TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c4b8c99a38e2201598c839483c307ba5073fe1e8 / . / library / ssl_tls13_generic.c
blob: 18a66ecb8b50e931669e16d1bc39c5d82b4fb676 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]23
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]24#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]28#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]30#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]31#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]32
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#include "ecp_internal.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]34#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]35#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]36#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]37
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]38int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
39 unsigned hs_type,
40 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]41 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]42{
43 int ret;
44
45 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
46 {
47 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
48 goto cleanup;
49 }
50
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]51 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]52 ssl->in_msg[0] != hs_type )
53 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]54 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]55 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]56 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]57 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
58 goto cleanup;
59 }
60
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]61 /*
62 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
63 * ...
64 * HandshakeType msg_type;
65 * uint24 length;
66 * ...
67 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]68 *buf = ssl->in_msg + 4;
69 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]70
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]71cleanup:
72
73 return( ret );
74}
75
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]76#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]77/* mbedtls_ssl_tls13_parse_sig_alg_ext()
78 *
79 * enum {
80 * ....
81 * ecdsa_secp256r1_sha256( 0x0403 ),
82 * ecdsa_secp384r1_sha384( 0x0503 ),
83 * ecdsa_secp521r1_sha512( 0x0603 ),
84 * ....
85 * } SignatureScheme;
86 *
87 * struct {
88 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
89 * } SignatureSchemeList;
90 */
91int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
92 const unsigned char *buf,
93 const unsigned char *end )
94{
95 const unsigned char *p = buf;
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]96 size_t supported_sig_algs_len = 0;
97 const unsigned char *supported_sig_algs_end;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]98 uint16_t sig_alg;
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]99 uint32_t common_idx = 0;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]100
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]101 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]102 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]103 p += 2;
104
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]105 memset( ssl->handshake->received_sig_algs, 0,
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]106 sizeof(ssl->handshake->received_sig_algs) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]107
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]108 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
109 supported_sig_algs_end = p + supported_sig_algs_len;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]110 while( p < supported_sig_algs_end )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]111 {
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]112 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]113 sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]114 p += 2;
115
116 MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]117 sig_alg ) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]118
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]119 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ||
120 ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
121 continue;
122
123 if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]124 {
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]125 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]126 common_idx += 1;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]127 }
128 }
129 /* Check that we consumed all the message. */
130 if( p != end )
131 {
132 MBEDTLS_SSL_DEBUG_MSG( 1,
133 ( "Signature algorithms extension length misaligned" ) );
134 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
135 MBEDTLS_ERR_SSL_DECODE_ERROR );
136 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
137 }
138
139 if( common_idx == 0 )
140 {
141 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
142 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
143 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
144 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
145 }
146
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]147 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]148 return( 0 );
149}
150
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]151/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]152 * STATE HANDLING: Read CertificateVerify
153 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]154/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]155 *
156 * The structure is computed per TLS 1.3 specification as:
157 * - 64 bytes of octet 32,
158 * - 33 bytes for the context string
159 * (which is either "TLS 1.3, client CertificateVerify"
160 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]161 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]162 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
163 * (depending on the size of the transcript_hash)
164 *
165 * This results in a total size of
166 * - 130 bytes for a SHA256-based transcript hash, or
167 * (64 + 33 + 1 + 32 bytes)
168 * - 146 bytes for a SHA384-based transcript hash.
169 * (64 + 33 + 1 + 48 bytes)
170 *
171 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]172#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
173 33 + \
174 1 + \
175 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]176 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]177
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]178/*
179 * The ssl_tls13_create_verify_structure() creates the verify structure.
180 * As input, it requires the transcript hash.
181 *
182 * The caller has to ensure that the buffer has size at least
183 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
184 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]185static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]186 size_t transcript_hash_len,
187 unsigned char *verify_buffer,
188 size_t *verify_buffer_len,
189 int from )
190{
191 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]192
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]193 /* RFC 8446, Section 4.4.3:
194 *
195 * The digital signature [in the CertificateVerify message] is then
196 * computed over the concatenation of:
197 * - A string that consists of octet 32 (0x20) repeated 64 times
198 * - The context string
199 * - A single 0 byte which serves as the separator
200 * - The content to be signed
201 */
202 memset( verify_buffer, 0x20, 64 );
203 idx = 64;
204
205 if( from == MBEDTLS_SSL_IS_CLIENT )
206 {
207 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
208 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
209 }
210 else
211 { /* from == MBEDTLS_SSL_IS_SERVER */
212 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
213 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
214 }
215
216 verify_buffer[idx++] = 0x0;
217
218 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
219 idx += transcript_hash_len;
220
221 *verify_buffer_len = idx;
222}
223
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]224static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]225 const unsigned char *buf,
226 const unsigned char *end,
227 const unsigned char *verify_buffer,
228 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]229{
230 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
231 const unsigned char *p = buf;
232 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]233 size_t signature_len;
234 mbedtls_pk_type_t sig_alg;
235 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]236 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]237 size_t verify_hash_len;
238
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]239 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]240#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]241 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]242#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
243
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]244 /*
245 * struct {
246 * SignatureScheme algorithm;
247 * opaque signature<0..2^16-1>;
248 * } CertificateVerify;
249 */
250 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
251 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
252 p += 2;
253
254 /* RFC 8446 section 4.4.3
255 *
256 * If the CertificateVerify message is sent by a server, the signature algorithm
257 * MUST be one offered in the client's "signature_algorithms" extension unless
258 * no valid certificate chain can be produced without unsupported algorithms
259 *
260 * RFC 8446 section 4.4.2.2
261 *
262 * If the client cannot construct an acceptable chain using the provided
263 * certificates and decides to abort the handshake, then it MUST abort the handshake
264 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
265 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]266 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]267 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]268 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]269 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]270 /* algorithm not in offered signature algorithms list */
271 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
272 "offered.",
273 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]274 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]275 }
276
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]277 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]278 algorithm, &sig_alg, &md_alg ) != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]279 {
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]280 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]281 }
282
283 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
284 ( unsigned int ) algorithm ) );
285
286 /*
287 * Check the certificate's key type matches the signature alg
288 */
289 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
290 {
291 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]292 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]293 }
294
295 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
296 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
297 p += 2;
298 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
299
300 /* Hash verify buffer with indicated hash function */
301 switch( md_alg )
302 {
303#if defined(MBEDTLS_SHA256_C)
304 case MBEDTLS_MD_SHA256:
305 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]306 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]307 break;
308#endif /* MBEDTLS_SHA256_C */
309
310#if defined(MBEDTLS_SHA384_C)
311 case MBEDTLS_MD_SHA384:
312 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]313 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]314 break;
315#endif /* MBEDTLS_SHA384_C */
316
317#if defined(MBEDTLS_SHA512_C)
318 case MBEDTLS_MD_SHA512:
319 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]320 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]321 break;
322#endif /* MBEDTLS_SHA512_C */
323
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]324 default:
325 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
326 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]327 }
328
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]329 if( ret != 0 )
330 {
331 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]332 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]333 }
334
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]335 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]336#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
337 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
338 {
339 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]340 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]341 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
342 {
343 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
344 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]345 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
346 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]347 }
348#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]349
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]350 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]351 &ssl->session_negotiate->peer_cert->pk,
352 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]353 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]354 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]355 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]356 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]357 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]358
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]359error:
360 /* RFC 8446 section 4.4.3
361 *
362 * If the verification fails, the receiver MUST terminate the handshake
363 * with a "decrypt_error" alert.
364 */
365 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
366 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
367 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
368
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]369}
370#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
371
372int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
373{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]374
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]375#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
376 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
377 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
378 size_t verify_buffer_len;
379 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
380 size_t transcript_len;
381 unsigned char *buf;
382 size_t buf_len;
383
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]384 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
385
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]386 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]387 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]388 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]389
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]390 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]391 * before reading the message since otherwise it gets
392 * included in the transcript
393 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]394 ret = mbedtls_ssl_get_handshake_transcript( ssl,
395 ssl->handshake->ciphersuite_info->mac,
396 transcript, sizeof( transcript ),
397 &transcript_len );
398 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]399 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]400 MBEDTLS_SSL_PEND_FATAL_ALERT(
401 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
402 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
403 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]404 }
405
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]406 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
407
408 /* Create verify structure */
409 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]410 transcript_len,
411 verify_buffer,
412 &verify_buffer_len,
413 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
414 MBEDTLS_SSL_IS_SERVER :
415 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]416
417 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]418 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
419 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]420
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]421 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
422 buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]423
424cleanup:
425
426 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]427 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]428 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]429#else
430 ((void) ssl);
431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
432 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
433#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]434}
435
436/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]437 *
438 * STATE HANDLING: Incoming Certificate, client-side only currently.
439 *
440 */
441
442/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]443 * Implementation
444 */
445
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]446#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
447#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
448/*
449 * Structure of Certificate message:
450 *
451 * enum {
452 * X509(0),
453 * RawPublicKey(2),
454 * (255)
455 * } CertificateType;
456 *
457 * struct {
458 * select (certificate_type) {
459 * case RawPublicKey:
460 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
461 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
462 * case X509:
463 * opaque cert_data<1..2^24-1>;
464 * };
465 * Extension extensions<0..2^16-1>;
466 * } CertificateEntry;
467 *
468 * struct {
469 * opaque certificate_request_context<0..2^8-1>;
470 * CertificateEntry certificate_list<0..2^24-1>;
471 * } Certificate;
472 *
473 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]474
475/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]476static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
477 const unsigned char *buf,
478 const unsigned char *end )
479{
480 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
481 size_t certificate_request_context_len = 0;
482 size_t certificate_list_len = 0;
483 const unsigned char *p = buf;
484 const unsigned char *certificate_list_end;
485
486 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
487 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]488 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]489 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]490
491 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
492 * support anything beyond 2^16 = 64K.
493 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]494 if( ( certificate_request_context_len != 0 ) ||
495 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]496 {
497 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
498 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
499 MBEDTLS_ERR_SSL_DECODE_ERROR );
500 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
501 }
502
503 /* In case we tried to reuse a session but it failed */
504 if( ssl->session_negotiate->peer_cert != NULL )
505 {
506 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
507 mbedtls_free( ssl->session_negotiate->peer_cert );
508 }
509
510 if( ( ssl->session_negotiate->peer_cert =
511 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
512 {
513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
514 sizeof( mbedtls_x509_crt ) ) );
515 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
516 MBEDTLS_ERR_SSL_ALLOC_FAILED );
517 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
518 }
519
520 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
521
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]522 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]523 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]524 {
525 size_t cert_data_len, extensions_len;
526
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]527 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]528 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]529 p += 3;
530
531 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
532 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
533 * check that we have a minimum of 128 bytes of data, this is not
534 * clear why we need that though.
535 */
536 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]537 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
539 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
540 MBEDTLS_ERR_SSL_DECODE_ERROR );
541 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
542 }
543
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]544 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]545 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
546 p, cert_data_len );
547
548 switch( ret )
549 {
550 case 0: /*ok*/
551 break;
552 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
553 /* Ignore certificate with an unknown algorithm: maybe a
554 prior certificate was already trusted. */
555 break;
556
557 case MBEDTLS_ERR_X509_ALLOC_FAILED:
558 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
559 MBEDTLS_ERR_X509_ALLOC_FAILED );
560 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
561 return( ret );
562
563 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
564 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
565 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
566 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
567 return( ret );
568
569 default:
570 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
571 ret );
572 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
573 return( ret );
574 }
575
576 p += cert_data_len;
577
578 /* Certificate extensions length */
579 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
580 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
581 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]582 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]583 p += extensions_len;
584 }
585
586 /* Check that all the message is consumed. */
587 if( p != end )
588 {
589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
590 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
591 MBEDTLS_ERR_SSL_DECODE_ERROR );
592 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
593 }
594
595 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
596
597 return( ret );
598}
599#else
600static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
601 const unsigned char *buf,
602 const unsigned char *end )
603{
604 ((void) ssl);
605 ((void) buf);
606 ((void) end);
607 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
608}
609#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
610#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
611
612#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
613#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]614/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]615static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
616{
617 int ret = 0;
618 mbedtls_x509_crt *ca_chain;
619 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]620 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]621
622#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
623 if( ssl->handshake->sni_ca_chain != NULL )
624 {
625 ca_chain = ssl->handshake->sni_ca_chain;
626 ca_crl = ssl->handshake->sni_ca_crl;
627 }
628 else
629#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
630 {
631 ca_chain = ssl->conf->ca_chain;
632 ca_crl = ssl->conf->ca_crl;
633 }
634
635 /*
636 * Main check: verify certificate
637 */
638 ret = mbedtls_x509_crt_verify_with_profile(
639 ssl->session_negotiate->peer_cert,
640 ca_chain, ca_crl,
641 ssl->conf->cert_profile,
642 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]643 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]644 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
645
646 if( ret != 0 )
647 {
648 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
649 }
650
651 /*
652 * Secondary checks: always done, but change 'ret' only if it was 0
653 */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]654 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
655 ssl->handshake->ciphersuite_info,
656 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]657 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]658 {
659 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
660 if( ret == 0 )
661 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
662 }
663
664
665 if( ca_chain == NULL )
666 {
667 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
668 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
669 }
670
671 if( ret != 0 )
672 {
673 /* The certificate may have been rejected for several reasons.
674 Pick one and send the corresponding alert. Which alert to send
675 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]676 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]677 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]678 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]679 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]680 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
681 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
682 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
683 MBEDTLS_X509_BADCERT_BAD_PK |
684 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]685 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]686 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]687 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]688 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]689 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]690 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]691 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
692 else
693 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
694 }
695
696#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]697 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]698 {
699 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]700 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]701 }
702 else
703 {
704 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
705 }
706#endif /* MBEDTLS_DEBUG_C */
707
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]708 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]709 return( ret );
710}
711#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
712static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
713{
714 ((void) ssl);
715 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
716}
717#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
718#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
719
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]720int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]721{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]722 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
723 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
724
725#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
726 unsigned char *buf;
727 size_t buf_len;
728
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]729 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]730 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
731 &buf, &buf_len ) );
732
733 /* Parse the certificate chain sent by the peer. */
734 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
735 /* Validate the certificate chain and set the verification results. */
736 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
737
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]738 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
739 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]740
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]741cleanup:
742
743 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]744#else
745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
746 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
747#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]748 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]749}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]750#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]751/*
752 * enum {
753 * X509(0),
754 * RawPublicKey(2),
755 * (255)
756 * } CertificateType;
757 *
758 * struct {
759 * select (certificate_type) {
760 * case RawPublicKey:
761 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
762 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
763 *
764 * case X509:
765 * opaque cert_data<1..2^24-1>;
766 * };
767 * Extension extensions<0..2^16-1>;
768 * } CertificateEntry;
769 *
770 * struct {
771 * opaque certificate_request_context<0..2^8-1>;
772 * CertificateEntry certificate_list<0..2^24-1>;
773 * } Certificate;
774 */
775static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]776 unsigned char *buf,
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]777 unsigned char *end,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]778 size_t *out_len )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]779{
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]780 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]781 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]782 unsigned char *certificate_request_context =
783 ssl->handshake->certificate_request_context;
784 unsigned char certificate_request_context_len =
785 ssl->handshake->certificate_request_context_len;
786 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]787
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]788
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]789 /* ...
790 * opaque certificate_request_context<0..2^8-1>;
791 * ...
792 */
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]793 MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
794 *p++ = certificate_request_context_len;
795 if( certificate_request_context_len > 0 )
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]796 {
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]797 memcpy( p, certificate_request_context, certificate_request_context_len );
798 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]799 }
800
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]801 /* ...
802 * CertificateEntry certificate_list<0..2^24-1>;
803 * ...
804 */
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]805 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]806 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]807 p += 3;
808
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]809 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]810
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]811 while( crt != NULL )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]812 {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]813 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]814
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]815 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
816 MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
817 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]818
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]819 memcpy( p, crt->raw.p, cert_data_len );
820 p += cert_data_len;
821 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]822
823 /* Currently, we don't have any certificate extensions defined.
824 * Hence, we are sending an empty extension with length zero.
825 */
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]826 MBEDTLS_PUT_UINT24_BE( 0, p, 0 );
827 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]828 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]829
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]830 MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
831 p_certificate_list_len, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]832
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]833 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]834
835 return( 0 );
836}
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]837
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]838int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]839{
840 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]841 unsigned char *buf;
842 size_t buf_len, msg_len;
843
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]844 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
845
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]846 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]847 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]848
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]849 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
850 buf,
851 buf + buf_len,
852 &msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]853
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]854 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
855 buf, msg_len );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]856
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]857 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]858 ssl, buf_len, msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]859cleanup:
860
861 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
862 return( ret );
863}
864
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]865/*
866 * STATE HANDLING: Output Certificate Verify
867 */
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]868static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
869 mbedtls_pk_context *own_key,
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]870 uint16_t *algorithm )
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]871{
872 mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
873 /* Determine the size of the key */
874 size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]875 *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]876 ((void) own_key_size);
877
878 switch( sig )
879 {
880#if defined(MBEDTLS_ECDSA_C)
881 case MBEDTLS_SSL_SIG_ECDSA:
882 switch( own_key_size )
883 {
884 case 256:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]885 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]886 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]887 case 384:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]888 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]889 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]890 case 521:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]891 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]892 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]893 default:
894 MBEDTLS_SSL_DEBUG_MSG( 3,
895 ( "unknown key size: %"
896 MBEDTLS_PRINTF_SIZET " bits",
897 own_key_size ) );
898 break;
899 }
900 break;
901#endif /* MBEDTLS_ECDSA_C */
902
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]903#if defined(MBEDTLS_RSA_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]904 case MBEDTLS_SSL_SIG_RSA:
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]905#if defined(MBEDTLS_PKCS1_V21)
906#if defined(MBEDTLS_SHA256_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]907 if( own_key_size <= 2048 &&
908 mbedtls_ssl_sig_alg_is_received( ssl,
909 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
910 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]911 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]912 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]913 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]914 else
915#endif /* MBEDTLS_SHA256_C */
916#if defined(MBEDTLS_SHA384_C)
917 if( own_key_size <= 3072 &&
918 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]919 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
920 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]921 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]922 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]923 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]924 else
925#endif /* MBEDTLS_SHA384_C */
926#if defined(MBEDTLS_SHA512_C)
927 if( own_key_size <= 4096 &&
928 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]929 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
930 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]931 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]932 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]933 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]934 else
935#endif /* MBEDTLS_SHA512_C */
936#endif /* MBEDTLS_PKCS1_V21 */
937#if defined(MBEDTLS_PKCS1_V15)
938#if defined(MBEDTLS_SHA256_C)
939 if( own_key_size <= 2048 &&
940 mbedtls_ssl_sig_alg_is_received( ssl,
941 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
942 {
943 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]944 return( 0 );
945 }
946 else
947#endif /* MBEDTLS_SHA256_C */
948#if defined(MBEDTLS_SHA384_C)
949 if( own_key_size <= 3072 &&
950 mbedtls_ssl_sig_alg_is_received( ssl,
951 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
952 {
953 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]954 return( 0 );
955 }
956 else
957#endif /* MBEDTLS_SHA384_C */
958#if defined(MBEDTLS_SHA512_C)
959 if( own_key_size <= 4096 &&
960 mbedtls_ssl_sig_alg_is_received( ssl,
961 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
962 {
963 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]964 return( 0 );
965 }
966 else
967#endif /* MBEDTLS_SHA512_C */
968#endif /* MBEDTLS_PKCS1_V15 */
969 {
970 MBEDTLS_SSL_DEBUG_MSG( 3,
971 ( "unknown key size: %"
972 MBEDTLS_PRINTF_SIZET " bits",
973 own_key_size ) );
974 }
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]975 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]976#endif /* MBEDTLS_RSA_C */
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]977 default:
978 MBEDTLS_SSL_DEBUG_MSG( 1,
979 ( "unkown signature type : %u", sig ) );
980 break;
981 }
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]982 return( -1 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]983}
984
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]985static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
986 unsigned char *buf,
987 unsigned char *end,
988 size_t *out_len )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]989{
990 int ret;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]991 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]992 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]993
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]994 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
995 size_t handshake_hash_len;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]996 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
997 size_t verify_buffer_len;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]998 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]999 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Jerry Yu78272072022-02-22 10:28:13 +0800[diff] [blame]1000 uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1001 size_t signature_len = 0;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1002 const mbedtls_md_info_t *md_info;
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1003 unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1004 size_t verify_hash_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1005
Jerry Yu0b7b1012022-02-23 12:23:05 +0800[diff] [blame]1006 *out_len = 0;
1007
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1008 own_key = mbedtls_ssl_own_key( ssl );
1009 if( own_key == NULL )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1010 {
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1011 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1012 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1013 }
1014
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1015 ret = mbedtls_ssl_get_handshake_transcript( ssl,
1016 ssl->handshake->ciphersuite_info->mac,
1017 handshake_hash,
1018 sizeof( handshake_hash ),
1019 &handshake_hash_len );
1020 if( ret != 0 )
1021 return( ret );
1022
1023 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1024 handshake_hash,
1025 handshake_hash_len);
1026
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1027 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1028 verify_buffer, &verify_buffer_len,
1029 ssl->conf->endpoint );
1030
1031 /*
1032 * struct {
1033 * SignatureScheme algorithm;
1034 * opaque signature<0..2^16-1>;
1035 * } CertificateVerify;
1036 */
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1037 ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1038 if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1039 {
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1040 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]1041 ( "signature algorithm not in received or offered list." ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1042
1043 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
1044 mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
1045
Jerry Yu71f36f12022-02-23 17:34:29 +0800[diff] [blame]1046 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1047 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1048 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1049 }
1050
Jerry Yu6c6f1022022-03-25 11:09:50 +0800[diff] [blame]1051 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
1052 algorithm, &pk_type, &md_alg ) != 0 )
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1053 {
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]1054 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1055 }
1056
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1057 /* Check there is space for the algorithm identifier (2 bytes) and the
1058 * signature length (2 bytes).
1059 */
1060 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1061 MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
1062 p += 2;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1063
1064 /* Hash verify buffer with indicated hash function */
1065 md_info = mbedtls_md_info_from_type( md_alg );
1066 if( md_info == NULL )
1067 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1068
1069 ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash );
1070 if( ret != 0 )
1071 return( ret );
1072
1073 verify_hash_len = mbedtls_md_get_size( md_info );
1074 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1075
Jerry Yu8beb9e12022-03-12 16:23:53 +0800[diff] [blame]1076 if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1077 md_alg, verify_hash, verify_hash_len,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1078 p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
1079 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1080 {
1081 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
1082 return( ret );
1083 }
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1084
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1085 MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
1086 p += 2 + signature_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1087
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1088 *out_len = (size_t)( p - buf );
1089
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1090 return( ret );
1091}
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1092
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1093int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1094{
1095 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1096 unsigned char *buf;
1097 size_t buf_len, msg_len;
1098
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1100
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1101 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1102 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1103
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1104 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1105 ssl, buf, buf + buf_len, &msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1106
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1107 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1108 buf, msg_len );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1109
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1110 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1111 ssl, buf_len, msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1112
1113cleanup:
1114
1115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1116 return( ret );
1117}
1118
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1119#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1120
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1121/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1122 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1123 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1124 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1125/*
1126 * Implementation
1127 */
1128
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1129static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1130{
1131 int ret;
1132
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1133 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1134 ssl->handshake->state_local.finished_in.digest,
1135 sizeof( ssl->handshake->state_local.finished_in.digest ),
1136 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1137 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1138 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1139 if( ret != 0 )
1140 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1142 return( ret );
1143 }
1144
1145 return( 0 );
1146}
1147
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1148static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1149 const unsigned char *buf,
1150 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1151{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1152 /*
1153 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1154 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1155 * } Finished;
1156 */
1157 const unsigned char *expected_verify_data =
1158 ssl->handshake->state_local.finished_in.digest;
1159 size_t expected_verify_data_len =
1160 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1161 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1162 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1163 {
1164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1165
1166 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1167 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1168 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1169 }
1170
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1171 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1172 expected_verify_data,
1173 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1174 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1175 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1176
1177 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]1178 if( mbedtls_ct_memcmp( buf,
1179 expected_verify_data,
1180 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1181 {
1182 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1183
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1184 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1185 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1186 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1187 }
1188 return( 0 );
1189}
1190
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1191#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1192static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1193{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1194 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1195 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]1196 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1197
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1198 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1199 if( ret != 0 )
1200 {
1201 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1202 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1203 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1204 }
1205
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1206 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1207 if( ret != 0 )
1208 {
1209 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1210 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1211 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1212 }
1213
1214 transform_application =
1215 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
1216 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1217 {
1218 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1219 goto cleanup;
1220 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1221
1222 ret = mbedtls_ssl_tls13_populate_transform(
1223 transform_application,
1224 ssl->conf->endpoint,
1225 ssl->session_negotiate->ciphersuite,
1226 &traffic_keys,
1227 ssl );
1228 if( ret != 0 )
1229 {
1230 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1231 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1232 }
1233
1234 ssl->transform_application = transform_application;
1235
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1236cleanup:
1237
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1238 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1239 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]1240 {
1241 mbedtls_free( transform_application );
1242 MBEDTLS_SSL_PEND_FATAL_ALERT(
1243 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1244 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1245 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1246 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1247}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1248#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1249
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1250static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1251{
1252
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1253#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1254 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1255 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1256 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1257 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1258#else
1259 ((void) ssl);
1260#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1261
1262 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1263}
1264
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1265int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1266{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1267 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1268 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1269 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1270
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1272
1273 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1274 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1275
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1276 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1277 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1278 &buf, &buf_len ) );
1279 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1280 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1281 buf, buf_len );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1282 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1283
1284cleanup:
1285
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1286 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1287 return( ret );
1288}
1289
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1290/*
1291 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1292 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1293 *
1294 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1295/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1296 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1297 */
1298
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1299static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1300{
1301 int ret;
1302
1303 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1304 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1305 ssl->handshake->state_local.finished_out.digest,
1306 sizeof( ssl->handshake->state_local.finished_out.digest ),
1307 &ssl->handshake->state_local.finished_out.digest_len,
1308 ssl->conf->endpoint );
1309
1310 if( ret != 0 )
1311 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1312 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1313 return( ret );
1314 }
1315
1316 return( 0 );
1317}
1318
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1319static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1320{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1321 // TODO: Add back resumption keys calculation after MVP.
1322 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1323
1324 return( 0 );
1325}
1326
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1327static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1328 unsigned char *buf,
1329 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1330 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1331{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1332 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1333 /*
1334 * struct {
1335 * opaque verify_data[Hash.length];
1336 * } Finished;
1337 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1338 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1339
1340 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1341 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1342
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1343 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1344 return( 0 );
1345}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1346
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1347/* Main entry point: orchestrates the other functions */
1348int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1349{
1350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1351 unsigned char *buf;
1352 size_t buf_len, msg_len;
1353
1354 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1355
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1356 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1357
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1358 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1359 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1360
1361 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1362 ssl, buf, buf + buf_len, &msg_len ) );
1363
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1364 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1365 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1366
1367 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1368 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1369 ssl, buf_len, msg_len ) );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1370cleanup:
1371
1372 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1373 return( ret );
1374}
1375
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1376void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1377{
1378
1379 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1380
1381 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1382 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1383 */
1384 if( ssl->session )
1385 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1386 mbedtls_ssl_session_free( ssl->session );
1387 mbedtls_free( ssl->session );
1388 }
1389 ssl->session = ssl->session_negotiate;
1390 ssl->session_negotiate = NULL;
1391
1392 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1393}
1394
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1395/*
1396 *
1397 * STATE HANDLING: Write ChangeCipherSpec
1398 *
1399 */
1400#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1401static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1402 unsigned char *buf,
1403 unsigned char *end,
1404 size_t *olen )
1405{
1406 ((void) ssl);
1407
1408 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1409 buf[0] = 1;
1410 *olen = 1;
1411
1412 return( 0 );
1413}
1414
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1415int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1416{
1417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1418
1419 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1420
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1421 /* Write CCS message */
1422 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1423 ssl, ssl->out_msg,
1424 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1425 &ssl->out_msglen ) );
1426
1427 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1428
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1429 /* Dispatch message */
Ronald Cron66dbf912022-02-02 15:33:46 +0100[diff] [blame]1430 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1431
1432cleanup:
1433
1434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1435 return( ret );
1436}
1437
1438#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1439
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1440/* Reset SSL context and update hash for handling HRR.
1441 *
1442 * Replace Transcript-Hash(X) by
1443 * Transcript-Hash( message_hash ||
1444 * 00 00 Hash.length ||
1445 * X )
1446 * A few states of the handshake are preserved, including:
1447 * - session ID
1448 * - session ticket
1449 * - negotiated ciphersuite
1450 */
1451int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1452{
1453 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1454 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1455 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1456 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1457 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1458 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1459
1460 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1461
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1462 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1463 hash_transcript + 4,
1464 MBEDTLS_MD_MAX_SIZE,
1465 &hash_len );
1466 if( ret != 0 )
1467 {
1468 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1469 return( ret );
1470 }
1471
1472 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1473 hash_transcript[1] = 0;
1474 hash_transcript[2] = 0;
1475 hash_transcript[3] = (unsigned char) hash_len;
1476
1477 hash_len += 4;
1478
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1479 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1480 {
1481#if defined(MBEDTLS_SHA256_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1482 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1483 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1484
1485#if defined(MBEDTLS_USE_PSA_CRYPTO)
1486 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1487 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1488#else
1489 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1490#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1491#endif /* MBEDTLS_SHA256_C */
1492 }
1493 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1494 {
1495#if defined(MBEDTLS_SHA384_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1496 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1497 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1498
1499#if defined(MBEDTLS_USE_PSA_CRYPTO)
1500 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1501 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1502#else
1503 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1504#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1505#endif /* MBEDTLS_SHA384_C */
1506 }
1507
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1508#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
1509 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1510#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +0100[diff] [blame]1511
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1512 return( ret );
1513}
1514
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1515#define ECDH_VALIDATE_RET( cond ) \
1516 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
1517
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1518#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1519static int ecdh_import_public_raw( mbedtls_ecdh_context_mbed *ctx,
1520 const unsigned char *buf,
1521 const unsigned char *end )
1522{
1523 return( mbedtls_ecp_point_read_binary( &ctx->grp, &ctx->Qp,
1524 buf, end - buf ) );
1525}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1526#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1527
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1528#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
1529static int everest_import_public_raw( mbedtls_x25519_context *ctx,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1530 const unsigned char *buf,
1531 const unsigned char *end )
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1532{
1533 if( end - buf != MBEDTLS_X25519_KEY_SIZE_BYTES )
1534 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
1535
1536 memcpy( ctx->peer_point, buf, MBEDTLS_X25519_KEY_SIZE_BYTES );
1537 return( 0 );
1538}
1539#endif /* MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */
1540
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1541int mbedtls_ecdh_import_public_raw( mbedtls_ecdh_context *ctx,
1542 const unsigned char *buf,
1543 const unsigned char *end )
1544{
1545 ECDH_VALIDATE_RET( ctx != NULL );
1546 ECDH_VALIDATE_RET( buf != NULL );
1547 ECDH_VALIDATE_RET( end != NULL );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1548#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1549 ((void) ctx);
1550 ((void) buf);
1551 ((void) end);
1552 return ( 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1553#else
1554 switch( ctx->var )
1555 {
1556#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
1557 case MBEDTLS_ECDH_VARIANT_EVEREST:
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1558 return( everest_import_public_raw( &ctx->ctx.everest_ecdh.ctx,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1559 buf, end) );
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1560#endif /* MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1561 case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
1562 return( ecdh_import_public_raw( &ctx->ctx.mbed_ecdh,
1563 buf, end ) );
1564 default:
1565 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
1566 }
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1567#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1568}
1569
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1570#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */