TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1bb5a1ffe3317a329f29b292845445b148460749 / . / library / ssl_tls13_generic.c
blob: 4050d0c74b026a296d345205491189724da81209 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]23
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]24#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]28#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]30#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]31#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]32
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]33#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]35
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]36int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
37 unsigned hs_type,
38 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]39 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]40{
41 int ret;
42
43 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
44 {
45 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
46 goto cleanup;
47 }
48
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]49 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]50 ssl->in_msg[0] != hs_type )
51 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]52 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]53 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]54 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]55 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
56 goto cleanup;
57 }
58
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]59 /*
60 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
61 * ...
62 * HandshakeType msg_type;
63 * uint24 length;
64 * ...
65 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]66 *buf = ssl->in_msg + 4;
67 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]68
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]69cleanup:
70
71 return( ret );
72}
73
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]74int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]75 unsigned hs_type,
76 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]77 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]78{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]79 /*
80 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
81 * ...
82 * HandshakeType msg_type;
83 * uint24 length;
84 * ...
85 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]86 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]87 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]88
89 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
90 ssl->out_msg[0] = hs_type;
91
92 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]93}
94
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]95int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]96 size_t buf_len,
97 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]98{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]99 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]100 size_t msg_with_header_len;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]101 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]102
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]103 /* Add reserved 4 bytes for handshake header */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]104 msg_with_header_len = msg_len + 4;
105 ssl->out_msglen = msg_with_header_len;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]106 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]107
108cleanup:
109 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]110}
111
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]112void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
113 unsigned hs_type,
114 unsigned char const *msg,
115 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]116{
117 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
118 ssl->handshake->update_checksum( ssl, msg, msg_len );
119}
120
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]121void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]122 unsigned hs_type,
123 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]124{
125 unsigned char hs_hdr[4];
126
127 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]128 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
129 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
130 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
131 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]132
133 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
134}
135
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]136#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]137/* mbedtls_ssl_tls13_parse_sig_alg_ext()
138 *
139 * enum {
140 * ....
141 * ecdsa_secp256r1_sha256( 0x0403 ),
142 * ecdsa_secp384r1_sha384( 0x0503 ),
143 * ecdsa_secp521r1_sha512( 0x0603 ),
144 * ....
145 * } SignatureScheme;
146 *
147 * struct {
148 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
149 * } SignatureSchemeList;
150 */
151int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
152 const unsigned char *buf,
153 const unsigned char *end )
154{
155 const unsigned char *p = buf;
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]156 size_t supported_sig_algs_len = 0;
157 const unsigned char *supported_sig_algs_end;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]158 uint16_t sig_alg;
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]159 uint32_t common_idx = 0;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]160
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]161 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]162 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]163 p += 2;
164
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]165 memset( ssl->handshake->received_sig_algs, 0,
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]166 sizeof(ssl->handshake->received_sig_algs) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]167
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]168 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
169 supported_sig_algs_end = p + supported_sig_algs_len;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]170 while( p < supported_sig_algs_end )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]171 {
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]172 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]173 sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]174 p += 2;
175
176 MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]177 sig_alg ) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]178
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]179 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ||
180 ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
181 continue;
182
183 if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]184 {
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]185 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]186 common_idx += 1;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]187 }
188 }
189 /* Check that we consumed all the message. */
190 if( p != end )
191 {
192 MBEDTLS_SSL_DEBUG_MSG( 1,
193 ( "Signature algorithms extension length misaligned" ) );
194 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
195 MBEDTLS_ERR_SSL_DECODE_ERROR );
196 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
197 }
198
199 if( common_idx == 0 )
200 {
201 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
202 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
203 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
204 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
205 }
206
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000[diff] [blame]207 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]208 return( 0 );
209}
210
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]211/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]212 * STATE HANDLING: Read CertificateVerify
213 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]214/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]215 *
216 * The structure is computed per TLS 1.3 specification as:
217 * - 64 bytes of octet 32,
218 * - 33 bytes for the context string
219 * (which is either "TLS 1.3, client CertificateVerify"
220 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]221 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]222 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
223 * (depending on the size of the transcript_hash)
224 *
225 * This results in a total size of
226 * - 130 bytes for a SHA256-based transcript hash, or
227 * (64 + 33 + 1 + 32 bytes)
228 * - 146 bytes for a SHA384-based transcript hash.
229 * (64 + 33 + 1 + 48 bytes)
230 *
231 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]232#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
233 33 + \
234 1 + \
235 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]236 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]237
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]238/*
239 * The ssl_tls13_create_verify_structure() creates the verify structure.
240 * As input, it requires the transcript hash.
241 *
242 * The caller has to ensure that the buffer has size at least
243 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
244 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]245static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]246 size_t transcript_hash_len,
247 unsigned char *verify_buffer,
248 size_t *verify_buffer_len,
249 int from )
250{
251 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]252
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]253 /* RFC 8446, Section 4.4.3:
254 *
255 * The digital signature [in the CertificateVerify message] is then
256 * computed over the concatenation of:
257 * - A string that consists of octet 32 (0x20) repeated 64 times
258 * - The context string
259 * - A single 0 byte which serves as the separator
260 * - The content to be signed
261 */
262 memset( verify_buffer, 0x20, 64 );
263 idx = 64;
264
265 if( from == MBEDTLS_SSL_IS_CLIENT )
266 {
267 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
268 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
269 }
270 else
271 { /* from == MBEDTLS_SSL_IS_SERVER */
272 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
273 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
274 }
275
276 verify_buffer[idx++] = 0x0;
277
278 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
279 idx += transcript_hash_len;
280
281 *verify_buffer_len = idx;
282}
283
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]284static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]285 const unsigned char *buf,
286 const unsigned char *end,
287 const unsigned char *verify_buffer,
288 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]289{
290 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
291 const unsigned char *p = buf;
292 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]293 size_t signature_len;
294 mbedtls_pk_type_t sig_alg;
295 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]296 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]297 size_t verify_hash_len;
298
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]299 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]300#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]301 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]302#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
303
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]304 /*
305 * struct {
306 * SignatureScheme algorithm;
307 * opaque signature<0..2^16-1>;
308 * } CertificateVerify;
309 */
310 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
311 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
312 p += 2;
313
314 /* RFC 8446 section 4.4.3
315 *
316 * If the CertificateVerify message is sent by a server, the signature algorithm
317 * MUST be one offered in the client's "signature_algorithms" extension unless
318 * no valid certificate chain can be produced without unsupported algorithms
319 *
320 * RFC 8446 section 4.4.2.2
321 *
322 * If the client cannot construct an acceptable chain using the provided
323 * certificates and decides to abort the handshake, then it MUST abort the handshake
324 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
325 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]326 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]327 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]328 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]329 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]330 /* algorithm not in offered signature algorithms list */
331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
332 "offered.",
333 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]334 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]335 }
336
337 /* We currently only support ECDSA-based signatures */
338 switch( algorithm )
339 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]340 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]341 md_alg = MBEDTLS_MD_SHA256;
342 sig_alg = MBEDTLS_PK_ECDSA;
343 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]344 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]345 md_alg = MBEDTLS_MD_SHA384;
346 sig_alg = MBEDTLS_PK_ECDSA;
347 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]348 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]349 md_alg = MBEDTLS_MD_SHA512;
350 sig_alg = MBEDTLS_PK_ECDSA;
351 break;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]352#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Bai6dc90da2021-11-26 08:11:40 +0000[diff] [blame]353 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
XiaokangQiana83014d2021-11-22 07:53:34 +0000[diff] [blame]354 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]355 md_alg = MBEDTLS_MD_SHA256;
356 sig_alg = MBEDTLS_PK_RSASSA_PSS;
357 break;
358#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]359 default:
360 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]361 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]362 }
363
364 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
365 ( unsigned int ) algorithm ) );
366
367 /*
368 * Check the certificate's key type matches the signature alg
369 */
370 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
371 {
372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]373 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]374 }
375
376 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
377 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
378 p += 2;
379 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
380
381 /* Hash verify buffer with indicated hash function */
382 switch( md_alg )
383 {
384#if defined(MBEDTLS_SHA256_C)
385 case MBEDTLS_MD_SHA256:
386 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]387 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]388 break;
389#endif /* MBEDTLS_SHA256_C */
390
391#if defined(MBEDTLS_SHA384_C)
392 case MBEDTLS_MD_SHA384:
393 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]394 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]395 break;
396#endif /* MBEDTLS_SHA384_C */
397
398#if defined(MBEDTLS_SHA512_C)
399 case MBEDTLS_MD_SHA512:
400 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]401 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]402 break;
403#endif /* MBEDTLS_SHA512_C */
404
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]405 default:
406 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
407 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]408 }
409
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]410 if( ret != 0 )
411 {
412 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]413 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]414 }
415
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]416 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]417#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
418 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
419 {
420 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]421 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]422 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
423 {
424 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
425 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]426 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
427 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]428 }
429#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]430
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]431 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]432 &ssl->session_negotiate->peer_cert->pk,
433 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]434 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]435 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]436 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]437 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]438 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]439
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]440error:
441 /* RFC 8446 section 4.4.3
442 *
443 * If the verification fails, the receiver MUST terminate the handshake
444 * with a "decrypt_error" alert.
445 */
446 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
447 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
448 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
449
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]450}
451#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
452
453int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
454{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]455
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]456#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
457 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
458 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
459 size_t verify_buffer_len;
460 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
461 size_t transcript_len;
462 unsigned char *buf;
463 size_t buf_len;
464
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]465 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
466
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]467 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]468 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]469 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]470
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]471 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]472 * before reading the message since otherwise it gets
473 * included in the transcript
474 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]475 ret = mbedtls_ssl_get_handshake_transcript( ssl,
476 ssl->handshake->ciphersuite_info->mac,
477 transcript, sizeof( transcript ),
478 &transcript_len );
479 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]480 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]481 MBEDTLS_SSL_PEND_FATAL_ALERT(
482 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
483 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
484 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]485 }
486
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]487 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
488
489 /* Create verify structure */
490 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]491 transcript_len,
492 verify_buffer,
493 &verify_buffer_len,
494 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
495 MBEDTLS_SSL_IS_SERVER :
496 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]497
498 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]499 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
500 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]501
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]502 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]503 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]504
505cleanup:
506
507 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]508 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]509 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]510#else
511 ((void) ssl);
512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
513 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
514#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]515}
516
517/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]518 *
519 * STATE HANDLING: Incoming Certificate, client-side only currently.
520 *
521 */
522
523/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]524 * Implementation
525 */
526
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]527#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
528#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
529/*
530 * Structure of Certificate message:
531 *
532 * enum {
533 * X509(0),
534 * RawPublicKey(2),
535 * (255)
536 * } CertificateType;
537 *
538 * struct {
539 * select (certificate_type) {
540 * case RawPublicKey:
541 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
542 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
543 * case X509:
544 * opaque cert_data<1..2^24-1>;
545 * };
546 * Extension extensions<0..2^16-1>;
547 * } CertificateEntry;
548 *
549 * struct {
550 * opaque certificate_request_context<0..2^8-1>;
551 * CertificateEntry certificate_list<0..2^24-1>;
552 * } Certificate;
553 *
554 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]555
556/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]557static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
558 const unsigned char *buf,
559 const unsigned char *end )
560{
561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
562 size_t certificate_request_context_len = 0;
563 size_t certificate_list_len = 0;
564 const unsigned char *p = buf;
565 const unsigned char *certificate_list_end;
566
567 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
568 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]569 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]570 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]571
572 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
573 * support anything beyond 2^16 = 64K.
574 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]575 if( ( certificate_request_context_len != 0 ) ||
576 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]577 {
578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
579 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
580 MBEDTLS_ERR_SSL_DECODE_ERROR );
581 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
582 }
583
584 /* In case we tried to reuse a session but it failed */
585 if( ssl->session_negotiate->peer_cert != NULL )
586 {
587 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
588 mbedtls_free( ssl->session_negotiate->peer_cert );
589 }
590
591 if( ( ssl->session_negotiate->peer_cert =
592 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
593 {
594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
595 sizeof( mbedtls_x509_crt ) ) );
596 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
597 MBEDTLS_ERR_SSL_ALLOC_FAILED );
598 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
599 }
600
601 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
602
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]603 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]604 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]605 {
606 size_t cert_data_len, extensions_len;
607
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]608 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]609 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]610 p += 3;
611
612 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
613 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
614 * check that we have a minimum of 128 bytes of data, this is not
615 * clear why we need that though.
616 */
617 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]618 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
620 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
621 MBEDTLS_ERR_SSL_DECODE_ERROR );
622 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
623 }
624
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]625 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]626 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
627 p, cert_data_len );
628
629 switch( ret )
630 {
631 case 0: /*ok*/
632 break;
633 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
634 /* Ignore certificate with an unknown algorithm: maybe a
635 prior certificate was already trusted. */
636 break;
637
638 case MBEDTLS_ERR_X509_ALLOC_FAILED:
639 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
640 MBEDTLS_ERR_X509_ALLOC_FAILED );
641 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
642 return( ret );
643
644 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
645 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
646 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
647 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
648 return( ret );
649
650 default:
651 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
652 ret );
653 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
654 return( ret );
655 }
656
657 p += cert_data_len;
658
659 /* Certificate extensions length */
660 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
661 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
662 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]663 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]664 p += extensions_len;
665 }
666
667 /* Check that all the message is consumed. */
668 if( p != end )
669 {
670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
671 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
672 MBEDTLS_ERR_SSL_DECODE_ERROR );
673 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
674 }
675
676 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
677
678 return( ret );
679}
680#else
681static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
682 const unsigned char *buf,
683 const unsigned char *end )
684{
685 ((void) ssl);
686 ((void) buf);
687 ((void) end);
688 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
689}
690#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
691#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
692
693#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
694#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]695/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]696static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
697{
698 int ret = 0;
699 mbedtls_x509_crt *ca_chain;
700 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]701 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]702
703#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
704 if( ssl->handshake->sni_ca_chain != NULL )
705 {
706 ca_chain = ssl->handshake->sni_ca_chain;
707 ca_crl = ssl->handshake->sni_ca_crl;
708 }
709 else
710#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
711 {
712 ca_chain = ssl->conf->ca_chain;
713 ca_crl = ssl->conf->ca_crl;
714 }
715
716 /*
717 * Main check: verify certificate
718 */
719 ret = mbedtls_x509_crt_verify_with_profile(
720 ssl->session_negotiate->peer_cert,
721 ca_chain, ca_crl,
722 ssl->conf->cert_profile,
723 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]724 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]725 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
726
727 if( ret != 0 )
728 {
729 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
730 }
731
732 /*
733 * Secondary checks: always done, but change 'ret' only if it was 0
734 */
735
736#if defined(MBEDTLS_ECP_C)
737 {
738 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
739
740 /* If certificate uses an EC key, make sure the curve is OK */
741 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
742 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
743 {
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]744 verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]745
746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
747 if( ret == 0 )
748 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
749 }
750 }
751#endif /* MBEDTLS_ECP_C */
752
753 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
754 ssl->handshake->ciphersuite_info,
755 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]756 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]757 {
758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
759 if( ret == 0 )
760 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
761 }
762
763
764 if( ca_chain == NULL )
765 {
766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
767 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
768 }
769
770 if( ret != 0 )
771 {
772 /* The certificate may have been rejected for several reasons.
773 Pick one and send the corresponding alert. Which alert to send
774 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]775 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]776 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]777 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]778 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]779 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
780 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
781 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
782 MBEDTLS_X509_BADCERT_BAD_PK |
783 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]784 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]785 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]786 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]787 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]788 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]789 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]790 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
791 else
792 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
793 }
794
795#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]796 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]797 {
798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]799 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]800 }
801 else
802 {
803 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
804 }
805#endif /* MBEDTLS_DEBUG_C */
806
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]807 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]808 return( ret );
809}
810#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
811static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
812{
813 ((void) ssl);
814 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
815}
816#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
817#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
818
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]819int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]820{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]821 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
822 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
823
824#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
825 unsigned char *buf;
826 size_t buf_len;
827
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]828 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]829 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
830 &buf, &buf_len ) );
831
832 /* Parse the certificate chain sent by the peer. */
833 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
834 /* Validate the certificate chain and set the verification results. */
835 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
836
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]837 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
838 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]839
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]840cleanup:
841
842 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]843#else
844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
845 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
846#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]847 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]848}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]849#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]850
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]851/*
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]852 * STATE HANDLING: Output Certificate
853 */
854/* Check if a certificate should be written, and if yes,
855 * if it is available.
856 * Returns a negative error code on failure ( such as no certificate
857 * being available on the server ), and otherwise
858 * SSL_WRITE_CERTIFICATE_AVAILABLE or
859 * SSL_WRITE_CERTIFICATE_SKIP
860 * indicating that a Certificate message should be written based
861 * on the configured certificate, or whether it should be silently skipped.
862 */
863#define SSL_WRITE_CERTIFICATE_AVAILABLE 0
864#define SSL_WRITE_CERTIFICATE_SKIP 1
865
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]866static int ssl_tls13_write_certificate_coordinate( mbedtls_ssl_context* ssl )
867{
868
869 /* For PSK and ECDHE-PSK ciphersuites there is no certificate to exchange. */
870 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
871 {
872 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
873 return( SSL_WRITE_CERTIFICATE_SKIP );
874 }
875
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]876#if defined(MBEDTLS_SSL_CLI_C)
877 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
878 {
879 /* The client MUST send a Certificate message if and only
880 * if the server has requested client authentication via a
881 * CertificateRequest message.
882 *
883 * client_auth indicates whether the server had requested
884 * client authentication.
885 */
886 if( ssl->handshake->client_auth == 0 )
887 {
888 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
889 return( SSL_WRITE_CERTIFICATE_SKIP );
890 }
891 }
892#endif /* MBEDTLS_SSL_CLI_C */
893
894 return( SSL_WRITE_CERTIFICATE_AVAILABLE );
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]895
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]896}
897
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]898static int ssl_tls13_write_certificate( mbedtls_ssl_context *ssl,
899 unsigned char *buf,
900 size_t buflen,
901 size_t *olen )
902{
903 size_t i=0, n, total_len;
904 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
905 unsigned char *start;
906
907 /* TODO: Add bounds checks! Only then remove the next line. */
908 ((void) buflen );
909
910 /* empty certificate_request_context with length 0 */
911 buf[i] = 0;
912 /* Skip length of certificate_request_context and
913 * the length of CertificateEntry
914 */
915 i += 1;
916
917#if defined(MBEDTLS_SSL_CLI_C)
918 /* If the server requests client authentication but no suitable
919 * certificate is available, the client MUST send a
920 * Certificate message containing no certificates
921 * ( i.e., with the "certificate_list" field having length 0 ).
922 *
923 * authmode indicates whether the client configuration required authentication.
924 */
925 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
926 ( ( crt == NULL ) || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) )
927 {
928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write empty client certificate" ) );
929 buf[i] = 0;
930 buf[i + 1] = 0;
931 buf[i + 2] = 0;
932 i += 3;
933 *olen = i;
934 return( 0 );
935 }
936#endif /* MBEDTLS_SSL_CLI_C */
937
938 start = &buf[i];
939 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
940
941 i += 3;
942
943 while ( crt != NULL )
944 {
945 n = crt->raw.len;
946 if( n > buflen - 3 - i )
947 {
948 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET " > %d",
949 i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
950 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
951 }
952
953 buf[i] = (unsigned char)( n >> 16 );
954 buf[i + 1] = (unsigned char)( n >> 8 );
955 buf[i + 2] = (unsigned char)( n );
956
957 i += 3; memcpy( buf + i, crt->raw.p, n );
958 i += n; crt = crt->next;
959
960 /* Currently, we don't have any certificate extensions defined.
961 * Hence, we are sending an empty extension with length zero.
962 */
963 buf[i] = 0;
964 buf[i + 1] = 0;
965 i += 2;
966 }
967 total_len = &buf[i] - start - 3;
968 *start++ = (unsigned char)( ( total_len ) >> 16 );
969 *start++ = (unsigned char)( ( total_len ) >> 8 );
970 *start++ = (unsigned char)( ( total_len ) );
971
972 *olen = i;
973
974 return( 0 );
975}
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]976
977/* Update the state after handling the outgoing certificate message. */
978static int ssl_tls13_finalize_write_certificate( mbedtls_ssl_context* ssl )
979{
980#if defined(MBEDTLS_SSL_CLI_C)
981 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
982 {
983 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
984 return( 0 );
985 }
986 else
987#endif /* MBEDTLS_SSL_CLI_C */
Jerry Yu32e0c2d2022-01-29 22:28:16 +0800[diff] [blame]988 ((void) ssl);
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]989 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
990}
991
992int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context* ssl )
993{
994 int ret;
995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
996
997 /* Coordination: Check if we need to send a certificate. */
998 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_coordinate( ssl ) );
999
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1000 if( ret == SSL_WRITE_CERTIFICATE_AVAILABLE )
1001 {
1002 unsigned char *buf;
1003 size_t buf_len, msg_len;
1004
1005 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1006 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
1007
1008 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate( ssl, buf, buf_len,
1009 &msg_len ) );
1010
1011 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
1012 MBEDTLS_SSL_HS_CERTIFICATE,
1013 buf,
1014 msg_len );
1015
1016 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
1017 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
1018 ssl, buf_len, msg_len ) );
1019 }
1020 else
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1021 {
1022 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1023 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_certificate( ssl ) );
1024 }
1025
1026cleanup:
1027
1028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1029 return( ret );
1030}
1031
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1032/* Coordinate: Check whether a certificate verify message should be sent.
1033 * Returns a negative value on failure, and otherwise
1034 * - SSL_WRITE_CERTIFICATE_VERIFY_SKIP
1035 * - SSL_WRITE_CERTIFICATE_VERIFY_SEND
1036 * to indicate if the CertificateVerify message should be sent or not.
1037 */
1038#define SSL_WRITE_CERTIFICATE_VERIFY_SKIP 0
1039#define SSL_WRITE_CERTIFICATE_VERIFY_SEND 1
1040static int ssl_tls13_write_certificate_verify_coordinate(
1041 mbedtls_ssl_context* ssl )
1042{
1043 mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
1044
1045 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
1046 {
1047 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
1048 return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP );
1049 }
1050
1051#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Jerry Yu32e0c2d2022-01-29 22:28:16 +0800[diff] [blame]1052#if defined(MBEDTLS_SSL_CLI_C)
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1053 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1054 {
1055 if( ssl->handshake->client_auth == 0 ||
1056 crt == NULL ||
1057 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE )
1058 {
1059 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
1060 return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP );
1061 }
1062 }
Jerry Yu32e0c2d2022-01-29 22:28:16 +0800[diff] [blame]1063#endif /* MBEDTLS_SSL_CLI_C */
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1064
1065 if( crt == NULL &&
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1066 ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE )
1067 {
1068 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate" ) );
1069 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1070 }
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1071 return( SSL_WRITE_CERTIFICATE_VERIFY_SEND );
1072#else /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1074 ((void) crt);
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1075 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1076
1077#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1078}
1079
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1080static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context* ssl,
1081 unsigned char* buf,
1082 size_t buflen,
1083 size_t* olen )
1084{
1085 int ret;
1086 size_t n = 0;
1087 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
1088 size_t verify_buffer_len;
1089 mbedtls_pk_context *own_key;
1090 size_t own_key_size;
1091 unsigned int md_alg;
1092 int sig_alg;
1093 unsigned char verify_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
1094 size_t verify_hash_len;
1095 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
1096 size_t handshake_hash_len;
1097 unsigned char *p;
1098 const mbedtls_md_info_t *md_info;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1099 unsigned char * const end = buf + buflen;
1100
1101 p = buf;
1102 if( buflen < 2 + MBEDTLS_MD_MAX_SIZE )
1103 {
1104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too short" ) );
1105 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1106 }
1107
1108 /*
1109 * Check whether the signature scheme corresponds to the key we are using
1110 */
1111 if( mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ) !=
1112 MBEDTLS_SSL_SIG_ECDSA )
1113 {
1114 MBEDTLS_SSL_DEBUG_MSG( 1,
1115 ( "CertificateVerify: Only ECDSA signature algorithms are supported." ) );
1116
1117 MBEDTLS_SSL_DEBUG_MSG( 1,
1118 ( "%d", mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ) ) );
1119 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1120 }
1121
1122 /* Calculate the transcript hash */
1123 ret = mbedtls_ssl_get_handshake_transcript( ssl,
1124 ssl->handshake->ciphersuite_info->mac,
1125 handshake_hash,
1126 sizeof( handshake_hash ),
1127 &handshake_hash_len );
1128 if( ret != 0 )
1129 return( ret );
1130
1131 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1132 handshake_hash,
1133 handshake_hash_len);
1134
1135 /* Create verify structure */
1136 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1137 verify_buffer, &verify_buffer_len,
1138 ssl->conf->endpoint );
1139
1140 /*
1141 * struct {
1142 * SignatureScheme algorithm;
1143 * opaque signature<0..2^16-1>;
1144 * } CertificateVerify;
1145 */
1146
1147 /* Determine size of key */
1148 own_key = mbedtls_ssl_own_key( ssl );
1149 if( own_key != NULL)
1150 {
1151 own_key_size = mbedtls_pk_get_bitlen( own_key );
1152 switch( own_key_size )
1153 {
1154 case 256:
1155 md_alg = MBEDTLS_MD_SHA256;
1156 sig_alg = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
1157 break;
1158 case 384:
1159 md_alg = MBEDTLS_MD_SHA384;
1160 sig_alg = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
1161 break;
1162 default:
1163 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown key size: %" MBEDTLS_PRINTF_SIZET " bits",
1164 own_key_size ) );
1165 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1166 }
1167 }
1168 else
1169 {
1170 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1171 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1172 }
1173
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1174 if( !mbedtls_ssl_sig_alg_is_received( ssl, sig_alg ) )
1175 {
1176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1177 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1178 }
1179
1180 *(p++) = (unsigned char)( ( sig_alg >> 8 ) & 0xFF );
1181 *(p++) = (unsigned char)( ( sig_alg >> 0 ) & 0xFF );
1182
1183 /* Hash verify buffer with indicated hash function */
1184 md_info = mbedtls_md_info_from_type( md_alg );
1185 if( md_info == NULL )
1186 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1187
1188 ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash );
1189 if( ret != 0 )
1190 return( ret );
1191
1192 verify_hash_len = mbedtls_md_get_size( md_info );
1193 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1194
1195 if( ( ret = mbedtls_pk_sign( own_key, md_alg,
1196 verify_hash, verify_hash_len,
1197 p + 2, (size_t)( end - ( p + 2 ) ), &n,
1198 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1199 {
1200 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
1201 return( ret );
1202 }
1203 // unsigned char * x= p;
1204 p[0] = (unsigned char)( n >> 8 );
1205 p[1] = (unsigned char)( n >> 0 );
1206
1207 p += 2 + n;
1208
1209 *olen = (size_t)( p - buf );
1210 MBEDTLS_SSL_DEBUG_BUF( 3, "xverify hash", buf, *olen );
1211 return( ret );
1212}
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1213
1214static int ssl_tls13_finalize_certificate_verify( mbedtls_ssl_context* ssl )
1215{
1216#if defined(MBEDTLS_SSL_CLI_C)
1217 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1218 {
1219 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1220 }
1221 else
1222#endif /* MBEDTLS_SSL_CLI_C */
1223 {
1224 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1225 }
1226
1227 return( 0 );
1228}
1229
1230int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context* ssl )
1231{
1232 int ret = 0;
1233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1234
1235 /* Coordination step: Check if we need to send a CertificateVerify */
1236 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_verify_coordinate( ssl ) );
1237
1238 if( ret == SSL_WRITE_CERTIFICATE_VERIFY_SEND )
1239 {
1240 unsigned char *buf;
1241 size_t buf_len, msg_len;
1242
1243 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1244 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
1245
1246 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1247 ssl, buf, buf_len, &msg_len ) );
1248
1249 mbedtls_ssl_tls13_add_hs_msg_to_checksum(
1250 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len );
1251 /* Update state */
1252 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_certificate_verify( ssl ) );
1253
1254 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
1255 ssl, buf_len, msg_len ) );
1256 }
1257 else
1258 {
1259 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_certificate_verify( ssl ) );
1260 }
1261
1262cleanup:
1263
1264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1265 return( ret );
1266}
1267
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1268#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1269
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1270/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1271 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1272 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1273 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1274/*
1275 * Implementation
1276 */
1277
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1278static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1279{
1280 int ret;
1281
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1282 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1283 ssl->handshake->state_local.finished_in.digest,
1284 sizeof( ssl->handshake->state_local.finished_in.digest ),
1285 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1286 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1287 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1288 if( ret != 0 )
1289 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1290 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1291 return( ret );
1292 }
1293
1294 return( 0 );
1295}
1296
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1297static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1298 const unsigned char *buf,
1299 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1300{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1301 /*
1302 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1303 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1304 * } Finished;
1305 */
1306 const unsigned char *expected_verify_data =
1307 ssl->handshake->state_local.finished_in.digest;
1308 size_t expected_verify_data_len =
1309 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1310 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1311 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1312 {
1313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1314
1315 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1316 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1317 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1318 }
1319
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1320 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1321 expected_verify_data,
1322 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1323 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1324 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1325
1326 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]1327 if( mbedtls_ct_memcmp( buf,
1328 expected_verify_data,
1329 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1330 {
1331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1332
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1333 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1334 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1335 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1336 }
1337 return( 0 );
1338}
1339
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1340#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1341static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1342{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1343 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1344 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]1345 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1346
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1347 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1348 if( ret != 0 )
1349 {
1350 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1351 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1352 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1353 }
1354
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1355 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1356 if( ret != 0 )
1357 {
1358 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1359 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1360 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1361 }
1362
1363 transform_application =
1364 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
1365 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1366 {
1367 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1368 goto cleanup;
1369 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1370
1371 ret = mbedtls_ssl_tls13_populate_transform(
1372 transform_application,
1373 ssl->conf->endpoint,
1374 ssl->session_negotiate->ciphersuite,
1375 &traffic_keys,
1376 ssl );
1377 if( ret != 0 )
1378 {
1379 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1380 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1381 }
1382
1383 ssl->transform_application = transform_application;
1384
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1385cleanup:
1386
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1387 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1388 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]1389 {
1390 mbedtls_free( transform_application );
1391 MBEDTLS_SSL_PEND_FATAL_ALERT(
1392 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1393 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1394 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]1395 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1396}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1397#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1398
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1399static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1400{
1401
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1402#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1403 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1404 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1405 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1406 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1407#else
1408 ((void) ssl);
1409#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1410
1411 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1412}
1413
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1414int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1415{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1417 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1418 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1419
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1421
1422 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1423 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1424
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1425 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1426 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1427 &buf, &buf_len ) );
1428 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1429 mbedtls_ssl_tls13_add_hs_msg_to_checksum(
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1430 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1431 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1432
1433cleanup:
1434
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1436 return( ret );
1437}
1438
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1439/*
1440 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1441 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1442 *
1443 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1444/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1445 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1446 */
1447
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1448static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1449{
1450 int ret;
1451
1452 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1453 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1454 ssl->handshake->state_local.finished_out.digest,
1455 sizeof( ssl->handshake->state_local.finished_out.digest ),
1456 &ssl->handshake->state_local.finished_out.digest_len,
1457 ssl->conf->endpoint );
1458
1459 if( ret != 0 )
1460 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1461 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1462 return( ret );
1463 }
1464
1465 return( 0 );
1466}
1467
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1468static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1469{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1470 // TODO: Add back resumption keys calculation after MVP.
1471 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1472
1473 return( 0 );
1474}
1475
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1476static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1477 unsigned char *buf,
1478 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1479 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1480{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1481 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1482 /*
1483 * struct {
1484 * opaque verify_data[Hash.length];
1485 * } Finished;
1486 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1487 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1488
1489 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1490 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1491
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1492 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1493 return( 0 );
1494}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1495
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1496/* Main entry point: orchestrates the other functions */
1497int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1498{
1499 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1500 unsigned char *buf;
1501 size_t buf_len, msg_len;
1502
1503 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1504
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1505 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1506
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1507 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1508 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1509
1510 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1511 ssl, buf, buf + buf_len, &msg_len ) );
1512
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1513 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1514 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1515
1516 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
1517 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
1518 buf_len, msg_len ) );
1519 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1520
1521cleanup:
1522
1523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1524 return( ret );
1525}
1526
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1527void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1528{
1529
1530 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1531
1532 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1533 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1534 */
1535 if( ssl->session )
1536 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1537 mbedtls_ssl_session_free( ssl->session );
1538 mbedtls_free( ssl->session );
1539 }
1540 ssl->session = ssl->session_negotiate;
1541 ssl->session_negotiate = NULL;
1542
1543 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1544}
1545
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1546/*
1547 *
1548 * STATE HANDLING: Write ChangeCipherSpec
1549 *
1550 */
1551#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1552
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1553static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl )
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1554{
1555
1556#if defined(MBEDTLS_SSL_CLI_C)
1557 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1558 {
1559 switch( ssl->state )
1560 {
1561 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
1562 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1563 break;
1564 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1565#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1566 if( ssl->handshake->client_auth )
1567 {
1568 mbedtls_ssl_handshake_set_state( ssl,
1569 MBEDTLS_SSL_CLIENT_CERTIFICATE );
1570 }
1571 else
1572#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1573 {
1574 mbedtls_ssl_handshake_set_state( ssl,
1575 MBEDTLS_SSL_CLIENT_FINISHED );
1576 }
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1577 break;
1578 default:
1579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1580 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1581 }
1582 }
1583#else
1584 ((void) ssl);
1585#endif /* MBEDTLS_SSL_CLI_C */
1586
1587 return( 0 );
1588}
1589
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1590static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1591 unsigned char *buf,
1592 unsigned char *end,
1593 size_t *olen )
1594{
1595 ((void) ssl);
1596
1597 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1598 buf[0] = 1;
1599 *olen = 1;
1600
1601 return( 0 );
1602}
1603
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1604int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1605{
1606 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1607
1608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1609
1610 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1611
1612 /* Write CCS message */
1613 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1614 ssl, ssl->out_msg,
1615 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1616 &ssl->out_msglen ) );
1617
1618 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1619
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1620 /* Update state */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1621 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_change_cipher_spec( ssl ) );
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]1622
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1623 /* Dispatch message */
1624 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) );
1625
1626cleanup:
1627
1628 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1629 return( ret );
1630}
1631
1632#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1633
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1634/* Reset SSL context and update hash for handling HRR.
1635 *
1636 * Replace Transcript-Hash(X) by
1637 * Transcript-Hash( message_hash ||
1638 * 00 00 Hash.length ||
1639 * X )
1640 * A few states of the handshake are preserved, including:
1641 * - session ID
1642 * - session ticket
1643 * - negotiated ciphersuite
1644 */
1645int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1646{
1647 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1648 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1649 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1650 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1651 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1652 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1653
1654 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1655
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1656 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1657 hash_transcript + 4,
1658 MBEDTLS_MD_MAX_SIZE,
1659 &hash_len );
1660 if( ret != 0 )
1661 {
1662 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1663 return( ret );
1664 }
1665
1666 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1667 hash_transcript[1] = 0;
1668 hash_transcript[2] = 0;
1669 hash_transcript[3] = (unsigned char) hash_len;
1670
1671 hash_len += 4;
1672
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1673 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1674 {
1675#if defined(MBEDTLS_SHA256_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1676 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1677 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1678
1679#if defined(MBEDTLS_USE_PSA_CRYPTO)
1680 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1681 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1682#else
1683 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1684#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1685#endif /* MBEDTLS_SHA256_C */
1686 }
1687 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1688 {
1689#if defined(MBEDTLS_SHA384_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1690 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1691 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1692
1693#if defined(MBEDTLS_USE_PSA_CRYPTO)
1694 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1695 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1696#else
1697 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1698#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1699#endif /* MBEDTLS_SHA384_C */
1700 }
1701
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1702#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
1703 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1704#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1705 return( ret );
1706}
1707
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1708#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */