TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9a4e1dd8a6945373ea11e51ebb9b94e57fbba637 / . / library / ssl_tls13_generic.c
blob: 17efa8c22b0b82cba1f6b17da82dce49b81f5b22 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]23
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]24#include <string.h>
25
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]26#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]27#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]28#include "mbedtls/oid.h"
29#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]30#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]31#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]32
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]33#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]36
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]37const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
38 MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
39 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
40 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
41 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
42 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]43
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]44int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
45 unsigned hs_type,
46 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]47 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]48{
49 int ret;
50
51 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
52 {
53 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
54 goto cleanup;
55 }
56
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]57 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]58 ssl->in_msg[0] != hs_type )
59 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]60 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]61 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]62 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]63 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
64 goto cleanup;
65 }
66
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]67 /*
68 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
69 * ...
70 * HandshakeType msg_type;
71 * uint24 length;
72 * ...
73 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]74 *buf = ssl->in_msg + 4;
75 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]76
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]77cleanup:
78
79 return( ret );
80}
81
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]82#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]83/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]84 * STATE HANDLING: Read CertificateVerify
85 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]86/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]87 *
88 * The structure is computed per TLS 1.3 specification as:
89 * - 64 bytes of octet 32,
90 * - 33 bytes for the context string
91 * (which is either "TLS 1.3, client CertificateVerify"
92 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]93 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]94 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
95 * (depending on the size of the transcript_hash)
96 *
97 * This results in a total size of
98 * - 130 bytes for a SHA256-based transcript hash, or
99 * (64 + 33 + 1 + 32 bytes)
100 * - 146 bytes for a SHA384-based transcript hash.
101 * (64 + 33 + 1 + 48 bytes)
102 *
103 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]104#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
105 33 + \
106 1 + \
107 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]108 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]109
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]110/*
111 * The ssl_tls13_create_verify_structure() creates the verify structure.
112 * As input, it requires the transcript hash.
113 *
114 * The caller has to ensure that the buffer has size at least
115 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
116 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]117static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]118 size_t transcript_hash_len,
119 unsigned char *verify_buffer,
120 size_t *verify_buffer_len,
121 int from )
122{
123 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]124
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]125 /* RFC 8446, Section 4.4.3:
126 *
127 * The digital signature [in the CertificateVerify message] is then
128 * computed over the concatenation of:
129 * - A string that consists of octet 32 (0x20) repeated 64 times
130 * - The context string
131 * - A single 0 byte which serves as the separator
132 * - The content to be signed
133 */
134 memset( verify_buffer, 0x20, 64 );
135 idx = 64;
136
137 if( from == MBEDTLS_SSL_IS_CLIENT )
138 {
139 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
140 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
141 }
142 else
143 { /* from == MBEDTLS_SSL_IS_SERVER */
144 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
145 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
146 }
147
148 verify_buffer[idx++] = 0x0;
149
150 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
151 idx += transcript_hash_len;
152
153 *verify_buffer_len = idx;
154}
155
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]156static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]157 const unsigned char *buf,
158 const unsigned char *end,
159 const unsigned char *verify_buffer,
160 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]161{
162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
163 const unsigned char *p = buf;
164 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]165 size_t signature_len;
166 mbedtls_pk_type_t sig_alg;
167 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]168 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]169 size_t verify_hash_len;
170
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]171 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]172#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]173 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]174#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
175
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]176 /*
177 * struct {
178 * SignatureScheme algorithm;
179 * opaque signature<0..2^16-1>;
180 * } CertificateVerify;
181 */
182 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
183 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
184 p += 2;
185
186 /* RFC 8446 section 4.4.3
187 *
188 * If the CertificateVerify message is sent by a server, the signature algorithm
189 * MUST be one offered in the client's "signature_algorithms" extension unless
190 * no valid certificate chain can be produced without unsupported algorithms
191 *
192 * RFC 8446 section 4.4.2.2
193 *
194 * If the client cannot construct an acceptable chain using the provided
195 * certificates and decides to abort the handshake, then it MUST abort the handshake
196 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
197 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]198 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]199 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]200 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]201 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]202 /* algorithm not in offered signature algorithms list */
203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
204 "offered.",
205 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]206 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]207 }
208
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]209 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]210 algorithm, &sig_alg, &md_alg ) != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]211 {
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]212 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]213 }
214
215 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
216 ( unsigned int ) algorithm ) );
217
218 /*
219 * Check the certificate's key type matches the signature alg
220 */
221 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
222 {
223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]224 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]225 }
226
227 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
228 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
229 p += 2;
230 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
231
232 /* Hash verify buffer with indicated hash function */
233 switch( md_alg )
234 {
235#if defined(MBEDTLS_SHA256_C)
236 case MBEDTLS_MD_SHA256:
237 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]238 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]239 break;
240#endif /* MBEDTLS_SHA256_C */
241
242#if defined(MBEDTLS_SHA384_C)
243 case MBEDTLS_MD_SHA384:
244 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]245 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]246 break;
247#endif /* MBEDTLS_SHA384_C */
248
249#if defined(MBEDTLS_SHA512_C)
250 case MBEDTLS_MD_SHA512:
251 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]252 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]253 break;
254#endif /* MBEDTLS_SHA512_C */
255
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]256 default:
257 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
258 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]259 }
260
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]261 if( ret != 0 )
262 {
263 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]264 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]265 }
266
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]267 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]268#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
269 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
270 {
271 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]272 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]273 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
274 {
275 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
276 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]277 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
278 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]279 }
280#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]281
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]282 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]283 &ssl->session_negotiate->peer_cert->pk,
284 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]285 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]286 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]287 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]288 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]289 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]290
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]291error:
292 /* RFC 8446 section 4.4.3
293 *
294 * If the verification fails, the receiver MUST terminate the handshake
295 * with a "decrypt_error" alert.
296 */
297 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
298 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
299 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
300
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]301}
302#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
303
304int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
305{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]306
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]307#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
308 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
309 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
310 size_t verify_buffer_len;
311 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
312 size_t transcript_len;
313 unsigned char *buf;
314 size_t buf_len;
315
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]316 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
317
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]318 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]319 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]320 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]321
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]322 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]323 * before reading the message since otherwise it gets
324 * included in the transcript
325 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]326 ret = mbedtls_ssl_get_handshake_transcript( ssl,
327 ssl->handshake->ciphersuite_info->mac,
328 transcript, sizeof( transcript ),
329 &transcript_len );
330 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]331 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]332 MBEDTLS_SSL_PEND_FATAL_ALERT(
333 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
334 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
335 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]336 }
337
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]338 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
339
340 /* Create verify structure */
341 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]342 transcript_len,
343 verify_buffer,
344 &verify_buffer_len,
345 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
346 MBEDTLS_SSL_IS_SERVER :
347 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]348
349 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]350 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
351 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]352
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]353 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
354 buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]355
356cleanup:
357
358 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]359 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]360 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]361#else
362 ((void) ssl);
363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
364 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
365#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]366}
367
368/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]369 *
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]370 * STATE HANDLING: Incoming Certificate.
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]371 *
372 */
373
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]374#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
375#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
376/*
377 * Structure of Certificate message:
378 *
379 * enum {
380 * X509(0),
381 * RawPublicKey(2),
382 * (255)
383 * } CertificateType;
384 *
385 * struct {
386 * select (certificate_type) {
387 * case RawPublicKey:
388 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
389 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
390 * case X509:
391 * opaque cert_data<1..2^24-1>;
392 * };
393 * Extension extensions<0..2^16-1>;
394 * } CertificateEntry;
395 *
396 * struct {
397 * opaque certificate_request_context<0..2^8-1>;
398 * CertificateEntry certificate_list<0..2^24-1>;
399 * } Certificate;
400 *
401 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]402
403/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]404static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
405 const unsigned char *buf,
406 const unsigned char *end )
407{
408 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
409 size_t certificate_request_context_len = 0;
410 size_t certificate_list_len = 0;
411 const unsigned char *p = buf;
412 const unsigned char *certificate_list_end;
413
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]414 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]415 certificate_request_context_len = p[0];
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]416 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
417 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]418
419 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
420 * support anything beyond 2^16 = 64K.
421 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]422 if( ( certificate_request_context_len != 0 ) ||
423 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]424 {
425 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
426 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
427 MBEDTLS_ERR_SSL_DECODE_ERROR );
428 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
429 }
430
431 /* In case we tried to reuse a session but it failed */
432 if( ssl->session_negotiate->peer_cert != NULL )
433 {
434 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
435 mbedtls_free( ssl->session_negotiate->peer_cert );
436 }
437
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]438 if( certificate_list_len == 0 )
439 {
440 ssl->session_negotiate->peer_cert = NULL;
441 ret = 0;
442 goto exit;
443 }
444
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]445 if( ( ssl->session_negotiate->peer_cert =
446 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
447 {
448 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
449 sizeof( mbedtls_x509_crt ) ) );
450 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
451 MBEDTLS_ERR_SSL_ALLOC_FAILED );
452 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
453 }
454
455 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
456
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]457 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]458 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]459 {
460 size_t cert_data_len, extensions_len;
461
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]462 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]463 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]464 p += 3;
465
466 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
467 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
468 * check that we have a minimum of 128 bytes of data, this is not
469 * clear why we need that though.
470 */
471 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]472 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
474 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
475 MBEDTLS_ERR_SSL_DECODE_ERROR );
476 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
477 }
478
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]479 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]480 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
481 p, cert_data_len );
482
483 switch( ret )
484 {
485 case 0: /*ok*/
486 break;
487 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
488 /* Ignore certificate with an unknown algorithm: maybe a
489 prior certificate was already trusted. */
490 break;
491
492 case MBEDTLS_ERR_X509_ALLOC_FAILED:
493 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
494 MBEDTLS_ERR_X509_ALLOC_FAILED );
495 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
496 return( ret );
497
498 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
499 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
500 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
501 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
502 return( ret );
503
504 default:
505 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
506 ret );
507 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
508 return( ret );
509 }
510
511 p += cert_data_len;
512
513 /* Certificate extensions length */
514 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
515 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
516 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]517 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]518 p += extensions_len;
519 }
520
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]521exit:
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]522 /* Check that all the message is consumed. */
523 if( p != end )
524 {
525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
526 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
527 MBEDTLS_ERR_SSL_DECODE_ERROR );
528 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
529 }
530
531 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
532
533 return( ret );
534}
535#else
536static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
537 const unsigned char *buf,
538 const unsigned char *end )
539{
540 ((void) ssl);
541 ((void) buf);
542 ((void) end);
543 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
544}
545#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
546#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
547
548#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
549#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]550/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]551static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
552{
553 int ret = 0;
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]554 int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]555 mbedtls_x509_crt *ca_chain;
556 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]557 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]558
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]559 /* If SNI was used, overwrite authentication mode
560 * from the configuration. */
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]561#if defined(MBEDTLS_SSL_SRV_C)
562 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
563 {
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]564#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]565 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
566 authmode = ssl->handshake->sni_authmode;
567 else
568#endif
569 authmode = ssl->conf->authmode;
570 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]571#endif
572
573 /*
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]574 * If the peer hasn't sent a certificate ( i.e. it sent
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]575 * an empty certificate chain ), this is reflected in the peer CRT
576 * structure being unset.
577 * Check for that and handle it depending on the
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]578 * authentication mode.
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]579 */
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]580 if( ssl->session_negotiate->peer_cert == NULL )
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]581 {
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) );
583
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]584#if defined(MBEDTLS_SSL_SRV_C)
585 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
586 {
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]587 /* The client was asked for a certificate but didn't send
588 * one. The client should know what's going on, so we
589 * don't send an alert.
590 */
591 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
592 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
593 return( 0 );
594 else
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]595 {
596 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]597 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
598 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
XiaokangQian989f06d2022-05-17 01:50:15 +0000[diff] [blame]599 }
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]600 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]601#endif /* MBEDTLS_SSL_SRV_C */
602
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]603#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]604 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
605 {
606 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
607 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
608 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
609 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]610#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQian63e713e2022-05-15 04:26:57 +0000[diff] [blame]611 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]612
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]613#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
614 if( ssl->handshake->sni_ca_chain != NULL )
615 {
616 ca_chain = ssl->handshake->sni_ca_chain;
617 ca_crl = ssl->handshake->sni_ca_crl;
618 }
619 else
620#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
621 {
622 ca_chain = ssl->conf->ca_chain;
623 ca_crl = ssl->conf->ca_crl;
624 }
625
626 /*
627 * Main check: verify certificate
628 */
629 ret = mbedtls_x509_crt_verify_with_profile(
630 ssl->session_negotiate->peer_cert,
631 ca_chain, ca_crl,
632 ssl->conf->cert_profile,
633 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]634 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]635 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
636
637 if( ret != 0 )
638 {
639 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
640 }
641
642 /*
643 * Secondary checks: always done, but change 'ret' only if it was 0
644 */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]645 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
646 ssl->handshake->ciphersuite_info,
647 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]648 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]649 {
650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
651 if( ret == 0 )
652 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
653 }
654
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]655 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
656 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
657 * with details encoded in the verification flags. All other kinds
658 * of error codes, including those from the user provided f_vrfy
659 * functions, are treated as fatal and lead to a failure of
660 * ssl_tls13_parse_certificate even if verification was optional. */
661 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
662 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
663 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
664 {
665 ret = 0;
666 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]667
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]668 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]669 {
670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
671 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
672 }
673
674 if( ret != 0 )
675 {
676 /* The certificate may have been rejected for several reasons.
677 Pick one and send the corresponding alert. Which alert to send
678 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]679 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]680 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]681 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]682 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]683 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
684 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
685 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
686 MBEDTLS_X509_BADCERT_BAD_PK |
687 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]688 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]689 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]690 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]691 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]692 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]693 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]694 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
695 else
696 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
697 }
698
699#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]700 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]701 {
702 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]703 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]704 }
705 else
706 {
707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
708 }
709#endif /* MBEDTLS_DEBUG_C */
710
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]711 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]712 return( ret );
713}
714#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
715static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
716{
717 ((void) ssl);
718 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
719}
720#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
721#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
722
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]723int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]724{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
726 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
727
728#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]729 unsigned char *buf;
730 size_t buf_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]731
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]732 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
733 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
734 &buf, &buf_len ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]735
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]736 /* Parse the certificate chain sent by the peer. */
737 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf,
738 buf + buf_len ) );
739 /* Validate the certificate chain and set the verification results. */
740 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]741
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]742 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
743 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]744
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]745cleanup:
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]746#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]747
748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
749 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]750}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]751#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]752/*
753 * enum {
754 * X509(0),
755 * RawPublicKey(2),
756 * (255)
757 * } CertificateType;
758 *
759 * struct {
760 * select (certificate_type) {
761 * case RawPublicKey:
762 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
763 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
764 *
765 * case X509:
766 * opaque cert_data<1..2^24-1>;
767 * };
768 * Extension extensions<0..2^16-1>;
769 * } CertificateEntry;
770 *
771 * struct {
772 * opaque certificate_request_context<0..2^8-1>;
773 * CertificateEntry certificate_list<0..2^24-1>;
774 * } Certificate;
775 */
776static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]777 unsigned char *buf,
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]778 unsigned char *end,
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]779 size_t *out_len )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]780{
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]781 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]782 unsigned char *p = buf;
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]783 unsigned char *certificate_request_context =
784 ssl->handshake->certificate_request_context;
785 unsigned char certificate_request_context_len =
786 ssl->handshake->certificate_request_context_len;
787 unsigned char *p_certificate_list_len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]788
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]789
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]790 /* ...
791 * opaque certificate_request_context<0..2^8-1>;
792 * ...
793 */
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]794 MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
795 *p++ = certificate_request_context_len;
796 if( certificate_request_context_len > 0 )
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]797 {
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]798 memcpy( p, certificate_request_context, certificate_request_context_len );
799 p += certificate_request_context_len;
Jerry Yu537530d2022-02-15 14:00:57 +0800[diff] [blame]800 }
801
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]802 /* ...
803 * CertificateEntry certificate_list<0..2^24-1>;
804 * ...
805 */
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]806 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]807 p_certificate_list_len = p;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]808 p += 3;
809
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]810 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]811
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]812 while( crt != NULL )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]813 {
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]814 size_t cert_data_len = crt->raw.len;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]815
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]816 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
817 MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
818 p += 3;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]819
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]820 memcpy( p, crt->raw.p, cert_data_len );
821 p += cert_data_len;
822 crt = crt->next;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]823
824 /* Currently, we don't have any certificate extensions defined.
825 * Hence, we are sending an empty extension with length zero.
826 */
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]827 MBEDTLS_PUT_UINT24_BE( 0, p, 0 );
828 p += 2;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]829 }
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]830
Jerry Yuc8d8d4e2022-02-18 12:10:03 +0800[diff] [blame]831 MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
832 p_certificate_list_len, 0 );
Jerry Yu7399d0d2022-01-30 17:54:19 +0800[diff] [blame]833
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]834 *out_len = p - buf;
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]835
836 return( 0 );
837}
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]838
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]839int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]840{
841 int ret;
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]842 unsigned char *buf;
843 size_t buf_len, msg_len;
844
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
846
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]847 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]848 MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]849
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]850 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
851 buf,
852 buf + buf_len,
853 &msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]854
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]855 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
856 buf, msg_len );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]857
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]858 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]859 ssl, buf_len, msg_len ) );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]860cleanup:
861
862 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
863 return( ret );
864}
865
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]866/*
867 * STATE HANDLING: Output Certificate Verify
868 */
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]869static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
870 mbedtls_pk_context *own_key,
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]871 uint16_t *algorithm )
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]872{
873 mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
874 /* Determine the size of the key */
875 size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]876 *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]877 ((void) own_key_size);
878
879 switch( sig )
880 {
881#if defined(MBEDTLS_ECDSA_C)
882 case MBEDTLS_SSL_SIG_ECDSA:
883 switch( own_key_size )
884 {
885 case 256:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]886 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]887 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]888 case 384:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]889 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]890 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]891 case 521:
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]892 *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]893 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]894 default:
895 MBEDTLS_SSL_DEBUG_MSG( 3,
896 ( "unknown key size: %"
897 MBEDTLS_PRINTF_SIZET " bits",
898 own_key_size ) );
899 break;
900 }
901 break;
902#endif /* MBEDTLS_ECDSA_C */
903
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]904#if defined(MBEDTLS_RSA_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]905 case MBEDTLS_SSL_SIG_RSA:
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]906#if defined(MBEDTLS_PKCS1_V21)
907#if defined(MBEDTLS_SHA256_C)
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]908 if( own_key_size <= 2048 &&
909 mbedtls_ssl_sig_alg_is_received( ssl,
910 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
911 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]912 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]913 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]914 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]915 else
916#endif /* MBEDTLS_SHA256_C */
917#if defined(MBEDTLS_SHA384_C)
918 if( own_key_size <= 3072 &&
919 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]920 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
921 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]922 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]923 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]924 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]925 else
926#endif /* MBEDTLS_SHA384_C */
927#if defined(MBEDTLS_SHA512_C)
928 if( own_key_size <= 4096 &&
929 mbedtls_ssl_sig_alg_is_received( ssl,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]930 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
931 {
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]932 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]933 return( 0 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]934 }
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]935 else
936#endif /* MBEDTLS_SHA512_C */
937#endif /* MBEDTLS_PKCS1_V21 */
938#if defined(MBEDTLS_PKCS1_V15)
939#if defined(MBEDTLS_SHA256_C)
940 if( own_key_size <= 2048 &&
941 mbedtls_ssl_sig_alg_is_received( ssl,
942 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
943 {
944 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]945 return( 0 );
946 }
947 else
948#endif /* MBEDTLS_SHA256_C */
949#if defined(MBEDTLS_SHA384_C)
950 if( own_key_size <= 3072 &&
951 mbedtls_ssl_sig_alg_is_received( ssl,
952 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
953 {
954 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]955 return( 0 );
956 }
957 else
958#endif /* MBEDTLS_SHA384_C */
959#if defined(MBEDTLS_SHA512_C)
960 if( own_key_size <= 4096 &&
961 mbedtls_ssl_sig_alg_is_received( ssl,
962 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
963 {
964 *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]965 return( 0 );
966 }
967 else
968#endif /* MBEDTLS_SHA512_C */
969#endif /* MBEDTLS_PKCS1_V15 */
970 {
971 MBEDTLS_SSL_DEBUG_MSG( 3,
972 ( "unknown key size: %"
973 MBEDTLS_PRINTF_SIZET " bits",
974 own_key_size ) );
975 }
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]976 break;
Jerry Yucef3f332022-03-22 23:00:13 +0800[diff] [blame]977#endif /* MBEDTLS_RSA_C */
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]978 default:
979 MBEDTLS_SSL_DEBUG_MSG( 1,
Andrzej Kurek5c65c572022-04-13 14:28:52 -0400[diff] [blame]980 ( "unknown signature type : %u", sig ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]981 break;
982 }
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]983 return( -1 );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]984}
985
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]986static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
987 unsigned char *buf,
988 unsigned char *end,
989 size_t *out_len )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]990{
991 int ret;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]992 unsigned char *p = buf;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]993 mbedtls_pk_context *own_key;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]994
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]995 unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
996 size_t handshake_hash_len;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]997 unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
998 size_t verify_buffer_len;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]999 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1000 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Jerry Yu78272072022-02-22 10:28:13 +0800[diff] [blame]1001 uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1002 size_t signature_len = 0;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1003 const mbedtls_md_info_t *md_info;
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1004 unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1005 size_t verify_hash_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1006
Jerry Yu0b7b1012022-02-23 12:23:05 +0800[diff] [blame]1007 *out_len = 0;
1008
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1009 own_key = mbedtls_ssl_own_key( ssl );
1010 if( own_key == NULL )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1011 {
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1012 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1013 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1014 }
1015
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1016 ret = mbedtls_ssl_get_handshake_transcript( ssl,
1017 ssl->handshake->ciphersuite_info->mac,
1018 handshake_hash,
1019 sizeof( handshake_hash ),
1020 &handshake_hash_len );
1021 if( ret != 0 )
1022 return( ret );
1023
1024 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1025 handshake_hash,
1026 handshake_hash_len);
1027
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1028 ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1029 verify_buffer, &verify_buffer_len,
1030 ssl->conf->endpoint );
1031
1032 /*
1033 * struct {
1034 * SignatureScheme algorithm;
1035 * opaque signature<0..2^16-1>;
1036 * } CertificateVerify;
1037 */
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1038 ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
Jerry Yue91a51a2022-03-22 21:42:50 +0800[diff] [blame]1039 if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1040 {
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1041 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]1042 ( "signature algorithm not in received or offered list." ) );
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1043
1044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
1045 mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
1046
Jerry Yu71f36f12022-02-23 17:34:29 +0800[diff] [blame]1047 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Jerry Yud66409a2022-02-18 16:42:24 +0800[diff] [blame]1048 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1049 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1050 }
1051
Jerry Yu6c6f1022022-03-25 11:09:50 +0800[diff] [blame]1052 if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
1053 algorithm, &pk_type, &md_alg ) != 0 )
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1054 {
Jerry Yuf8aa9a42022-03-23 20:40:28 +0800[diff] [blame]1055 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu8c338862022-03-23 13:34:04 +0800[diff] [blame]1056 }
1057
Jerry Yu3391ac02022-02-16 11:21:37 +0800[diff] [blame]1058 /* Check there is space for the algorithm identifier (2 bytes) and the
1059 * signature length (2 bytes).
1060 */
1061 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1062 MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
1063 p += 2;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1064
1065 /* Hash verify buffer with indicated hash function */
1066 md_info = mbedtls_md_info_from_type( md_alg );
1067 if( md_info == NULL )
1068 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1069
1070 ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash );
1071 if( ret != 0 )
1072 return( ret );
1073
1074 verify_hash_len = mbedtls_md_get_size( md_info );
1075 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1076
Jerry Yu8beb9e12022-03-12 16:23:53 +0800[diff] [blame]1077 if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1078 md_alg, verify_hash, verify_hash_len,
Jerry Yu67eced02022-02-25 13:37:36 +0800[diff] [blame]1079 p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
1080 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1081 {
1082 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
1083 return( ret );
1084 }
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1085
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1086 MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
1087 p += 2 + signature_len;
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1088
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1089 *out_len = (size_t)( p - buf );
1090
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1091 return( ret );
1092}
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1093
Jerry Yu3e536442022-02-15 11:05:59 +0800[diff] [blame]1094int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1095{
1096 int ret = 0;
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1097 unsigned char *buf;
1098 size_t buf_len, msg_len;
1099
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1100 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1101
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1102 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1103 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1104
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1105 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1106 ssl, buf, buf + buf_len, &msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1107
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1108 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1109 buf, msg_len );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1110
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1111 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1112 ssl, buf_len, msg_len ) );
Jerry Yu8511f122022-01-29 10:01:04 +0800[diff] [blame]1113
1114cleanup:
1115
1116 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1117 return( ret );
1118}
1119
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1120#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1121
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1122/*
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1123 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1124 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1125 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1126/*
1127 * Implementation
1128 */
1129
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1130static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1131{
1132 int ret;
1133
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1134 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1135 ssl->handshake->state_local.finished_in.digest,
1136 sizeof( ssl->handshake->state_local.finished_in.digest ),
1137 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1138 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1139 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1140 if( ret != 0 )
1141 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1142 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1143 return( ret );
1144 }
1145
1146 return( 0 );
1147}
1148
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1149static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1150 const unsigned char *buf,
1151 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1152{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1153 /*
1154 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1155 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1156 * } Finished;
1157 */
1158 const unsigned char *expected_verify_data =
1159 ssl->handshake->state_local.finished_in.digest;
1160 size_t expected_verify_data_len =
1161 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1162 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1163 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1164 {
1165 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1166
1167 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1168 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1169 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1170 }
1171
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1172 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1173 expected_verify_data,
1174 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1175 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1176 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1177
1178 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]1179 if( mbedtls_ct_memcmp( buf,
1180 expected_verify_data,
1181 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1182 {
1183 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1184
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1185 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1186 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1187 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1188 }
1189 return( 0 );
1190}
1191
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1192int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1193{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1194 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1195 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1196 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1197
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1198 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1199
1200 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1201 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1202
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1203 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1204 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1205 &buf, &buf_len ) );
1206 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1207 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1208 buf, buf_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1209
1210cleanup:
1211
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1213 return( ret );
1214}
1215
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1216/*
1217 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1218 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1219 *
1220 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1221/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1222 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1223 */
1224
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1225static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1226{
1227 int ret;
1228
1229 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1230 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1231 ssl->handshake->state_local.finished_out.digest,
1232 sizeof( ssl->handshake->state_local.finished_out.digest ),
1233 &ssl->handshake->state_local.finished_out.digest_len,
1234 ssl->conf->endpoint );
1235
1236 if( ret != 0 )
1237 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1238 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1239 return( ret );
1240 }
1241
1242 return( 0 );
1243}
1244
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1245static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1246 unsigned char *buf,
1247 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1248 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1249{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1250 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1251 /*
1252 * struct {
1253 * opaque verify_data[Hash.length];
1254 * } Finished;
1255 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1256 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1257
1258 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1259 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1260
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1261 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1262 return( 0 );
1263}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1264
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1265/* Main entry point: orchestrates the other functions */
1266int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1267{
1268 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1269 unsigned char *buf;
1270 size_t buf_len, msg_len;
1271
1272 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1273
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1274 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1275
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1276 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1277 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1278
1279 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1280 ssl, buf, buf + buf_len, &msg_len ) );
1281
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1282 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1283 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1284
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1285 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1286 ssl, buf_len, msg_len ) );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1287cleanup:
1288
1289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1290 return( ret );
1291}
1292
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1293void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1294{
1295
1296 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1297
Jerry Yue8c1fca2022-05-18 14:48:56 +0800[diff] [blame]1298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1299 mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1300
1301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1302 mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1303
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1304 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1305 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1306 */
1307 if( ssl->session )
1308 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1309 mbedtls_ssl_session_free( ssl->session );
1310 mbedtls_free( ssl->session );
1311 }
1312 ssl->session = ssl->session_negotiate;
1313 ssl->session_negotiate = NULL;
1314
1315 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1316}
1317
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1318/*
1319 *
1320 * STATE HANDLING: Write ChangeCipherSpec
1321 *
1322 */
1323#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1324static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1325 unsigned char *buf,
1326 unsigned char *end,
1327 size_t *olen )
1328{
1329 ((void) ssl);
1330
1331 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1332 buf[0] = 1;
1333 *olen = 1;
1334
1335 return( 0 );
1336}
1337
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1338int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1339{
1340 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1341
1342 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1343
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1344 /* Write CCS message */
1345 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1346 ssl, ssl->out_msg,
1347 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1348 &ssl->out_msglen ) );
1349
1350 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1351
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1352 /* Dispatch message */
Ronald Cron66dbf912022-02-02 15:33:46 +0100[diff] [blame]1353 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1354
1355cleanup:
1356
1357 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1358 return( ret );
1359}
1360
1361#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1362
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1363/* Reset SSL context and update hash for handling HRR.
1364 *
1365 * Replace Transcript-Hash(X) by
1366 * Transcript-Hash( message_hash ||
1367 * 00 00 Hash.length ||
1368 * X )
1369 * A few states of the handshake are preserved, including:
1370 * - session ID
1371 * - session ticket
1372 * - negotiated ciphersuite
1373 */
1374int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1375{
1376 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1377 unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1378 size_t hash_len;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1379 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1380 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1381 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1382
1383 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1384
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1385 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1386 hash_transcript + 4,
1387 MBEDTLS_MD_MAX_SIZE,
1388 &hash_len );
1389 if( ret != 0 )
1390 {
1391 MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1392 return( ret );
1393 }
1394
1395 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1396 hash_transcript[1] = 0;
1397 hash_transcript[2] = 0;
1398 hash_transcript[3] = (unsigned char) hash_len;
1399
1400 hash_len += 4;
1401
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1402 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1403 {
1404#if defined(MBEDTLS_SHA256_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1405 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1406 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1407
1408#if defined(MBEDTLS_USE_PSA_CRYPTO)
1409 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1410 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1411#else
1412 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1413#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1414#endif /* MBEDTLS_SHA256_C */
1415 }
1416 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1417 {
1418#if defined(MBEDTLS_SHA384_C)
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1419 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1420 hash_transcript, hash_len );
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1421
1422#if defined(MBEDTLS_USE_PSA_CRYPTO)
1423 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1424 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1425#else
1426 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
1427#endif
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1428#endif /* MBEDTLS_SHA384_C */
1429 }
1430
XiaokangQian0ece9982022-01-24 08:56:23 +0000[diff] [blame]1431#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
1432 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1433#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
Przemyslaw Stekiel4b3fff42022-02-14 16:39:52 +0100[diff] [blame]1434
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1435 return( ret );
1436}
1437
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1438#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1439
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1440int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
1441 const unsigned char *buf,
1442 size_t buf_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1443{
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1444 uint8_t *p = (uint8_t*)buf;
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1445 const uint8_t *end = buf + buf_len;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1446 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1447
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1448 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1449 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1450 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1451 p += 2;
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1452
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1453 /* Check if key size is consistent with given buffer length. */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1454 MBEDTLS_SSL_CHK_BUF_PTR( p, end, peerkey_len );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1455
1456 /* Store peer's ECDH public key. */
1457 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
1458 handshake->ecdh_psa_peerkey_len = peerkey_len;
1459
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]1460 return( 0 );
1461}
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1462
1463int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1464 mbedtls_ssl_context *ssl,
1465 uint16_t named_group,
1466 unsigned char *buf,
1467 unsigned char *end,
1468 size_t *out_len )
1469{
1470 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1471 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1472 psa_key_attributes_t key_attributes;
1473 size_t own_pubkey_len;
1474 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1475 size_t ecdh_bits = 0;
1476
1477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
1478
1479 /* Convert EC group to PSA key type. */
1480 if( ( handshake->ecdh_psa_type =
1481 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
1482 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1483
1484 ssl->handshake->ecdh_bits = ecdh_bits;
1485
1486 key_attributes = psa_key_attributes_init();
1487 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
1488 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
1489 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
1490 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
1491
1492 /* Generate ECDH private key. */
1493 status = psa_generate_key( &key_attributes,
1494 &handshake->ecdh_psa_privkey );
1495 if( status != PSA_SUCCESS )
1496 {
1497 ret = psa_ssl_status_to_mbedtls( status );
1498 MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
1499 return( ret );
1500
1501 }
1502
1503 /* Export the public part of the ECDH private key from PSA. */
1504 status = psa_export_public_key( handshake->ecdh_psa_privkey,
1505 buf, (size_t)( end - buf ),
1506 &own_pubkey_len );
1507 if( status != PSA_SUCCESS )
1508 {
1509 ret = psa_ssl_status_to_mbedtls( status );
1510 MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
1511 return( ret );
1512
1513 }
1514
1515 *out_len = own_pubkey_len;
1516
1517 return( 0 );
1518}
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]1519#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1520
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1521#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */