TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a3115dc0e6b3185812efbf73cc01e4da238257e8 / . / library / ssl_tls13_generic.c
blob: c48922fbf8f9cfeb2f878b0a45212a07f2eaf710 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]23
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]24#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]28#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]30#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]31#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]32
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]33#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]36
pespaceka1378102022-04-26 15:03:11 +0200[diff] [blame]37#include "psa/crypto.h"
38#include "mbedtls/psa_util.h"
39
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]40const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
41 MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
42 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
43 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
44 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
45 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]46
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]47int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
48 unsigned hs_type,
49 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]50 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]51{
52 int ret;
53
54 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
55 {
56 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
57 goto cleanup;
58 }
59
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]60 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]61 ssl->in_msg[0] != hs_type )
62 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]63 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]64 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]65 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]66 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
67 goto cleanup;
68 }
69
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]70 /*
71 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
72 * ...
73 * HandshakeType msg_type;
74 * uint24 length;
75 * ...
76 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]77 *buf = ssl->in_msg + 4;
78 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]79
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]80cleanup:
81
82 return( ret );
83}
84
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]85#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]86/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]87 * STATE HANDLING: Read CertificateVerify
88 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]89/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]90 *
91 * The structure is computed per TLS 1.3 specification as:
92 * - 64 bytes of octet 32,
93 * - 33 bytes for the context string
94 * (which is either "TLS 1.3, client CertificateVerify"
95 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]96 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]97 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
98 * (depending on the size of the transcript_hash)
99 *
100 * This results in a total size of
101 * - 130 bytes for a SHA256-based transcript hash, or
102 * (64 + 33 + 1 + 32 bytes)
103 * - 146 bytes for a SHA384-based transcript hash.
104 * (64 + 33 + 1 + 48 bytes)
105 *
106 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]107#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
108 33 + \
109 1 + \
110 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]111 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]112
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]113/*
114 * The ssl_tls13_create_verify_structure() creates the verify structure.
115 * As input, it requires the transcript hash.
116 *
117 * The caller has to ensure that the buffer has size at least
118 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
119 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]120static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]121 size_t transcript_hash_len,
122 unsigned char *verify_buffer,
123 size_t *verify_buffer_len,
124 int from )
125{
126 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]127
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]128 /* RFC 8446, Section 4.4.3:
129 *
130 * The digital signature [in the CertificateVerify message] is then
131 * computed over the concatenation of:
132 * - A string that consists of octet 32 (0x20) repeated 64 times
133 * - The context string
134 * - A single 0 byte which serves as the separator
135 * - The content to be signed
136 */
137 memset( verify_buffer, 0x20, 64 );
138 idx = 64;
139
140 if( from == MBEDTLS_SSL_IS_CLIENT )
141 {
142 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
143 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
144 }
145 else
146 { /* from == MBEDTLS_SSL_IS_SERVER */
147 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
148 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
149 }
150
151 verify_buffer[idx++] = 0x0;
152
153 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
154 idx += transcript_hash_len;
155
156 *verify_buffer_len = idx;
157}
158
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]159MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]160static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]161 const unsigned char *buf,
162 const unsigned char *end,
163 const unsigned char *verify_buffer,
164 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]165{
166 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
pespaceka1378102022-04-26 15:03:11 +0200[diff] [blame]167 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]168 const unsigned char *p = buf;
169 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]170 size_t signature_len;
171 mbedtls_pk_type_t sig_alg;
172 mbedtls_md_type_t md_alg;
pespaceka1378102022-04-26 15:03:11 +0200[diff] [blame]173 psa_algorithm_t hash_alg = PSA_ALG_NONE;
174 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]175 size_t verify_hash_len;
176
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]177 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]178#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]179 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]180#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
181
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]182 /*
183 * struct {
184 * SignatureScheme algorithm;
185 * opaque signature<0..2^16-1>;
186 * } CertificateVerify;
187 */
188 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
189 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
190 p += 2;
191
192 /* RFC 8446 section 4.4.3
193 *
194 * If the CertificateVerify message is sent by a server, the signature algorithm
195 * MUST be one offered in the client's "signature_algorithms" extension unless
196 * no valid certificate chain can be produced without unsupported algorithms
197 *
198 * RFC 8446 section 4.4.2.2
199 *
200 * If the client cannot construct an acceptable chain using the provided
201 * certificates and decides to abort the handshake, then it MUST abort the handshake
202 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
203 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]204 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]205 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]206 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]207 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]208 /* algorithm not in offered signature algorithms list */
209 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
210 "offered.",
211 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]212 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]213 }
214
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]215 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]216 algorithm, &sig_alg, &md_alg ) != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]217 {
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]218 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]219 }
220
pespaceka1378102022-04-26 15:03:11 +0200[diff] [blame]221 hash_alg = mbedtls_psa_translate_md( md_alg );
222 if( hash_alg == 0 )
223 {
224 goto error;
225 }
226
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]227 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
228 ( unsigned int ) algorithm ) );
229
230 /*
231 * Check the certificate's key type matches the signature alg
232 */
233 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
234 {
235 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]236 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]237 }
238
239 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
240 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
241 p += 2;
242 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
243
pespaceka1378102022-04-26 15:03:11 +0200[diff] [blame]244 status = psa_hash_compute( hash_alg,
245 verify_buffer,
246 verify_buffer_len,
247 verify_hash,
248 sizeof( verify_hash ),
249 &verify_hash_len );
250 if( status != PSA_SUCCESS )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]251 {
pespaceka1378102022-04-26 15:03:11 +0200[diff] [blame]252 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation PSA error", status );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]253 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]254 }
255
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]256 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]257#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
258 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
259 {
260 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]261 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]262 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
263 {
264 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
265 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]266 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
267 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]268 }
269#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]270
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]271 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]272 &ssl->session_negotiate->peer_cert->pk,
273 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]274 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]275 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]276 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]277 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]278 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]279
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]280error:
281 /* RFC 8446 section 4.4.3
282 *
283 * If the verification fails, the receiver MUST terminate the handshake
284 * with a "decrypt_error" alert.
285 */
286 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
287 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
288 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
289
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]290}
291#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
292
293int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
294{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]295
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]296#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
297 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
298 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
299 size_t verify_buffer_len;
300 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
301 size_t transcript_len;
302 unsigned char *buf;
303 size_t buf_len;
304
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
306
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]307 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]308 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]309 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]310
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]311 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]312 * before reading the message since otherwise it gets
313 * included in the transcript
314 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]315 ret = mbedtls_ssl_get_handshake_transcript( ssl,
316 ssl->handshake->ciphersuite_info->mac,
317 transcript, sizeof( transcript ),
318 &transcript_len );
319 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]320 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]321 MBEDTLS_SSL_PEND_FATAL_ALERT(
322 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
323 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
324 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]325 }
326
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]327 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
328
329 /* Create verify structure */
330 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]331 transcript_len,
332 verify_buffer,
333 &verify_buffer_len,
334 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
335 MBEDTLS_SSL_IS_SERVER :
336 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]337
338 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]339 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
340 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]341
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]342 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
343 buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]344
345cleanup:
346
347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]348 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]349 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]350#else
351 ((void) ssl);
352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
353 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
354#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]355}
356
357/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]358 *
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]359 * STATE HANDLING: Incoming Certificate.
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]360 *
361 */
362
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]363#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
364#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
365/*
366 * Structure of Certificate message:
367 *
368 * enum {
369 * X509(0),
370 * RawPublicKey(2),
371 * (255)
372 * } CertificateType;
373 *
374 * struct {
375 * select (certificate_type) {
376 * case RawPublicKey:
377 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
378 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
379 * case X509:
380 * opaque cert_data<1..2^24-1>;
381 * };
382 * Extension extensions<0..2^16-1>;
383 * } CertificateEntry;
384 *
385 * struct {
386 * opaque certificate_request_context<0..2^8-1>;
387 * CertificateEntry certificate_list<0..2^24-1>;
388 * } Certificate;
389 *
390 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]391
392/* Parse certificate chain send by the server. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]393MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]394static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
395 const unsigned char *buf,
396 const unsigned char *end )
397{
398 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
399 size_t certificate_request_context_len = 0;
400 size_t certificate_list_len = 0;
401 const unsigned char *p = buf;
402 const unsigned char *certificate_list_end;
403
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]404 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]405 certificate_request_context_len = p[0];
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]406 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
407 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]408
409 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
410 * support anything beyond 2^16 = 64K.
411 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]412 if( ( certificate_request_context_len != 0 ) ||
413 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]414 {
415 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
416 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
417 MBEDTLS_ERR_SSL_DECODE_ERROR );
418 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
419 }
420
421 /* In case we tried to reuse a session but it failed */
422 if( ssl->session_negotiate->peer_cert != NULL )
423 {
424 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
425 mbedtls_free( ssl->session_negotiate->peer_cert );
426 }
427
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]428 if( certificate_list_len == 0 )
429 {
430 ssl->session_negotiate->peer_cert = NULL;
431 ret = 0;
432 goto exit;
433 }
434
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]435 if( ( ssl->session_negotiate->peer_cert =
436 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
437 {
438 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
439 sizeof( mbedtls_x509_crt ) ) );
440 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
441 MBEDTLS_ERR_SSL_ALLOC_FAILED );
442 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
443 }
444
445 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
446
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]447 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]448 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]449 {
450 size_t cert_data_len, extensions_len;
451
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]452 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]453 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]454 p += 3;
455
456 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
457 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
458 * check that we have a minimum of 128 bytes of data, this is not
459 * clear why we need that though.
460 */
461 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]462 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
464 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
465 MBEDTLS_ERR_SSL_DECODE_ERROR );
466 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
467 }
468
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]469 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]470 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
471 p, cert_data_len );
472
473 switch( ret )
474 {
475 case 0: /*ok*/
476 break;
477 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
478 /* Ignore certificate with an unknown algorithm: maybe a
479 prior certificate was already trusted. */
480 break;
481
482 case MBEDTLS_ERR_X509_ALLOC_FAILED:
483 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
484 MBEDTLS_ERR_X509_ALLOC_FAILED );
485 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
486 return( ret );
487
488 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
489 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
490 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
491 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
492 return( ret );
493
494 default:
495 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
496 ret );
497 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
498 return( ret );
499 }
500
501 p += cert_data_len;
502
503 /* Certificate extensions length */
504 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
505 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
506 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]507 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]508 p += extensions_len;
509 }
510
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]511exit:
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]512 /* Check that all the message is consumed. */
513 if( p != end )
514 {
515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
516 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
517 MBEDTLS_ERR_SSL_DECODE_ERROR );
518 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
519 }
520
521 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
522
523 return( ret );
524}
525#else
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]526MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]527static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
528 const unsigned char *buf,
529 const unsigned char *end )
530{
531 ((void) ssl);
532 ((void) buf);
533 ((void) end);
534 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
535}
536#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
537#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
538
539#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
540#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]541/* Validate certificate chain sent by the server. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]542MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]543static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
544{
545 int ret = 0;
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]546 int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]547 mbedtls_x509_crt *ca_chain;
548 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]549 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]550
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]551 /* If SNI was used, overwrite authentication mode
552 * from the configuration. */
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]553#if defined(MBEDTLS_SSL_SRV_C)
554 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
XiaokangQiane7a5da52022-05-30 00:59:29 +0000[diff] [blame]555 authmode = ssl->conf->authmode;
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]556#endif
557
558 /*
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]559 * If the peer hasn't sent a certificate ( i.e. it sent
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]560 * an empty certificate chain ), this is reflected in the peer CRT
561 * structure being unset.
562 * Check for that and handle it depending on the
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]563 * authentication mode.
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]564 */
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]565 if( ssl->session_negotiate->peer_cert == NULL )
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]566 {
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) );
568
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]569#if defined(MBEDTLS_SSL_SRV_C)
570 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
571 {
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]572 /* The client was asked for a certificate but didn't send
573 * one. The client should know what's going on, so we
574 * don't send an alert.
575 */
576 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
577 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
578 return( 0 );
579 else
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]580 {
581 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]582 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
583 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]584 }
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]585 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]586#endif /* MBEDTLS_SSL_SRV_C */
587
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]588#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]589 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
590 {
591 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
592 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
593 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
594 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]595#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]596 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]597
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]598#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
599 if( ssl->handshake->sni_ca_chain != NULL )
600 {
601 ca_chain = ssl->handshake->sni_ca_chain;
602 ca_crl = ssl->handshake->sni_ca_crl;
603 }
604 else
605#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
606 {
607 ca_chain = ssl->conf->ca_chain;
608 ca_crl = ssl->conf->ca_crl;
609 }
610
611 /*
612 * Main check: verify certificate
613 */
614 ret = mbedtls_x509_crt_verify_with_profile(
615 ssl->session_negotiate->peer_cert,
616 ca_chain, ca_crl,
617 ssl->conf->cert_profile,
618 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]619 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]620 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
621
622 if( ret != 0 )
623 {
624 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
625 }
626
627 /*
628 * Secondary checks: always done, but change 'ret' only if it was 0
629 */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]630 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
631 ssl->handshake->ciphersuite_info,
632 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]633 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]634 {
635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
636 if( ret == 0 )
637 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
638 }
639
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]640 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
641 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
642 * with details encoded in the verification flags. All other kinds
643 * of error codes, including those from the user provided f_vrfy
644 * functions, are treated as fatal and lead to a failure of
645 * ssl_tls13_parse_certificate even if verification was optional. */
646 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
647 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
648 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
649 {
650 ret = 0;
651 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]652
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]653 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]654 {
655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
656 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
657 }
658
659 if( ret != 0 )
660 {
661 /* The certificate may have been rejected for several reasons.
662 Pick one and send the corresponding alert. Which alert to send
663 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]664 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]665 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]666 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]667 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]668 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
669 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
670 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
671 MBEDTLS_X509_BADCERT_BAD_PK |
672 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]673 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]674 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]675 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]676 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]677 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]678 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]679 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
680 else
681 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
682 }
683
684#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]685 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]686 {
687 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]688 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]689 }
690 else
691 {
692 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
693 }
694#endif /* MBEDTLS_DEBUG_C */
695
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]696 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]697 return( ret );
698}
699#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]700MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]701static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
702{
703 ((void) ssl);
704 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
705}
706#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
707#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
708
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]709int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]710{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]711 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
712 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
713
714#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]715 unsigned char *buf;
716 size_t buf_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]717
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]718 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
719 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
720 &buf, &buf_len ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]721
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]722 /* Parse the certificate chain sent by the peer. */
723 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf,
724 buf + buf_len ) );
725 /* Validate the certificate chain and set the verification results. */
726 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]727
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]728 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
729 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]730
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]731cleanup:
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]732#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]733
734 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
735 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]736}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]737#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]738/*
739 * enum {
740 * X509(0),
741 * RawPublicKey(2),
742 * (255)
743 * } CertificateType;
744 *
745 * struct {
746 * select (certificate_type) {
747 * case RawPublicKey:
748 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
749 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
750 *
751 * case X509:
752 * opaque cert_data<1..2^24-1>;
753 * };
754 * Extension extensions<0..2^16-1>;
755 * } CertificateEntry;
756 *
757 * struct {
758 * opaque certificate_request_context<0..2^8-1>;
759 * CertificateEntry certificate_list<0..2^24-1>;
760 * } Certificate;
761 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]762MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]763static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]764 unsigned char *buf,
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]765 unsigned char *end,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]766 size_t *out_len )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]767{
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]768 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]769 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]770 unsigned char *certificate_request_context =
771 ssl->handshake->certificate_request_context;
772 unsigned char certificate_request_context_len =
773 ssl->handshake->certificate_request_context_len;
774 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]775
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]776
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]777 /* ...
778 * opaque certificate_request_context<0..2^8-1>;
779 * ...
780 */
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]781 MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
782 *p++ = certificate_request_context_len;
783 if( certificate_request_context_len > 0 )
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]784 {
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]785 memcpy( p, certificate_request_context, certificate_request_context_len );
786 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]787 }
788
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]789 /* ...
790 * CertificateEntry certificate_list<0..2^24-1>;
791 * ...
792 */
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]793 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]794 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]795 p += 3;
796
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]797 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]798
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]799 while( crt != NULL )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]800 {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]801 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]802
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]803 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
804 MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
805 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]806
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]807 memcpy( p, crt->raw.p, cert_data_len );
808 p += cert_data_len;
809 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]810
811 /* Currently, we don't have any certificate extensions defined.
812 * Hence, we are sending an empty extension with length zero.
813 */
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]814 MBEDTLS_PUT_UINT24_BE( 0, p, 0 );
815 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]816 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]817
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]818 MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
819 p_certificate_list_len, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]820
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]821 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]822
823 return( 0 );
824}
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]825
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]826int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]827{
828 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]829 unsigned char *buf;
830 size_t buf_len, msg_len;
831
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]832 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
833
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]834 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]835 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]836
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]837 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
838 buf,
839 buf + buf_len,
840 &msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]841
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]842 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
843 buf, msg_len );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]844
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]845 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]846 ssl, buf_len, msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]847cleanup:
848
849 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
850 return( ret );
851}
852
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]853/*
854 * STATE HANDLING: Output Certificate Verify
855 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]856MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]857static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
858 mbedtls_pk_context *own_key,
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]859 uint16_t *algorithm )
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]860{
861 mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
862 /* Determine the size of the key */
863 size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]864 *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]865 ((void) own_key_size);
866
867 switch( sig )
868 {
869#if defined(MBEDTLS_ECDSA_C)
870 case MBEDTLS_SSL_SIG_ECDSA:
871 switch( own_key_size )
872 {
873 case 256:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]874 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]875 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]876 case 384:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]877 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]878 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]879 case 521:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]880 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]881 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]882 default:
883 MBEDTLS_SSL_DEBUG_MSG( 3,
884 ( "unknown key size: %"
885 MBEDTLS_PRINTF_SIZET " bits",
886 own_key_size ) );
887 break;
888 }
889 break;
890#endif /* MBEDTLS_ECDSA_C */
891
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]892#if defined(MBEDTLS_RSA_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]893 case MBEDTLS_SSL_SIG_RSA:
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]894#if defined(MBEDTLS_PKCS1_V21)
895#if defined(MBEDTLS_SHA256_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]896 if( own_key_size <= 2048 &&
897 mbedtls_ssl_sig_alg_is_received( ssl,
898 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
899 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]900 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]901 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]902 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]903 else
904#endif /* MBEDTLS_SHA256_C */
905#if defined(MBEDTLS_SHA384_C)
906 if( own_key_size <= 3072 &&
907 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]908 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
909 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]910 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]911 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]912 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]913 else
914#endif /* MBEDTLS_SHA384_C */
915#if defined(MBEDTLS_SHA512_C)
916 if( own_key_size <= 4096 &&
917 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]918 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
919 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]920 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]921 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]922 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]923 else
924#endif /* MBEDTLS_SHA512_C */
925#endif /* MBEDTLS_PKCS1_V21 */
926#if defined(MBEDTLS_PKCS1_V15)
927#if defined(MBEDTLS_SHA256_C)
928 if( own_key_size <= 2048 &&
929 mbedtls_ssl_sig_alg_is_received( ssl,
930 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
931 {
932 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]933 return( 0 );
934 }
935 else
936#endif /* MBEDTLS_SHA256_C */
937#if defined(MBEDTLS_SHA384_C)
938 if( own_key_size <= 3072 &&
939 mbedtls_ssl_sig_alg_is_received( ssl,
940 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
941 {
942 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]943 return( 0 );
944 }
945 else
946#endif /* MBEDTLS_SHA384_C */
947#if defined(MBEDTLS_SHA512_C)
948 if( own_key_size <= 4096 &&
949 mbedtls_ssl_sig_alg_is_received( ssl,
950 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
951 {
952 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]953 return( 0 );
954 }
955 else
956#endif /* MBEDTLS_SHA512_C */
957#endif /* MBEDTLS_PKCS1_V15 */
958 {
959 MBEDTLS_SSL_DEBUG_MSG( 3,
960 ( "unknown key size: %"
961 MBEDTLS_PRINTF_SIZET " bits",
962 own_key_size ) );
963 }
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]964 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]965#endif /* MBEDTLS_RSA_C */
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]966 default:
967 MBEDTLS_SSL_DEBUG_MSG( 1,
Andrzej Kurek5c65c572022-04-13 14:28:52 -0400[diff] [blame]968 ( "unknown signature type : %u", sig ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]969 break;
970 }
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]971 return( -1 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]972}
973
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]974MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]975static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
976 unsigned char *buf,
977 unsigned char *end,
978 size_t *out_len )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]979{
980 int ret;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]981 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]982 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]983
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]984 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
985 size_t handshake_hash_len;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]986 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
987 size_t verify_buffer_len;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]988 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]989 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
pespacek34935872022-05-20 15:43:32 +0200[diff] [blame]990 psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
Jerry Yu78272072022-02-22 10:28:13 +0800[diff] [blame]991 uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]992 size_t signature_len = 0;
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]993 unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]994 size_t verify_hash_len;
pespacekb06acd72022-06-07 13:07:21 +0200[diff] [blame]995 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]996
Jerry Yu0b7b1012022-02-23 12:23:05 +0800[diff] [blame]997 *out_len = 0;
998
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]999 own_key = mbedtls_ssl_own_key( ssl );
1000 if( own_key == NULL )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1001 {
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1002 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1003 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1004 }
1005
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1006 ret = mbedtls_ssl_get_handshake_transcript( ssl,
1007 ssl->handshake->ciphersuite_info->mac,
1008 handshake_hash,
1009 sizeof( handshake_hash ),
1010 &handshake_hash_len );
1011 if( ret != 0 )
1012 return( ret );
1013
1014 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1015 handshake_hash,
1016 handshake_hash_len);
1017
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1018 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1019 verify_buffer, &verify_buffer_len,
1020 ssl->conf->endpoint );
1021
1022 /*
1023 * struct {
1024 * SignatureScheme algorithm;
1025 * opaque signature<0..2^16-1>;
1026 * } CertificateVerify;
1027 */
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1028 ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1029 if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1030 {
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1031 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]1032 ( "signature algorithm not in received or offered list." ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1033
1034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
1035 mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
1036
Jerry Yu71f36f12022-02-23 17:34:29 +0800[diff] [blame]1037 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1038 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1039 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1040 }
1041
Jerry Yu6c6f1022022-03-25 11:09:50 +0800[diff] [blame]1042 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
1043 algorithm, &pk_type, &md_alg ) != 0 )
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1044 {
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]1045 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1046 }
1047
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1048 /* Check there is space for the algorithm identifier (2 bytes) and the
1049 * signature length (2 bytes).
1050 */
1051 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1052 MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
1053 p += 2;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1054
1055 /* Hash verify buffer with indicated hash function */
pespacek34935872022-05-20 15:43:32 +0200[diff] [blame]1056 psa_algorithm = mbedtls_psa_translate_md( md_alg );
pespacekb06acd72022-06-07 13:07:21 +0200[diff] [blame]1057 status = psa_hash_compute( psa_algorithm,
1058 verify_buffer,
1059 verify_buffer_len,
1060 verify_hash,sizeof( verify_hash ),
1061 &verify_hash_len );
1062 if( status != PSA_SUCCESS )
pespacek670913f2022-06-07 10:53:39 +0200[diff] [blame]1063 return( psa_ssl_status_to_mbedtls( status ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1064
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1065 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1066
Jerry Yu8beb9e12022-03-12 16:23:53 +0800[diff] [blame]1067 if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1068 md_alg, verify_hash, verify_hash_len,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1069 p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
1070 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1071 {
1072 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
1073 return( ret );
1074 }
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1075
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1076 MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
1077 p += 2 + signature_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1078
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1079 *out_len = (size_t)( p - buf );
1080
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1081 return( ret );
1082}
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1083
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1084int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1085{
1086 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1087 unsigned char *buf;
1088 size_t buf_len, msg_len;
1089
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1091
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1092 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1093 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1094
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1095 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1096 ssl, buf, buf + buf_len, &msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1097
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1098 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1099 buf, msg_len );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1100
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1101 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1102 ssl, buf_len, msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1103
1104cleanup:
1105
1106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1107 return( ret );
1108}
1109
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1110#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1111
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1112/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1113 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1114 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1115 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1116/*
1117 * Implementation
1118 */
1119
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]1120MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1121static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1122{
1123 int ret;
1124
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1125 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1126 ssl->handshake->state_local.finished_in.digest,
1127 sizeof( ssl->handshake->state_local.finished_in.digest ),
1128 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1129 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1130 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1131 if( ret != 0 )
1132 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1133 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1134 return( ret );
1135 }
1136
1137 return( 0 );
1138}
1139
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]1140MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1141static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1142 const unsigned char *buf,
1143 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1144{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1145 /*
1146 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1147 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1148 * } Finished;
1149 */
1150 const unsigned char *expected_verify_data =
1151 ssl->handshake->state_local.finished_in.digest;
1152 size_t expected_verify_data_len =
1153 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1154 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1155 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1156 {
1157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1158
1159 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1160 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1161 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1162 }
1163
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1164 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1165 expected_verify_data,
1166 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1167 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1168 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1169
1170 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]1171 if( mbedtls_ct_memcmp( buf,
1172 expected_verify_data,
1173 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1174 {
1175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1176
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1177 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1178 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1179 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1180 }
1181 return( 0 );
1182}
1183
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1184int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1185{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1187 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1188 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1189
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1190 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1191
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1192 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1193 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1194 &buf, &buf_len ) );
Jerry Yu0a92d6c2022-05-16 16:54:46 +0800[diff] [blame]1195
1196 /* Preprocessing step: Compute handshake digest */
1197 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
1198
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1199 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Jerry Yu0a92d6c2022-05-16 16:54:46 +0800[diff] [blame]1200
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1201 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1202 buf, buf_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1203
1204cleanup:
1205
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1206 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1207 return( ret );
1208}
1209
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1210/*
1211 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1212 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1213 *
1214 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1215/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1216 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1217 */
1218
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]1219MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1220static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1221{
1222 int ret;
1223
1224 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1225 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1226 ssl->handshake->state_local.finished_out.digest,
1227 sizeof( ssl->handshake->state_local.finished_out.digest ),
1228 &ssl->handshake->state_local.finished_out.digest_len,
1229 ssl->conf->endpoint );
1230
1231 if( ret != 0 )
1232 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1233 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1234 return( ret );
1235 }
1236
1237 return( 0 );
1238}
1239
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]1240MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1241static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1242 unsigned char *buf,
1243 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1244 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1245{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1246 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1247 /*
1248 * struct {
1249 * opaque verify_data[Hash.length];
1250 * } Finished;
1251 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1252 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1253
1254 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1255 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1256
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1257 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1258 return( 0 );
1259}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1260
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1261/* Main entry point: orchestrates the other functions */
1262int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1263{
1264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1265 unsigned char *buf;
1266 size_t buf_len, msg_len;
1267
1268 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1269
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1270 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1271
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1272 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1273 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1274
1275 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1276 ssl, buf, buf + buf_len, &msg_len ) );
1277
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1278 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1279 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1280
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1281 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1282 ssl, buf_len, msg_len ) );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1283cleanup:
1284
1285 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1286 return( ret );
1287}
1288
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1289void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1290{
1291
1292 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1293
Jerry Yue8c1fca2022-05-18 14:48:56 +0800[diff] [blame]1294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1295 mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1296
1297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1298 mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1299
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1300 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1301 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1302 */
1303 if( ssl->session )
1304 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1305 mbedtls_ssl_session_free( ssl->session );
1306 mbedtls_free( ssl->session );
1307 }
1308 ssl->session = ssl->session_negotiate;
1309 ssl->session_negotiate = NULL;
1310
1311 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1312}
1313
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1314/*
1315 *
1316 * STATE HANDLING: Write ChangeCipherSpec
1317 *
1318 */
1319#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame^]1320MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1321static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1322 unsigned char *buf,
1323 unsigned char *end,
1324 size_t *olen )
1325{
1326 ((void) ssl);
1327
1328 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1329 buf[0] = 1;
1330 *olen = 1;
1331
1332 return( 0 );
1333}
1334
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1335int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1336{
1337 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1338
1339 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1340
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1341 /* Write CCS message */
1342 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1343 ssl, ssl->out_msg,
1344 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1345 &ssl->out_msglen ) );
1346
1347 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1348
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1349 /* Dispatch message */
Ronald Cron66dbf912022-02-02 15:33:46 +0100[diff] [blame]1350 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1351
1352cleanup:
1353
1354 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1355 return( ret );
1356}
1357
1358#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1359
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1360/* Reset SSL context and update hash for handling HRR.
1361 *
1362 * Replace Transcript-Hash(X) by
1363 * Transcript-Hash( message_hash ||
1364 * 00 00 Hash.length ||
1365 * X )
1366 * A few states of the handshake are preserved, including:
1367 * - session ID
1368 * - session ticket
1369 * - negotiated ciphersuite
1370 */
1371int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1372{
1373 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1374 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1375 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1376 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1377 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1378 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1379
1380 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1381
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1382 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1383 hash_transcript + 4,
1384 MBEDTLS_MD_MAX_SIZE,
1385 &hash_len );
1386 if( ret != 0 )
1387 {
1388 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1389 return( ret );
1390 }
1391
1392 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1393 hash_transcript[1] = 0;
1394 hash_transcript[2] = 0;
1395 hash_transcript[3] = (unsigned char) hash_len;
1396
1397 hash_len += 4;
1398
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1399 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1400 {
1401#if defined(MBEDTLS_SHA256_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1402 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1403 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1404
1405#if defined(MBEDTLS_USE_PSA_CRYPTO)
1406 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1407 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1408#else
1409 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1410#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1411#endif /* MBEDTLS_SHA256_C */
1412 }
1413 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1414 {
1415#if defined(MBEDTLS_SHA384_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1416 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1417 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1418
1419#if defined(MBEDTLS_USE_PSA_CRYPTO)
1420 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1421 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1422#else
1423 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1424#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1425#endif /* MBEDTLS_SHA384_C */
1426 }
1427
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1428#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
1429 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1430#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +0100[diff] [blame]1431
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1432 return( ret );
1433}
1434
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1435#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1436
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1437int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
1438 const unsigned char *buf,
1439 size_t buf_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1440{
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1441 uint8_t *p = (uint8_t*)buf;
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1442 const uint8_t *end = buf + buf_len;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1443 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1444
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1445 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1446 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1447 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1448 p += 2;
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1449
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1450 /* Check if key size is consistent with given buffer length. */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1451 MBEDTLS_SSL_CHK_BUF_PTR( p, end, peerkey_len );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1452
1453 /* Store peer's ECDH public key. */
1454 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
1455 handshake->ecdh_psa_peerkey_len = peerkey_len;
1456
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1457 return( 0 );
1458}
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1459
1460int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1461 mbedtls_ssl_context *ssl,
1462 uint16_t named_group,
1463 unsigned char *buf,
1464 unsigned char *end,
1465 size_t *out_len )
1466{
1467 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1468 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1469 psa_key_attributes_t key_attributes;
1470 size_t own_pubkey_len;
1471 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1472 size_t ecdh_bits = 0;
1473
1474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
1475
1476 /* Convert EC group to PSA key type. */
1477 if( ( handshake->ecdh_psa_type =
1478 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
1479 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1480
1481 ssl->handshake->ecdh_bits = ecdh_bits;
1482
1483 key_attributes = psa_key_attributes_init();
1484 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
1485 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
1486 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
1487 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
1488
1489 /* Generate ECDH private key. */
1490 status = psa_generate_key( &key_attributes,
1491 &handshake->ecdh_psa_privkey );
1492 if( status != PSA_SUCCESS )
1493 {
1494 ret = psa_ssl_status_to_mbedtls( status );
1495 MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
1496 return( ret );
1497
1498 }
1499
1500 /* Export the public part of the ECDH private key from PSA. */
1501 status = psa_export_public_key( handshake->ecdh_psa_privkey,
1502 buf, (size_t)( end - buf ),
1503 &own_pubkey_len );
1504 if( status != PSA_SUCCESS )
1505 {
1506 ret = psa_ssl_status_to_mbedtls( status );
1507 MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
1508 return( ret );
1509
1510 }
1511
1512 *out_len = own_pubkey_len;
1513
1514 return( 0 );
1515}
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1516#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1517
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1518#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */