TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6b916b1616f7994c8f7dfea2bb3754917b3964ef / . / library / ssl_tls13_generic.c
blob: a260717e13504798a9039e034e0d68334b1c6557 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]23
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]24#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]28#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]30#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]31#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]32
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]33#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]36
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]37const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
38 MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
39 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
40 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
41 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
42 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]43
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]44int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
45 unsigned hs_type,
46 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]47 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]48{
49 int ret;
50
51 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
52 {
53 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
54 goto cleanup;
55 }
56
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]57 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]58 ssl->in_msg[0] != hs_type )
59 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]60 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]61 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]62 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]63 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
64 goto cleanup;
65 }
66
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]67 /*
68 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
69 * ...
70 * HandshakeType msg_type;
71 * uint24 length;
72 * ...
73 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]74 *buf = ssl->in_msg + 4;
75 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]76
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]77cleanup:
78
79 return( ret );
80}
81
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]82#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]83/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]84 * STATE HANDLING: Read CertificateVerify
85 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]86/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]87 *
88 * The structure is computed per TLS 1.3 specification as:
89 * - 64 bytes of octet 32,
90 * - 33 bytes for the context string
91 * (which is either "TLS 1.3, client CertificateVerify"
92 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]93 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]94 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
95 * (depending on the size of the transcript_hash)
96 *
97 * This results in a total size of
98 * - 130 bytes for a SHA256-based transcript hash, or
99 * (64 + 33 + 1 + 32 bytes)
100 * - 146 bytes for a SHA384-based transcript hash.
101 * (64 + 33 + 1 + 48 bytes)
102 *
103 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]104#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
105 33 + \
106 1 + \
107 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]108 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]109
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]110/*
111 * The ssl_tls13_create_verify_structure() creates the verify structure.
112 * As input, it requires the transcript hash.
113 *
114 * The caller has to ensure that the buffer has size at least
115 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
116 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]117static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]118 size_t transcript_hash_len,
119 unsigned char *verify_buffer,
120 size_t *verify_buffer_len,
121 int from )
122{
123 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]124
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]125 /* RFC 8446, Section 4.4.3:
126 *
127 * The digital signature [in the CertificateVerify message] is then
128 * computed over the concatenation of:
129 * - A string that consists of octet 32 (0x20) repeated 64 times
130 * - The context string
131 * - A single 0 byte which serves as the separator
132 * - The content to be signed
133 */
134 memset( verify_buffer, 0x20, 64 );
135 idx = 64;
136
137 if( from == MBEDTLS_SSL_IS_CLIENT )
138 {
139 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
140 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
141 }
142 else
143 { /* from == MBEDTLS_SSL_IS_SERVER */
144 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
145 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
146 }
147
148 verify_buffer[idx++] = 0x0;
149
150 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
151 idx += transcript_hash_len;
152
153 *verify_buffer_len = idx;
154}
155
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]156/* Coordinate: Check whether a certificate verify message is expected.
157 * Returns a negative value on failure, and otherwise
158 * - SSL_CERTIFICATE_VERIFY_SKIP
159 * - SSL_CERTIFICATE_VERIFY_READ
160 * to indicate if the CertificateVerify message should be present or not.
161 */
162#define SSL_CERTIFICATE_VERIFY_SKIP 0
163#define SSL_CERTIFICATE_VERIFY_READ 1
164static int ssl_tls13_read_certificate_verify_coordinate( mbedtls_ssl_context *ssl )
165{
166 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
167 return( SSL_CERTIFICATE_VERIFY_SKIP );
168
169#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
170 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
171 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
172#else
173 if( ssl->session_negotiate->peer_cert == NULL )
174 return( SSL_CERTIFICATE_VERIFY_SKIP );
175
176 return( SSL_CERTIFICATE_VERIFY_READ );
177#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
178}
179
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]180static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]181 const unsigned char *buf,
182 const unsigned char *end,
183 const unsigned char *verify_buffer,
184 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]185{
186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 const unsigned char *p = buf;
188 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]189 size_t signature_len;
190 mbedtls_pk_type_t sig_alg;
191 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]192 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]193 size_t verify_hash_len;
194
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]195 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]196#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]197 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]198#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
199
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]200 /*
201 * struct {
202 * SignatureScheme algorithm;
203 * opaque signature<0..2^16-1>;
204 * } CertificateVerify;
205 */
206 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
207 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
208 p += 2;
209
210 /* RFC 8446 section 4.4.3
211 *
212 * If the CertificateVerify message is sent by a server, the signature algorithm
213 * MUST be one offered in the client's "signature_algorithms" extension unless
214 * no valid certificate chain can be produced without unsupported algorithms
215 *
216 * RFC 8446 section 4.4.2.2
217 *
218 * If the client cannot construct an acceptable chain using the provided
219 * certificates and decides to abort the handshake, then it MUST abort the handshake
220 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
221 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]222 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]223 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]224 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]225 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]226 /* algorithm not in offered signature algorithms list */
227 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
228 "offered.",
229 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]230 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]231 }
232
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]233 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]234 algorithm, &sig_alg, &md_alg ) != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]235 {
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]236 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]237 }
238
239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
240 ( unsigned int ) algorithm ) );
241
242 /*
243 * Check the certificate's key type matches the signature alg
244 */
245 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
246 {
247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]248 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]249 }
250
251 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
252 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
253 p += 2;
254 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
255
256 /* Hash verify buffer with indicated hash function */
257 switch( md_alg )
258 {
259#if defined(MBEDTLS_SHA256_C)
260 case MBEDTLS_MD_SHA256:
261 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]262 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]263 break;
264#endif /* MBEDTLS_SHA256_C */
265
266#if defined(MBEDTLS_SHA384_C)
267 case MBEDTLS_MD_SHA384:
268 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]269 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]270 break;
271#endif /* MBEDTLS_SHA384_C */
272
273#if defined(MBEDTLS_SHA512_C)
274 case MBEDTLS_MD_SHA512:
275 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]276 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]277 break;
278#endif /* MBEDTLS_SHA512_C */
279
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]280 default:
281 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
282 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]283 }
284
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]285 if( ret != 0 )
286 {
287 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]288 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]289 }
290
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]291 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]292#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
293 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
294 {
295 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]296 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]297 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
298 {
299 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
300 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]301 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
302 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]303 }
304#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]305
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]306 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]307 &ssl->session_negotiate->peer_cert->pk,
308 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]309 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]310 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]311 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]312 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]313 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]314
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]315error:
316 /* RFC 8446 section 4.4.3
317 *
318 * If the verification fails, the receiver MUST terminate the handshake
319 * with a "decrypt_error" alert.
320 */
321 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
322 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
323 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
324
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]325}
326#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
327
328int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
329{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]330
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]331#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
332 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
333 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
334 size_t verify_buffer_len;
335 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
336 size_t transcript_len;
337 unsigned char *buf;
338 size_t buf_len;
339
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]340 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
341
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]342 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_verify_coordinate( ssl ) );
343 if( ret == SSL_CERTIFICATE_VERIFY_SKIP )
344 {
345 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
346 ret = 0;
347 goto cleanup;
348 }
349 else if( ret != SSL_CERTIFICATE_VERIFY_READ )
350 {
351 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
352 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
353 goto cleanup;
354 }
355
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]356 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]357 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]358 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]359
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]360 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]361 * before reading the message since otherwise it gets
362 * included in the transcript
363 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]364 ret = mbedtls_ssl_get_handshake_transcript( ssl,
365 ssl->handshake->ciphersuite_info->mac,
366 transcript, sizeof( transcript ),
367 &transcript_len );
368 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]369 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]370 MBEDTLS_SSL_PEND_FATAL_ALERT(
371 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
372 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
373 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]374 }
375
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]376 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
377
378 /* Create verify structure */
379 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]380 transcript_len,
381 verify_buffer,
382 &verify_buffer_len,
383 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
384 MBEDTLS_SSL_IS_SERVER :
385 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]386
387 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]388 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
389 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]390
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]391 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
392 buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]393
394cleanup:
395
396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]397 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]398 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]399#else
400 ((void) ssl);
401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
402 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
403#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]404}
405
406/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]407 *
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]408 * STATE HANDLING: Incoming Certificate.
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]409 *
410 */
411
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]412/* Coordination: Check if a certificate is expected.
413 * Returns a negative error code on failure, and otherwise
414 * SSL_CERTIFICATE_EXPECTED or
415 * SSL_CERTIFICATE_SKIP
416 * indicating whether a Certificate message is expected or not.
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]417 */
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]418#define SSL_CERTIFICATE_EXPECTED 0
419#define SSL_CERTIFICATE_SKIP 1
420
421static int ssl_tls13_read_certificate_coordinate( mbedtls_ssl_context *ssl )
422{
423#if defined(MBEDTLS_SSL_SRV_C)
424 int authmode = ssl->conf->authmode;
425#endif /* MBEDTLS_SSL_SRV_C */
426
427#if defined(MBEDTLS_SSL_SRV_C)
428 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
429 {
430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
431
432 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
433 }
434#endif /* MBEDTLS_SSL_SRV_C */
435
436 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
437 return( SSL_CERTIFICATE_SKIP );
438
439#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
440 ( ( void )authmode );
441 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
442 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
443#else
444#if defined(MBEDTLS_SSL_SRV_C)
445 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
446 {
447 /* If SNI was used, overwrite authentication mode
448 * from the configuration. */
449#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
450 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
451 authmode = ssl->handshake->sni_authmode;
452#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
453
454 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
455 {
456 /* NOTE: Is it intentional that we set verify_result
457 * to SKIP_VERIFY on server-side only? */
458 ssl->session_negotiate->verify_result =
459 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
460 return( SSL_CERTIFICATE_SKIP );
461 }
462 }
463#endif /* MBEDTLS_SSL_SRV_C */
464
465 return( SSL_CERTIFICATE_EXPECTED );
466#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
467}
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]468
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]469#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
470#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
471/*
472 * Structure of Certificate message:
473 *
474 * enum {
475 * X509(0),
476 * RawPublicKey(2),
477 * (255)
478 * } CertificateType;
479 *
480 * struct {
481 * select (certificate_type) {
482 * case RawPublicKey:
483 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
484 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
485 * case X509:
486 * opaque cert_data<1..2^24-1>;
487 * };
488 * Extension extensions<0..2^16-1>;
489 * } CertificateEntry;
490 *
491 * struct {
492 * opaque certificate_request_context<0..2^8-1>;
493 * CertificateEntry certificate_list<0..2^24-1>;
494 * } Certificate;
495 *
496 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]497
498/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]499static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
500 const unsigned char *buf,
501 const unsigned char *end )
502{
503 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
504 size_t certificate_request_context_len = 0;
505 size_t certificate_list_len = 0;
506 const unsigned char *p = buf;
507 const unsigned char *certificate_list_end;
508
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]509 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]510 certificate_request_context_len = p[0];
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]511 p++;
512
513#if defined(MBEDTLS_SSL_SRV_C)
514 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
515 {
516 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end,
517 certificate_request_context_len + 3 );
518
519 /* check whether we got an empty certificate message */
520 if( memcmp( p + certificate_request_context_len , "\0\0\0", 3 ) == 0 )
521 {
522 MBEDTLS_SSL_DEBUG_MSG( 1,
523 ( "client has no certificate - empty certificate message received" ) );
524
525 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
526 if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
527 return( 0 );
528 else
529 {
530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client certificate required" ) );
531 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED,
532 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
533 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
534 }
535 }
536 }
537#endif /* MBEDTLS_SSL_SRV_C */
538
539 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 3 );
540 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 0 );
541 p += 3;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]542
543 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
544 * support anything beyond 2^16 = 64K.
545 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]546 if( ( certificate_request_context_len != 0 ) ||
547 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]548 {
549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
550 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
551 MBEDTLS_ERR_SSL_DECODE_ERROR );
552 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
553 }
554
555 /* In case we tried to reuse a session but it failed */
556 if( ssl->session_negotiate->peer_cert != NULL )
557 {
558 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
559 mbedtls_free( ssl->session_negotiate->peer_cert );
560 }
561
562 if( ( ssl->session_negotiate->peer_cert =
563 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
564 {
565 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
566 sizeof( mbedtls_x509_crt ) ) );
567 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
568 MBEDTLS_ERR_SSL_ALLOC_FAILED );
569 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
570 }
571
572 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
573
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]574 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]575 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]576 {
577 size_t cert_data_len, extensions_len;
578
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]579 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]580 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]581 p += 3;
582
583 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
584 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
585 * check that we have a minimum of 128 bytes of data, this is not
586 * clear why we need that though.
587 */
588 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]589 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
591 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
592 MBEDTLS_ERR_SSL_DECODE_ERROR );
593 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
594 }
595
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]596 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]597 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
598 p, cert_data_len );
599
600 switch( ret )
601 {
602 case 0: /*ok*/
603 break;
604 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
605 /* Ignore certificate with an unknown algorithm: maybe a
606 prior certificate was already trusted. */
607 break;
608
609 case MBEDTLS_ERR_X509_ALLOC_FAILED:
610 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
611 MBEDTLS_ERR_X509_ALLOC_FAILED );
612 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
613 return( ret );
614
615 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
616 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
617 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
618 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
619 return( ret );
620
621 default:
622 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
623 ret );
624 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
625 return( ret );
626 }
627
628 p += cert_data_len;
629
630 /* Certificate extensions length */
631 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
632 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
633 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]634 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]635 p += extensions_len;
636 }
637
638 /* Check that all the message is consumed. */
639 if( p != end )
640 {
641 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
642 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
643 MBEDTLS_ERR_SSL_DECODE_ERROR );
644 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
645 }
646
647 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
648
649 return( ret );
650}
651#else
652static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
653 const unsigned char *buf,
654 const unsigned char *end )
655{
656 ((void) ssl);
657 ((void) buf);
658 ((void) end);
659 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
660}
661#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
662#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
663
664#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
665#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]666/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]667static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
668{
669 int ret = 0;
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]670 int authmode = ssl->conf->authmode;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]671 mbedtls_x509_crt *ca_chain;
672 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]673 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]674
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]675 /* If SNI was used, overwrite authentication mode
676 * from the configuration. */
677#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
678 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
679 authmode = ssl->handshake->sni_authmode;
680#endif
681
682 /*
683 * If the client hasn't sent a certificate ( i.e. it sent
684 * an empty certificate chain ), this is reflected in the peer CRT
685 * structure being unset.
686 * Check for that and handle it depending on the
687 * server's authentication mode.
688 */
689#if defined(MBEDTLS_SSL_SRV_C)
690 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
691 ssl->session_negotiate->peer_cert == NULL )
692 {
693 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate" ) );
694
695 /* The client was asked for a certificate but didn't send
696 one. The client should know what's going on, so we
697 don't send an alert. */
698
699 /* Note that for authmode == VERIFY_NONE we don't end up in this
700 * routine in the first place, because ssl_tls13_read_certificate_coordinate
701 * will return CERTIFICATE_SKIP. */
702 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
703 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
704 return( 0 );
705 else
706 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
707 }
708#endif /* MBEDTLS_SSL_SRV_C */
709
710 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
711 {
712 /* NOTE: This happens on client-side only, with the
713 * server-side case of VERIFY_NONE being handled earlier
714 * and leading to `ssl->verify_result` being set to
715 * MBEDTLS_X509_BADCERT_SKIP_VERIFY --
716 * is this difference intentional? */
717 return( 0 );
718 }
719
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]720#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
721 if( ssl->handshake->sni_ca_chain != NULL )
722 {
723 ca_chain = ssl->handshake->sni_ca_chain;
724 ca_crl = ssl->handshake->sni_ca_crl;
725 }
726 else
727#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
728 {
729 ca_chain = ssl->conf->ca_chain;
730 ca_crl = ssl->conf->ca_crl;
731 }
732
733 /*
734 * Main check: verify certificate
735 */
736 ret = mbedtls_x509_crt_verify_with_profile(
737 ssl->session_negotiate->peer_cert,
738 ca_chain, ca_crl,
739 ssl->conf->cert_profile,
740 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]741 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]742 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
743
744 if( ret != 0 )
745 {
746 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
747 }
748
749 /*
750 * Secondary checks: always done, but change 'ret' only if it was 0
751 */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]752 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
753 ssl->handshake->ciphersuite_info,
754 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]755 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]756 {
757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
758 if( ret == 0 )
759 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
760 }
761
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]762 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
763 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
764 * with details encoded in the verification flags. All other kinds
765 * of error codes, including those from the user provided f_vrfy
766 * functions, are treated as fatal and lead to a failure of
767 * ssl_tls13_parse_certificate even if verification was optional. */
768 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
769 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
770 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
771 {
772 ret = 0;
773 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]774
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]775
776 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]777 {
778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
779 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
780 }
781
782 if( ret != 0 )
783 {
784 /* The certificate may have been rejected for several reasons.
785 Pick one and send the corresponding alert. Which alert to send
786 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]787 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]788 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]789 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]790 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]791 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
792 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
793 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
794 MBEDTLS_X509_BADCERT_BAD_PK |
795 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]796 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]797 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]798 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]799 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]800 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]801 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]802 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
803 else
804 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
805 }
806
807#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]808 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]809 {
810 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]811 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]812 }
813 else
814 {
815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
816 }
817#endif /* MBEDTLS_DEBUG_C */
818
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]819 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]820 return( ret );
821}
822#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
823static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
824{
825 ((void) ssl);
826 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
827}
828#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
829#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
830
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]831int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]832{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]833 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
834 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
835
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]836 /* Coordination:
837 * Check if we expect a certificate, and if yes,
838 * check if a non-empty certificate has been sent.
839 */
840 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_coordinate( ssl ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]841#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]842 if( ret == SSL_CERTIFICATE_EXPECTED )
843 {
844 unsigned char *buf;
845 size_t buf_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]846
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]847 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
848 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
849 &buf, &buf_len ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]850
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]851 /* Parse the certificate chain sent by the peer. */
852 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf,
853 buf + buf_len ) );
854 /* Validate the certificate chain and set the verification results. */
855 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]856
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame^]857 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
858 buf, buf_len );
859 }
860 else
861#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
862 if( ret == SSL_CERTIFICATE_SKIP )
863 {
864 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
865 ret = 0;
866 }
867 else
868 {
869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
870 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
871 }
872
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]873
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]874cleanup:
875
876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
877 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]878}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]879#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]880/*
881 * enum {
882 * X509(0),
883 * RawPublicKey(2),
884 * (255)
885 * } CertificateType;
886 *
887 * struct {
888 * select (certificate_type) {
889 * case RawPublicKey:
890 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
891 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
892 *
893 * case X509:
894 * opaque cert_data<1..2^24-1>;
895 * };
896 * Extension extensions<0..2^16-1>;
897 * } CertificateEntry;
898 *
899 * struct {
900 * opaque certificate_request_context<0..2^8-1>;
901 * CertificateEntry certificate_list<0..2^24-1>;
902 * } Certificate;
903 */
904static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]905 unsigned char *buf,
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]906 unsigned char *end,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]907 size_t *out_len )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]908{
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]909 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]910 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]911 unsigned char *certificate_request_context =
912 ssl->handshake->certificate_request_context;
913 unsigned char certificate_request_context_len =
914 ssl->handshake->certificate_request_context_len;
915 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]916
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]917
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]918 /* ...
919 * opaque certificate_request_context<0..2^8-1>;
920 * ...
921 */
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]922 MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
923 *p++ = certificate_request_context_len;
924 if( certificate_request_context_len > 0 )
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]925 {
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]926 memcpy( p, certificate_request_context, certificate_request_context_len );
927 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]928 }
929
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]930 /* ...
931 * CertificateEntry certificate_list<0..2^24-1>;
932 * ...
933 */
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]934 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]935 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]936 p += 3;
937
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]938 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]939
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]940 while( crt != NULL )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]941 {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]942 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]943
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]944 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
945 MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
946 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]947
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]948 memcpy( p, crt->raw.p, cert_data_len );
949 p += cert_data_len;
950 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]951
952 /* Currently, we don't have any certificate extensions defined.
953 * Hence, we are sending an empty extension with length zero.
954 */
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]955 MBEDTLS_PUT_UINT24_BE( 0, p, 0 );
956 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]957 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]958
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]959 MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
960 p_certificate_list_len, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]961
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]962 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]963
964 return( 0 );
965}
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]966
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]967int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]968{
969 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]970 unsigned char *buf;
971 size_t buf_len, msg_len;
972
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
974
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]975 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]976 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]977
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]978 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
979 buf,
980 buf + buf_len,
981 &msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]982
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]983 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
984 buf, msg_len );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]985
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]986 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]987 ssl, buf_len, msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]988cleanup:
989
990 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
991 return( ret );
992}
993
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]994/*
995 * STATE HANDLING: Output Certificate Verify
996 */
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]997static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
998 mbedtls_pk_context *own_key,
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]999 uint16_t *algorithm )
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1000{
1001 mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
1002 /* Determine the size of the key */
1003 size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1004 *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1005 ((void) own_key_size);
1006
1007 switch( sig )
1008 {
1009#if defined(MBEDTLS_ECDSA_C)
1010 case MBEDTLS_SSL_SIG_ECDSA:
1011 switch( own_key_size )
1012 {
1013 case 256:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1014 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1015 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1016 case 384:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1017 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1018 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1019 case 521:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1020 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1021 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1022 default:
1023 MBEDTLS_SSL_DEBUG_MSG( 3,
1024 ( "unknown key size: %"
1025 MBEDTLS_PRINTF_SIZET " bits",
1026 own_key_size ) );
1027 break;
1028 }
1029 break;
1030#endif /* MBEDTLS_ECDSA_C */
1031
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1032#if defined(MBEDTLS_RSA_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1033 case MBEDTLS_SSL_SIG_RSA:
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1034#if defined(MBEDTLS_PKCS1_V21)
1035#if defined(MBEDTLS_SHA256_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1036 if( own_key_size <= 2048 &&
1037 mbedtls_ssl_sig_alg_is_received( ssl,
1038 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
1039 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1040 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1041 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1042 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1043 else
1044#endif /* MBEDTLS_SHA256_C */
1045#if defined(MBEDTLS_SHA384_C)
1046 if( own_key_size <= 3072 &&
1047 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1048 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
1049 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1050 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1051 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1052 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1053 else
1054#endif /* MBEDTLS_SHA384_C */
1055#if defined(MBEDTLS_SHA512_C)
1056 if( own_key_size <= 4096 &&
1057 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1058 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
1059 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1060 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1061 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1062 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1063 else
1064#endif /* MBEDTLS_SHA512_C */
1065#endif /* MBEDTLS_PKCS1_V21 */
1066#if defined(MBEDTLS_PKCS1_V15)
1067#if defined(MBEDTLS_SHA256_C)
1068 if( own_key_size <= 2048 &&
1069 mbedtls_ssl_sig_alg_is_received( ssl,
1070 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
1071 {
1072 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1073 return( 0 );
1074 }
1075 else
1076#endif /* MBEDTLS_SHA256_C */
1077#if defined(MBEDTLS_SHA384_C)
1078 if( own_key_size <= 3072 &&
1079 mbedtls_ssl_sig_alg_is_received( ssl,
1080 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
1081 {
1082 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1083 return( 0 );
1084 }
1085 else
1086#endif /* MBEDTLS_SHA384_C */
1087#if defined(MBEDTLS_SHA512_C)
1088 if( own_key_size <= 4096 &&
1089 mbedtls_ssl_sig_alg_is_received( ssl,
1090 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
1091 {
1092 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1093 return( 0 );
1094 }
1095 else
1096#endif /* MBEDTLS_SHA512_C */
1097#endif /* MBEDTLS_PKCS1_V15 */
1098 {
1099 MBEDTLS_SSL_DEBUG_MSG( 3,
1100 ( "unknown key size: %"
1101 MBEDTLS_PRINTF_SIZET " bits",
1102 own_key_size ) );
1103 }
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1104 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]1105#endif /* MBEDTLS_RSA_C */
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1106 default:
1107 MBEDTLS_SSL_DEBUG_MSG( 1,
Andrzej Kurek5c65c572022-04-13 14:28:52 -0400[diff] [blame]1108 ( "unknown signature type : %u", sig ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1109 break;
1110 }
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1111 return( -1 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1112}
1113
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1114static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
1115 unsigned char *buf,
1116 unsigned char *end,
1117 size_t *out_len )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1118{
1119 int ret;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1120 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1121 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1122
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1123 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
1124 size_t handshake_hash_len;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1125 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
1126 size_t verify_buffer_len;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1127 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1128 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Jerry Yu78272072022-02-22 10:28:13 +0800[diff] [blame]1129 uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1130 size_t signature_len = 0;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1131 const mbedtls_md_info_t *md_info;
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1132 unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1133 size_t verify_hash_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1134
Jerry Yu0b7b1012022-02-23 12:23:05 +0800[diff] [blame]1135 *out_len = 0;
1136
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1137 own_key = mbedtls_ssl_own_key( ssl );
1138 if( own_key == NULL )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1139 {
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1141 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1142 }
1143
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1144 ret = mbedtls_ssl_get_handshake_transcript( ssl,
1145 ssl->handshake->ciphersuite_info->mac,
1146 handshake_hash,
1147 sizeof( handshake_hash ),
1148 &handshake_hash_len );
1149 if( ret != 0 )
1150 return( ret );
1151
1152 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1153 handshake_hash,
1154 handshake_hash_len);
1155
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1156 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1157 verify_buffer, &verify_buffer_len,
1158 ssl->conf->endpoint );
1159
1160 /*
1161 * struct {
1162 * SignatureScheme algorithm;
1163 * opaque signature<0..2^16-1>;
1164 * } CertificateVerify;
1165 */
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1166 ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1167 if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1168 {
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1169 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]1170 ( "signature algorithm not in received or offered list." ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1171
1172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
1173 mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
1174
Jerry Yu71f36f12022-02-23 17:34:29 +0800[diff] [blame]1175 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1176 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1177 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1178 }
1179
Jerry Yu6c6f1022022-03-25 11:09:50 +0800[diff] [blame]1180 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
1181 algorithm, &pk_type, &md_alg ) != 0 )
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1182 {
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]1183 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1184 }
1185
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1186 /* Check there is space for the algorithm identifier (2 bytes) and the
1187 * signature length (2 bytes).
1188 */
1189 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1190 MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
1191 p += 2;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1192
1193 /* Hash verify buffer with indicated hash function */
1194 md_info = mbedtls_md_info_from_type( md_alg );
1195 if( md_info == NULL )
1196 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1197
1198 ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash );
1199 if( ret != 0 )
1200 return( ret );
1201
1202 verify_hash_len = mbedtls_md_get_size( md_info );
1203 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1204
Jerry Yu8beb9e12022-03-12 16:23:53 +0800[diff] [blame]1205 if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1206 md_alg, verify_hash, verify_hash_len,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1207 p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
1208 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1209 {
1210 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
1211 return( ret );
1212 }
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1213
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1214 MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
1215 p += 2 + signature_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1216
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1217 *out_len = (size_t)( p - buf );
1218
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1219 return( ret );
1220}
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1221
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1222int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1223{
1224 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1225 unsigned char *buf;
1226 size_t buf_len, msg_len;
1227
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1228 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1229
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1230 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1231 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1232
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1233 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1234 ssl, buf, buf + buf_len, &msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1235
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1236 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1237 buf, msg_len );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1238
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1239 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1240 ssl, buf_len, msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1241
1242cleanup:
1243
1244 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1245 return( ret );
1246}
1247
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1248#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1249
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1250/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1251 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1252 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1253 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1254/*
1255 * Implementation
1256 */
1257
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1258static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1259{
1260 int ret;
1261
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1262 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1263 ssl->handshake->state_local.finished_in.digest,
1264 sizeof( ssl->handshake->state_local.finished_in.digest ),
1265 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1266 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1267 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1268 if( ret != 0 )
1269 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1270 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1271 return( ret );
1272 }
1273
1274 return( 0 );
1275}
1276
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1277static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1278 const unsigned char *buf,
1279 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1280{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1281 /*
1282 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1283 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1284 * } Finished;
1285 */
1286 const unsigned char *expected_verify_data =
1287 ssl->handshake->state_local.finished_in.digest;
1288 size_t expected_verify_data_len =
1289 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1290 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1291 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1292 {
1293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1294
1295 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1296 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1297 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1298 }
1299
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1300 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1301 expected_verify_data,
1302 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1303 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1304 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1305
1306 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]1307 if( mbedtls_ct_memcmp( buf,
1308 expected_verify_data,
1309 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1310 {
1311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1312
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1313 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1314 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1315 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1316 }
1317 return( 0 );
1318}
1319
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1320int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1321{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1322 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1323 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1324 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1325
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1326 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1327
1328 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1329 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1330
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1331 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1332 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1333 &buf, &buf_len ) );
1334 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1335 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1336 buf, buf_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1337
1338cleanup:
1339
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1340 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1341 return( ret );
1342}
1343
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1344/*
1345 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1346 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1347 *
1348 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1349/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1350 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1351 */
1352
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1353static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1354{
1355 int ret;
1356
1357 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1358 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1359 ssl->handshake->state_local.finished_out.digest,
1360 sizeof( ssl->handshake->state_local.finished_out.digest ),
1361 &ssl->handshake->state_local.finished_out.digest_len,
1362 ssl->conf->endpoint );
1363
1364 if( ret != 0 )
1365 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1366 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1367 return( ret );
1368 }
1369
1370 return( 0 );
1371}
1372
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1373static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1374 unsigned char *buf,
1375 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1376 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1377{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1378 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1379 /*
1380 * struct {
1381 * opaque verify_data[Hash.length];
1382 * } Finished;
1383 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1384 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1385
1386 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1387 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1388
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1389 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1390 return( 0 );
1391}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1392
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1393/* Main entry point: orchestrates the other functions */
1394int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1395{
1396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1397 unsigned char *buf;
1398 size_t buf_len, msg_len;
1399
1400 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1401
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1402 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1403
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1404 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1405 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1406
1407 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1408 ssl, buf, buf + buf_len, &msg_len ) );
1409
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1410 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1411 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1412
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1413 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1414 ssl, buf_len, msg_len ) );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1415cleanup:
1416
1417 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1418 return( ret );
1419}
1420
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1421void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1422{
1423
1424 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1425
Jerry Yue8c1fca2022-05-18 14:48:56 +0800[diff] [blame]1426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1427 mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1428
1429 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1430 mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1431
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1432 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1433 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1434 */
1435 if( ssl->session )
1436 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1437 mbedtls_ssl_session_free( ssl->session );
1438 mbedtls_free( ssl->session );
1439 }
1440 ssl->session = ssl->session_negotiate;
1441 ssl->session_negotiate = NULL;
1442
1443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1444}
1445
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1446/*
1447 *
1448 * STATE HANDLING: Write ChangeCipherSpec
1449 *
1450 */
1451#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1452static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1453 unsigned char *buf,
1454 unsigned char *end,
1455 size_t *olen )
1456{
1457 ((void) ssl);
1458
1459 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1460 buf[0] = 1;
1461 *olen = 1;
1462
1463 return( 0 );
1464}
1465
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1466int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1467{
1468 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1469
1470 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1471
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1472 /* Write CCS message */
1473 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1474 ssl, ssl->out_msg,
1475 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1476 &ssl->out_msglen ) );
1477
1478 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1479
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1480 /* Dispatch message */
Ronald Cron66dbf912022-02-02 15:33:46 +0100[diff] [blame]1481 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1482
1483cleanup:
1484
1485 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1486 return( ret );
1487}
1488
1489#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1490
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1491/* Reset SSL context and update hash for handling HRR.
1492 *
1493 * Replace Transcript-Hash(X) by
1494 * Transcript-Hash( message_hash ||
1495 * 00 00 Hash.length ||
1496 * X )
1497 * A few states of the handshake are preserved, including:
1498 * - session ID
1499 * - session ticket
1500 * - negotiated ciphersuite
1501 */
1502int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1503{
1504 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1505 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1506 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1507 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1508 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1509 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1510
1511 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1512
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1513 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1514 hash_transcript + 4,
1515 MBEDTLS_MD_MAX_SIZE,
1516 &hash_len );
1517 if( ret != 0 )
1518 {
1519 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1520 return( ret );
1521 }
1522
1523 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1524 hash_transcript[1] = 0;
1525 hash_transcript[2] = 0;
1526 hash_transcript[3] = (unsigned char) hash_len;
1527
1528 hash_len += 4;
1529
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1530 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1531 {
1532#if defined(MBEDTLS_SHA256_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1533 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1534 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1535
1536#if defined(MBEDTLS_USE_PSA_CRYPTO)
1537 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1538 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1539#else
1540 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1541#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1542#endif /* MBEDTLS_SHA256_C */
1543 }
1544 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1545 {
1546#if defined(MBEDTLS_SHA384_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1547 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1548 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1549
1550#if defined(MBEDTLS_USE_PSA_CRYPTO)
1551 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1552 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1553#else
1554 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1555#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1556#endif /* MBEDTLS_SHA384_C */
1557 }
1558
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1559#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
1560 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1561#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +0100[diff] [blame]1562
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1563 return( ret );
1564}
1565
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1566#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1567
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1568int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
1569 const unsigned char *buf,
1570 size_t buf_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1571{
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1572 uint8_t *p = (uint8_t*)buf;
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1573 const uint8_t *end = buf + buf_len;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1574 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1575
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1576 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1577 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1578 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1579 p += 2;
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1580
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1581 /* Check if key size is consistent with given buffer length. */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1582 MBEDTLS_SSL_CHK_BUF_PTR( p, end, peerkey_len );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1583
1584 /* Store peer's ECDH public key. */
1585 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
1586 handshake->ecdh_psa_peerkey_len = peerkey_len;
1587
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1588 return( 0 );
1589}
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1590
1591int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1592 mbedtls_ssl_context *ssl,
1593 uint16_t named_group,
1594 unsigned char *buf,
1595 unsigned char *end,
1596 size_t *out_len )
1597{
1598 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1599 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1600 psa_key_attributes_t key_attributes;
1601 size_t own_pubkey_len;
1602 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1603 size_t ecdh_bits = 0;
1604
1605 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
1606
1607 /* Convert EC group to PSA key type. */
1608 if( ( handshake->ecdh_psa_type =
1609 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
1610 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1611
1612 ssl->handshake->ecdh_bits = ecdh_bits;
1613
1614 key_attributes = psa_key_attributes_init();
1615 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
1616 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
1617 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
1618 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
1619
1620 /* Generate ECDH private key. */
1621 status = psa_generate_key( &key_attributes,
1622 &handshake->ecdh_psa_privkey );
1623 if( status != PSA_SUCCESS )
1624 {
1625 ret = psa_ssl_status_to_mbedtls( status );
1626 MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
1627 return( ret );
1628
1629 }
1630
1631 /* Export the public part of the ECDH private key from PSA. */
1632 status = psa_export_public_key( handshake->ecdh_psa_privkey,
1633 buf, (size_t)( end - buf ),
1634 &own_pubkey_len );
1635 if( status != PSA_SUCCESS )
1636 {
1637 ret = psa_ssl_status_to_mbedtls( status );
1638 MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
1639 return( ret );
1640
1641 }
1642
1643 *out_len = own_pubkey_len;
1644
1645 return( 0 );
1646}
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1647#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1648
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1649#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */