TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9b5d04b078de4acd8471eb0bfb7db28fea000720 / . / library / ssl_tls13_generic.c
blob: a6bcac318363a06bbe661eea3e1b050de38291d5 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]23
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]24#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]28#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]30#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]31#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]32
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]33#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]36
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]37int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
38 unsigned hs_type,
39 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]40 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]41{
42 int ret;
43
44 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
45 {
46 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
47 goto cleanup;
48 }
49
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]50 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]51 ssl->in_msg[0] != hs_type )
52 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]53 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]54 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]55 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]56 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
57 goto cleanup;
58 }
59
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]60 /*
61 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
62 * ...
63 * HandshakeType msg_type;
64 * uint24 length;
65 * ...
66 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]67 *buf = ssl->in_msg + 4;
68 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]69
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]70cleanup:
71
72 return( ret );
73}
74
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]75#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]76/* mbedtls_ssl_tls13_parse_sig_alg_ext()
77 *
78 * enum {
79 * ....
80 * ecdsa_secp256r1_sha256( 0x0403 ),
81 * ecdsa_secp384r1_sha384( 0x0503 ),
82 * ecdsa_secp521r1_sha512( 0x0603 ),
83 * ....
84 * } SignatureScheme;
85 *
86 * struct {
87 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
88 * } SignatureSchemeList;
89 */
90int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
91 const unsigned char *buf,
92 const unsigned char *end )
93{
94 const unsigned char *p = buf;
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]95 size_t supported_sig_algs_len = 0;
96 const unsigned char *supported_sig_algs_end;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]97 uint16_t sig_alg;
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]98 uint32_t common_idx = 0;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]99
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]100 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]101 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]102 p += 2;
103
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]104 memset( ssl->handshake->received_sig_algs, 0,
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]105 sizeof(ssl->handshake->received_sig_algs) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]106
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]107 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
108 supported_sig_algs_end = p + supported_sig_algs_len;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]109 while( p < supported_sig_algs_end )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]110 {
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]111 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]112 sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]113 p += 2;
114
115 MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]116 sig_alg ) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]117
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]118 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ||
119 ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
120 continue;
121
122 if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]123 {
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]124 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]125 common_idx += 1;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]126 }
127 }
128 /* Check that we consumed all the message. */
129 if( p != end )
130 {
131 MBEDTLS_SSL_DEBUG_MSG( 1,
132 ( "Signature algorithms extension length misaligned" ) );
133 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
134 MBEDTLS_ERR_SSL_DECODE_ERROR );
135 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
136 }
137
138 if( common_idx == 0 )
139 {
140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
141 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
142 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
143 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
144 }
145
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]146 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]147 return( 0 );
148}
149
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]150/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]151 * STATE HANDLING: Read CertificateVerify
152 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]153/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]154 *
155 * The structure is computed per TLS 1.3 specification as:
156 * - 64 bytes of octet 32,
157 * - 33 bytes for the context string
158 * (which is either "TLS 1.3, client CertificateVerify"
159 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]160 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]161 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
162 * (depending on the size of the transcript_hash)
163 *
164 * This results in a total size of
165 * - 130 bytes for a SHA256-based transcript hash, or
166 * (64 + 33 + 1 + 32 bytes)
167 * - 146 bytes for a SHA384-based transcript hash.
168 * (64 + 33 + 1 + 48 bytes)
169 *
170 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]171#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
172 33 + \
173 1 + \
174 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]175 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]176
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]177/*
178 * The ssl_tls13_create_verify_structure() creates the verify structure.
179 * As input, it requires the transcript hash.
180 *
181 * The caller has to ensure that the buffer has size at least
182 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
183 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]184static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]185 size_t transcript_hash_len,
186 unsigned char *verify_buffer,
187 size_t *verify_buffer_len,
188 int from )
189{
190 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]191
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]192 /* RFC 8446, Section 4.4.3:
193 *
194 * The digital signature [in the CertificateVerify message] is then
195 * computed over the concatenation of:
196 * - A string that consists of octet 32 (0x20) repeated 64 times
197 * - The context string
198 * - A single 0 byte which serves as the separator
199 * - The content to be signed
200 */
201 memset( verify_buffer, 0x20, 64 );
202 idx = 64;
203
204 if( from == MBEDTLS_SSL_IS_CLIENT )
205 {
206 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
207 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
208 }
209 else
210 { /* from == MBEDTLS_SSL_IS_SERVER */
211 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
212 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
213 }
214
215 verify_buffer[idx++] = 0x0;
216
217 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
218 idx += transcript_hash_len;
219
220 *verify_buffer_len = idx;
221}
222
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]223static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]224 const unsigned char *buf,
225 const unsigned char *end,
226 const unsigned char *verify_buffer,
227 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]228{
229 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
230 const unsigned char *p = buf;
231 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]232 size_t signature_len;
233 mbedtls_pk_type_t sig_alg;
234 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]235 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]236 size_t verify_hash_len;
237
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]238 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]239#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]240 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]241#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
242
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]243 /*
244 * struct {
245 * SignatureScheme algorithm;
246 * opaque signature<0..2^16-1>;
247 * } CertificateVerify;
248 */
249 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
250 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
251 p += 2;
252
253 /* RFC 8446 section 4.4.3
254 *
255 * If the CertificateVerify message is sent by a server, the signature algorithm
256 * MUST be one offered in the client's "signature_algorithms" extension unless
257 * no valid certificate chain can be produced without unsupported algorithms
258 *
259 * RFC 8446 section 4.4.2.2
260 *
261 * If the client cannot construct an acceptable chain using the provided
262 * certificates and decides to abort the handshake, then it MUST abort the handshake
263 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
264 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]265 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]266 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]267 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]268 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]269 /* algorithm not in offered signature algorithms list */
270 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
271 "offered.",
272 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]273 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]274 }
275
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]276 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]277 algorithm, &sig_alg, &md_alg ) != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]278 {
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]279 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]280 }
281
282 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
283 ( unsigned int ) algorithm ) );
284
285 /*
286 * Check the certificate's key type matches the signature alg
287 */
288 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
289 {
290 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]291 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]292 }
293
294 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
295 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
296 p += 2;
297 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
298
299 /* Hash verify buffer with indicated hash function */
300 switch( md_alg )
301 {
302#if defined(MBEDTLS_SHA256_C)
303 case MBEDTLS_MD_SHA256:
304 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]305 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]306 break;
307#endif /* MBEDTLS_SHA256_C */
308
309#if defined(MBEDTLS_SHA384_C)
310 case MBEDTLS_MD_SHA384:
311 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]312 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]313 break;
314#endif /* MBEDTLS_SHA384_C */
315
316#if defined(MBEDTLS_SHA512_C)
317 case MBEDTLS_MD_SHA512:
318 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]319 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]320 break;
321#endif /* MBEDTLS_SHA512_C */
322
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]323 default:
324 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
325 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]326 }
327
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]328 if( ret != 0 )
329 {
330 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]331 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]332 }
333
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]334 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]335#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
336 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
337 {
338 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]339 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]340 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
341 {
342 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
343 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]344 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
345 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]346 }
347#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]348
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]349 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]350 &ssl->session_negotiate->peer_cert->pk,
351 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]352 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]353 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]354 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]355 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]356 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]357
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]358error:
359 /* RFC 8446 section 4.4.3
360 *
361 * If the verification fails, the receiver MUST terminate the handshake
362 * with a "decrypt_error" alert.
363 */
364 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
365 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
366 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
367
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]368}
369#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
370
371int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
372{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]373
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]374#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
375 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
376 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
377 size_t verify_buffer_len;
378 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
379 size_t transcript_len;
380 unsigned char *buf;
381 size_t buf_len;
382
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]383 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
384
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]385 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]386 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]387 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]388
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]389 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]390 * before reading the message since otherwise it gets
391 * included in the transcript
392 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]393 ret = mbedtls_ssl_get_handshake_transcript( ssl,
394 ssl->handshake->ciphersuite_info->mac,
395 transcript, sizeof( transcript ),
396 &transcript_len );
397 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]398 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]399 MBEDTLS_SSL_PEND_FATAL_ALERT(
400 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
401 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
402 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]403 }
404
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]405 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
406
407 /* Create verify structure */
408 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]409 transcript_len,
410 verify_buffer,
411 &verify_buffer_len,
412 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
413 MBEDTLS_SSL_IS_SERVER :
414 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]415
416 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]417 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
418 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]419
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]420 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
421 buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]422
423cleanup:
424
425 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]426 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]427 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]428#else
429 ((void) ssl);
430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
431 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
432#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]433}
434
435/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]436 *
437 * STATE HANDLING: Incoming Certificate, client-side only currently.
438 *
439 */
440
441/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]442 * Implementation
443 */
444
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]445#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
446#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
447/*
448 * Structure of Certificate message:
449 *
450 * enum {
451 * X509(0),
452 * RawPublicKey(2),
453 * (255)
454 * } CertificateType;
455 *
456 * struct {
457 * select (certificate_type) {
458 * case RawPublicKey:
459 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
460 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
461 * case X509:
462 * opaque cert_data<1..2^24-1>;
463 * };
464 * Extension extensions<0..2^16-1>;
465 * } CertificateEntry;
466 *
467 * struct {
468 * opaque certificate_request_context<0..2^8-1>;
469 * CertificateEntry certificate_list<0..2^24-1>;
470 * } Certificate;
471 *
472 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]473
474/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]475static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
476 const unsigned char *buf,
477 const unsigned char *end )
478{
479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
480 size_t certificate_request_context_len = 0;
481 size_t certificate_list_len = 0;
482 const unsigned char *p = buf;
483 const unsigned char *certificate_list_end;
484
485 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
486 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]487 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]488 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]489
490 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
491 * support anything beyond 2^16 = 64K.
492 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]493 if( ( certificate_request_context_len != 0 ) ||
494 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]495 {
496 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
497 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
498 MBEDTLS_ERR_SSL_DECODE_ERROR );
499 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
500 }
501
502 /* In case we tried to reuse a session but it failed */
503 if( ssl->session_negotiate->peer_cert != NULL )
504 {
505 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
506 mbedtls_free( ssl->session_negotiate->peer_cert );
507 }
508
509 if( ( ssl->session_negotiate->peer_cert =
510 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
511 {
512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
513 sizeof( mbedtls_x509_crt ) ) );
514 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
515 MBEDTLS_ERR_SSL_ALLOC_FAILED );
516 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
517 }
518
519 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
520
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]521 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]522 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]523 {
524 size_t cert_data_len, extensions_len;
525
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]526 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]527 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]528 p += 3;
529
530 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
531 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
532 * check that we have a minimum of 128 bytes of data, this is not
533 * clear why we need that though.
534 */
535 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]536 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
538 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
539 MBEDTLS_ERR_SSL_DECODE_ERROR );
540 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
541 }
542
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]543 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]544 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
545 p, cert_data_len );
546
547 switch( ret )
548 {
549 case 0: /*ok*/
550 break;
551 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
552 /* Ignore certificate with an unknown algorithm: maybe a
553 prior certificate was already trusted. */
554 break;
555
556 case MBEDTLS_ERR_X509_ALLOC_FAILED:
557 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
558 MBEDTLS_ERR_X509_ALLOC_FAILED );
559 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
560 return( ret );
561
562 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
563 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
564 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
565 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
566 return( ret );
567
568 default:
569 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
570 ret );
571 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
572 return( ret );
573 }
574
575 p += cert_data_len;
576
577 /* Certificate extensions length */
578 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
579 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
580 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]581 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]582 p += extensions_len;
583 }
584
585 /* Check that all the message is consumed. */
586 if( p != end )
587 {
588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
589 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
590 MBEDTLS_ERR_SSL_DECODE_ERROR );
591 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
592 }
593
594 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
595
596 return( ret );
597}
598#else
599static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
600 const unsigned char *buf,
601 const unsigned char *end )
602{
603 ((void) ssl);
604 ((void) buf);
605 ((void) end);
606 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
607}
608#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
609#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
610
611#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
612#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]613/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]614static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
615{
616 int ret = 0;
617 mbedtls_x509_crt *ca_chain;
618 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]619 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]620
621#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
622 if( ssl->handshake->sni_ca_chain != NULL )
623 {
624 ca_chain = ssl->handshake->sni_ca_chain;
625 ca_crl = ssl->handshake->sni_ca_crl;
626 }
627 else
628#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
629 {
630 ca_chain = ssl->conf->ca_chain;
631 ca_crl = ssl->conf->ca_crl;
632 }
633
634 /*
635 * Main check: verify certificate
636 */
637 ret = mbedtls_x509_crt_verify_with_profile(
638 ssl->session_negotiate->peer_cert,
639 ca_chain, ca_crl,
640 ssl->conf->cert_profile,
641 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]642 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]643 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
644
645 if( ret != 0 )
646 {
647 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
648 }
649
650 /*
651 * Secondary checks: always done, but change 'ret' only if it was 0
652 */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]653 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
654 ssl->handshake->ciphersuite_info,
655 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]656 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]657 {
658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
659 if( ret == 0 )
660 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
661 }
662
663
664 if( ca_chain == NULL )
665 {
666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
667 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
668 }
669
670 if( ret != 0 )
671 {
672 /* The certificate may have been rejected for several reasons.
673 Pick one and send the corresponding alert. Which alert to send
674 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]675 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]676 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]677 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]678 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]679 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
680 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
681 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
682 MBEDTLS_X509_BADCERT_BAD_PK |
683 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]684 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]685 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]686 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]687 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]688 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]689 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]690 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
691 else
692 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
693 }
694
695#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]696 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]697 {
698 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]699 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]700 }
701 else
702 {
703 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
704 }
705#endif /* MBEDTLS_DEBUG_C */
706
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]707 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]708 return( ret );
709}
710#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
711static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
712{
713 ((void) ssl);
714 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
715}
716#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
717#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
718
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]719int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]720{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]721 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
722 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
723
724#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
725 unsigned char *buf;
726 size_t buf_len;
727
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]728 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]729 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
730 &buf, &buf_len ) );
731
732 /* Parse the certificate chain sent by the peer. */
733 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
734 /* Validate the certificate chain and set the verification results. */
735 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
736
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]737 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
738 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]739
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]740cleanup:
741
742 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]743#else
744 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
745 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
746#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]747 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]748}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]749#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]750/*
751 * enum {
752 * X509(0),
753 * RawPublicKey(2),
754 * (255)
755 * } CertificateType;
756 *
757 * struct {
758 * select (certificate_type) {
759 * case RawPublicKey:
760 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
761 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
762 *
763 * case X509:
764 * opaque cert_data<1..2^24-1>;
765 * };
766 * Extension extensions<0..2^16-1>;
767 * } CertificateEntry;
768 *
769 * struct {
770 * opaque certificate_request_context<0..2^8-1>;
771 * CertificateEntry certificate_list<0..2^24-1>;
772 * } Certificate;
773 */
774static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]775 unsigned char *buf,
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]776 unsigned char *end,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]777 size_t *out_len )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]778{
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]779 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]780 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]781 unsigned char *certificate_request_context =
782 ssl->handshake->certificate_request_context;
783 unsigned char certificate_request_context_len =
784 ssl->handshake->certificate_request_context_len;
785 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]786
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]787
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]788 /* ...
789 * opaque certificate_request_context<0..2^8-1>;
790 * ...
791 */
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]792 MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
793 *p++ = certificate_request_context_len;
794 if( certificate_request_context_len > 0 )
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]795 {
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]796 memcpy( p, certificate_request_context, certificate_request_context_len );
797 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]798 }
799
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]800 /* ...
801 * CertificateEntry certificate_list<0..2^24-1>;
802 * ...
803 */
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]804 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]805 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]806 p += 3;
807
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]808 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]809
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]810 while( crt != NULL )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]811 {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]812 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]813
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]814 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
815 MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
816 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]817
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]818 memcpy( p, crt->raw.p, cert_data_len );
819 p += cert_data_len;
820 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]821
822 /* Currently, we don't have any certificate extensions defined.
823 * Hence, we are sending an empty extension with length zero.
824 */
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]825 MBEDTLS_PUT_UINT24_BE( 0, p, 0 );
826 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]827 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]828
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]829 MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
830 p_certificate_list_len, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]831
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]832 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]833
834 return( 0 );
835}
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]836
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]837int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]838{
839 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]840 unsigned char *buf;
841 size_t buf_len, msg_len;
842
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]843 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
844
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]845 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]846 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]847
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]848 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
849 buf,
850 buf + buf_len,
851 &msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]852
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]853 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
854 buf, msg_len );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]855
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]856 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]857 ssl, buf_len, msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]858cleanup:
859
860 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
861 return( ret );
862}
863
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]864/*
865 * STATE HANDLING: Output Certificate Verify
866 */
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]867static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
868 mbedtls_pk_context *own_key,
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]869 uint16_t *algorithm )
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]870{
871 mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
872 /* Determine the size of the key */
873 size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]874 *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]875 ((void) own_key_size);
876
877 switch( sig )
878 {
879#if defined(MBEDTLS_ECDSA_C)
880 case MBEDTLS_SSL_SIG_ECDSA:
881 switch( own_key_size )
882 {
883 case 256:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]884 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]885 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]886 case 384:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]887 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]888 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]889 case 521:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]890 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]891 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]892 default:
893 MBEDTLS_SSL_DEBUG_MSG( 3,
894 ( "unknown key size: %"
895 MBEDTLS_PRINTF_SIZET " bits",
896 own_key_size ) );
897 break;
898 }
899 break;
900#endif /* MBEDTLS_ECDSA_C */
901
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]902#if defined(MBEDTLS_RSA_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]903 case MBEDTLS_SSL_SIG_RSA:
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]904#if defined(MBEDTLS_PKCS1_V21)
905#if defined(MBEDTLS_SHA256_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]906 if( own_key_size <= 2048 &&
907 mbedtls_ssl_sig_alg_is_received( ssl,
908 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
909 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]910 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]911 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]912 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]913 else
914#endif /* MBEDTLS_SHA256_C */
915#if defined(MBEDTLS_SHA384_C)
916 if( own_key_size <= 3072 &&
917 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]918 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
919 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]920 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]921 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]922 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]923 else
924#endif /* MBEDTLS_SHA384_C */
925#if defined(MBEDTLS_SHA512_C)
926 if( own_key_size <= 4096 &&
927 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]928 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
929 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]930 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]931 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]932 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]933 else
934#endif /* MBEDTLS_SHA512_C */
935#endif /* MBEDTLS_PKCS1_V21 */
936#if defined(MBEDTLS_PKCS1_V15)
937#if defined(MBEDTLS_SHA256_C)
938 if( own_key_size <= 2048 &&
939 mbedtls_ssl_sig_alg_is_received( ssl,
940 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
941 {
942 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]943 return( 0 );
944 }
945 else
946#endif /* MBEDTLS_SHA256_C */
947#if defined(MBEDTLS_SHA384_C)
948 if( own_key_size <= 3072 &&
949 mbedtls_ssl_sig_alg_is_received( ssl,
950 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
951 {
952 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]953 return( 0 );
954 }
955 else
956#endif /* MBEDTLS_SHA384_C */
957#if defined(MBEDTLS_SHA512_C)
958 if( own_key_size <= 4096 &&
959 mbedtls_ssl_sig_alg_is_received( ssl,
960 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
961 {
962 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]963 return( 0 );
964 }
965 else
966#endif /* MBEDTLS_SHA512_C */
967#endif /* MBEDTLS_PKCS1_V15 */
968 {
969 MBEDTLS_SSL_DEBUG_MSG( 3,
970 ( "unknown key size: %"
971 MBEDTLS_PRINTF_SIZET " bits",
972 own_key_size ) );
973 }
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]974 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]975#endif /* MBEDTLS_RSA_C */
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]976 default:
977 MBEDTLS_SSL_DEBUG_MSG( 1,
978 ( "unkown signature type : %u", sig ) );
979 break;
980 }
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]981 return( -1 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]982}
983
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]984static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
985 unsigned char *buf,
986 unsigned char *end,
987 size_t *out_len )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]988{
989 int ret;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]990 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]991 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]992
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]993 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
994 size_t handshake_hash_len;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]995 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
996 size_t verify_buffer_len;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]997 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]998 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Jerry Yu78272072022-02-22 10:28:13 +0800[diff] [blame]999 uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1000 size_t signature_len = 0;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1001 const mbedtls_md_info_t *md_info;
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1002 unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1003 size_t verify_hash_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1004
Jerry Yu0b7b1012022-02-23 12:23:05 +0800[diff] [blame]1005 *out_len = 0;
1006
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1007 own_key = mbedtls_ssl_own_key( ssl );
1008 if( own_key == NULL )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1009 {
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1010 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1011 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1012 }
1013
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1014 ret = mbedtls_ssl_get_handshake_transcript( ssl,
1015 ssl->handshake->ciphersuite_info->mac,
1016 handshake_hash,
1017 sizeof( handshake_hash ),
1018 &handshake_hash_len );
1019 if( ret != 0 )
1020 return( ret );
1021
1022 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1023 handshake_hash,
1024 handshake_hash_len);
1025
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1026 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1027 verify_buffer, &verify_buffer_len,
1028 ssl->conf->endpoint );
1029
1030 /*
1031 * struct {
1032 * SignatureScheme algorithm;
1033 * opaque signature<0..2^16-1>;
1034 * } CertificateVerify;
1035 */
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1036 ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1037 if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1038 {
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1039 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]1040 ( "signature algorithm not in received or offered list." ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1041
1042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
1043 mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
1044
Jerry Yu71f36f12022-02-23 17:34:29 +0800[diff] [blame]1045 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1046 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1047 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1048 }
1049
Jerry Yu6c6f1022022-03-25 11:09:50 +0800[diff] [blame]1050 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
1051 algorithm, &pk_type, &md_alg ) != 0 )
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1052 {
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]1053 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1054 }
1055
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1056 /* Check there is space for the algorithm identifier (2 bytes) and the
1057 * signature length (2 bytes).
1058 */
1059 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1060 MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
1061 p += 2;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1062
1063 /* Hash verify buffer with indicated hash function */
1064 md_info = mbedtls_md_info_from_type( md_alg );
1065 if( md_info == NULL )
1066 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1067
1068 ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash );
1069 if( ret != 0 )
1070 return( ret );
1071
1072 verify_hash_len = mbedtls_md_get_size( md_info );
1073 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1074
Jerry Yu8beb9e12022-03-12 16:23:53 +0800[diff] [blame]1075 if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1076 md_alg, verify_hash, verify_hash_len,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1077 p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
1078 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1079 {
1080 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
1081 return( ret );
1082 }
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1083
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1084 MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
1085 p += 2 + signature_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1086
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1087 *out_len = (size_t)( p - buf );
1088
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1089 return( ret );
1090}
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1091
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1092int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1093{
1094 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1095 unsigned char *buf;
1096 size_t buf_len, msg_len;
1097
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1098 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1099
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1100 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1101 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1102
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1103 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1104 ssl, buf, buf + buf_len, &msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1105
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1106 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1107 buf, msg_len );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1108
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1109 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1110 ssl, buf_len, msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1111
1112cleanup:
1113
1114 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1115 return( ret );
1116}
1117
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1118#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1119
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1120/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1121 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1122 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1123 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1124/*
1125 * Implementation
1126 */
1127
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1128static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1129{
1130 int ret;
1131
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1132 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1133 ssl->handshake->state_local.finished_in.digest,
1134 sizeof( ssl->handshake->state_local.finished_in.digest ),
1135 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1136 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1137 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1138 if( ret != 0 )
1139 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1140 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1141 return( ret );
1142 }
1143
1144 return( 0 );
1145}
1146
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1147static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1148 const unsigned char *buf,
1149 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1150{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1151 /*
1152 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1153 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1154 * } Finished;
1155 */
1156 const unsigned char *expected_verify_data =
1157 ssl->handshake->state_local.finished_in.digest;
1158 size_t expected_verify_data_len =
1159 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1160 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1161 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1162 {
1163 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1164
1165 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1166 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1167 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1168 }
1169
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1170 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1171 expected_verify_data,
1172 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1173 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1174 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1175
1176 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]1177 if( mbedtls_ct_memcmp( buf,
1178 expected_verify_data,
1179 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1180 {
1181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1182
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1183 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1184 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1185 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1186 }
1187 return( 0 );
1188}
1189
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1190#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1191static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1192{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1193 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1194 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]1195 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1196
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1197 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1198 if( ret != 0 )
1199 {
1200 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1201 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1202 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1203 }
1204
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1205 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1206 if( ret != 0 )
1207 {
1208 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1209 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1210 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1211 }
1212
1213 transform_application =
1214 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
1215 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1216 {
1217 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1218 goto cleanup;
1219 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1220
1221 ret = mbedtls_ssl_tls13_populate_transform(
1222 transform_application,
1223 ssl->conf->endpoint,
1224 ssl->session_negotiate->ciphersuite,
1225 &traffic_keys,
1226 ssl );
1227 if( ret != 0 )
1228 {
1229 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1230 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1231 }
1232
1233 ssl->transform_application = transform_application;
1234
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1235cleanup:
1236
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1237 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1238 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]1239 {
1240 mbedtls_free( transform_application );
1241 MBEDTLS_SSL_PEND_FATAL_ALERT(
1242 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1243 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1244 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1245 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1246}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1247#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1248
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1249static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1250{
1251
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1252#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1253 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1254 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1255 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1256 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1257#else
1258 ((void) ssl);
1259#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1260
1261 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1262}
1263
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1264int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1265{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1266 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1267 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1268 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1269
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1270 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1271
1272 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1273 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1274
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1275 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1276 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1277 &buf, &buf_len ) );
1278 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1279 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1280 buf, buf_len );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1281 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1282
1283cleanup:
1284
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1285 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1286 return( ret );
1287}
1288
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1289/*
1290 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1291 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1292 *
1293 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1294/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1295 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1296 */
1297
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1298static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1299{
1300 int ret;
1301
1302 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1303 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1304 ssl->handshake->state_local.finished_out.digest,
1305 sizeof( ssl->handshake->state_local.finished_out.digest ),
1306 &ssl->handshake->state_local.finished_out.digest_len,
1307 ssl->conf->endpoint );
1308
1309 if( ret != 0 )
1310 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1311 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1312 return( ret );
1313 }
1314
1315 return( 0 );
1316}
1317
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1318static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1319{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1320 // TODO: Add back resumption keys calculation after MVP.
1321 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1322
1323 return( 0 );
1324}
1325
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1326static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1327 unsigned char *buf,
1328 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1329 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1330{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1331 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1332 /*
1333 * struct {
1334 * opaque verify_data[Hash.length];
1335 * } Finished;
1336 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1337 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1338
1339 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1340 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1341
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1342 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1343 return( 0 );
1344}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1345
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1346/* Main entry point: orchestrates the other functions */
1347int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1348{
1349 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1350 unsigned char *buf;
1351 size_t buf_len, msg_len;
1352
1353 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1354
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1355 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1356
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1357 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1358 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1359
1360 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1361 ssl, buf, buf + buf_len, &msg_len ) );
1362
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1363 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1364 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1365
1366 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1367 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1368 ssl, buf_len, msg_len ) );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1369cleanup:
1370
1371 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1372 return( ret );
1373}
1374
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1375void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1376{
1377
1378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1379
1380 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1381 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1382 */
1383 if( ssl->session )
1384 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1385 mbedtls_ssl_session_free( ssl->session );
1386 mbedtls_free( ssl->session );
1387 }
1388 ssl->session = ssl->session_negotiate;
1389 ssl->session_negotiate = NULL;
1390
1391 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1392}
1393
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1394/*
1395 *
1396 * STATE HANDLING: Write ChangeCipherSpec
1397 *
1398 */
1399#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1400static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1401 unsigned char *buf,
1402 unsigned char *end,
1403 size_t *olen )
1404{
1405 ((void) ssl);
1406
1407 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1408 buf[0] = 1;
1409 *olen = 1;
1410
1411 return( 0 );
1412}
1413
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1414int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1415{
1416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1417
1418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1419
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1420 /* Write CCS message */
1421 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1422 ssl, ssl->out_msg,
1423 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1424 &ssl->out_msglen ) );
1425
1426 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1427
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1428 /* Dispatch message */
Ronald Cron66dbf912022-02-02 15:33:46 +0100[diff] [blame]1429 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1430
1431cleanup:
1432
1433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1434 return( ret );
1435}
1436
1437#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1438
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1439/* Reset SSL context and update hash for handling HRR.
1440 *
1441 * Replace Transcript-Hash(X) by
1442 * Transcript-Hash( message_hash ||
1443 * 00 00 Hash.length ||
1444 * X )
1445 * A few states of the handshake are preserved, including:
1446 * - session ID
1447 * - session ticket
1448 * - negotiated ciphersuite
1449 */
1450int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1451{
1452 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1453 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1454 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1455 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1456 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1457 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1458
1459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1460
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1461 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1462 hash_transcript + 4,
1463 MBEDTLS_MD_MAX_SIZE,
1464 &hash_len );
1465 if( ret != 0 )
1466 {
1467 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1468 return( ret );
1469 }
1470
1471 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1472 hash_transcript[1] = 0;
1473 hash_transcript[2] = 0;
1474 hash_transcript[3] = (unsigned char) hash_len;
1475
1476 hash_len += 4;
1477
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1478 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1479 {
1480#if defined(MBEDTLS_SHA256_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1481 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1482 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1483
1484#if defined(MBEDTLS_USE_PSA_CRYPTO)
1485 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1486 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1487#else
1488 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1489#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1490#endif /* MBEDTLS_SHA256_C */
1491 }
1492 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1493 {
1494#if defined(MBEDTLS_SHA384_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1495 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1496 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1497
1498#if defined(MBEDTLS_USE_PSA_CRYPTO)
1499 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1500 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1501#else
1502 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1503#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1504#endif /* MBEDTLS_SHA384_C */
1505 }
1506
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1507#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
1508 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1509#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +0100[diff] [blame]1510
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1511 return( ret );
1512}
1513
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame^]1514#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1515
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame^]1516int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
1517 const unsigned char *buf,
1518 size_t buf_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1519{
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame^]1520 uint8_t *p = (uint8_t*)buf;
1521 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1522
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame^]1523 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
1524 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1525 p += 2;
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1526
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame^]1527 /* Check if key size is consistent with given buffer length. */
1528 if ( peerkey_len > ( buf_len - 2 ) )
1529 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1530
1531 /* Store peer's ECDH public key. */
1532 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
1533 handshake->ecdh_psa_peerkey_len = peerkey_len;
1534
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1535 return( 0 );
1536}
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame^]1537#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1538
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1539#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */