Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 1 | /* |
| 2 | * TLS 1.3 functionality shared between client and server |
| 3 | * |
| 4 | * Copyright The Mbed TLS Contributors |
| 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| 18 | */ |
| 19 | |
| 20 | #include "common.h" |
| 21 | |
Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 22 | #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 23 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 24 | #include <string.h> |
| 25 | |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 26 | #include "mbedtls/error.h" |
Jerry Yu | 7533635 | 2021-09-01 15:59:36 +0800 | [diff] [blame] | 27 | #include "mbedtls/debug.h" |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 28 | #include "mbedtls/oid.h" |
| 29 | #include "mbedtls/platform.h" |
Gabor Mezei | 685472b | 2021-11-24 11:17:36 +0100 | [diff] [blame] | 30 | #include "mbedtls/constant_time.h" |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 31 | #include <string.h> |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 32 | |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 33 | #include "ssl_misc.h" |
Ronald Cron | e3dac4a | 2022-06-10 17:21:51 +0200 | [diff] [blame] | 34 | #include "ssl_tls13_invasive.h" |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 35 | #include "ssl_tls13_keys.h" |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 36 | #include "ssl_debug_helpers.h" |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 37 | |
pespacek | a137810 | 2022-04-26 15:03:11 +0200 | [diff] [blame] | 38 | #include "psa/crypto.h" |
| 39 | #include "mbedtls/psa_util.h" |
| 40 | |
Jerry Yu | fbe3e64 | 2022-04-25 19:31:51 +0800 | [diff] [blame] | 41 | const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 42 | MBEDTLS_SERVER_HELLO_RANDOM_LEN] = |
| 43 | { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, |
| 44 | 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, |
| 45 | 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, |
| 46 | 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C }; |
Jerry Yu | 93a13f2 | 2022-04-11 23:00:01 +0800 | [diff] [blame] | 47 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 48 | int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, |
| 49 | unsigned hs_type, |
| 50 | unsigned char **buf, |
| 51 | size_t *buf_len) |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 52 | { |
| 53 | int ret; |
| 54 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 55 | if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { |
| 56 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 57 | goto cleanup; |
| 58 | } |
| 59 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 60 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 61 | ssl->in_msg[0] != hs_type) { |
| 62 | MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message.")); |
| 63 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, |
| 64 | MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 65 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 66 | goto cleanup; |
| 67 | } |
| 68 | |
XiaokangQian | 05420b1 | 2021-09-29 08:46:37 +0000 | [diff] [blame] | 69 | /* |
| 70 | * Jump handshake header (4 bytes, see Section 4 of RFC 8446). |
| 71 | * ... |
| 72 | * HandshakeType msg_type; |
| 73 | * uint24 length; |
| 74 | * ... |
| 75 | */ |
Xiaofei Bai | eef1504 | 2021-11-18 07:29:56 +0000 | [diff] [blame] | 76 | *buf = ssl->in_msg + 4; |
| 77 | *buf_len = ssl->in_hslen - 4; |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 78 | |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 79 | cleanup: |
| 80 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 81 | return ret; |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 82 | } |
| 83 | |
Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 84 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 85 | /* |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 86 | * STATE HANDLING: Read CertificateVerify |
| 87 | */ |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 88 | /* Macro to express the maximum length of the verify structure. |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 89 | * |
| 90 | * The structure is computed per TLS 1.3 specification as: |
| 91 | * - 64 bytes of octet 32, |
| 92 | * - 33 bytes for the context string |
| 93 | * (which is either "TLS 1.3, client CertificateVerify" |
| 94 | * or "TLS 1.3, server CertificateVerify"), |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 95 | * - 1 byte for the octet 0x0, which serves as a separator, |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 96 | * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate) |
| 97 | * (depending on the size of the transcript_hash) |
| 98 | * |
| 99 | * This results in a total size of |
| 100 | * - 130 bytes for a SHA256-based transcript hash, or |
| 101 | * (64 + 33 + 1 + 32 bytes) |
| 102 | * - 146 bytes for a SHA384-based transcript hash. |
| 103 | * (64 + 33 + 1 + 48 bytes) |
| 104 | * |
| 105 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 106 | #define SSL_VERIFY_STRUCT_MAX_SIZE (64 + \ |
| 107 | 33 + \ |
| 108 | 1 + \ |
| 109 | MBEDTLS_TLS1_3_MD_MAX_SIZE \ |
| 110 | ) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 111 | |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 112 | /* |
| 113 | * The ssl_tls13_create_verify_structure() creates the verify structure. |
| 114 | * As input, it requires the transcript hash. |
| 115 | * |
| 116 | * The caller has to ensure that the buffer has size at least |
| 117 | * SSL_VERIFY_STRUCT_MAX_SIZE bytes. |
| 118 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 119 | static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash, |
| 120 | size_t transcript_hash_len, |
| 121 | unsigned char *verify_buffer, |
| 122 | size_t *verify_buffer_len, |
| 123 | int from) |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 124 | { |
| 125 | size_t idx; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 126 | |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 127 | /* RFC 8446, Section 4.4.3: |
| 128 | * |
| 129 | * The digital signature [in the CertificateVerify message] is then |
| 130 | * computed over the concatenation of: |
| 131 | * - A string that consists of octet 32 (0x20) repeated 64 times |
| 132 | * - The context string |
| 133 | * - A single 0 byte which serves as the separator |
| 134 | * - The content to be signed |
| 135 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 136 | memset(verify_buffer, 0x20, 64); |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 137 | idx = 64; |
| 138 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 139 | if (from == MBEDTLS_SSL_IS_CLIENT) { |
| 140 | memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(client_cv)); |
| 141 | idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv); |
| 142 | } else { /* from == MBEDTLS_SSL_IS_SERVER */ |
| 143 | memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(server_cv)); |
| 144 | idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv); |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 145 | } |
| 146 | |
| 147 | verify_buffer[idx++] = 0x0; |
| 148 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 149 | memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len); |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 150 | idx += transcript_hash_len; |
| 151 | |
| 152 | *verify_buffer_len = idx; |
| 153 | } |
| 154 | |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 155 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 156 | static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, |
| 157 | const unsigned char *buf, |
| 158 | const unsigned char *end, |
| 159 | const unsigned char *verify_buffer, |
| 160 | size_t verify_buffer_len) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 161 | { |
| 162 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
pespacek | a137810 | 2022-04-26 15:03:11 +0200 | [diff] [blame] | 163 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 164 | const unsigned char *p = buf; |
| 165 | uint16_t algorithm; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 166 | size_t signature_len; |
| 167 | mbedtls_pk_type_t sig_alg; |
| 168 | mbedtls_md_type_t md_alg; |
pespacek | a137810 | 2022-04-26 15:03:11 +0200 | [diff] [blame] | 169 | psa_algorithm_t hash_alg = PSA_ALG_NONE; |
| 170 | unsigned char verify_hash[PSA_HASH_MAX_SIZE]; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 171 | size_t verify_hash_len; |
| 172 | |
Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 173 | void const *options = NULL; |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 174 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 175 | mbedtls_pk_rsassa_pss_options rsassa_pss_options; |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 176 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
| 177 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 178 | /* |
| 179 | * struct { |
| 180 | * SignatureScheme algorithm; |
| 181 | * opaque signature<0..2^16-1>; |
| 182 | * } CertificateVerify; |
| 183 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 184 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 185 | algorithm = MBEDTLS_GET_UINT16_BE(p, 0); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 186 | p += 2; |
| 187 | |
| 188 | /* RFC 8446 section 4.4.3 |
| 189 | * |
| 190 | * If the CertificateVerify message is sent by a server, the signature algorithm |
| 191 | * MUST be one offered in the client's "signature_algorithms" extension unless |
| 192 | * no valid certificate chain can be produced without unsupported algorithms |
| 193 | * |
| 194 | * RFC 8446 section 4.4.2.2 |
| 195 | * |
| 196 | * If the client cannot construct an acceptable chain using the provided |
| 197 | * certificates and decides to abort the handshake, then it MUST abort the handshake |
| 198 | * with an appropriate certificate-related alert (by default, "unsupported_certificate"). |
| 199 | * |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 200 | * Check if algorithm is an offered signature algorithm. |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 201 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 202 | if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) { |
Jerry Yu | 982d9e5 | 2021-10-14 15:59:37 +0800 | [diff] [blame] | 203 | /* algorithm not in offered signature algorithms list */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 204 | MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not " |
| 205 | "offered.", |
| 206 | (unsigned int) algorithm)); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 207 | goto error; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 208 | } |
| 209 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 210 | if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( |
| 211 | algorithm, &sig_alg, &md_alg) != 0) { |
Jerry Yu | 8c33886 | 2022-03-23 13:34:04 +0800 | [diff] [blame] | 212 | goto error; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 213 | } |
| 214 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 215 | hash_alg = mbedtls_hash_info_psa_from_md(md_alg); |
| 216 | if (hash_alg == 0) { |
pespacek | a137810 | 2022-04-26 15:03:11 +0200 | [diff] [blame] | 217 | goto error; |
| 218 | } |
| 219 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 220 | MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )", |
| 221 | (unsigned int) algorithm)); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 222 | |
| 223 | /* |
| 224 | * Check the certificate's key type matches the signature alg |
| 225 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 226 | if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) { |
| 227 | MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key")); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 228 | goto error; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 229 | } |
| 230 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 231 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 232 | signature_len = MBEDTLS_GET_UINT16_BE(p, 0); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 233 | p += 2; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 234 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 235 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 236 | status = psa_hash_compute(hash_alg, |
| 237 | verify_buffer, |
| 238 | verify_buffer_len, |
| 239 | verify_hash, |
| 240 | sizeof(verify_hash), |
| 241 | &verify_hash_len); |
| 242 | if (status != PSA_SUCCESS) { |
| 243 | MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 244 | goto error; |
Jerry Yu | 133690c | 2021-10-25 14:01:13 +0800 | [diff] [blame] | 245 | } |
| 246 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 247 | MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 248 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 249 | if (sig_alg == MBEDTLS_PK_RSASSA_PSS) { |
Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 250 | rsassa_pss_options.mgf1_hash_id = md_alg; |
Przemek Stekiel | 6a5e018 | 2022-06-27 11:53:13 +0200 | [diff] [blame] | 251 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 252 | rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg); |
| 253 | options = (const void *) &rsassa_pss_options; |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 254 | } |
| 255 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 256 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 257 | if ((ret = mbedtls_pk_verify_ext(sig_alg, options, |
| 258 | &ssl->session_negotiate->peer_cert->pk, |
| 259 | md_alg, verify_hash, verify_hash_len, |
| 260 | p, signature_len)) == 0) { |
| 261 | return 0; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 262 | } |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 263 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 264 | |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 265 | error: |
| 266 | /* RFC 8446 section 4.4.3 |
| 267 | * |
| 268 | * If the verification fails, the receiver MUST terminate the handshake |
| 269 | * with a "decrypt_error" alert. |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 270 | */ |
| 271 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, |
| 272 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
| 273 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 274 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 275 | } |
Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 276 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 277 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 278 | int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 279 | { |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 280 | |
Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 281 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 282 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 283 | unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; |
| 284 | size_t verify_buffer_len; |
| 285 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
| 286 | size_t transcript_len; |
| 287 | unsigned char *buf; |
| 288 | size_t buf_len; |
| 289 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 290 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 291 | |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 292 | MBEDTLS_SSL_PROC_CHK( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 293 | mbedtls_ssl_tls13_fetch_handshake_msg(ssl, |
| 294 | MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len)); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 295 | |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 296 | /* Need to calculate the hash of the transcript first |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 297 | * before reading the message since otherwise it gets |
| 298 | * included in the transcript |
| 299 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 300 | ret = mbedtls_ssl_get_handshake_transcript(ssl, |
| 301 | ssl->handshake->ciphersuite_info->mac, |
| 302 | transcript, sizeof(transcript), |
| 303 | &transcript_len); |
| 304 | if (ret != 0) { |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 305 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 306 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 307 | MBEDTLS_ERR_SSL_INTERNAL_ERROR); |
| 308 | return ret; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 309 | } |
| 310 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 311 | MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len); |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 312 | |
| 313 | /* Create verify structure */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 314 | ssl_tls13_create_verify_structure(transcript, |
| 315 | transcript_len, |
| 316 | verify_buffer, |
| 317 | &verify_buffer_len, |
| 318 | (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ? |
| 319 | MBEDTLS_SSL_IS_SERVER : |
| 320 | MBEDTLS_SSL_IS_CLIENT); |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 321 | |
| 322 | /* Process the message contents */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 323 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(ssl, buf, |
| 324 | buf + buf_len, verify_buffer, |
| 325 | verify_buffer_len)); |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 326 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 327 | mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, |
| 328 | buf, buf_len); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 329 | |
| 330 | cleanup: |
| 331 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 332 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); |
| 333 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret); |
| 334 | return ret; |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 335 | #else |
| 336 | ((void) ssl); |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 337 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 338 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 339 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 340 | } |
| 341 | |
| 342 | /* |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 343 | * |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 344 | * STATE HANDLING: Incoming Certificate. |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 345 | * |
| 346 | */ |
| 347 | |
Ronald Cron | de08cf3 | 2022-10-04 17:15:35 +0200 | [diff] [blame] | 348 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 349 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 350 | /* |
| 351 | * Structure of Certificate message: |
| 352 | * |
| 353 | * enum { |
| 354 | * X509(0), |
| 355 | * RawPublicKey(2), |
| 356 | * (255) |
| 357 | * } CertificateType; |
| 358 | * |
| 359 | * struct { |
| 360 | * select (certificate_type) { |
| 361 | * case RawPublicKey: |
| 362 | * * From RFC 7250 ASN.1_subjectPublicKeyInfo * |
| 363 | * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; |
| 364 | * case X509: |
| 365 | * opaque cert_data<1..2^24-1>; |
| 366 | * }; |
| 367 | * Extension extensions<0..2^16-1>; |
| 368 | * } CertificateEntry; |
| 369 | * |
| 370 | * struct { |
| 371 | * opaque certificate_request_context<0..2^8-1>; |
| 372 | * CertificateEntry certificate_list<0..2^24-1>; |
| 373 | * } Certificate; |
| 374 | * |
| 375 | */ |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 376 | |
| 377 | /* Parse certificate chain send by the server. */ |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 378 | MBEDTLS_CHECK_RETURN_CRITICAL |
Ronald Cron | e3dac4a | 2022-06-10 17:21:51 +0200 | [diff] [blame] | 379 | MBEDTLS_STATIC_TESTABLE |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 380 | int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, |
| 381 | const unsigned char *buf, |
| 382 | const unsigned char *end) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 383 | { |
| 384 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 385 | size_t certificate_request_context_len = 0; |
| 386 | size_t certificate_list_len = 0; |
| 387 | const unsigned char *p = buf; |
| 388 | const unsigned char *certificate_list_end; |
Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 389 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 390 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 391 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 392 | certificate_request_context_len = p[0]; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 393 | certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1); |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 394 | p += 4; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 395 | |
| 396 | /* In theory, the certificate list can be up to 2^24 Bytes, but we don't |
| 397 | * support anything beyond 2^16 = 64K. |
| 398 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 399 | if ((certificate_request_context_len != 0) || |
| 400 | (certificate_list_len >= 0x10000)) { |
| 401 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); |
| 402 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 403 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 404 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 405 | } |
| 406 | |
| 407 | /* In case we tried to reuse a session but it failed */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 408 | if (ssl->session_negotiate->peer_cert != NULL) { |
| 409 | mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert); |
| 410 | mbedtls_free(ssl->session_negotiate->peer_cert); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 411 | } |
| 412 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 413 | if (certificate_list_len == 0) { |
XiaokangQian | c3017f6 | 2022-05-13 05:55:41 +0000 | [diff] [blame] | 414 | ssl->session_negotiate->peer_cert = NULL; |
| 415 | ret = 0; |
| 416 | goto exit; |
| 417 | } |
| 418 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 419 | if ((ssl->session_negotiate->peer_cert = |
| 420 | mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) { |
| 421 | MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed", |
| 422 | sizeof(mbedtls_x509_crt))); |
| 423 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, |
| 424 | MBEDTLS_ERR_SSL_ALLOC_FAILED); |
| 425 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 426 | } |
| 427 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 428 | mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 429 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 430 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 431 | certificate_list_end = p + certificate_list_len; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 432 | while (p < certificate_list_end) { |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 433 | size_t cert_data_len, extensions_len; |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 434 | const unsigned char *extensions_end; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 435 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 436 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3); |
| 437 | cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 438 | p += 3; |
| 439 | |
| 440 | /* In theory, the CRT can be up to 2^24 Bytes, but we don't support |
| 441 | * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code, |
| 442 | * check that we have a minimum of 128 bytes of data, this is not |
| 443 | * clear why we need that though. |
| 444 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 445 | if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) { |
| 446 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message")); |
| 447 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 448 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 449 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 450 | } |
| 451 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 452 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len); |
| 453 | ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert, |
| 454 | p, cert_data_len); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 455 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 456 | switch (ret) { |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 457 | case 0: /*ok*/ |
| 458 | break; |
| 459 | case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: |
| 460 | /* Ignore certificate with an unknown algorithm: maybe a |
| 461 | prior certificate was already trusted. */ |
| 462 | break; |
| 463 | |
| 464 | case MBEDTLS_ERR_X509_ALLOC_FAILED: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 465 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, |
| 466 | MBEDTLS_ERR_X509_ALLOC_FAILED); |
| 467 | MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); |
| 468 | return ret; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 469 | |
| 470 | case MBEDTLS_ERR_X509_UNKNOWN_VERSION: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 471 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, |
| 472 | MBEDTLS_ERR_X509_UNKNOWN_VERSION); |
| 473 | MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); |
| 474 | return ret; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 475 | |
| 476 | default: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 477 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, |
| 478 | ret); |
| 479 | MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); |
| 480 | return ret; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 481 | } |
| 482 | |
| 483 | p += cert_data_len; |
| 484 | |
| 485 | /* Certificate extensions length */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 486 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2); |
| 487 | extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 488 | p += 2; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 489 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len); |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 490 | |
| 491 | extensions_end = p + extensions_len; |
Jerry Yu | 0d5cfb7 | 2022-10-31 14:15:48 +0800 | [diff] [blame] | 492 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 493 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 494 | while (p < extensions_end) { |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 495 | unsigned int extension_type; |
| 496 | size_t extension_data_len; |
| 497 | |
| 498 | /* |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 499 | * struct { |
| 500 | * ExtensionType extension_type; (2 bytes) |
| 501 | * opaque extension_data<0..2^16-1>; |
| 502 | * } Extension; |
| 503 | */ |
| 504 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); |
| 505 | extension_type = MBEDTLS_GET_UINT16_BE(p, 0); |
| 506 | extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 507 | p += 4; |
| 508 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 509 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 510 | |
Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 511 | ret = mbedtls_ssl_tls13_check_received_extension( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 512 | ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, |
| 513 | MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT); |
| 514 | if (ret != 0) { |
| 515 | return ret; |
| 516 | } |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 517 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 518 | switch (extension_type) { |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 519 | default: |
Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 520 | MBEDTLS_SSL_PRINT_EXT( |
Jerry Yu | 0d5cfb7 | 2022-10-31 14:15:48 +0800 | [diff] [blame] | 521 | 3, MBEDTLS_SSL_HS_CERTIFICATE, |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 522 | extension_type, "( ignored )"); |
Jerry Yu | 2eaa760 | 2022-08-04 17:28:15 +0800 | [diff] [blame] | 523 | break; |
| 524 | } |
| 525 | |
| 526 | p += extension_data_len; |
| 527 | } |
| 528 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 529 | MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE, |
| 530 | handshake->received_extensions); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 531 | } |
| 532 | |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 533 | exit: |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 534 | /* Check that all the message is consumed. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 535 | if (p != end) { |
| 536 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message")); |
| 537 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 538 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 539 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 540 | } |
| 541 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 542 | MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", ssl->session_negotiate->peer_cert); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 543 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 544 | return ret; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 545 | } |
| 546 | #else |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 547 | MBEDTLS_CHECK_RETURN_CRITICAL |
Ronald Cron | e3dac4a | 2022-06-10 17:21:51 +0200 | [diff] [blame] | 548 | MBEDTLS_STATIC_TESTABLE |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 549 | int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, |
| 550 | const unsigned char *buf, |
| 551 | const unsigned char *end) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 552 | { |
| 553 | ((void) ssl); |
| 554 | ((void) buf); |
| 555 | ((void) end); |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 556 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 557 | } |
| 558 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
Ronald Cron | de08cf3 | 2022-10-04 17:15:35 +0200 | [diff] [blame] | 559 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 560 | |
Ronald Cron | de08cf3 | 2022-10-04 17:15:35 +0200 | [diff] [blame] | 561 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 562 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 563 | /* Validate certificate chain sent by the server. */ |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 564 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 565 | static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 566 | { |
| 567 | int ret = 0; |
XiaokangQian | 989f06d | 2022-05-17 01:50:15 +0000 | [diff] [blame] | 568 | int authmode = MBEDTLS_SSL_VERIFY_REQUIRED; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 569 | mbedtls_x509_crt *ca_chain; |
| 570 | mbedtls_x509_crl *ca_crl; |
Ronald Cron | 30c5a25 | 2022-06-16 19:31:06 +0200 | [diff] [blame] | 571 | const char *ext_oid; |
| 572 | size_t ext_len; |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 573 | uint32_t verify_result = 0; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 574 | |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 575 | /* If SNI was used, overwrite authentication mode |
| 576 | * from the configuration. */ |
XiaokangQian | 989f06d | 2022-05-17 01:50:15 +0000 | [diff] [blame] | 577 | #if defined(MBEDTLS_SSL_SRV_C) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 578 | if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { |
XiaokangQian | 0557c94 | 2022-05-30 08:10:53 +0000 | [diff] [blame] | 579 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 580 | if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { |
XiaokangQian | 0557c94 | 2022-05-30 08:10:53 +0000 | [diff] [blame] | 581 | authmode = ssl->handshake->sni_authmode; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 582 | } else |
XiaokangQian | 0557c94 | 2022-05-30 08:10:53 +0000 | [diff] [blame] | 583 | #endif |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 584 | authmode = ssl->conf->authmode; |
XiaokangQian | 0557c94 | 2022-05-30 08:10:53 +0000 | [diff] [blame] | 585 | } |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 586 | #endif |
| 587 | |
| 588 | /* |
XiaokangQian | 989f06d | 2022-05-17 01:50:15 +0000 | [diff] [blame] | 589 | * If the peer hasn't sent a certificate ( i.e. it sent |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 590 | * an empty certificate chain ), this is reflected in the peer CRT |
| 591 | * structure being unset. |
| 592 | * Check for that and handle it depending on the |
XiaokangQian | 989f06d | 2022-05-17 01:50:15 +0000 | [diff] [blame] | 593 | * authentication mode. |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 594 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 595 | if (ssl->session_negotiate->peer_cert == NULL) { |
| 596 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); |
XiaokangQian | 989f06d | 2022-05-17 01:50:15 +0000 | [diff] [blame] | 597 | |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 598 | #if defined(MBEDTLS_SSL_SRV_C) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 599 | if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 600 | /* The client was asked for a certificate but didn't send |
| 601 | * one. The client should know what's going on, so we |
| 602 | * don't send an alert. |
| 603 | */ |
| 604 | ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 605 | if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) { |
| 606 | return 0; |
| 607 | } else { |
| 608 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT, |
| 609 | MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE); |
| 610 | return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; |
XiaokangQian | 989f06d | 2022-05-17 01:50:15 +0000 | [diff] [blame] | 611 | } |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 612 | } |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 613 | #endif /* MBEDTLS_SSL_SRV_C */ |
| 614 | |
XiaokangQian | c3017f6 | 2022-05-13 05:55:41 +0000 | [diff] [blame] | 615 | #if defined(MBEDTLS_SSL_CLI_C) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 616 | if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { |
| 617 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT, |
| 618 | MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE); |
| 619 | return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE; |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 620 | } |
XiaokangQian | c3017f6 | 2022-05-13 05:55:41 +0000 | [diff] [blame] | 621 | #endif /* MBEDTLS_SSL_CLI_C */ |
XiaokangQian | 63e713e | 2022-05-15 04:26:57 +0000 | [diff] [blame] | 622 | } |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 623 | |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 624 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 625 | if (ssl->handshake->sni_ca_chain != NULL) { |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 626 | ca_chain = ssl->handshake->sni_ca_chain; |
| 627 | ca_crl = ssl->handshake->sni_ca_crl; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 628 | } else |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 629 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| 630 | { |
| 631 | ca_chain = ssl->conf->ca_chain; |
| 632 | ca_crl = ssl->conf->ca_crl; |
| 633 | } |
| 634 | |
| 635 | /* |
| 636 | * Main check: verify certificate |
| 637 | */ |
| 638 | ret = mbedtls_x509_crt_verify_with_profile( |
| 639 | ssl->session_negotiate->peer_cert, |
| 640 | ca_chain, ca_crl, |
| 641 | ssl->conf->cert_profile, |
| 642 | ssl->hostname, |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 643 | &verify_result, |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 644 | ssl->conf->f_vrfy, ssl->conf->p_vrfy); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 645 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 646 | if (ret != 0) { |
| 647 | MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 648 | } |
| 649 | |
| 650 | /* |
| 651 | * Secondary checks: always done, but change 'ret' only if it was 0 |
| 652 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 653 | if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { |
Ronald Cron | 30c5a25 | 2022-06-16 19:31:06 +0200 | [diff] [blame] | 654 | ext_oid = MBEDTLS_OID_SERVER_AUTH; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 655 | ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); |
| 656 | } else { |
Ronald Cron | 30c5a25 | 2022-06-16 19:31:06 +0200 | [diff] [blame] | 657 | ext_oid = MBEDTLS_OID_CLIENT_AUTH; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 658 | ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); |
Ronald Cron | 30c5a25 | 2022-06-16 19:31:06 +0200 | [diff] [blame] | 659 | } |
| 660 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 661 | if ((mbedtls_x509_crt_check_key_usage( |
| 662 | ssl->session_negotiate->peer_cert, |
| 663 | MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) || |
| 664 | (mbedtls_x509_crt_check_extended_key_usage( |
| 665 | ssl->session_negotiate->peer_cert, |
| 666 | ext_oid, ext_len) != 0)) { |
| 667 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); |
| 668 | if (ret == 0) { |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 669 | ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 670 | } |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 671 | } |
| 672 | |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 673 | /* mbedtls_x509_crt_verify_with_profile is supposed to report a |
| 674 | * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, |
| 675 | * with details encoded in the verification flags. All other kinds |
| 676 | * of error codes, including those from the user provided f_vrfy |
| 677 | * functions, are treated as fatal and lead to a failure of |
Ronald Cron | e3dac4a | 2022-06-10 17:21:51 +0200 | [diff] [blame] | 678 | * mbedtls_ssl_tls13_parse_certificate even if verification was optional. |
| 679 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 680 | if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && |
| 681 | (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || |
| 682 | ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { |
XiaokangQian | 6b916b1 | 2022-04-25 07:29:34 +0000 | [diff] [blame] | 683 | ret = 0; |
| 684 | } |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 685 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 686 | if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { |
| 687 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 688 | ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; |
| 689 | } |
| 690 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 691 | if (ret != 0) { |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 692 | /* The certificate may have been rejected for several reasons. |
| 693 | Pick one and send the corresponding alert. Which alert to send |
| 694 | may be a subject of debate in some cases. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 695 | if (verify_result & MBEDTLS_X509_BADCERT_OTHER) { |
| 696 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret); |
| 697 | } else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { |
| 698 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret); |
| 699 | } else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE | |
| 700 | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE | |
| 701 | MBEDTLS_X509_BADCERT_NS_CERT_TYPE | |
| 702 | MBEDTLS_X509_BADCERT_BAD_PK | |
| 703 | MBEDTLS_X509_BADCERT_BAD_KEY)) { |
| 704 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret); |
| 705 | } else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { |
| 706 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret); |
| 707 | } else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) { |
| 708 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret); |
| 709 | } else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { |
| 710 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret); |
| 711 | } else { |
| 712 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret); |
| 713 | } |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 714 | } |
| 715 | |
| 716 | #if defined(MBEDTLS_DEBUG_C) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 717 | if (verify_result != 0) { |
| 718 | MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", |
| 719 | (unsigned int) verify_result)); |
| 720 | } else { |
| 721 | MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 722 | } |
| 723 | #endif /* MBEDTLS_DEBUG_C */ |
| 724 | |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 725 | ssl->session_negotiate->verify_result = verify_result; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 726 | return ret; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 727 | } |
| 728 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 729 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 730 | static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 731 | { |
| 732 | ((void) ssl); |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 733 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 734 | } |
| 735 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
Ronald Cron | de08cf3 | 2022-10-04 17:15:35 +0200 | [diff] [blame] | 736 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 737 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 738 | int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 739 | { |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 740 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 741 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 742 | |
Ronald Cron | de08cf3 | 2022-10-04 17:15:35 +0200 | [diff] [blame] | 743 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
XiaokangQian | c3017f6 | 2022-05-13 05:55:41 +0000 | [diff] [blame] | 744 | unsigned char *buf; |
| 745 | size_t buf_len; |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 746 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 747 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
| 748 | ssl, MBEDTLS_SSL_HS_CERTIFICATE, |
| 749 | &buf, &buf_len)); |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 750 | |
XiaokangQian | c3017f6 | 2022-05-13 05:55:41 +0000 | [diff] [blame] | 751 | /* Parse the certificate chain sent by the peer. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 752 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf, |
| 753 | buf + buf_len)); |
XiaokangQian | c3017f6 | 2022-05-13 05:55:41 +0000 | [diff] [blame] | 754 | /* Validate the certificate chain and set the verification results. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 755 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl)); |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 756 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 757 | mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE, |
| 758 | buf, buf_len); |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 759 | |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 760 | cleanup: |
Ronald Cron | de08cf3 | 2022-10-04 17:15:35 +0200 | [diff] [blame] | 761 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 762 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 763 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); |
| 764 | return ret; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 765 | } |
Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 766 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
Jerry Yu | 7399d0d | 2022-01-30 17:54:19 +0800 | [diff] [blame] | 767 | /* |
| 768 | * enum { |
| 769 | * X509(0), |
| 770 | * RawPublicKey(2), |
| 771 | * (255) |
| 772 | * } CertificateType; |
| 773 | * |
| 774 | * struct { |
| 775 | * select (certificate_type) { |
| 776 | * case RawPublicKey: |
| 777 | * // From RFC 7250 ASN.1_subjectPublicKeyInfo |
| 778 | * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; |
| 779 | * |
| 780 | * case X509: |
| 781 | * opaque cert_data<1..2^24-1>; |
| 782 | * }; |
| 783 | * Extension extensions<0..2^16-1>; |
| 784 | * } CertificateEntry; |
| 785 | * |
| 786 | * struct { |
| 787 | * opaque certificate_request_context<0..2^8-1>; |
| 788 | * CertificateEntry certificate_list<0..2^24-1>; |
| 789 | * } Certificate; |
| 790 | */ |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 791 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 792 | static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl, |
| 793 | unsigned char *buf, |
| 794 | unsigned char *end, |
| 795 | size_t *out_len) |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 796 | { |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 797 | const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl); |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 798 | unsigned char *p = buf; |
Jerry Yu | c8d8d4e | 2022-02-18 12:10:03 +0800 | [diff] [blame] | 799 | unsigned char *certificate_request_context = |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 800 | ssl->handshake->certificate_request_context; |
Jerry Yu | c8d8d4e | 2022-02-18 12:10:03 +0800 | [diff] [blame] | 801 | unsigned char certificate_request_context_len = |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 802 | ssl->handshake->certificate_request_context_len; |
Jerry Yu | c8d8d4e | 2022-02-18 12:10:03 +0800 | [diff] [blame] | 803 | unsigned char *p_certificate_list_len; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 804 | |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 805 | |
Jerry Yu | 3391ac0 | 2022-02-16 11:21:37 +0800 | [diff] [blame] | 806 | /* ... |
| 807 | * opaque certificate_request_context<0..2^8-1>; |
| 808 | * ... |
| 809 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 810 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1); |
Jerry Yu | c8d8d4e | 2022-02-18 12:10:03 +0800 | [diff] [blame] | 811 | *p++ = certificate_request_context_len; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 812 | if (certificate_request_context_len > 0) { |
| 813 | memcpy(p, certificate_request_context, certificate_request_context_len); |
Jerry Yu | c8d8d4e | 2022-02-18 12:10:03 +0800 | [diff] [blame] | 814 | p += certificate_request_context_len; |
Jerry Yu | 537530d | 2022-02-15 14:00:57 +0800 | [diff] [blame] | 815 | } |
| 816 | |
Jerry Yu | 3391ac0 | 2022-02-16 11:21:37 +0800 | [diff] [blame] | 817 | /* ... |
| 818 | * CertificateEntry certificate_list<0..2^24-1>; |
| 819 | * ... |
| 820 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 821 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3); |
Jerry Yu | c8d8d4e | 2022-02-18 12:10:03 +0800 | [diff] [blame] | 822 | p_certificate_list_len = p; |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 823 | p += 3; |
| 824 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 825 | MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt); |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 826 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 827 | while (crt != NULL) { |
Jerry Yu | 7399d0d | 2022-01-30 17:54:19 +0800 | [diff] [blame] | 828 | size_t cert_data_len = crt->raw.len; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 829 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 830 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2); |
| 831 | MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0); |
Jerry Yu | 7399d0d | 2022-01-30 17:54:19 +0800 | [diff] [blame] | 832 | p += 3; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 833 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 834 | memcpy(p, crt->raw.p, cert_data_len); |
Jerry Yu | 7399d0d | 2022-01-30 17:54:19 +0800 | [diff] [blame] | 835 | p += cert_data_len; |
| 836 | crt = crt->next; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 837 | |
| 838 | /* Currently, we don't have any certificate extensions defined. |
| 839 | * Hence, we are sending an empty extension with length zero. |
| 840 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 841 | MBEDTLS_PUT_UINT16_BE(0, p, 0); |
Jerry Yu | 7399d0d | 2022-01-30 17:54:19 +0800 | [diff] [blame] | 842 | p += 2; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 843 | } |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 844 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 845 | MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3, |
| 846 | p_certificate_list_len, 0); |
Jerry Yu | 7399d0d | 2022-01-30 17:54:19 +0800 | [diff] [blame] | 847 | |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 848 | *out_len = p - buf; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 849 | |
Jerry Yu | 7de2ff0 | 2022-11-08 21:43:46 +0800 | [diff] [blame] | 850 | MBEDTLS_SSL_PRINT_EXTS( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 851 | 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions); |
Jerry Yu | 4b8f2f7 | 2022-10-31 13:31:22 +0800 | [diff] [blame] | 852 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 853 | return 0; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 854 | } |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 855 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 856 | int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl) |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 857 | { |
| 858 | int ret; |
Ronald Cron | 5bb8fc8 | 2022-03-09 07:00:13 +0100 | [diff] [blame] | 859 | unsigned char *buf; |
| 860 | size_t buf_len, msg_len; |
| 861 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 862 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 863 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 864 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, |
| 865 | MBEDTLS_SSL_HS_CERTIFICATE, &buf, |
| 866 | &buf_len)); |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 867 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 868 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl, |
| 869 | buf, |
| 870 | buf + buf_len, |
| 871 | &msg_len)); |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 872 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 873 | mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE, |
| 874 | buf, msg_len); |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 875 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 876 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
| 877 | ssl, buf_len, msg_len)); |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 878 | cleanup: |
| 879 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 880 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); |
| 881 | return ret; |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 882 | } |
| 883 | |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 884 | /* |
| 885 | * STATE HANDLING: Output Certificate Verify |
| 886 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 887 | int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, |
| 888 | mbedtls_pk_context *key) |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 889 | { |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 890 | mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk(key); |
| 891 | size_t key_size = mbedtls_pk_get_bitlen(key); |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 892 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 893 | switch (pk_type) { |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 894 | case MBEDTLS_SSL_SIG_ECDSA: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 895 | switch (key_size) { |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 896 | case 256: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 897 | return |
| 898 | sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 899 | |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 900 | case 384: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 901 | return |
| 902 | sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 903 | |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 904 | case 521: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 905 | return |
| 906 | sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 907 | default: |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 908 | break; |
| 909 | } |
| 910 | break; |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 911 | |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 912 | case MBEDTLS_SSL_SIG_RSA: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 913 | switch (sig_alg) { |
Ronald Cron | 38391bf | 2022-09-16 11:19:27 +0200 | [diff] [blame] | 914 | case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */ |
| 915 | case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */ |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 916 | case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 917 | return 1; |
Jerry Yu | c2e0493 | 2022-06-27 22:13:03 +0800 | [diff] [blame] | 918 | |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 919 | default: |
| 920 | break; |
Jerry Yu | cef3f33 | 2022-03-22 23:00:13 +0800 | [diff] [blame] | 921 | } |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 922 | break; |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 923 | |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 924 | default: |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 925 | break; |
| 926 | } |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 927 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 928 | return 0; |
Jerry Yu | 0c6be8f | 2022-06-20 20:42:00 +0800 | [diff] [blame] | 929 | } |
| 930 | |
Ronald Cron | ce7d76e | 2022-07-08 18:56:49 +0200 | [diff] [blame] | 931 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 932 | static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, |
| 933 | unsigned char *buf, |
| 934 | unsigned char *end, |
| 935 | size_t *out_len) |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 936 | { |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 937 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 938 | unsigned char *p = buf; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 939 | mbedtls_pk_context *own_key; |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 940 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 941 | unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 942 | size_t handshake_hash_len; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 943 | unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 944 | size_t verify_buffer_len; |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 945 | |
| 946 | uint16_t *sig_alg = ssl->handshake->received_sig_algs; |
Jerry Yu | 3e53644 | 2022-02-15 11:05:59 +0800 | [diff] [blame] | 947 | size_t signature_len = 0; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 948 | |
Jerry Yu | 0b7b101 | 2022-02-23 12:23:05 +0800 | [diff] [blame] | 949 | *out_len = 0; |
| 950 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 951 | own_key = mbedtls_ssl_own_key(ssl); |
| 952 | if (own_key == NULL) { |
| 953 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 954 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 955 | } |
| 956 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 957 | ret = mbedtls_ssl_get_handshake_transcript(ssl, |
| 958 | ssl->handshake->ciphersuite_info->mac, |
| 959 | handshake_hash, |
| 960 | sizeof(handshake_hash), |
| 961 | &handshake_hash_len); |
| 962 | if (ret != 0) { |
| 963 | return ret; |
| 964 | } |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 965 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 966 | MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", |
| 967 | handshake_hash, |
| 968 | handshake_hash_len); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 969 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 970 | ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len, |
| 971 | verify_buffer, &verify_buffer_len, |
| 972 | ssl->conf->endpoint); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 973 | |
| 974 | /* |
| 975 | * struct { |
| 976 | * SignatureScheme algorithm; |
| 977 | * opaque signature<0..2^16-1>; |
| 978 | * } CertificateVerify; |
| 979 | */ |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 980 | /* Check there is space for the algorithm identifier (2 bytes) and the |
| 981 | * signature length (2 bytes). |
| 982 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 983 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 984 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 985 | for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 986 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 987 | mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; |
| 988 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
| 989 | psa_algorithm_t psa_algorithm = PSA_ALG_NONE; |
| 990 | unsigned char verify_hash[PSA_HASH_MAX_SIZE]; |
| 991 | size_t verify_hash_len; |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 992 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 993 | if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) { |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 994 | continue; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 995 | } |
Jerry Yu | 67eced0 | 2022-02-25 13:37:36 +0800 | [diff] [blame] | 996 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 997 | if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) { |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 998 | continue; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 999 | } |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1000 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1001 | if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) { |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1002 | continue; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1003 | } |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1004 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1005 | if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( |
| 1006 | *sig_alg, &pk_type, &md_alg) != 0) { |
| 1007 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1008 | } |
| 1009 | |
| 1010 | /* Hash verify buffer with indicated hash function */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1011 | psa_algorithm = mbedtls_hash_info_psa_from_md(md_alg); |
| 1012 | status = psa_hash_compute(psa_algorithm, |
| 1013 | verify_buffer, |
| 1014 | verify_buffer_len, |
| 1015 | verify_hash, sizeof(verify_hash), |
| 1016 | &verify_hash_len); |
| 1017 | if (status != PSA_SUCCESS) { |
| 1018 | return psa_ssl_status_to_mbedtls(status); |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1019 | } |
| 1020 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1021 | MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); |
| 1022 | |
| 1023 | if ((ret = mbedtls_pk_sign_ext(pk_type, own_key, |
| 1024 | md_alg, verify_hash, verify_hash_len, |
| 1025 | p + 4, (size_t) (end - (p + 4)), &signature_len, |
| 1026 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 1027 | MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s", |
| 1028 | mbedtls_ssl_sig_alg_to_str(*sig_alg))); |
| 1029 | MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret); |
| 1030 | |
| 1031 | /* The signature failed. This is possible if the private key |
| 1032 | * was not suitable for the signature operation as purposely we |
| 1033 | * did not check its suitability completely. Let's try with |
| 1034 | * another signature algorithm. |
| 1035 | */ |
| 1036 | continue; |
| 1037 | } |
| 1038 | |
| 1039 | MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s", |
| 1040 | mbedtls_ssl_sig_alg_to_str(*sig_alg))); |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1041 | |
| 1042 | break; |
| 1043 | } |
| 1044 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1045 | if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) { |
| 1046 | MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm")); |
| 1047 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
| 1048 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
| 1049 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1050 | } |
| 1051 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1052 | MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0); |
| 1053 | MBEDTLS_PUT_UINT16_BE(signature_len, p, 2); |
Jerry Yu | f3b46b5 | 2022-06-19 16:52:27 +0800 | [diff] [blame] | 1054 | |
Ronald Cron | 067a1e7 | 2022-09-16 13:44:49 +0200 | [diff] [blame] | 1055 | *out_len = 4 + signature_len; |
Jerry Yu | 8c33886 | 2022-03-23 13:34:04 +0800 | [diff] [blame] | 1056 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1057 | return 0; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1058 | } |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1059 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1060 | int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1061 | { |
| 1062 | int ret = 0; |
Jerry Yu | ca133a3 | 2022-02-15 14:22:05 +0800 | [diff] [blame] | 1063 | unsigned char *buf; |
| 1064 | size_t buf_len, msg_len; |
| 1065 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1066 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1067 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1068 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, |
| 1069 | MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, |
| 1070 | &buf_len)); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1071 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1072 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body( |
| 1073 | ssl, buf, buf + buf_len, &msg_len)); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1074 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1075 | mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, |
| 1076 | buf, msg_len); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1077 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1078 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
| 1079 | ssl, buf_len, msg_len)); |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1080 | |
| 1081 | cleanup: |
| 1082 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1083 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); |
| 1084 | return ret; |
Jerry Yu | 8511f12 | 2022-01-29 10:01:04 +0800 | [diff] [blame] | 1085 | } |
| 1086 | |
Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 1087 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
Jerry Yu | 90f152d | 2022-01-29 22:12:42 +0800 | [diff] [blame] | 1088 | |
Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 1089 | /* |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1090 | * |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1091 | * STATE HANDLING: Incoming Finished message. |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1092 | */ |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1093 | /* |
| 1094 | * Implementation |
| 1095 | */ |
| 1096 | |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1097 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1098 | static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1099 | { |
| 1100 | int ret; |
| 1101 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1102 | ret = mbedtls_ssl_tls13_calculate_verify_data(ssl, |
| 1103 | ssl->handshake->state_local.finished_in.digest, |
| 1104 | sizeof(ssl->handshake->state_local.finished_in. |
| 1105 | digest), |
| 1106 | &ssl->handshake->state_local.finished_in.digest_len, |
| 1107 | ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ? |
| 1108 | MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT); |
| 1109 | if (ret != 0) { |
| 1110 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret); |
| 1111 | return ret; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1112 | } |
| 1113 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1114 | return 0; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1115 | } |
| 1116 | |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1117 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1118 | static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl, |
| 1119 | const unsigned char *buf, |
| 1120 | const unsigned char *end) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1121 | { |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 1122 | /* |
| 1123 | * struct { |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 1124 | * opaque verify_data[Hash.length]; |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 1125 | * } Finished; |
| 1126 | */ |
| 1127 | const unsigned char *expected_verify_data = |
| 1128 | ssl->handshake->state_local.finished_in.digest; |
| 1129 | size_t expected_verify_data_len = |
| 1130 | ssl->handshake->state_local.finished_in.digest_len; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1131 | /* Structural validation */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1132 | if ((size_t) (end - buf) != expected_verify_data_len) { |
| 1133 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1134 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1135 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 1136 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 1137 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1138 | } |
| 1139 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1140 | MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):", |
| 1141 | expected_verify_data, |
| 1142 | expected_verify_data_len); |
| 1143 | MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf, |
| 1144 | expected_verify_data_len); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1145 | |
| 1146 | /* Semantic validation */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1147 | if (mbedtls_ct_memcmp(buf, |
| 1148 | expected_verify_data, |
| 1149 | expected_verify_data_len) != 0) { |
| 1150 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1151 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1152 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, |
| 1153 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
| 1154 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1155 | } |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1156 | return 0; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1157 | } |
| 1158 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1159 | int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl) |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1160 | { |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 1161 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1162 | unsigned char *buf; |
Xiaofei Bai | eef1504 | 2021-11-18 07:29:56 +0000 | [diff] [blame] | 1163 | size_t buf_len; |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1164 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1165 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message")); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1166 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1167 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl, |
| 1168 | MBEDTLS_SSL_HS_FINISHED, |
| 1169 | &buf, &buf_len)); |
Jerry Yu | 0a92d6c | 2022-05-16 16:54:46 +0800 | [diff] [blame] | 1170 | |
| 1171 | /* Preprocessing step: Compute handshake digest */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1172 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl)); |
Jerry Yu | 0a92d6c | 2022-05-16 16:54:46 +0800 | [diff] [blame] | 1173 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1174 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len)); |
Jerry Yu | 0a92d6c | 2022-05-16 16:54:46 +0800 | [diff] [blame] | 1175 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1176 | mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED, |
| 1177 | buf, buf_len); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1178 | |
| 1179 | cleanup: |
| 1180 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1181 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message")); |
| 1182 | return ret; |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1183 | } |
| 1184 | |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1185 | /* |
| 1186 | * |
XiaokangQian | cc90c94 | 2021-11-09 12:30:09 +0000 | [diff] [blame] | 1187 | * STATE HANDLING: Write and send Finished message. |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1188 | * |
| 1189 | */ |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1190 | /* |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1191 | * Implement |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1192 | */ |
| 1193 | |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1194 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1195 | static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl) |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1196 | { |
| 1197 | int ret; |
| 1198 | |
| 1199 | /* Compute transcript of handshake up to now. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1200 | ret = mbedtls_ssl_tls13_calculate_verify_data(ssl, |
| 1201 | ssl->handshake->state_local.finished_out.digest, |
| 1202 | sizeof(ssl->handshake->state_local.finished_out. |
| 1203 | digest), |
| 1204 | &ssl->handshake->state_local.finished_out.digest_len, |
| 1205 | ssl->conf->endpoint); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1206 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1207 | if (ret != 0) { |
| 1208 | MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret); |
| 1209 | return ret; |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1210 | } |
| 1211 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1212 | return 0; |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1213 | } |
| 1214 | |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1215 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1216 | static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl, |
| 1217 | unsigned char *buf, |
| 1218 | unsigned char *end, |
| 1219 | size_t *out_len) |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1220 | { |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1221 | size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len; |
XiaokangQian | 0fa6643 | 2021-11-15 03:33:57 +0000 | [diff] [blame] | 1222 | /* |
| 1223 | * struct { |
| 1224 | * opaque verify_data[Hash.length]; |
| 1225 | * } Finished; |
| 1226 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1227 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1228 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1229 | memcpy(buf, ssl->handshake->state_local.finished_out.digest, |
| 1230 | verify_data_len); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1231 | |
Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 1232 | *out_len = verify_data_len; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1233 | return 0; |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1234 | } |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1235 | |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1236 | /* Main entry point: orchestrates the other functions */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1237 | int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl) |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1238 | { |
| 1239 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1240 | unsigned char *buf; |
| 1241 | size_t buf_len, msg_len; |
| 1242 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1243 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message")); |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1244 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1245 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl)); |
XiaokangQian | dce8224 | 2021-11-15 06:01:26 +0000 | [diff] [blame] | 1246 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1247 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, |
| 1248 | MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len)); |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1249 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1250 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body( |
| 1251 | ssl, buf, buf + buf_len, &msg_len)); |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1252 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1253 | mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED, |
| 1254 | buf, msg_len); |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1255 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1256 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
| 1257 | ssl, buf_len, msg_len)); |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1258 | cleanup: |
| 1259 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1260 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message")); |
| 1261 | return ret; |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1262 | } |
| 1263 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1264 | void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1265 | { |
| 1266 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1267 | MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1268 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1269 | MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic")); |
| 1270 | mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application); |
Jerry Yu | e8c1fca | 2022-05-18 14:48:56 +0800 | [diff] [blame] | 1271 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1272 | MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic")); |
| 1273 | mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application); |
Jerry Yu | e8c1fca | 2022-05-18 14:48:56 +0800 | [diff] [blame] | 1274 | |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1275 | /* |
Jerry Yu | cfe64f0 | 2021-11-15 13:54:06 +0800 | [diff] [blame] | 1276 | * Free the previous session and switch to the current one. |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1277 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1278 | if (ssl->session) { |
| 1279 | mbedtls_ssl_session_free(ssl->session); |
| 1280 | mbedtls_free(ssl->session); |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1281 | } |
| 1282 | ssl->session = ssl->session_negotiate; |
| 1283 | ssl->session_negotiate = NULL; |
| 1284 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1285 | MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1286 | } |
| 1287 | |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1288 | /* |
| 1289 | * |
| 1290 | * STATE HANDLING: Write ChangeCipherSpec |
| 1291 | * |
| 1292 | */ |
| 1293 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1294 | MBEDTLS_CHECK_RETURN_CRITICAL |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1295 | static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl, |
| 1296 | unsigned char *buf, |
| 1297 | unsigned char *end, |
| 1298 | size_t *olen) |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1299 | { |
| 1300 | ((void) ssl); |
| 1301 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1302 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1); |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1303 | buf[0] = 1; |
| 1304 | *olen = 1; |
| 1305 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1306 | return 0; |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1307 | } |
| 1308 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1309 | int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1310 | { |
| 1311 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1312 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1313 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec")); |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1314 | |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1315 | /* Write CCS message */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1316 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body( |
| 1317 | ssl, ssl->out_msg, |
| 1318 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, |
| 1319 | &ssl->out_msglen)); |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1320 | |
| 1321 | ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; |
| 1322 | |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1323 | /* Dispatch message */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1324 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0)); |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1325 | |
| 1326 | cleanup: |
| 1327 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1328 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec")); |
| 1329 | return ret; |
Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 1330 | } |
| 1331 | |
| 1332 | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
| 1333 | |
Xiaokang Qian | ecc2948 | 2022-11-02 07:52:47 +0000 | [diff] [blame] | 1334 | /* Early Data Indication Extension |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1335 | * |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1336 | * struct { |
| 1337 | * select ( Handshake.msg_type ) { |
Xiaokang Qian | ecc2948 | 2022-11-02 07:52:47 +0000 | [diff] [blame] | 1338 | * ... |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1339 | * case client_hello: Empty; |
| 1340 | * case encrypted_extensions: Empty; |
| 1341 | * }; |
| 1342 | * } EarlyDataIndication; |
| 1343 | */ |
| 1344 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1345 | int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, |
| 1346 | unsigned char *buf, |
| 1347 | const unsigned char *end, |
| 1348 | size_t *out_len) |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1349 | { |
| 1350 | unsigned char *p = buf; |
| 1351 | *out_len = 0; |
| 1352 | ((void) ssl); |
| 1353 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1354 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1355 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1356 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0); |
| 1357 | MBEDTLS_PUT_UINT16_BE(0, p, 2); |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1358 | |
| 1359 | *out_len = 4; |
Xiaokang Qian | 2cd5ce0 | 2022-11-15 10:33:53 +0000 | [diff] [blame] | 1360 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1361 | mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA); |
Xiaokang Qian | 2cd5ce0 | 2022-11-15 10:33:53 +0000 | [diff] [blame] | 1362 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1363 | return 0; |
Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1364 | } |
| 1365 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
| 1366 | |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1367 | /* Reset SSL context and update hash for handling HRR. |
| 1368 | * |
| 1369 | * Replace Transcript-Hash(X) by |
| 1370 | * Transcript-Hash( message_hash || |
| 1371 | * 00 00 Hash.length || |
| 1372 | * X ) |
| 1373 | * A few states of the handshake are preserved, including: |
| 1374 | * - session ID |
| 1375 | * - session ticket |
| 1376 | * - negotiated ciphersuite |
| 1377 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1378 | int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1379 | { |
| 1380 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Przemyslaw Stekiel | da64525 | 2022-09-14 12:50:51 +0200 | [diff] [blame] | 1381 | unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4]; |
XiaokangQian | 0ece998 | 2022-01-24 08:56:23 +0000 | [diff] [blame] | 1382 | size_t hash_len; |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1383 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| 1384 | uint16_t cipher_suite = ssl->session_negotiate->ciphersuite; |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1385 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1386 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1387 | MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR")); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1388 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1389 | ret = mbedtls_ssl_get_handshake_transcript(ssl, ciphersuite_info->mac, |
| 1390 | hash_transcript + 4, |
| 1391 | PSA_HASH_MAX_SIZE, |
| 1392 | &hash_len); |
| 1393 | if (ret != 0) { |
| 1394 | MBEDTLS_SSL_DEBUG_RET(4, "mbedtls_ssl_get_handshake_transcript", ret); |
| 1395 | return ret; |
XiaokangQian | 0ece998 | 2022-01-24 08:56:23 +0000 | [diff] [blame] | 1396 | } |
| 1397 | |
| 1398 | hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; |
| 1399 | hash_transcript[1] = 0; |
| 1400 | hash_transcript[2] = 0; |
| 1401 | hash_transcript[3] = (unsigned char) hash_len; |
| 1402 | |
| 1403 | hash_len += 4; |
| 1404 | |
Przemek Stekiel | 9dfbf3a | 2022-09-06 07:40:46 +0200 | [diff] [blame] | 1405 | #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1406 | if (ciphersuite_info->mac == MBEDTLS_MD_SHA256) { |
| 1407 | MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-256 handshake transcript", |
| 1408 | hash_transcript, hash_len); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1409 | |
| 1410 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1411 | psa_hash_abort(&ssl->handshake->fin_sha256_psa); |
| 1412 | psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1413 | #else |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1414 | mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1415 | #endif |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1416 | } |
Przemek Stekiel | 9dfbf3a | 2022-09-06 07:40:46 +0200 | [diff] [blame] | 1417 | #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ |
| 1418 | #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1419 | if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) { |
| 1420 | MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-384 handshake transcript", |
| 1421 | hash_transcript, hash_len); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1422 | |
| 1423 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1424 | psa_hash_abort(&ssl->handshake->fin_sha384_psa); |
| 1425 | psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1426 | #else |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1427 | mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1); |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1428 | #endif |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1429 | } |
Przemek Stekiel | 9dfbf3a | 2022-09-06 07:40:46 +0200 | [diff] [blame] | 1430 | #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1431 | #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ |
| 1432 | defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) |
| 1433 | ssl->handshake->update_checksum(ssl, hash_transcript, hash_len); |
| 1434 | #endif \ |
| 1435 | /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ |
Przemyslaw Stekiel | 4b3fff4 | 2022-02-14 16:39:52 +0100 | [diff] [blame] | 1436 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1437 | return ret; |
XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1438 | } |
| 1439 | |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1440 | #if defined(MBEDTLS_ECDH_C) |
XiaokangQian | 7807f9f | 2022-02-15 10:04:37 +0000 | [diff] [blame] | 1441 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1442 | int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl, |
| 1443 | const unsigned char *buf, |
| 1444 | size_t buf_len) |
XiaokangQian | 7807f9f | 2022-02-15 10:04:37 +0000 | [diff] [blame] | 1445 | { |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1446 | uint8_t *p = (uint8_t *) buf; |
XiaokangQian | cfd925f | 2022-04-14 07:10:37 +0000 | [diff] [blame] | 1447 | const uint8_t *end = buf + buf_len; |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1448 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
XiaokangQian | 7807f9f | 2022-02-15 10:04:37 +0000 | [diff] [blame] | 1449 | |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1450 | /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1451 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 1452 | uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0); |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1453 | p += 2; |
XiaokangQian | 3207a32 | 2022-02-23 03:15:27 +0000 | [diff] [blame] | 1454 | |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1455 | /* Check if key size is consistent with given buffer length. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1456 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len); |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1457 | |
| 1458 | /* Store peer's ECDH public key. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1459 | memcpy(handshake->ecdh_psa_peerkey, p, peerkey_len); |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1460 | handshake->ecdh_psa_peerkey_len = peerkey_len; |
| 1461 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1462 | return 0; |
XiaokangQian | 3207a32 | 2022-02-23 03:15:27 +0000 | [diff] [blame] | 1463 | } |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1464 | |
| 1465 | int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1466 | mbedtls_ssl_context *ssl, |
| 1467 | uint16_t named_group, |
| 1468 | unsigned char *buf, |
| 1469 | unsigned char *end, |
| 1470 | size_t *out_len) |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1471 | { |
| 1472 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 1473 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 1474 | psa_key_attributes_t key_attributes; |
| 1475 | size_t own_pubkey_len; |
| 1476 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 1477 | size_t ecdh_bits = 0; |
| 1478 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1479 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1480 | |
| 1481 | /* Convert EC group to PSA key type. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1482 | if ((handshake->ecdh_psa_type = |
| 1483 | mbedtls_psa_parse_tls_ecc_group(named_group, &ecdh_bits)) == 0) { |
| 1484 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1485 | } |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1486 | |
| 1487 | ssl->handshake->ecdh_bits = ecdh_bits; |
| 1488 | |
| 1489 | key_attributes = psa_key_attributes_init(); |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1490 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 1491 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 1492 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 1493 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1494 | |
| 1495 | /* Generate ECDH private key. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1496 | status = psa_generate_key(&key_attributes, |
| 1497 | &handshake->ecdh_psa_privkey); |
| 1498 | if (status != PSA_SUCCESS) { |
| 1499 | ret = psa_ssl_status_to_mbedtls(status); |
| 1500 | MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); |
| 1501 | return ret; |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1502 | |
| 1503 | } |
| 1504 | |
| 1505 | /* Export the public part of the ECDH private key from PSA. */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1506 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 1507 | buf, (size_t) (end - buf), |
| 1508 | &own_pubkey_len); |
| 1509 | if (status != PSA_SUCCESS) { |
| 1510 | ret = psa_ssl_status_to_mbedtls(status); |
| 1511 | MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); |
| 1512 | return ret; |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1513 | |
| 1514 | } |
| 1515 | |
| 1516 | *out_len = own_pubkey_len; |
| 1517 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1518 | return 0; |
Jerry Yu | 89e103c | 2022-03-30 22:43:29 +0800 | [diff] [blame] | 1519 | } |
XiaokangQian | 9b5d04b | 2022-04-10 10:20:43 +0000 | [diff] [blame] | 1520 | #endif /* MBEDTLS_ECDH_C */ |
XiaokangQian | 7807f9f | 2022-02-15 10:04:37 +0000 | [diff] [blame] | 1521 | |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1522 | /* RFC 8446 section 4.2 |
| 1523 | * |
| 1524 | * If an implementation receives an extension which it recognizes and which is |
| 1525 | * not specified for the message in which it appears, it MUST abort the handshake |
| 1526 | * with an "illegal_parameter" alert. |
| 1527 | * |
| 1528 | */ |
Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 1529 | int mbedtls_ssl_tls13_check_received_extension( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1530 | mbedtls_ssl_context *ssl, |
| 1531 | int hs_msg_type, |
| 1532 | unsigned int received_extension_type, |
| 1533 | uint32_t hs_msg_allowed_extensions_mask) |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1534 | { |
Jerry Yu | df0ad65 | 2022-10-31 13:20:57 +0800 | [diff] [blame] | 1535 | uint32_t extension_mask = mbedtls_ssl_get_extension_mask( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1536 | received_extension_type); |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1537 | |
Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 1538 | MBEDTLS_SSL_PRINT_EXT( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1539 | 3, hs_msg_type, received_extension_type, "received"); |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1540 | |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1541 | if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) { |
Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 1542 | MBEDTLS_SSL_PRINT_EXT( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1543 | 3, hs_msg_type, received_extension_type, "is illegal"); |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1544 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 1545 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1546 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 1547 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1548 | } |
| 1549 | |
| 1550 | ssl->handshake->received_extensions |= extension_mask; |
Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 1551 | /* |
| 1552 | * If it is a message containing extension responses, check that we |
| 1553 | * previously sent the extension. |
| 1554 | */ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1555 | switch (hs_msg_type) { |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1556 | case MBEDTLS_SSL_HS_SERVER_HELLO: |
Jerry Yu | df0ad65 | 2022-10-31 13:20:57 +0800 | [diff] [blame] | 1557 | case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1558 | case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: |
| 1559 | case MBEDTLS_SSL_HS_CERTIFICATE: |
Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 1560 | /* Check if the received extension is sent by peer message.*/ |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1561 | if ((ssl->handshake->sent_extensions & extension_mask) != 0) { |
| 1562 | return 0; |
| 1563 | } |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1564 | break; |
| 1565 | default: |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1566 | return 0; |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1567 | } |
| 1568 | |
Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 1569 | MBEDTLS_SSL_PRINT_EXT( |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1570 | 3, hs_msg_type, received_extension_type, "is unsupported"); |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1571 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 1572 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, |
David Horstmann | 71159f4 | 2023-01-03 12:51:59 +0000 | [diff] [blame^] | 1573 | MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION); |
| 1574 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1575 | } |
| 1576 | |
Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 1577 | #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ |