blob: 6c4ad83a2fa905f92f8c83bdd1637f6d56f495ae [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +08001/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +080022#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +080023
Jerry Yu30b071c2021-09-12 20:16:03 +080024#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +080026#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +080027#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +080028#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +010030#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +000031#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +080032
Jerry Yu65dd2cc2021-08-18 16:38:40 +080033#include "ssl_misc.h"
Ronald Crone3dac4a2022-06-10 17:21:51 +020034#include "ssl_tls13_invasive.h"
Jerry Yu30b071c2021-09-12 20:16:03 +080035#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +080036#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +080037
pespaceka1378102022-04-26 15:03:11 +020038#include "psa/crypto.h"
39#include "mbedtls/psa_util.h"
40
Jerry Yufbe3e642022-04-25 19:31:51 +080041const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
David Horstmann71159f42023-01-03 12:51:59 +000042 MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
43{ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
44 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
45 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
46 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
Jerry Yu93a13f22022-04-11 23:00:01 +080047
David Horstmann71159f42023-01-03 12:51:59 +000048int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
49 unsigned hs_type,
50 unsigned char **buf,
51 size_t *buf_len)
XiaokangQian6b226b02021-09-24 07:51:16 +000052{
53 int ret;
54
David Horstmann71159f42023-01-03 12:51:59 +000055 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
56 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
XiaokangQian6b226b02021-09-24 07:51:16 +000057 goto cleanup;
58 }
59
David Horstmann71159f42023-01-03 12:51:59 +000060 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
61 ssl->in_msg[0] != hs_type) {
62 MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message."));
63 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
64 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
XiaokangQian6b226b02021-09-24 07:51:16 +000065 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
66 goto cleanup;
67 }
68
XiaokangQian05420b12021-09-29 08:46:37 +000069 /*
70 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
71 * ...
72 * HandshakeType msg_type;
73 * uint24 length;
74 * ...
75 */
Xiaofei Baieef15042021-11-18 07:29:56 +000076 *buf = ssl->in_msg + 4;
77 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +000078
XiaokangQian6b226b02021-09-24 07:51:16 +000079cleanup:
80
David Horstmann71159f42023-01-03 12:51:59 +000081 return ret;
XiaokangQian6b226b02021-09-24 07:51:16 +000082}
83
Ronald Cron928cbd32022-10-04 16:14:26 +020084#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu30b071c2021-09-12 20:16:03 +080085/*
Jerry Yu30b071c2021-09-12 20:16:03 +080086 * STATE HANDLING: Read CertificateVerify
87 */
Jerry Yud0fc5852021-10-29 11:09:06 +080088/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +080089 *
90 * The structure is computed per TLS 1.3 specification as:
91 * - 64 bytes of octet 32,
92 * - 33 bytes for the context string
93 * (which is either "TLS 1.3, client CertificateVerify"
94 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +080095 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +080096 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
97 * (depending on the size of the transcript_hash)
98 *
99 * This results in a total size of
100 * - 130 bytes for a SHA256-based transcript hash, or
101 * (64 + 33 + 1 + 32 bytes)
102 * - 146 bytes for a SHA384-based transcript hash.
103 * (64 + 33 + 1 + 48 bytes)
104 *
105 */
David Horstmann71159f42023-01-03 12:51:59 +0000106#define SSL_VERIFY_STRUCT_MAX_SIZE (64 + \
107 33 + \
108 1 + \
109 MBEDTLS_TLS1_3_MD_MAX_SIZE \
110 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800111
Jerry Yu0b32c502021-10-28 13:41:59 +0800112/*
113 * The ssl_tls13_create_verify_structure() creates the verify structure.
114 * As input, it requires the transcript hash.
115 *
116 * The caller has to ensure that the buffer has size at least
117 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
118 */
David Horstmann71159f42023-01-03 12:51:59 +0000119static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash,
120 size_t transcript_hash_len,
121 unsigned char *verify_buffer,
122 size_t *verify_buffer_len,
123 int from)
Jerry Yu0b32c502021-10-28 13:41:59 +0800124{
125 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800126
Jerry Yu0b32c502021-10-28 13:41:59 +0800127 /* RFC 8446, Section 4.4.3:
128 *
129 * The digital signature [in the CertificateVerify message] is then
130 * computed over the concatenation of:
131 * - A string that consists of octet 32 (0x20) repeated 64 times
132 * - The context string
133 * - A single 0 byte which serves as the separator
134 * - The content to be signed
135 */
David Horstmann71159f42023-01-03 12:51:59 +0000136 memset(verify_buffer, 0x20, 64);
Jerry Yu0b32c502021-10-28 13:41:59 +0800137 idx = 64;
138
David Horstmann71159f42023-01-03 12:51:59 +0000139 if (from == MBEDTLS_SSL_IS_CLIENT) {
140 memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(client_cv));
141 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
142 } else { /* from == MBEDTLS_SSL_IS_SERVER */
143 memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(server_cv));
144 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
Jerry Yu0b32c502021-10-28 13:41:59 +0800145 }
146
147 verify_buffer[idx++] = 0x0;
148
David Horstmann71159f42023-01-03 12:51:59 +0000149 memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len);
Jerry Yu0b32c502021-10-28 13:41:59 +0800150 idx += transcript_hash_len;
151
152 *verify_buffer_len = idx;
153}
154
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200155MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +0000156static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
157 const unsigned char *buf,
158 const unsigned char *end,
159 const unsigned char *verify_buffer,
160 size_t verify_buffer_len)
Jerry Yu30b071c2021-09-12 20:16:03 +0800161{
162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
pespaceka1378102022-04-26 15:03:11 +0200163 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu30b071c2021-09-12 20:16:03 +0800164 const unsigned char *p = buf;
165 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800166 size_t signature_len;
167 mbedtls_pk_type_t sig_alg;
168 mbedtls_md_type_t md_alg;
pespaceka1378102022-04-26 15:03:11 +0200169 psa_algorithm_t hash_alg = PSA_ALG_NONE;
170 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800171 size_t verify_hash_len;
172
Xiaofei Baid25fab62021-12-02 06:36:27 +0000173 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000174#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000175 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000176#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
177
Jerry Yu30b071c2021-09-12 20:16:03 +0800178 /*
179 * struct {
180 * SignatureScheme algorithm;
181 * opaque signature<0..2^16-1>;
182 * } CertificateVerify;
183 */
David Horstmann71159f42023-01-03 12:51:59 +0000184 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
185 algorithm = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yu30b071c2021-09-12 20:16:03 +0800186 p += 2;
187
188 /* RFC 8446 section 4.4.3
189 *
190 * If the CertificateVerify message is sent by a server, the signature algorithm
191 * MUST be one offered in the client's "signature_algorithms" extension unless
192 * no valid certificate chain can be produced without unsupported algorithms
193 *
194 * RFC 8446 section 4.4.2.2
195 *
196 * If the client cannot construct an acceptable chain using the provided
197 * certificates and decides to abort the handshake, then it MUST abort the handshake
198 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
199 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800200 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800201 */
David Horstmann71159f42023-01-03 12:51:59 +0000202 if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) {
Jerry Yu982d9e52021-10-14 15:59:37 +0800203 /* algorithm not in offered signature algorithms list */
David Horstmann71159f42023-01-03 12:51:59 +0000204 MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not "
205 "offered.",
206 (unsigned int) algorithm));
Jerry Yu6f87f252021-10-29 20:12:51 +0800207 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800208 }
209
David Horstmann71159f42023-01-03 12:51:59 +0000210 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
211 algorithm, &sig_alg, &md_alg) != 0) {
Jerry Yu8c338862022-03-23 13:34:04 +0800212 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800213 }
214
David Horstmann71159f42023-01-03 12:51:59 +0000215 hash_alg = mbedtls_hash_info_psa_from_md(md_alg);
216 if (hash_alg == 0) {
pespaceka1378102022-04-26 15:03:11 +0200217 goto error;
218 }
219
David Horstmann71159f42023-01-03 12:51:59 +0000220 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )",
221 (unsigned int) algorithm));
Jerry Yu30b071c2021-09-12 20:16:03 +0800222
223 /*
224 * Check the certificate's key type matches the signature alg
225 */
David Horstmann71159f42023-01-03 12:51:59 +0000226 if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) {
227 MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
Jerry Yu6f87f252021-10-29 20:12:51 +0800228 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800229 }
230
David Horstmann71159f42023-01-03 12:51:59 +0000231 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
232 signature_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yu30b071c2021-09-12 20:16:03 +0800233 p += 2;
David Horstmann71159f42023-01-03 12:51:59 +0000234 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len);
Jerry Yu30b071c2021-09-12 20:16:03 +0800235
David Horstmann71159f42023-01-03 12:51:59 +0000236 status = psa_hash_compute(hash_alg,
237 verify_buffer,
238 verify_buffer_len,
239 verify_hash,
240 sizeof(verify_hash),
241 &verify_hash_len);
242 if (status != PSA_SUCCESS) {
243 MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status);
Jerry Yu6f87f252021-10-29 20:12:51 +0800244 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800245 }
246
David Horstmann71159f42023-01-03 12:51:59 +0000247 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
XiaokangQian82d34cc2021-11-03 08:51:56 +0000248#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
David Horstmann71159f42023-01-03 12:51:59 +0000249 if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
Xiaofei Baid25fab62021-12-02 06:36:27 +0000250 rsassa_pss_options.mgf1_hash_id = md_alg;
Przemek Stekiel6a5e0182022-06-27 11:53:13 +0200251
David Horstmann71159f42023-01-03 12:51:59 +0000252 rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
253 options = (const void *) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000254 }
255#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800256
David Horstmann71159f42023-01-03 12:51:59 +0000257 if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
258 &ssl->session_negotiate->peer_cert->pk,
259 md_alg, verify_hash, verify_hash_len,
260 p, signature_len)) == 0) {
261 return 0;
Jerry Yu30b071c2021-09-12 20:16:03 +0800262 }
David Horstmann71159f42023-01-03 12:51:59 +0000263 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
Jerry Yu30b071c2021-09-12 20:16:03 +0800264
Jerry Yu6f87f252021-10-29 20:12:51 +0800265error:
266 /* RFC 8446 section 4.4.3
267 *
268 * If the verification fails, the receiver MUST terminate the handshake
269 * with a "decrypt_error" alert.
David Horstmann71159f42023-01-03 12:51:59 +0000270 */
271 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
272 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
273 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu6f87f252021-10-29 20:12:51 +0800274
Jerry Yu30b071c2021-09-12 20:16:03 +0800275}
Ronald Cron928cbd32022-10-04 16:14:26 +0200276#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800277
David Horstmann71159f42023-01-03 12:51:59 +0000278int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu30b071c2021-09-12 20:16:03 +0800279{
Jerry Yu30b071c2021-09-12 20:16:03 +0800280
Ronald Cron928cbd32022-10-04 16:14:26 +0200281#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yuda8cdf22021-10-25 15:06:49 +0800282 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
283 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
284 size_t verify_buffer_len;
285 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
286 size_t transcript_len;
287 unsigned char *buf;
288 size_t buf_len;
289
David Horstmann71159f42023-01-03 12:51:59 +0000290 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Jerry Yu30b071c2021-09-12 20:16:03 +0800291
Jerry Yuda8cdf22021-10-25 15:06:49 +0800292 MBEDTLS_SSL_PROC_CHK(
David Horstmann71159f42023-01-03 12:51:59 +0000293 mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
294 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
Jerry Yu30b071c2021-09-12 20:16:03 +0800295
Jerry Yuda8cdf22021-10-25 15:06:49 +0800296 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800297 * before reading the message since otherwise it gets
298 * included in the transcript
299 */
David Horstmann71159f42023-01-03 12:51:59 +0000300 ret = mbedtls_ssl_get_handshake_transcript(ssl,
301 ssl->handshake->ciphersuite_info->mac,
302 transcript, sizeof(transcript),
303 &transcript_len);
304 if (ret != 0) {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800305 MBEDTLS_SSL_PEND_FATAL_ALERT(
306 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
David Horstmann71159f42023-01-03 12:51:59 +0000307 MBEDTLS_ERR_SSL_INTERNAL_ERROR);
308 return ret;
Jerry Yu30b071c2021-09-12 20:16:03 +0800309 }
310
David Horstmann71159f42023-01-03 12:51:59 +0000311 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len);
Jerry Yuda8cdf22021-10-25 15:06:49 +0800312
313 /* Create verify structure */
David Horstmann71159f42023-01-03 12:51:59 +0000314 ssl_tls13_create_verify_structure(transcript,
315 transcript_len,
316 verify_buffer,
317 &verify_buffer_len,
318 (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ?
319 MBEDTLS_SSL_IS_SERVER :
320 MBEDTLS_SSL_IS_CLIENT);
Jerry Yuda8cdf22021-10-25 15:06:49 +0800321
322 /* Process the message contents */
David Horstmann71159f42023-01-03 12:51:59 +0000323 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(ssl, buf,
324 buf + buf_len, verify_buffer,
325 verify_buffer_len));
Jerry Yuda8cdf22021-10-25 15:06:49 +0800326
David Horstmann71159f42023-01-03 12:51:59 +0000327 mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
328 buf, buf_len);
Jerry Yu30b071c2021-09-12 20:16:03 +0800329
330cleanup:
331
David Horstmann71159f42023-01-03 12:51:59 +0000332 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
333 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret);
334 return ret;
Jerry Yuda8cdf22021-10-25 15:06:49 +0800335#else
336 ((void) ssl);
David Horstmann71159f42023-01-03 12:51:59 +0000337 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
338 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Ronald Cron928cbd32022-10-04 16:14:26 +0200339#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800340}
341
342/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000343 *
XiaokangQian6b916b12022-04-25 07:29:34 +0000344 * STATE HANDLING: Incoming Certificate.
Xiaofei Bai947571e2021-09-29 09:12:03 +0000345 *
346 */
347
Ronald Cronde08cf32022-10-04 17:15:35 +0200348#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000349#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
350/*
351 * Structure of Certificate message:
352 *
353 * enum {
354 * X509(0),
355 * RawPublicKey(2),
356 * (255)
357 * } CertificateType;
358 *
359 * struct {
360 * select (certificate_type) {
361 * case RawPublicKey:
362 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
363 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
364 * case X509:
365 * opaque cert_data<1..2^24-1>;
366 * };
367 * Extension extensions<0..2^16-1>;
368 * } CertificateEntry;
369 *
370 * struct {
371 * opaque certificate_request_context<0..2^8-1>;
372 * CertificateEntry certificate_list<0..2^24-1>;
373 * } Certificate;
374 *
375 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000376
377/* Parse certificate chain send by the server. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200378MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Crone3dac4a2022-06-10 17:21:51 +0200379MBEDTLS_STATIC_TESTABLE
David Horstmann71159f42023-01-03 12:51:59 +0000380int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
381 const unsigned char *buf,
382 const unsigned char *end)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000383{
384 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
385 size_t certificate_request_context_len = 0;
386 size_t certificate_list_len = 0;
387 const unsigned char *p = buf;
388 const unsigned char *certificate_list_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800389 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000390
David Horstmann71159f42023-01-03 12:51:59 +0000391 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000392 certificate_request_context_len = p[0];
David Horstmann71159f42023-01-03 12:51:59 +0000393 certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1);
XiaokangQian63e713e2022-05-15 04:26:57 +0000394 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000395
396 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
397 * support anything beyond 2^16 = 64K.
398 */
David Horstmann71159f42023-01-03 12:51:59 +0000399 if ((certificate_request_context_len != 0) ||
400 (certificate_list_len >= 0x10000)) {
401 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
402 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
403 MBEDTLS_ERR_SSL_DECODE_ERROR);
404 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000405 }
406
407 /* In case we tried to reuse a session but it failed */
David Horstmann71159f42023-01-03 12:51:59 +0000408 if (ssl->session_negotiate->peer_cert != NULL) {
409 mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert);
410 mbedtls_free(ssl->session_negotiate->peer_cert);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000411 }
412
David Horstmann71159f42023-01-03 12:51:59 +0000413 if (certificate_list_len == 0) {
XiaokangQianc3017f62022-05-13 05:55:41 +0000414 ssl->session_negotiate->peer_cert = NULL;
415 ret = 0;
416 goto exit;
417 }
418
David Horstmann71159f42023-01-03 12:51:59 +0000419 if ((ssl->session_negotiate->peer_cert =
420 mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) {
421 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
422 sizeof(mbedtls_x509_crt)));
423 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
424 MBEDTLS_ERR_SSL_ALLOC_FAILED);
425 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000426 }
427
David Horstmann71159f42023-01-03 12:51:59 +0000428 mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000429
David Horstmann71159f42023-01-03 12:51:59 +0000430 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000431 certificate_list_end = p + certificate_list_len;
David Horstmann71159f42023-01-03 12:51:59 +0000432 while (p < certificate_list_end) {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000433 size_t cert_data_len, extensions_len;
Jerry Yu2eaa7602022-08-04 17:28:15 +0800434 const unsigned char *extensions_end;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000435
David Horstmann71159f42023-01-03 12:51:59 +0000436 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3);
437 cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000438 p += 3;
439
440 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
441 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
442 * check that we have a minimum of 128 bytes of data, this is not
443 * clear why we need that though.
444 */
David Horstmann71159f42023-01-03 12:51:59 +0000445 if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) {
446 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
447 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
448 MBEDTLS_ERR_SSL_DECODE_ERROR);
449 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000450 }
451
David Horstmann71159f42023-01-03 12:51:59 +0000452 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len);
453 ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert,
454 p, cert_data_len);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000455
David Horstmann71159f42023-01-03 12:51:59 +0000456 switch (ret) {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000457 case 0: /*ok*/
458 break;
459 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
460 /* Ignore certificate with an unknown algorithm: maybe a
461 prior certificate was already trusted. */
462 break;
463
464 case MBEDTLS_ERR_X509_ALLOC_FAILED:
David Horstmann71159f42023-01-03 12:51:59 +0000465 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
466 MBEDTLS_ERR_X509_ALLOC_FAILED);
467 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
468 return ret;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000469
470 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
David Horstmann71159f42023-01-03 12:51:59 +0000471 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
472 MBEDTLS_ERR_X509_UNKNOWN_VERSION);
473 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
474 return ret;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000475
476 default:
David Horstmann71159f42023-01-03 12:51:59 +0000477 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
478 ret);
479 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
480 return ret;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000481 }
482
483 p += cert_data_len;
484
485 /* Certificate extensions length */
David Horstmann71159f42023-01-03 12:51:59 +0000486 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2);
487 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000488 p += 2;
David Horstmann71159f42023-01-03 12:51:59 +0000489 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len);
Jerry Yu2eaa7602022-08-04 17:28:15 +0800490
491 extensions_end = p + extensions_len;
Jerry Yu0d5cfb72022-10-31 14:15:48 +0800492 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu2eaa7602022-08-04 17:28:15 +0800493
David Horstmann71159f42023-01-03 12:51:59 +0000494 while (p < extensions_end) {
Jerry Yu2eaa7602022-08-04 17:28:15 +0800495 unsigned int extension_type;
496 size_t extension_data_len;
497
498 /*
David Horstmann71159f42023-01-03 12:51:59 +0000499 * struct {
500 * ExtensionType extension_type; (2 bytes)
501 * opaque extension_data<0..2^16-1>;
502 * } Extension;
503 */
504 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
505 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
506 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yu2eaa7602022-08-04 17:28:15 +0800507 p += 4;
508
David Horstmann71159f42023-01-03 12:51:59 +0000509 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
Jerry Yu2eaa7602022-08-04 17:28:15 +0800510
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800511 ret = mbedtls_ssl_tls13_check_received_extension(
David Horstmann71159f42023-01-03 12:51:59 +0000512 ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
513 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT);
514 if (ret != 0) {
515 return ret;
516 }
Jerry Yu0c354a22022-08-29 15:25:36 +0800517
David Horstmann71159f42023-01-03 12:51:59 +0000518 switch (extension_type) {
Jerry Yu2eaa7602022-08-04 17:28:15 +0800519 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800520 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu0d5cfb72022-10-31 14:15:48 +0800521 3, MBEDTLS_SSL_HS_CERTIFICATE,
David Horstmann71159f42023-01-03 12:51:59 +0000522 extension_type, "( ignored )");
Jerry Yu2eaa7602022-08-04 17:28:15 +0800523 break;
524 }
525
526 p += extension_data_len;
527 }
528
David Horstmann71159f42023-01-03 12:51:59 +0000529 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE,
530 handshake->received_extensions);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000531 }
532
XiaokangQian63e713e2022-05-15 04:26:57 +0000533exit:
Xiaofei Bai947571e2021-09-29 09:12:03 +0000534 /* Check that all the message is consumed. */
David Horstmann71159f42023-01-03 12:51:59 +0000535 if (p != end) {
536 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
537 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
538 MBEDTLS_ERR_SSL_DECODE_ERROR);
539 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000540 }
541
David Horstmann71159f42023-01-03 12:51:59 +0000542 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", ssl->session_negotiate->peer_cert);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000543
David Horstmann71159f42023-01-03 12:51:59 +0000544 return ret;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000545}
546#else
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200547MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Crone3dac4a2022-06-10 17:21:51 +0200548MBEDTLS_STATIC_TESTABLE
David Horstmann71159f42023-01-03 12:51:59 +0000549int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
550 const unsigned char *buf,
551 const unsigned char *end)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000552{
553 ((void) ssl);
554 ((void) buf);
555 ((void) end);
David Horstmann71159f42023-01-03 12:51:59 +0000556 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000557}
558#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Ronald Cronde08cf32022-10-04 17:15:35 +0200559#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000560
Ronald Cronde08cf32022-10-04 17:15:35 +0200561#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000562#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000563/* Validate certificate chain sent by the server. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200564MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +0000565static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000566{
567 int ret = 0;
XiaokangQian989f06d2022-05-17 01:50:15 +0000568 int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000569 mbedtls_x509_crt *ca_chain;
570 mbedtls_x509_crl *ca_crl;
Ronald Cron30c5a252022-06-16 19:31:06 +0200571 const char *ext_oid;
572 size_t ext_len;
Xiaofei Baiff456022021-10-28 06:50:17 +0000573 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000574
XiaokangQian6b916b12022-04-25 07:29:34 +0000575 /* If SNI was used, overwrite authentication mode
576 * from the configuration. */
XiaokangQian989f06d2022-05-17 01:50:15 +0000577#if defined(MBEDTLS_SSL_SRV_C)
David Horstmann71159f42023-01-03 12:51:59 +0000578 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
XiaokangQian0557c942022-05-30 08:10:53 +0000579#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
David Horstmann71159f42023-01-03 12:51:59 +0000580 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
XiaokangQian0557c942022-05-30 08:10:53 +0000581 authmode = ssl->handshake->sni_authmode;
David Horstmann71159f42023-01-03 12:51:59 +0000582 } else
XiaokangQian0557c942022-05-30 08:10:53 +0000583#endif
David Horstmann71159f42023-01-03 12:51:59 +0000584 authmode = ssl->conf->authmode;
XiaokangQian0557c942022-05-30 08:10:53 +0000585 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000586#endif
587
588 /*
XiaokangQian989f06d2022-05-17 01:50:15 +0000589 * If the peer hasn't sent a certificate ( i.e. it sent
XiaokangQian6b916b12022-04-25 07:29:34 +0000590 * an empty certificate chain ), this is reflected in the peer CRT
591 * structure being unset.
592 * Check for that and handle it depending on the
XiaokangQian989f06d2022-05-17 01:50:15 +0000593 * authentication mode.
XiaokangQian6b916b12022-04-25 07:29:34 +0000594 */
David Horstmann71159f42023-01-03 12:51:59 +0000595 if (ssl->session_negotiate->peer_cert == NULL) {
596 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
XiaokangQian989f06d2022-05-17 01:50:15 +0000597
XiaokangQian63e713e2022-05-15 04:26:57 +0000598#if defined(MBEDTLS_SSL_SRV_C)
David Horstmann71159f42023-01-03 12:51:59 +0000599 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
XiaokangQian63e713e2022-05-15 04:26:57 +0000600 /* The client was asked for a certificate but didn't send
601 * one. The client should know what's going on, so we
602 * don't send an alert.
603 */
604 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
David Horstmann71159f42023-01-03 12:51:59 +0000605 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
606 return 0;
607 } else {
608 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
609 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
610 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
XiaokangQian989f06d2022-05-17 01:50:15 +0000611 }
XiaokangQian63e713e2022-05-15 04:26:57 +0000612 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000613#endif /* MBEDTLS_SSL_SRV_C */
614
XiaokangQianc3017f62022-05-13 05:55:41 +0000615#if defined(MBEDTLS_SSL_CLI_C)
David Horstmann71159f42023-01-03 12:51:59 +0000616 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
617 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
618 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
619 return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
XiaokangQian63e713e2022-05-15 04:26:57 +0000620 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000621#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQian63e713e2022-05-15 04:26:57 +0000622 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000623
Xiaofei Bai947571e2021-09-29 09:12:03 +0000624#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
David Horstmann71159f42023-01-03 12:51:59 +0000625 if (ssl->handshake->sni_ca_chain != NULL) {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000626 ca_chain = ssl->handshake->sni_ca_chain;
627 ca_crl = ssl->handshake->sni_ca_crl;
David Horstmann71159f42023-01-03 12:51:59 +0000628 } else
Xiaofei Bai947571e2021-09-29 09:12:03 +0000629#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
630 {
631 ca_chain = ssl->conf->ca_chain;
632 ca_crl = ssl->conf->ca_crl;
633 }
634
635 /*
636 * Main check: verify certificate
637 */
638 ret = mbedtls_x509_crt_verify_with_profile(
639 ssl->session_negotiate->peer_cert,
640 ca_chain, ca_crl,
641 ssl->conf->cert_profile,
642 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000643 &verify_result,
David Horstmann71159f42023-01-03 12:51:59 +0000644 ssl->conf->f_vrfy, ssl->conf->p_vrfy);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000645
David Horstmann71159f42023-01-03 12:51:59 +0000646 if (ret != 0) {
647 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
Xiaofei Bai947571e2021-09-29 09:12:03 +0000648 }
649
650 /*
651 * Secondary checks: always done, but change 'ret' only if it was 0
652 */
David Horstmann71159f42023-01-03 12:51:59 +0000653 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Ronald Cron30c5a252022-06-16 19:31:06 +0200654 ext_oid = MBEDTLS_OID_SERVER_AUTH;
David Horstmann71159f42023-01-03 12:51:59 +0000655 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
656 } else {
Ronald Cron30c5a252022-06-16 19:31:06 +0200657 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
David Horstmann71159f42023-01-03 12:51:59 +0000658 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
Ronald Cron30c5a252022-06-16 19:31:06 +0200659 }
660
David Horstmann71159f42023-01-03 12:51:59 +0000661 if ((mbedtls_x509_crt_check_key_usage(
662 ssl->session_negotiate->peer_cert,
663 MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) ||
664 (mbedtls_x509_crt_check_extended_key_usage(
665 ssl->session_negotiate->peer_cert,
666 ext_oid, ext_len) != 0)) {
667 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
668 if (ret == 0) {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000669 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
David Horstmann71159f42023-01-03 12:51:59 +0000670 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000671 }
672
XiaokangQian6b916b12022-04-25 07:29:34 +0000673 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
674 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
675 * with details encoded in the verification flags. All other kinds
676 * of error codes, including those from the user provided f_vrfy
677 * functions, are treated as fatal and lead to a failure of
Ronald Crone3dac4a2022-06-10 17:21:51 +0200678 * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
679 */
David Horstmann71159f42023-01-03 12:51:59 +0000680 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
681 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
682 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
XiaokangQian6b916b12022-04-25 07:29:34 +0000683 ret = 0;
684 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000685
David Horstmann71159f42023-01-03 12:51:59 +0000686 if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
687 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
Xiaofei Bai947571e2021-09-29 09:12:03 +0000688 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
689 }
690
David Horstmann71159f42023-01-03 12:51:59 +0000691 if (ret != 0) {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000692 /* The certificate may have been rejected for several reasons.
693 Pick one and send the corresponding alert. Which alert to send
694 may be a subject of debate in some cases. */
David Horstmann71159f42023-01-03 12:51:59 +0000695 if (verify_result & MBEDTLS_X509_BADCERT_OTHER) {
696 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
697 } else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
698 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret);
699 } else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE |
700 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
701 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
702 MBEDTLS_X509_BADCERT_BAD_PK |
703 MBEDTLS_X509_BADCERT_BAD_KEY)) {
704 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
705 } else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
706 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
707 } else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
708 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
709 } else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
710 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret);
711 } else {
712 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
713 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000714 }
715
716#if defined(MBEDTLS_DEBUG_C)
David Horstmann71159f42023-01-03 12:51:59 +0000717 if (verify_result != 0) {
718 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
719 (unsigned int) verify_result));
720 } else {
721 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
Xiaofei Bai947571e2021-09-29 09:12:03 +0000722 }
723#endif /* MBEDTLS_DEBUG_C */
724
Xiaofei Baiff456022021-10-28 06:50:17 +0000725 ssl->session_negotiate->verify_result = verify_result;
David Horstmann71159f42023-01-03 12:51:59 +0000726 return ret;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000727}
728#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200729MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +0000730static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000731{
732 ((void) ssl);
David Horstmann71159f42023-01-03 12:51:59 +0000733 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000734}
735#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Ronald Cronde08cf32022-10-04 17:15:35 +0200736#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000737
David Horstmann71159f42023-01-03 12:51:59 +0000738int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000739{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000740 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
David Horstmann71159f42023-01-03 12:51:59 +0000741 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000742
Ronald Cronde08cf32022-10-04 17:15:35 +0200743#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQianc3017f62022-05-13 05:55:41 +0000744 unsigned char *buf;
745 size_t buf_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000746
David Horstmann71159f42023-01-03 12:51:59 +0000747 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
748 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
749 &buf, &buf_len));
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000750
XiaokangQianc3017f62022-05-13 05:55:41 +0000751 /* Parse the certificate chain sent by the peer. */
David Horstmann71159f42023-01-03 12:51:59 +0000752 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf,
753 buf + buf_len));
XiaokangQianc3017f62022-05-13 05:55:41 +0000754 /* Validate the certificate chain and set the verification results. */
David Horstmann71159f42023-01-03 12:51:59 +0000755 MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000756
David Horstmann71159f42023-01-03 12:51:59 +0000757 mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE,
758 buf, buf_len);
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000759
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000760cleanup:
Ronald Cronde08cf32022-10-04 17:15:35 +0200761#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000762
David Horstmann71159f42023-01-03 12:51:59 +0000763 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
764 return ret;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000765}
Ronald Cron928cbd32022-10-04 16:14:26 +0200766#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800767/*
768 * enum {
769 * X509(0),
770 * RawPublicKey(2),
771 * (255)
772 * } CertificateType;
773 *
774 * struct {
775 * select (certificate_type) {
776 * case RawPublicKey:
777 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
778 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
779 *
780 * case X509:
781 * opaque cert_data<1..2^24-1>;
782 * };
783 * Extension extensions<0..2^16-1>;
784 * } CertificateEntry;
785 *
786 * struct {
787 * opaque certificate_request_context<0..2^8-1>;
788 * CertificateEntry certificate_list<0..2^24-1>;
789 * } Certificate;
790 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200791MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +0000792static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl,
793 unsigned char *buf,
794 unsigned char *end,
795 size_t *out_len)
Jerry Yu5cc35062022-01-28 16:16:08 +0800796{
David Horstmann71159f42023-01-03 12:51:59 +0000797 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl);
Jerry Yu3e536442022-02-15 11:05:59 +0800798 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800799 unsigned char *certificate_request_context =
David Horstmann71159f42023-01-03 12:51:59 +0000800 ssl->handshake->certificate_request_context;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800801 unsigned char certificate_request_context_len =
David Horstmann71159f42023-01-03 12:51:59 +0000802 ssl->handshake->certificate_request_context_len;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800803 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800804
Jerry Yu5cc35062022-01-28 16:16:08 +0800805
Jerry Yu3391ac02022-02-16 11:21:37 +0800806 /* ...
807 * opaque certificate_request_context<0..2^8-1>;
808 * ...
809 */
David Horstmann71159f42023-01-03 12:51:59 +0000810 MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1);
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800811 *p++ = certificate_request_context_len;
David Horstmann71159f42023-01-03 12:51:59 +0000812 if (certificate_request_context_len > 0) {
813 memcpy(p, certificate_request_context, certificate_request_context_len);
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800814 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800815 }
816
Jerry Yu3391ac02022-02-16 11:21:37 +0800817 /* ...
818 * CertificateEntry certificate_list<0..2^24-1>;
819 * ...
820 */
David Horstmann71159f42023-01-03 12:51:59 +0000821 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800822 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800823 p += 3;
824
David Horstmann71159f42023-01-03 12:51:59 +0000825 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt);
Jerry Yu5cc35062022-01-28 16:16:08 +0800826
David Horstmann71159f42023-01-03 12:51:59 +0000827 while (crt != NULL) {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800828 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800829
David Horstmann71159f42023-01-03 12:51:59 +0000830 MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2);
831 MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0);
Jerry Yu7399d0d2022-01-30 17:54:19 +0800832 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800833
David Horstmann71159f42023-01-03 12:51:59 +0000834 memcpy(p, crt->raw.p, cert_data_len);
Jerry Yu7399d0d2022-01-30 17:54:19 +0800835 p += cert_data_len;
836 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800837
838 /* Currently, we don't have any certificate extensions defined.
839 * Hence, we are sending an empty extension with length zero.
840 */
David Horstmann71159f42023-01-03 12:51:59 +0000841 MBEDTLS_PUT_UINT16_BE(0, p, 0);
Jerry Yu7399d0d2022-01-30 17:54:19 +0800842 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800843 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800844
David Horstmann71159f42023-01-03 12:51:59 +0000845 MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3,
846 p_certificate_list_len, 0);
Jerry Yu7399d0d2022-01-30 17:54:19 +0800847
Jerry Yu3e536442022-02-15 11:05:59 +0800848 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800849
Jerry Yu7de2ff02022-11-08 21:43:46 +0800850 MBEDTLS_SSL_PRINT_EXTS(
David Horstmann71159f42023-01-03 12:51:59 +0000851 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800852
David Horstmann71159f42023-01-03 12:51:59 +0000853 return 0;
Jerry Yu5cc35062022-01-28 16:16:08 +0800854}
Jerry Yu5cc35062022-01-28 16:16:08 +0800855
David Horstmann71159f42023-01-03 12:51:59 +0000856int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
Jerry Yu5cc35062022-01-28 16:16:08 +0800857{
858 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100859 unsigned char *buf;
860 size_t buf_len, msg_len;
861
David Horstmann71159f42023-01-03 12:51:59 +0000862 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
Jerry Yu5cc35062022-01-28 16:16:08 +0800863
David Horstmann71159f42023-01-03 12:51:59 +0000864 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
865 MBEDTLS_SSL_HS_CERTIFICATE, &buf,
866 &buf_len));
Jerry Yu5cc35062022-01-28 16:16:08 +0800867
David Horstmann71159f42023-01-03 12:51:59 +0000868 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
869 buf,
870 buf + buf_len,
871 &msg_len));
Jerry Yu5cc35062022-01-28 16:16:08 +0800872
David Horstmann71159f42023-01-03 12:51:59 +0000873 mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE,
874 buf, msg_len);
Jerry Yu5cc35062022-01-28 16:16:08 +0800875
David Horstmann71159f42023-01-03 12:51:59 +0000876 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
877 ssl, buf_len, msg_len));
Jerry Yu5cc35062022-01-28 16:16:08 +0800878cleanup:
879
David Horstmann71159f42023-01-03 12:51:59 +0000880 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
881 return ret;
Jerry Yu5cc35062022-01-28 16:16:08 +0800882}
883
Jerry Yu3e536442022-02-15 11:05:59 +0800884/*
885 * STATE HANDLING: Output Certificate Verify
886 */
David Horstmann71159f42023-01-03 12:51:59 +0000887int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
888 mbedtls_pk_context *key)
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800889{
David Horstmann71159f42023-01-03 12:51:59 +0000890 mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk(key);
891 size_t key_size = mbedtls_pk_get_bitlen(key);
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800892
David Horstmann71159f42023-01-03 12:51:59 +0000893 switch (pk_type) {
Jerry Yu67eced02022-02-25 13:37:36 +0800894 case MBEDTLS_SSL_SIG_ECDSA:
David Horstmann71159f42023-01-03 12:51:59 +0000895 switch (key_size) {
Jerry Yu67eced02022-02-25 13:37:36 +0800896 case 256:
David Horstmann71159f42023-01-03 12:51:59 +0000897 return
898 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800899
Jerry Yu67eced02022-02-25 13:37:36 +0800900 case 384:
David Horstmann71159f42023-01-03 12:51:59 +0000901 return
902 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800903
Jerry Yu67eced02022-02-25 13:37:36 +0800904 case 521:
David Horstmann71159f42023-01-03 12:51:59 +0000905 return
906 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
Jerry Yu67eced02022-02-25 13:37:36 +0800907 default:
Jerry Yu67eced02022-02-25 13:37:36 +0800908 break;
909 }
910 break;
Jerry Yu67eced02022-02-25 13:37:36 +0800911
Jerry Yu67eced02022-02-25 13:37:36 +0800912 case MBEDTLS_SSL_SIG_RSA:
David Horstmann71159f42023-01-03 12:51:59 +0000913 switch (sig_alg) {
Ronald Cron38391bf2022-09-16 11:19:27 +0200914 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
915 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800916 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
David Horstmann71159f42023-01-03 12:51:59 +0000917 return 1;
Jerry Yuc2e04932022-06-27 22:13:03 +0800918
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800919 default:
920 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800921 }
Jerry Yu67eced02022-02-25 13:37:36 +0800922 break;
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800923
Jerry Yu67eced02022-02-25 13:37:36 +0800924 default:
Jerry Yu67eced02022-02-25 13:37:36 +0800925 break;
926 }
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800927
David Horstmann71159f42023-01-03 12:51:59 +0000928 return 0;
Jerry Yu0c6be8f2022-06-20 20:42:00 +0800929}
930
Ronald Cronce7d76e2022-07-08 18:56:49 +0200931MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +0000932static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
933 unsigned char *buf,
934 unsigned char *end,
935 size_t *out_len)
Jerry Yu8511f122022-01-29 10:01:04 +0800936{
Ronald Cron067a1e72022-09-16 13:44:49 +0200937 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3e536442022-02-15 11:05:59 +0800938 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800939 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800940
David Horstmann71159f42023-01-03 12:51:59 +0000941 unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu8511f122022-01-29 10:01:04 +0800942 size_t handshake_hash_len;
David Horstmann71159f42023-01-03 12:51:59 +0000943 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
Jerry Yu3e536442022-02-15 11:05:59 +0800944 size_t verify_buffer_len;
Ronald Cron067a1e72022-09-16 13:44:49 +0200945
946 uint16_t *sig_alg = ssl->handshake->received_sig_algs;
Jerry Yu3e536442022-02-15 11:05:59 +0800947 size_t signature_len = 0;
Jerry Yu8511f122022-01-29 10:01:04 +0800948
Jerry Yu0b7b1012022-02-23 12:23:05 +0800949 *out_len = 0;
950
David Horstmann71159f42023-01-03 12:51:59 +0000951 own_key = mbedtls_ssl_own_key(ssl);
952 if (own_key == NULL) {
953 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
954 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu8511f122022-01-29 10:01:04 +0800955 }
956
David Horstmann71159f42023-01-03 12:51:59 +0000957 ret = mbedtls_ssl_get_handshake_transcript(ssl,
958 ssl->handshake->ciphersuite_info->mac,
959 handshake_hash,
960 sizeof(handshake_hash),
961 &handshake_hash_len);
962 if (ret != 0) {
963 return ret;
964 }
Jerry Yu8511f122022-01-29 10:01:04 +0800965
David Horstmann71159f42023-01-03 12:51:59 +0000966 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash",
967 handshake_hash,
968 handshake_hash_len);
Jerry Yu8511f122022-01-29 10:01:04 +0800969
David Horstmann71159f42023-01-03 12:51:59 +0000970 ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len,
971 verify_buffer, &verify_buffer_len,
972 ssl->conf->endpoint);
Jerry Yu8511f122022-01-29 10:01:04 +0800973
974 /*
975 * struct {
976 * SignatureScheme algorithm;
977 * opaque signature<0..2^16-1>;
978 * } CertificateVerify;
979 */
Ronald Cron067a1e72022-09-16 13:44:49 +0200980 /* Check there is space for the algorithm identifier (2 bytes) and the
981 * signature length (2 bytes).
982 */
David Horstmann71159f42023-01-03 12:51:59 +0000983 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Ronald Cron067a1e72022-09-16 13:44:49 +0200984
David Horstmann71159f42023-01-03 12:51:59 +0000985 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
Ronald Cron067a1e72022-09-16 13:44:49 +0200986 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
987 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
988 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
989 psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
990 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
991 size_t verify_hash_len;
Jerry Yu67eced02022-02-25 13:37:36 +0800992
David Horstmann71159f42023-01-03 12:51:59 +0000993 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
Ronald Cron067a1e72022-09-16 13:44:49 +0200994 continue;
David Horstmann71159f42023-01-03 12:51:59 +0000995 }
Jerry Yu67eced02022-02-25 13:37:36 +0800996
David Horstmann71159f42023-01-03 12:51:59 +0000997 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
Ronald Cron067a1e72022-09-16 13:44:49 +0200998 continue;
David Horstmann71159f42023-01-03 12:51:59 +0000999 }
Ronald Cron067a1e72022-09-16 13:44:49 +02001000
David Horstmann71159f42023-01-03 12:51:59 +00001001 if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) {
Ronald Cron067a1e72022-09-16 13:44:49 +02001002 continue;
David Horstmann71159f42023-01-03 12:51:59 +00001003 }
Ronald Cron067a1e72022-09-16 13:44:49 +02001004
David Horstmann71159f42023-01-03 12:51:59 +00001005 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
1006 *sig_alg, &pk_type, &md_alg) != 0) {
1007 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Ronald Cron067a1e72022-09-16 13:44:49 +02001008 }
1009
1010 /* Hash verify buffer with indicated hash function */
David Horstmann71159f42023-01-03 12:51:59 +00001011 psa_algorithm = mbedtls_hash_info_psa_from_md(md_alg);
1012 status = psa_hash_compute(psa_algorithm,
1013 verify_buffer,
1014 verify_buffer_len,
1015 verify_hash, sizeof(verify_hash),
1016 &verify_hash_len);
1017 if (status != PSA_SUCCESS) {
1018 return psa_ssl_status_to_mbedtls(status);
Ronald Cron067a1e72022-09-16 13:44:49 +02001019 }
1020
David Horstmann71159f42023-01-03 12:51:59 +00001021 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
1022
1023 if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
1024 md_alg, verify_hash, verify_hash_len,
1025 p + 4, (size_t) (end - (p + 4)), &signature_len,
1026 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1027 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
1028 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
1029 MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);
1030
1031 /* The signature failed. This is possible if the private key
1032 * was not suitable for the signature operation as purposely we
1033 * did not check its suitability completely. Let's try with
1034 * another signature algorithm.
1035 */
1036 continue;
1037 }
1038
1039 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s",
1040 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
Ronald Cron067a1e72022-09-16 13:44:49 +02001041
1042 break;
1043 }
1044
David Horstmann71159f42023-01-03 12:51:59 +00001045 if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) {
1046 MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm"));
1047 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1048 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1049 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu8511f122022-01-29 10:01:04 +08001050 }
1051
David Horstmann71159f42023-01-03 12:51:59 +00001052 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
1053 MBEDTLS_PUT_UINT16_BE(signature_len, p, 2);
Jerry Yuf3b46b52022-06-19 16:52:27 +08001054
Ronald Cron067a1e72022-09-16 13:44:49 +02001055 *out_len = 4 + signature_len;
Jerry Yu8c338862022-03-23 13:34:04 +08001056
David Horstmann71159f42023-01-03 12:51:59 +00001057 return 0;
Jerry Yu8511f122022-01-29 10:01:04 +08001058}
Jerry Yu8511f122022-01-29 10:01:04 +08001059
David Horstmann71159f42023-01-03 12:51:59 +00001060int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu8511f122022-01-29 10:01:04 +08001061{
1062 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +08001063 unsigned char *buf;
1064 size_t buf_len, msg_len;
1065
David Horstmann71159f42023-01-03 12:51:59 +00001066 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Jerry Yu8511f122022-01-29 10:01:04 +08001067
David Horstmann71159f42023-01-03 12:51:59 +00001068 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
1069 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf,
1070 &buf_len));
Jerry Yu8511f122022-01-29 10:01:04 +08001071
David Horstmann71159f42023-01-03 12:51:59 +00001072 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
1073 ssl, buf, buf + buf_len, &msg_len));
Jerry Yu8511f122022-01-29 10:01:04 +08001074
David Horstmann71159f42023-01-03 12:51:59 +00001075 mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1076 buf, msg_len);
Jerry Yu8511f122022-01-29 10:01:04 +08001077
David Horstmann71159f42023-01-03 12:51:59 +00001078 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1079 ssl, buf_len, msg_len));
Jerry Yu8511f122022-01-29 10:01:04 +08001080
1081cleanup:
1082
David Horstmann71159f42023-01-03 12:51:59 +00001083 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
1084 return ret;
Jerry Yu8511f122022-01-29 10:01:04 +08001085}
1086
Ronald Cron928cbd32022-10-04 16:14:26 +02001087#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu90f152d2022-01-29 22:12:42 +08001088
Jerry Yu5cc35062022-01-28 16:16:08 +08001089/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001090 *
XiaokangQianc5c39d52021-11-09 11:55:10 +00001091 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001092 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001093/*
1094 * Implementation
1095 */
1096
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001097MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +00001098static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001099{
1100 int ret;
1101
David Horstmann71159f42023-01-03 12:51:59 +00001102 ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
1103 ssl->handshake->state_local.finished_in.digest,
1104 sizeof(ssl->handshake->state_local.finished_in.
1105 digest),
1106 &ssl->handshake->state_local.finished_in.digest_len,
1107 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
1108 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
1109 if (ret != 0) {
1110 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
1111 return ret;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001112 }
1113
David Horstmann71159f42023-01-03 12:51:59 +00001114 return 0;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001115}
1116
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001117MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +00001118static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl,
1119 const unsigned char *buf,
1120 const unsigned char *end)
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001121{
XiaokangQian33062842021-11-11 03:37:45 +00001122 /*
1123 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +00001124 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +00001125 * } Finished;
1126 */
1127 const unsigned char *expected_verify_data =
1128 ssl->handshake->state_local.finished_in.digest;
1129 size_t expected_verify_data_len =
1130 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001131 /* Structural validation */
David Horstmann71159f42023-01-03 12:51:59 +00001132 if ((size_t) (end - buf) != expected_verify_data_len) {
1133 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001134
David Horstmann71159f42023-01-03 12:51:59 +00001135 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1136 MBEDTLS_ERR_SSL_DECODE_ERROR);
1137 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001138 }
1139
David Horstmann71159f42023-01-03 12:51:59 +00001140 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):",
1141 expected_verify_data,
1142 expected_verify_data_len);
1143 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf,
1144 expected_verify_data_len);
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001145
1146 /* Semantic validation */
David Horstmann71159f42023-01-03 12:51:59 +00001147 if (mbedtls_ct_memcmp(buf,
1148 expected_verify_data,
1149 expected_verify_data_len) != 0) {
1150 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001151
David Horstmann71159f42023-01-03 12:51:59 +00001152 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
1153 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1154 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001155 }
David Horstmann71159f42023-01-03 12:51:59 +00001156 return 0;
XiaokangQianaa5f5c12021-09-18 06:20:25 +00001157}
1158
David Horstmann71159f42023-01-03 12:51:59 +00001159int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
XiaokangQianc5c39d52021-11-09 11:55:10 +00001160{
XiaokangQian33062842021-11-11 03:37:45 +00001161 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +00001162 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +00001163 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +00001164
David Horstmann71159f42023-01-03 12:51:59 +00001165 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
XiaokangQianc5c39d52021-11-09 11:55:10 +00001166
David Horstmann71159f42023-01-03 12:51:59 +00001167 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
1168 MBEDTLS_SSL_HS_FINISHED,
1169 &buf, &buf_len));
Jerry Yu0a92d6c2022-05-16 16:54:46 +08001170
1171 /* Preprocessing step: Compute handshake digest */
David Horstmann71159f42023-01-03 12:51:59 +00001172 MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
Jerry Yu0a92d6c2022-05-16 16:54:46 +08001173
David Horstmann71159f42023-01-03 12:51:59 +00001174 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len));
Jerry Yu0a92d6c2022-05-16 16:54:46 +08001175
David Horstmann71159f42023-01-03 12:51:59 +00001176 mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED,
1177 buf, buf_len);
XiaokangQianc5c39d52021-11-09 11:55:10 +00001178
1179cleanup:
1180
David Horstmann71159f42023-01-03 12:51:59 +00001181 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message"));
1182 return ret;
XiaokangQianc5c39d52021-11-09 11:55:10 +00001183}
1184
XiaokangQian74af2a82021-09-22 07:40:30 +00001185/*
1186 *
XiaokangQiancc90c942021-11-09 12:30:09 +00001187 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +00001188 *
1189 */
XiaokangQian74af2a82021-09-22 07:40:30 +00001190/*
XiaokangQian35dc6252021-11-11 08:16:19 +00001191 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +00001192 */
1193
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001194MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +00001195static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl)
XiaokangQian74af2a82021-09-22 07:40:30 +00001196{
1197 int ret;
1198
1199 /* Compute transcript of handshake up to now. */
David Horstmann71159f42023-01-03 12:51:59 +00001200 ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
1201 ssl->handshake->state_local.finished_out.digest,
1202 sizeof(ssl->handshake->state_local.finished_out.
1203 digest),
1204 &ssl->handshake->state_local.finished_out.digest_len,
1205 ssl->conf->endpoint);
XiaokangQian74af2a82021-09-22 07:40:30 +00001206
David Horstmann71159f42023-01-03 12:51:59 +00001207 if (ret != 0) {
1208 MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret);
1209 return ret;
XiaokangQian74af2a82021-09-22 07:40:30 +00001210 }
1211
David Horstmann71159f42023-01-03 12:51:59 +00001212 return 0;
XiaokangQian74af2a82021-09-22 07:40:30 +00001213}
1214
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001215MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +00001216static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl,
1217 unsigned char *buf,
1218 unsigned char *end,
1219 size_t *out_len)
XiaokangQian74af2a82021-09-22 07:40:30 +00001220{
XiaokangQian8773aa02021-11-10 07:33:09 +00001221 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +00001222 /*
1223 * struct {
1224 * opaque verify_data[Hash.length];
1225 * } Finished;
1226 */
David Horstmann71159f42023-01-03 12:51:59 +00001227 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len);
XiaokangQian74af2a82021-09-22 07:40:30 +00001228
David Horstmann71159f42023-01-03 12:51:59 +00001229 memcpy(buf, ssl->handshake->state_local.finished_out.digest,
1230 verify_data_len);
XiaokangQian74af2a82021-09-22 07:40:30 +00001231
Xiaofei Baid25fab62021-12-02 06:36:27 +00001232 *out_len = verify_data_len;
David Horstmann71159f42023-01-03 12:51:59 +00001233 return 0;
XiaokangQian74af2a82021-09-22 07:40:30 +00001234}
XiaokangQianc5c39d52021-11-09 11:55:10 +00001235
XiaokangQian35dc6252021-11-11 08:16:19 +00001236/* Main entry point: orchestrates the other functions */
David Horstmann71159f42023-01-03 12:51:59 +00001237int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl)
XiaokangQian35dc6252021-11-11 08:16:19 +00001238{
1239 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1240 unsigned char *buf;
1241 size_t buf_len, msg_len;
1242
David Horstmann71159f42023-01-03 12:51:59 +00001243 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message"));
XiaokangQian35dc6252021-11-11 08:16:19 +00001244
David Horstmann71159f42023-01-03 12:51:59 +00001245 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl));
XiaokangQiandce82242021-11-15 06:01:26 +00001246
David Horstmann71159f42023-01-03 12:51:59 +00001247 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
1248 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
XiaokangQian35dc6252021-11-11 08:16:19 +00001249
David Horstmann71159f42023-01-03 12:51:59 +00001250 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
1251 ssl, buf, buf + buf_len, &msg_len));
XiaokangQian35dc6252021-11-11 08:16:19 +00001252
David Horstmann71159f42023-01-03 12:51:59 +00001253 mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED,
1254 buf, msg_len);
XiaokangQian35dc6252021-11-11 08:16:19 +00001255
David Horstmann71159f42023-01-03 12:51:59 +00001256 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1257 ssl, buf_len, msg_len));
XiaokangQian35dc6252021-11-11 08:16:19 +00001258cleanup:
1259
David Horstmann71159f42023-01-03 12:51:59 +00001260 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message"));
1261 return ret;
XiaokangQian35dc6252021-11-11 08:16:19 +00001262}
1263
David Horstmann71159f42023-01-03 12:51:59 +00001264void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu378254d2021-10-30 21:44:47 +08001265{
1266
David Horstmann71159f42023-01-03 12:51:59 +00001267 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
Jerry Yu378254d2021-10-30 21:44:47 +08001268
David Horstmann71159f42023-01-03 12:51:59 +00001269 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic"));
1270 mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application);
Jerry Yue8c1fca2022-05-18 14:48:56 +08001271
David Horstmann71159f42023-01-03 12:51:59 +00001272 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic"));
1273 mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application);
Jerry Yue8c1fca2022-05-18 14:48:56 +08001274
Jerry Yu378254d2021-10-30 21:44:47 +08001275 /*
Jerry Yucfe64f02021-11-15 13:54:06 +08001276 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +08001277 */
David Horstmann71159f42023-01-03 12:51:59 +00001278 if (ssl->session) {
1279 mbedtls_ssl_session_free(ssl->session);
1280 mbedtls_free(ssl->session);
Jerry Yu378254d2021-10-30 21:44:47 +08001281 }
1282 ssl->session = ssl->session_negotiate;
1283 ssl->session_negotiate = NULL;
1284
David Horstmann71159f42023-01-03 12:51:59 +00001285 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
Jerry Yu378254d2021-10-30 21:44:47 +08001286}
1287
Ronald Cron49ad6192021-11-24 16:25:31 +01001288/*
1289 *
1290 * STATE HANDLING: Write ChangeCipherSpec
1291 *
1292 */
1293#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001294MBEDTLS_CHECK_RETURN_CRITICAL
David Horstmann71159f42023-01-03 12:51:59 +00001295static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
1296 unsigned char *buf,
1297 unsigned char *end,
1298 size_t *olen)
Ronald Cron49ad6192021-11-24 16:25:31 +01001299{
1300 ((void) ssl);
1301
David Horstmann71159f42023-01-03 12:51:59 +00001302 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1);
Ronald Cron49ad6192021-11-24 16:25:31 +01001303 buf[0] = 1;
1304 *olen = 1;
1305
David Horstmann71159f42023-01-03 12:51:59 +00001306 return 0;
Ronald Cron49ad6192021-11-24 16:25:31 +01001307}
1308
David Horstmann71159f42023-01-03 12:51:59 +00001309int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
Ronald Cron49ad6192021-11-24 16:25:31 +01001310{
1311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1312
David Horstmann71159f42023-01-03 12:51:59 +00001313 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
Ronald Cron49ad6192021-11-24 16:25:31 +01001314
Ronald Cron49ad6192021-11-24 16:25:31 +01001315 /* Write CCS message */
David Horstmann71159f42023-01-03 12:51:59 +00001316 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
1317 ssl, ssl->out_msg,
1318 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1319 &ssl->out_msglen));
Ronald Cron49ad6192021-11-24 16:25:31 +01001320
1321 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1322
Ronald Cron49ad6192021-11-24 16:25:31 +01001323 /* Dispatch message */
David Horstmann71159f42023-01-03 12:51:59 +00001324 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
Ronald Cron49ad6192021-11-24 16:25:31 +01001325
1326cleanup:
1327
David Horstmann71159f42023-01-03 12:51:59 +00001328 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1329 return ret;
Ronald Cron49ad6192021-11-24 16:25:31 +01001330}
1331
1332#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1333
Xiaokang Qianecc29482022-11-02 07:52:47 +00001334/* Early Data Indication Extension
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001335 *
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001336 * struct {
1337 * select ( Handshake.msg_type ) {
Xiaokang Qianecc29482022-11-02 07:52:47 +00001338 * ...
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001339 * case client_hello: Empty;
1340 * case encrypted_extensions: Empty;
1341 * };
1342 * } EarlyDataIndication;
1343 */
1344#if defined(MBEDTLS_SSL_EARLY_DATA)
David Horstmann71159f42023-01-03 12:51:59 +00001345int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
1346 unsigned char *buf,
1347 const unsigned char *end,
1348 size_t *out_len)
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001349{
1350 unsigned char *p = buf;
1351 *out_len = 0;
1352 ((void) ssl);
1353
David Horstmann71159f42023-01-03 12:51:59 +00001354 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001355
David Horstmann71159f42023-01-03 12:51:59 +00001356 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
1357 MBEDTLS_PUT_UINT16_BE(0, p, 2);
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001358
1359 *out_len = 4;
Xiaokang Qian2cd5ce02022-11-15 10:33:53 +00001360
David Horstmann71159f42023-01-03 12:51:59 +00001361 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
Xiaokang Qian2cd5ce02022-11-15 10:33:53 +00001362
David Horstmann71159f42023-01-03 12:51:59 +00001363 return 0;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +00001364}
1365#endif /* MBEDTLS_SSL_EARLY_DATA */
1366
XiaokangQian78b1fa72022-01-19 06:56:30 +00001367/* Reset SSL context and update hash for handling HRR.
1368 *
1369 * Replace Transcript-Hash(X) by
1370 * Transcript-Hash( message_hash ||
1371 * 00 00 Hash.length ||
1372 * X )
1373 * A few states of the handshake are preserved, including:
1374 * - session ID
1375 * - session ticket
1376 * - negotiated ciphersuite
1377 */
David Horstmann71159f42023-01-03 12:51:59 +00001378int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
XiaokangQian78b1fa72022-01-19 06:56:30 +00001379{
1380 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Przemyslaw Stekielda645252022-09-14 12:50:51 +02001381 unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
XiaokangQian0ece9982022-01-24 08:56:23 +00001382 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +00001383 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1384 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
David Horstmann71159f42023-01-03 12:51:59 +00001385 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001386
David Horstmann71159f42023-01-03 12:51:59 +00001387 MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR"));
XiaokangQian78b1fa72022-01-19 06:56:30 +00001388
David Horstmann71159f42023-01-03 12:51:59 +00001389 ret = mbedtls_ssl_get_handshake_transcript(ssl, ciphersuite_info->mac,
1390 hash_transcript + 4,
1391 PSA_HASH_MAX_SIZE,
1392 &hash_len);
1393 if (ret != 0) {
1394 MBEDTLS_SSL_DEBUG_RET(4, "mbedtls_ssl_get_handshake_transcript", ret);
1395 return ret;
XiaokangQian0ece9982022-01-24 08:56:23 +00001396 }
1397
1398 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1399 hash_transcript[1] = 0;
1400 hash_transcript[2] = 0;
1401 hash_transcript[3] = (unsigned char) hash_len;
1402
1403 hash_len += 4;
1404
Przemek Stekiel9dfbf3a2022-09-06 07:40:46 +02001405#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
David Horstmann71159f42023-01-03 12:51:59 +00001406 if (ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
1407 MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-256 handshake transcript",
1408 hash_transcript, hash_len);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001409
1410#if defined(MBEDTLS_USE_PSA_CRYPTO)
David Horstmann71159f42023-01-03 12:51:59 +00001411 psa_hash_abort(&ssl->handshake->fin_sha256_psa);
1412 psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001413#else
David Horstmann71159f42023-01-03 12:51:59 +00001414 mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001415#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +00001416 }
Przemek Stekiel9dfbf3a2022-09-06 07:40:46 +02001417#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
1418#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
David Horstmann71159f42023-01-03 12:51:59 +00001419 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
1420 MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-384 handshake transcript",
1421 hash_transcript, hash_len);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001422
1423#if defined(MBEDTLS_USE_PSA_CRYPTO)
David Horstmann71159f42023-01-03 12:51:59 +00001424 psa_hash_abort(&ssl->handshake->fin_sha384_psa);
1425 psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001426#else
David Horstmann71159f42023-01-03 12:51:59 +00001427 mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
XiaokangQian78b1fa72022-01-19 06:56:30 +00001428#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +00001429 }
Przemek Stekiel9dfbf3a2022-09-06 07:40:46 +02001430#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
David Horstmann71159f42023-01-03 12:51:59 +00001431#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
1432 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
1433 ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
1434#endif \
1435 /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +01001436
David Horstmann71159f42023-01-03 12:51:59 +00001437 return ret;
XiaokangQian78b1fa72022-01-19 06:56:30 +00001438}
1439
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001440#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001441
David Horstmann71159f42023-01-03 12:51:59 +00001442int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
1443 const unsigned char *buf,
1444 size_t buf_len)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001445{
David Horstmann71159f42023-01-03 12:51:59 +00001446 uint8_t *p = (uint8_t *) buf;
XiaokangQiancfd925f2022-04-14 07:10:37 +00001447 const uint8_t *end = buf + buf_len;
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001448 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001449
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001450 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
David Horstmann71159f42023-01-03 12:51:59 +00001451 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1452 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001453 p += 2;
XiaokangQian3207a322022-02-23 03:15:27 +00001454
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001455 /* Check if key size is consistent with given buffer length. */
David Horstmann71159f42023-01-03 12:51:59 +00001456 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001457
1458 /* Store peer's ECDH public key. */
David Horstmann71159f42023-01-03 12:51:59 +00001459 memcpy(handshake->ecdh_psa_peerkey, p, peerkey_len);
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001460 handshake->ecdh_psa_peerkey_len = peerkey_len;
1461
David Horstmann71159f42023-01-03 12:51:59 +00001462 return 0;
XiaokangQian3207a322022-02-23 03:15:27 +00001463}
Jerry Yu89e103c2022-03-30 22:43:29 +08001464
1465int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
David Horstmann71159f42023-01-03 12:51:59 +00001466 mbedtls_ssl_context *ssl,
1467 uint16_t named_group,
1468 unsigned char *buf,
1469 unsigned char *end,
1470 size_t *out_len)
Jerry Yu89e103c2022-03-30 22:43:29 +08001471{
1472 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1473 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1474 psa_key_attributes_t key_attributes;
1475 size_t own_pubkey_len;
1476 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1477 size_t ecdh_bits = 0;
1478
David Horstmann71159f42023-01-03 12:51:59 +00001479 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Jerry Yu89e103c2022-03-30 22:43:29 +08001480
1481 /* Convert EC group to PSA key type. */
David Horstmann71159f42023-01-03 12:51:59 +00001482 if ((handshake->ecdh_psa_type =
1483 mbedtls_psa_parse_tls_ecc_group(named_group, &ecdh_bits)) == 0) {
1484 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1485 }
Jerry Yu89e103c2022-03-30 22:43:29 +08001486
1487 ssl->handshake->ecdh_bits = ecdh_bits;
1488
1489 key_attributes = psa_key_attributes_init();
David Horstmann71159f42023-01-03 12:51:59 +00001490 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
1491 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
1492 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
1493 psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
Jerry Yu89e103c2022-03-30 22:43:29 +08001494
1495 /* Generate ECDH private key. */
David Horstmann71159f42023-01-03 12:51:59 +00001496 status = psa_generate_key(&key_attributes,
1497 &handshake->ecdh_psa_privkey);
1498 if (status != PSA_SUCCESS) {
1499 ret = psa_ssl_status_to_mbedtls(status);
1500 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
1501 return ret;
Jerry Yu89e103c2022-03-30 22:43:29 +08001502
1503 }
1504
1505 /* Export the public part of the ECDH private key from PSA. */
David Horstmann71159f42023-01-03 12:51:59 +00001506 status = psa_export_public_key(handshake->ecdh_psa_privkey,
1507 buf, (size_t) (end - buf),
1508 &own_pubkey_len);
1509 if (status != PSA_SUCCESS) {
1510 ret = psa_ssl_status_to_mbedtls(status);
1511 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
1512 return ret;
Jerry Yu89e103c2022-03-30 22:43:29 +08001513
1514 }
1515
1516 *out_len = own_pubkey_len;
1517
David Horstmann71159f42023-01-03 12:51:59 +00001518 return 0;
Jerry Yu89e103c2022-03-30 22:43:29 +08001519}
XiaokangQian9b5d04b2022-04-10 10:20:43 +00001520#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +00001521
Jerry Yu0c354a22022-08-29 15:25:36 +08001522/* RFC 8446 section 4.2
1523 *
1524 * If an implementation receives an extension which it recognizes and which is
1525 * not specified for the message in which it appears, it MUST abort the handshake
1526 * with an "illegal_parameter" alert.
1527 *
1528 */
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001529int mbedtls_ssl_tls13_check_received_extension(
David Horstmann71159f42023-01-03 12:51:59 +00001530 mbedtls_ssl_context *ssl,
1531 int hs_msg_type,
1532 unsigned int received_extension_type,
1533 uint32_t hs_msg_allowed_extensions_mask)
Jerry Yu0c354a22022-08-29 15:25:36 +08001534{
Jerry Yudf0ad652022-10-31 13:20:57 +08001535 uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
David Horstmann71159f42023-01-03 12:51:59 +00001536 received_extension_type);
Jerry Yu0c354a22022-08-29 15:25:36 +08001537
Jerry Yu79aa7212022-11-08 21:30:21 +08001538 MBEDTLS_SSL_PRINT_EXT(
David Horstmann71159f42023-01-03 12:51:59 +00001539 3, hs_msg_type, received_extension_type, "received");
Jerry Yu0c354a22022-08-29 15:25:36 +08001540
David Horstmann71159f42023-01-03 12:51:59 +00001541 if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) {
Jerry Yu79aa7212022-11-08 21:30:21 +08001542 MBEDTLS_SSL_PRINT_EXT(
David Horstmann71159f42023-01-03 12:51:59 +00001543 3, hs_msg_type, received_extension_type, "is illegal");
Jerry Yu0c354a22022-08-29 15:25:36 +08001544 MBEDTLS_SSL_PEND_FATAL_ALERT(
1545 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
David Horstmann71159f42023-01-03 12:51:59 +00001546 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1547 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu0c354a22022-08-29 15:25:36 +08001548 }
1549
1550 ssl->handshake->received_extensions |= extension_mask;
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001551 /*
1552 * If it is a message containing extension responses, check that we
1553 * previously sent the extension.
1554 */
David Horstmann71159f42023-01-03 12:51:59 +00001555 switch (hs_msg_type) {
Jerry Yu0c354a22022-08-29 15:25:36 +08001556 case MBEDTLS_SSL_HS_SERVER_HELLO:
Jerry Yudf0ad652022-10-31 13:20:57 +08001557 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
Jerry Yu0c354a22022-08-29 15:25:36 +08001558 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
1559 case MBEDTLS_SSL_HS_CERTIFICATE:
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001560 /* Check if the received extension is sent by peer message.*/
David Horstmann71159f42023-01-03 12:51:59 +00001561 if ((ssl->handshake->sent_extensions & extension_mask) != 0) {
1562 return 0;
1563 }
Jerry Yu0c354a22022-08-29 15:25:36 +08001564 break;
1565 default:
David Horstmann71159f42023-01-03 12:51:59 +00001566 return 0;
Jerry Yu0c354a22022-08-29 15:25:36 +08001567 }
1568
Jerry Yu79aa7212022-11-08 21:30:21 +08001569 MBEDTLS_SSL_PRINT_EXT(
David Horstmann71159f42023-01-03 12:51:59 +00001570 3, hs_msg_type, received_extension_type, "is unsupported");
Jerry Yu0c354a22022-08-29 15:25:36 +08001571 MBEDTLS_SSL_PEND_FATAL_ALERT(
1572 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
David Horstmann71159f42023-01-03 12:51:59 +00001573 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
1574 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Jerry Yu0c354a22022-08-29 15:25:36 +08001575}
1576
Jerry Yufb4b6472022-01-27 15:03:26 +08001577#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */