TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 947571efff70d8a1b66501c2aa761bd702d538ee / . / library / ssl_tls13_generic.c
blob: 8cae7898bf58d27383afe39d04d75688d655d581 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
24#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]28
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]29#include "ssl_misc.h"
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame^]30#include <mbedtls/debug.h>
31#include <mbedtls/oid.h>
32#include <mbedtls/platform.h>
33
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]34
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]35int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl,
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]36 unsigned hs_type,
37 unsigned char **buf,
38 size_t *buflen )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]39{
40 int ret;
41
42 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
43 {
44 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
45 goto cleanup;
46 }
47
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]48 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]49 ssl->in_msg[0] != hs_type )
50 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]51 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]52 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]53 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]54 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
55 goto cleanup;
56 }
57
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]58 /*
59 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
60 * ...
61 * HandshakeType msg_type;
62 * uint24 length;
63 * ...
64 */
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]65 *buf = ssl->in_msg + 4;
66 *buflen = ssl->in_hslen - 4;
67
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]68cleanup:
69
70 return( ret );
71}
72
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]73int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]74 unsigned hs_type,
75 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]76 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]77{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]78 /*
79 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
80 * ...
81 * HandshakeType msg_type;
82 * uint24 length;
83 * ...
84 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]85 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]86 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]87
88 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
89 ssl->out_msg[0] = hs_type;
90
91 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]92}
93
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]94int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]95 size_t buf_len,
96 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]97{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]98 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800[diff] [blame]99 size_t msg_len_with_header;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]100 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]101
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]102 /* Add reserved 4 bytes for handshake header */
Jerry Yudbfb7bd2021-09-04 09:58:58 +0800[diff] [blame]103 msg_len_with_header = msg_len + 4;
104 ssl->out_msglen = msg_len_with_header;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]105 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]106
107cleanup:
108 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]109}
110
Jerry Yu48369522021-09-18 16:09:01 +0800[diff] [blame]111void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
112 unsigned hs_type,
113 unsigned char const *msg,
114 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]115{
116 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
117 ssl->handshake->update_checksum( ssl, msg, msg_len );
118}
119
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]120void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]121 unsigned hs_type,
122 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]123{
124 unsigned char hs_hdr[4];
125
126 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]127 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
128 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
129 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
130 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]131
132 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
133}
134
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]135#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
136
137/*
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]138 * mbedtls_ssl_tls13_write_sig_alg_ext( )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]139 *
140 * enum {
141 * ....
142 * ecdsa_secp256r1_sha256( 0x0403 ),
143 * ecdsa_secp384r1_sha384( 0x0503 ),
144 * ecdsa_secp521r1_sha512( 0x0603 ),
145 * ....
146 * } SignatureScheme;
147 *
148 * struct {
149 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
150 * } SignatureSchemeList;
151 *
152 * Only if we handle at least one key exchange that needs signatures.
153 */
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]154int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
155 unsigned char *buf,
156 unsigned char *end,
157 size_t *olen )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]158{
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]159 unsigned char *p = buf;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]160 unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */
161 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]162
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]163 *olen = 0;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]164
165 /* Skip the extension on the client if all allowed key exchanges
166 * are PSK-based. */
167#if defined(MBEDTLS_SSL_CLI_C)
168 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
169 !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
170 {
171 return( 0 );
172 }
173#endif /* MBEDTLS_SSL_CLI_C */
174
175 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
176
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]177 /* Check if we have space for header and length field:
178 * - extension_type (2 bytes)
179 * - extension_data_length (2 bytes)
180 * - supported_signature_algorithms_length (2 bytes)
181 */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]182 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
183 p += 6;
184
185 /*
186 * Write supported_signature_algorithms
187 */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]188 supported_sig_alg_ptr = p;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]189 for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs;
190 *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ )
191 {
192 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
193 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
194 p += 2;
195 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
196 }
197
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]198 /* Length of supported_signature_algorithms */
199 supported_sig_alg_len = p - supported_sig_alg_ptr;
200 if( supported_sig_alg_len == 0 )
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]201 {
202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
203 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
204 }
205
206 /* Write extension_type */
207 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
208 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]209 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]210 /* Write length of supported_signature_algorithms */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]211 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]212
213 /* Output the total length of signature algorithms extension. */
214 *olen = p - buf;
215
216 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]217 return( 0 );
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]218}
219
220#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
221
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame^]222/*
223 *
224 * STATE HANDLING: Incoming Certificate, client-side only currently.
225 *
226 */
227
228/*
229 * Overview
230 */
231
232/* Main state-handling entry point; orchestrates the other functions. */
233int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
234
235#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
236/* Parse certificate chain send by the server. */
237static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
238 const unsigned char *buf,
239 const unsigned char *end );
240/* Validate certificate chain sent by the server. */
241static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl );
242
243#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
244
245/* Update the state after handling the incoming certificate message. */
246static int ssl_tls13_process_certificate_postprocess( mbedtls_ssl_context *ssl );
247
248/*
249 * Implementation
250 */
251
252int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
253{
254 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
256
257#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
258 unsigned char *buf;
259 size_t buf_len;
260
261 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg(
262 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
263 &buf, &buf_len ) );
264
265 /* Parse the certificate chain sent by the peer. */
266 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
267 /* Validate the certificate chain and set the verification results. */
268 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
269
270 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
271 buf, buf_len );
272
273#else
274 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
275 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
276#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
277
278 /* Update state */
279 MBEDTLS_SSL_PROC_CHK( ssl_tls13_process_certificate_postprocess( ssl ) );
280
281cleanup:
282
283 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
284 return( ret );
285}
286
287#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
288#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
289/*
290 * Structure of Certificate message:
291 *
292 * enum {
293 * X509(0),
294 * RawPublicKey(2),
295 * (255)
296 * } CertificateType;
297 *
298 * struct {
299 * select (certificate_type) {
300 * case RawPublicKey:
301 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
302 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
303 * case X509:
304 * opaque cert_data<1..2^24-1>;
305 * };
306 * Extension extensions<0..2^16-1>;
307 * } CertificateEntry;
308 *
309 * struct {
310 * opaque certificate_request_context<0..2^8-1>;
311 * CertificateEntry certificate_list<0..2^24-1>;
312 * } Certificate;
313 *
314 */
315static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
316 const unsigned char *buf,
317 const unsigned char *end )
318{
319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
320 size_t certificate_request_context_len = 0;
321 size_t certificate_list_len = 0;
322 const unsigned char *p = buf;
323 const unsigned char *certificate_list_end;
324
325 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
326 certificate_request_context_len = p[0];
327 certificate_list_len = ( p[1] << 16 ) | ( p[2] << 8 ) | p[3];
328
329 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
330 * support anything beyond 2^16 = 64K.
331 */
332 if( certificate_request_context_len != 0 )
333 {
334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
335 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
336 MBEDTLS_ERR_SSL_DECODE_ERROR );
337 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
338 }
339
340 /* In case we tried to reuse a session but it failed */
341 if( ssl->session_negotiate->peer_cert != NULL )
342 {
343 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
344 mbedtls_free( ssl->session_negotiate->peer_cert );
345 }
346
347 if( ( ssl->session_negotiate->peer_cert =
348 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
349 {
350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
351 sizeof( mbedtls_x509_crt ) ) );
352 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
353 MBEDTLS_ERR_SSL_ALLOC_FAILED );
354 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
355 }
356
357 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
358
359 p += 4;
360 certificate_list_end = p + certificate_list_len;
361 while ( p < certificate_list_end )
362 {
363 size_t cert_data_len, extensions_len;
364
365 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 3 );
366 cert_data_len = ( ( size_t )p[0] << 16 ) |
367 ( ( size_t )p[1] << 8 ) |
368 ( ( size_t )p[2] );
369 p += 3;
370
371 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
372 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
373 * check that we have a minimum of 128 bytes of data, this is not
374 * clear why we need that though.
375 */
376 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
377 {
378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
379 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
380 MBEDTLS_ERR_SSL_DECODE_ERROR );
381 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
382 }
383
384 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len);
385 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
386 p, cert_data_len );
387
388 switch( ret )
389 {
390 case 0: /*ok*/
391 break;
392 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
393 /* Ignore certificate with an unknown algorithm: maybe a
394 prior certificate was already trusted. */
395 break;
396
397 case MBEDTLS_ERR_X509_ALLOC_FAILED:
398 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
399 MBEDTLS_ERR_X509_ALLOC_FAILED );
400 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
401 return( ret );
402
403 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
404 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
405 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
406 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
407 return( ret );
408
409 default:
410 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
411 ret );
412 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
413 return( ret );
414 }
415
416 p += cert_data_len;
417
418 /* Certificate extensions length */
419 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
420 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
421 p += 2;
422 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len);
423 p += extensions_len;
424 }
425
426 /* Check that all the message is consumed. */
427 if( p != end )
428 {
429 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
430 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
431 MBEDTLS_ERR_SSL_DECODE_ERROR );
432 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
433 }
434
435 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
436
437 return( ret );
438}
439#else
440static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
441 const unsigned char *buf,
442 const unsigned char *end )
443{
444 ((void) ssl);
445 ((void) buf);
446 ((void) end);
447 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
448}
449#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
450#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
451
452#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
453#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
454static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
455{
456 int ret = 0;
457 mbedtls_x509_crt *ca_chain;
458 mbedtls_x509_crl *ca_crl;
459
460#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
461 if( ssl->handshake->sni_ca_chain != NULL )
462 {
463 ca_chain = ssl->handshake->sni_ca_chain;
464 ca_crl = ssl->handshake->sni_ca_crl;
465 }
466 else
467#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
468 {
469 ca_chain = ssl->conf->ca_chain;
470 ca_crl = ssl->conf->ca_crl;
471 }
472
473 /*
474 * Main check: verify certificate
475 */
476 ret = mbedtls_x509_crt_verify_with_profile(
477 ssl->session_negotiate->peer_cert,
478 ca_chain, ca_crl,
479 ssl->conf->cert_profile,
480 ssl->hostname,
481 &ssl->session_negotiate->verify_result,
482 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
483
484 if( ret != 0 )
485 {
486 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
487 }
488
489 /*
490 * Secondary checks: always done, but change 'ret' only if it was 0
491 */
492
493#if defined(MBEDTLS_ECP_C)
494 {
495 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
496
497 /* If certificate uses an EC key, make sure the curve is OK */
498 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
499 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
500 {
501 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
502
503 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
504 if( ret == 0 )
505 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
506 }
507 }
508#endif /* MBEDTLS_ECP_C */
509
510 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
511 ssl->handshake->ciphersuite_info,
512 !ssl->conf->endpoint,
513 &ssl->session_negotiate->verify_result ) != 0 )
514 {
515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
516 if( ret == 0 )
517 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
518 }
519
520
521 if( ca_chain == NULL )
522 {
523 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
524 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
525 }
526
527 if( ret != 0 )
528 {
529 /* The certificate may have been rejected for several reasons.
530 Pick one and send the corresponding alert. Which alert to send
531 may be a subject of debate in some cases. */
532 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
533 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
534 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
535 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
536 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
537 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
538 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
539 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
540 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
541 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
542 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
543 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
544 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
545 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
546 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
547 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
548 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
549 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
550 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
551 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
552 else
553 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
554 }
555
556#if defined(MBEDTLS_DEBUG_C)
557 if( ssl->session_negotiate->verify_result != 0 )
558 {
559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
560 (unsigned int) ssl->session_negotiate->verify_result ) );
561 }
562 else
563 {
564 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
565 }
566#endif /* MBEDTLS_DEBUG_C */
567
568 return( ret );
569}
570#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
571static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
572{
573 ((void) ssl);
574 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
575}
576#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
577#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
578
579static int ssl_tls13_process_certificate_postprocess( mbedtls_ssl_context *ssl )
580{
581 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
582 return( 0 );
583}
584
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]585#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
586
587#endif /* MBEDTLS_SSL_TLS_C */