
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]470 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]471 * before reading the message since otherwise it gets
472 * included in the transcript
473 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]474 ret = mbedtls_ssl_get_handshake_transcript( ssl,
475 ssl->handshake->ciphersuite_info->mac,
476 transcript, sizeof( transcript ),
477 &transcript_len );
478 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]479 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]480 MBEDTLS_SSL_PEND_FATAL_ALERT(
481 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
482 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
483 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]484 }
485
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]486 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
487
488 /* Create verify structure */
489 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]490 transcript_len,
491 verify_buffer,
492 &verify_buffer_len,
493 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
494 MBEDTLS_SSL_IS_SERVER :
495 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]496
497 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]498 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
499 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]500
501 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl,
502 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]503
504cleanup:
505
506 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]507 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]508 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]509#else
510 ((void) ssl);
511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
512 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
513#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]514}
515
516/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]517 *
518 * STATE HANDLING: Incoming Certificate, client-side only currently.
519 *
520 */
521
522/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]523 * Implementation
524 */
525
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]526#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
527#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
528/*
529 * Structure of Certificate message:
530 *
531 * enum {
532 * X509(0),
533 * RawPublicKey(2),
534 * (255)
535 * } CertificateType;
536 *
537 * struct {
538 * select (certificate_type) {
539 * case RawPublicKey:
540 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
541 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
542 * case X509:
543 * opaque cert_data<1..2^24-1>;
544 * };
545 * Extension extensions<0..2^16-1>;
546 * } CertificateEntry;
547 *
548 * struct {
549 * opaque certificate_request_context<0..2^8-1>;
550 * CertificateEntry certificate_list<0..2^24-1>;
551 * } Certificate;
552 *
553 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]554
555/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]556static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
557 const unsigned char *buf,
558 const unsigned char *end )
559{
560 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
561 size_t certificate_request_context_len = 0;
562 size_t certificate_list_len = 0;
563 const unsigned char *p = buf;
564 const unsigned char *certificate_list_end;
565
566 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
567 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]568 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]569 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]570
571 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
572 * support anything beyond 2^16 = 64K.
573 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]574 if( ( certificate_request_context_len != 0 ) ||
575 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]576 {
577 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
578 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
579 MBEDTLS_ERR_SSL_DECODE_ERROR );
580 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
581 }
582
583 /* In case we tried to reuse a session but it failed */
584 if( ssl->session_negotiate->peer_cert != NULL )
585 {
586 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
587 mbedtls_free( ssl->session_negotiate->peer_cert );
588 }
589
590 if( ( ssl->session_negotiate->peer_cert =
591 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
592 {
593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
594 sizeof( mbedtls_x509_crt ) ) );
595 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
596 MBEDTLS_ERR_SSL_ALLOC_FAILED );
597 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
598 }
599
600 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
601
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]602 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]603 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]604 {
605 size_t cert_data_len, extensions_len;
606
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]607 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]608 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]609 p += 3;
610
611 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
612 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
613 * check that we have a minimum of 128 bytes of data, this is not
614 * clear why we need that though.
615 */
616 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]617 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
619 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
620 MBEDTLS_ERR_SSL_DECODE_ERROR );
621 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
622 }
623
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]624 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]625 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
626 p, cert_data_len );
627
628 switch( ret )
629 {
630 case 0: /*ok*/
631 break;
632 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
633 /* Ignore certificate with an unknown algorithm: maybe a
634 prior certificate was already trusted. */
635 break;
636
637 case MBEDTLS_ERR_X509_ALLOC_FAILED:
638 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
639 MBEDTLS_ERR_X509_ALLOC_FAILED );
640 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
641 return( ret );
642
643 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
644 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
645 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
646 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
647 return( ret );
648
649 default:
650 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
651 ret );
652 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
653 return( ret );
654 }
655
656 p += cert_data_len;
657
658 /* Certificate extensions length */
659 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
660 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
661 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]662 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]663 p += extensions_len;
664 }
665
666 /* Check that all the message is consumed. */
667 if( p != end )
668 {
669 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
670 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
671 MBEDTLS_ERR_SSL_DECODE_ERROR );
672 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
673 }
674
675 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
676
677 return( ret );
678}
679#else
680static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
681 const unsigned char *buf,
682 const unsigned char *end )
683{
684 ((void) ssl);
685 ((void) buf);
686 ((void) end);
687 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
688}
689#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
690#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
691
692#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
693#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]694/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]695static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
696{
697 int ret = 0;
698 mbedtls_x509_crt *ca_chain;
699 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]700 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]701
702#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
703 if( ssl->handshake->sni_ca_chain != NULL )
704 {
705 ca_chain = ssl->handshake->sni_ca_chain;
706 ca_crl = ssl->handshake->sni_ca_crl;
707 }
708 else
709#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
710 {
711 ca_chain = ssl->conf->ca_chain;
712 ca_crl = ssl->conf->ca_crl;
713 }
714
715 /*
716 * Main check: verify certificate
717 */
718 ret = mbedtls_x509_crt_verify_with_profile(
719 ssl->session_negotiate->peer_cert,
720 ca_chain, ca_crl,
721 ssl->conf->cert_profile,
722 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]723 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]724 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
725
726 if( ret != 0 )
727 {
728 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
729 }
730
731 /*
732 * Secondary checks: always done, but change 'ret' only if it was 0
733 */
734
735#if defined(MBEDTLS_ECP_C)
736 {
737 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
738
739 /* If certificate uses an EC key, make sure the curve is OK */
740 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
741 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
742 {
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]743 verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]744
745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
746 if( ret == 0 )
747 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
748 }
749 }
750#endif /* MBEDTLS_ECP_C */
751
752 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
753 ssl->handshake->ciphersuite_info,
754 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]755 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]756 {
757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
758 if( ret == 0 )
759 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
760 }
761
762
763 if( ca_chain == NULL )
764 {
765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
766 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
767 }
768
769 if( ret != 0 )
770 {
771 /* The certificate may have been rejected for several reasons.
772 Pick one and send the corresponding alert. Which alert to send
773 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]774 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]775 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]776 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]777 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]778 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
779 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
780 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
781 MBEDTLS_X509_BADCERT_BAD_PK |
782 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]783 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]784 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]785 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]786 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]787 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]788 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]789 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
790 else
791 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
792 }
793
794#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]795 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]796 {
797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]798 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]799 }
800 else
801 {
802 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
803 }
804#endif /* MBEDTLS_DEBUG_C */
805
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]806 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]807 return( ret );
808}
809#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
810static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
811{
812 ((void) ssl);
813 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
814}
815#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
816#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
817
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]818int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]819{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]820 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
821 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
822
823#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
824 unsigned char *buf;
825 size_t buf_len;
826
827 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg(
828 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
829 &buf, &buf_len ) );
830
831 /* Parse the certificate chain sent by the peer. */
832 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
833 /* Validate the certificate chain and set the verification results. */
834 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
835
836 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
837 buf, buf_len );
838
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]839cleanup:
840
841 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]842#else
843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
844 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
845#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]846 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]847}
848
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]849/*
850 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]851 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]852 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]853/*
854 * Implementation
855 */
856
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]857static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]858{
859 int ret;
860
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]861 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]862 ssl->handshake->state_local.finished_in.digest,
863 sizeof( ssl->handshake->state_local.finished_in.digest ),
864 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]865 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]866 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]867 if( ret != 0 )
868 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]869 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]870 return( ret );
871 }
872
873 return( 0 );
874}
875
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]876static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
877 const unsigned char *buf,
878 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]879{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]880 /*
881 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]882 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]883 * } Finished;
884 */
885 const unsigned char *expected_verify_data =
886 ssl->handshake->state_local.finished_in.digest;
887 size_t expected_verify_data_len =
888 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]889 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]890 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]891 {
892 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
893
894 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]895 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]896 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
897 }
898
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]899 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]900 expected_verify_data,
901 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]902 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]903 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]904
905 /* Semantic validation */
906 if( mbedtls_ssl_safer_memcmp( buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]907 expected_verify_data,
908 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]909 {
910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
911
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]912 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]913 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]914 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
915 }
916 return( 0 );
917}
918
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]919#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]920static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]921{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]922 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]923 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]924 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]925
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]926 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]927 if( ret != 0 )
928 {
929 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]930 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]931 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]932 }
933
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]934 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]935 if( ret != 0 )
936 {
937 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]938 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]939 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]940 }
941
942 transform_application =
943 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
944 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]945 {
946 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
947 goto cleanup;
948 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]949
950 ret = mbedtls_ssl_tls13_populate_transform(
951 transform_application,
952 ssl->conf->endpoint,
953 ssl->session_negotiate->ciphersuite,
954 &traffic_keys,
955 ssl );
956 if( ret != 0 )
957 {
958 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]959 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]960 }
961
962 ssl->transform_application = transform_application;
963
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]964cleanup:
965
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]966 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]967 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]968 {
969 mbedtls_free( transform_application );
970 MBEDTLS_SSL_PEND_FATAL_ALERT(
971 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
972 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
973 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]974 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]975}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]976#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]977
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]978static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]979{
980
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]981#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]982 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
983 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]984 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]985 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]986#else
987 ((void) ssl);
988#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]989
990 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
991}
992
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]993int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
994{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]995 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]996 unsigned char *buf;
997 size_t buflen;
998
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]999 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1000
1001 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1002 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1003
1004 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl,
1005 MBEDTLS_SSL_HS_FINISHED,
1006 &buf, &buflen ) );
1007 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buflen ) );
1008 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum(
1009 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buflen );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1010 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1011
1012cleanup:
1013
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1015 return( ret );
1016}
1017
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1018/*
1019 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1020 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1021 *
1022 */
1023
1024/*
1025 * Overview
1026 */
1027
1028/* Main entry point: orchestrates the other functions */
1029
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1030static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl );
1031static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1032 unsigned char *buf,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1033 unsigned char *end,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1034 size_t *olen );
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1035static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1036
1037
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1038int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1039{
1040 int ret;
1041 unsigned char *buf;
1042 size_t buf_len, msg_len;
1043
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1045
1046 if( !ssl->handshake->state_local.finished_out.preparation_done )
1047 {
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1048 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1049 ssl->handshake->state_local.finished_out.preparation_done = 1;
1050 }
1051
1052 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1053 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1054
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1055 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1056 ssl, buf, buf + buf_len, &msg_len ) );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1057
1058 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1059 buf, msg_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1060
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1061 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1062 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
1063 buf_len, msg_len ) );
1064 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1065
1066cleanup:
1067
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1069 return( ret );
1070}
1071
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1072static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1073{
1074 int ret;
1075
1076 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1077 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1078 ssl->handshake->state_local.finished_out.digest,
1079 sizeof( ssl->handshake->state_local.finished_out.digest ),
1080 &ssl->handshake->state_local.finished_out.digest_len,
1081 ssl->conf->endpoint );
1082
1083 if( ret != 0 )
1084 {
1085 MBEDTLS_SSL_DEBUG_RET( 1, "calc_finished failed", ret );
1086 return( ret );
1087 }
1088
1089 return( 0 );
1090}
1091
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1092static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1093{
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1094
1095#if defined(MBEDTLS_SSL_CLI_C)
1096 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1097 {
1098 /* Compute resumption_master_secret */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1099 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1100
1101 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
1102 }
1103 else
1104#endif /* MBEDTLS_SSL_CLI_C */
1105 {
XiaokangQiane1655e42021-11-03 07:13:47 +0000[diff] [blame]1106 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1107 /* Should never happen */
1108 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1109 }
1110
1111 return( 0 );
1112}
1113
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1114static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1115 unsigned char *buf,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1116 unsigned char *end,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1117 size_t *olen )
1118{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1119 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1120
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1121 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1122
1123 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1124 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1125
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame^]1126 *olen = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1127 return( 0 );
1128}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1129
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1130#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1131
1132#endif /* MBEDTLS_SSL_TLS_C */