Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 1 | /* |
| 2 | * TLS 1.3 functionality shared between client and server |
| 3 | * |
| 4 | * Copyright The Mbed TLS Contributors |
| 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| 18 | */ |
| 19 | |
| 20 | #include "common.h" |
| 21 | |
| 22 | #if defined(MBEDTLS_SSL_TLS_C) |
| 23 | |
| 24 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) |
| 25 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 26 | #include <string.h> |
| 27 | |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 28 | #include "mbedtls/error.h" |
Jerry Yu | 7533635 | 2021-09-01 15:59:36 +0800 | [diff] [blame] | 29 | #include "mbedtls/debug.h" |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 30 | #include "mbedtls/oid.h" |
| 31 | #include "mbedtls/platform.h" |
Gabor Mezei | 685472b | 2021-11-24 11:17:36 +0100 | [diff] [blame] | 32 | #include "mbedtls/constant_time.h" |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 33 | #include <string.h> |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 34 | |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 35 | #include "ssl_misc.h" |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 36 | #include "ssl_tls13_keys.h" |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 37 | |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 38 | int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, |
XiaokangQian | 16c61aa | 2021-09-27 09:30:17 +0000 | [diff] [blame] | 39 | unsigned hs_type, |
| 40 | unsigned char **buf, |
| 41 | size_t *buflen ) |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 42 | { |
| 43 | int ret; |
| 44 | |
| 45 | if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 ) |
| 46 | { |
| 47 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| 48 | goto cleanup; |
| 49 | } |
| 50 | |
XiaokangQian | 16c61aa | 2021-09-27 09:30:17 +0000 | [diff] [blame] | 51 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 52 | ssl->in_msg[0] != hs_type ) |
| 53 | { |
XiaokangQian | 16c61aa | 2021-09-27 09:30:17 +0000 | [diff] [blame] | 54 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) ); |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 55 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, |
XiaokangQian | 05420b1 | 2021-09-29 08:46:37 +0000 | [diff] [blame] | 56 | MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 57 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 58 | goto cleanup; |
| 59 | } |
| 60 | |
XiaokangQian | 05420b1 | 2021-09-29 08:46:37 +0000 | [diff] [blame] | 61 | /* |
| 62 | * Jump handshake header (4 bytes, see Section 4 of RFC 8446). |
| 63 | * ... |
| 64 | * HandshakeType msg_type; |
| 65 | * uint24 length; |
| 66 | * ... |
| 67 | */ |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 68 | *buf = ssl->in_msg + 4; |
| 69 | *buflen = ssl->in_hslen - 4; |
| 70 | |
XiaokangQian | 6b226b0 | 2021-09-24 07:51:16 +0000 | [diff] [blame] | 71 | cleanup: |
| 72 | |
| 73 | return( ret ); |
| 74 | } |
| 75 | |
Jerry Yu | f443681 | 2021-08-26 22:59:56 +0800 | [diff] [blame] | 76 | int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, |
Jerry Yu | eecfbf0 | 2021-08-30 18:32:07 +0800 | [diff] [blame] | 77 | unsigned hs_type, |
| 78 | unsigned char **buf, |
Jerry Yu | 0c63af6 | 2021-09-02 12:59:12 +0800 | [diff] [blame] | 79 | size_t *buf_len ) |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 80 | { |
Jerry Yu | 1bc2c1f | 2021-09-01 12:57:29 +0800 | [diff] [blame] | 81 | /* |
| 82 | * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 ) |
| 83 | * ... |
| 84 | * HandshakeType msg_type; |
| 85 | * uint24 length; |
| 86 | * ... |
| 87 | */ |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 88 | *buf = ssl->out_msg + 4; |
Jerry Yu | 0c63af6 | 2021-09-02 12:59:12 +0800 | [diff] [blame] | 89 | *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4; |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 90 | |
| 91 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 92 | ssl->out_msg[0] = hs_type; |
| 93 | |
| 94 | return( 0 ); |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 95 | } |
| 96 | |
Jerry Yu | f443681 | 2021-08-26 22:59:56 +0800 | [diff] [blame] | 97 | int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl, |
Jerry Yu | eecfbf0 | 2021-08-30 18:32:07 +0800 | [diff] [blame] | 98 | size_t buf_len, |
| 99 | size_t msg_len ) |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 100 | { |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 101 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Jerry Yu | dbfb7bd | 2021-09-04 09:58:58 +0800 | [diff] [blame] | 102 | size_t msg_len_with_header; |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 103 | ((void) buf_len); |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 104 | |
Jerry Yu | 1bc2c1f | 2021-09-01 12:57:29 +0800 | [diff] [blame] | 105 | /* Add reserved 4 bytes for handshake header */ |
Jerry Yu | dbfb7bd | 2021-09-04 09:58:58 +0800 | [diff] [blame] | 106 | msg_len_with_header = msg_len + 4; |
| 107 | ssl->out_msglen = msg_len_with_header; |
Jerry Yu | 2c0fbf3 | 2021-09-02 13:53:46 +0800 | [diff] [blame] | 108 | MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) ); |
Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 109 | |
| 110 | cleanup: |
| 111 | return( ret ); |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 112 | } |
| 113 | |
Jerry Yu | 4836952 | 2021-09-18 16:09:01 +0800 | [diff] [blame] | 114 | void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, |
| 115 | unsigned hs_type, |
| 116 | unsigned char const *msg, |
| 117 | size_t msg_len ) |
Jerry Yu | 7bea4ba | 2021-09-09 15:06:18 +0800 | [diff] [blame] | 118 | { |
| 119 | mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len ); |
| 120 | ssl->handshake->update_checksum( ssl, msg, msg_len ); |
| 121 | } |
| 122 | |
Jerry Yu | f443681 | 2021-08-26 22:59:56 +0800 | [diff] [blame] | 123 | void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, |
Jerry Yu | eecfbf0 | 2021-08-30 18:32:07 +0800 | [diff] [blame] | 124 | unsigned hs_type, |
| 125 | size_t total_hs_len ) |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 126 | { |
| 127 | unsigned char hs_hdr[4]; |
| 128 | |
| 129 | /* Build HS header for checksum update. */ |
Jerry Yu | 2ac6419 | 2021-08-26 18:38:58 +0800 | [diff] [blame] | 130 | hs_hdr[0] = MBEDTLS_BYTE_0( hs_type ); |
| 131 | hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); |
| 132 | hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len ); |
| 133 | hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len ); |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 134 | |
| 135 | ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) ); |
| 136 | } |
| 137 | |
Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 138 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 139 | |
| 140 | /* |
Jerry Yu | e41dec0 | 2021-08-31 10:57:07 +0800 | [diff] [blame] | 141 | * mbedtls_ssl_tls13_write_sig_alg_ext( ) |
Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 142 | * |
| 143 | * enum { |
| 144 | * .... |
| 145 | * ecdsa_secp256r1_sha256( 0x0403 ), |
| 146 | * ecdsa_secp384r1_sha384( 0x0503 ), |
| 147 | * ecdsa_secp521r1_sha512( 0x0603 ), |
| 148 | * .... |
| 149 | * } SignatureScheme; |
| 150 | * |
| 151 | * struct { |
| 152 | * SignatureScheme supported_signature_algorithms<2..2^16-2>; |
| 153 | * } SignatureSchemeList; |
| 154 | * |
| 155 | * Only if we handle at least one key exchange that needs signatures. |
| 156 | */ |
Jerry Yu | e41dec0 | 2021-08-31 10:57:07 +0800 | [diff] [blame] | 157 | int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, |
| 158 | unsigned char *buf, |
| 159 | unsigned char *end, |
| 160 | size_t *olen ) |
Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 161 | { |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 162 | unsigned char *p = buf; |
Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 163 | unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */ |
| 164 | size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 165 | |
Jerry Yu | 7533635 | 2021-09-01 15:59:36 +0800 | [diff] [blame] | 166 | *olen = 0; |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 167 | |
| 168 | /* Skip the extension on the client if all allowed key exchanges |
| 169 | * are PSK-based. */ |
| 170 | #if defined(MBEDTLS_SSL_CLI_C) |
| 171 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && |
| 172 | !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) |
| 173 | { |
| 174 | return( 0 ); |
| 175 | } |
| 176 | #endif /* MBEDTLS_SSL_CLI_C */ |
| 177 | |
| 178 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) ); |
| 179 | |
Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 180 | /* Check if we have space for header and length field: |
| 181 | * - extension_type (2 bytes) |
| 182 | * - extension_data_length (2 bytes) |
| 183 | * - supported_signature_algorithms_length (2 bytes) |
| 184 | */ |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 185 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); |
| 186 | p += 6; |
| 187 | |
| 188 | /* |
| 189 | * Write supported_signature_algorithms |
| 190 | */ |
Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 191 | supported_sig_alg_ptr = p; |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 192 | for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs; |
| 193 | *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ ) |
| 194 | { |
| 195 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
| 196 | MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 ); |
| 197 | p += 2; |
| 198 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) ); |
| 199 | } |
| 200 | |
Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 201 | /* Length of supported_signature_algorithms */ |
| 202 | supported_sig_alg_len = p - supported_sig_alg_ptr; |
| 203 | if( supported_sig_alg_len == 0 ) |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 204 | { |
| 205 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) ); |
| 206 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 207 | } |
| 208 | |
| 209 | /* Write extension_type */ |
| 210 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 ); |
| 211 | /* Write extension_data_length */ |
Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 212 | MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 ); |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 213 | /* Write length of supported_signature_algorithms */ |
Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 214 | MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 ); |
Jerry Yu | 7236994 | 2021-08-31 15:41:21 +0800 | [diff] [blame] | 215 | |
| 216 | /* Output the total length of signature algorithms extension. */ |
| 217 | *olen = p - buf; |
| 218 | |
| 219 | ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; |
Jerry Yu | 7533635 | 2021-09-01 15:59:36 +0800 | [diff] [blame] | 220 | return( 0 ); |
Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 221 | } |
| 222 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 223 | /* |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 224 | * STATE HANDLING: Read CertificateVerify |
| 225 | */ |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 226 | /* Macro to express the maximum length of the verify structure. |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 227 | * |
| 228 | * The structure is computed per TLS 1.3 specification as: |
| 229 | * - 64 bytes of octet 32, |
| 230 | * - 33 bytes for the context string |
| 231 | * (which is either "TLS 1.3, client CertificateVerify" |
| 232 | * or "TLS 1.3, server CertificateVerify"), |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 233 | * - 1 byte for the octet 0x0, which serves as a separator, |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 234 | * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate) |
| 235 | * (depending on the size of the transcript_hash) |
| 236 | * |
| 237 | * This results in a total size of |
| 238 | * - 130 bytes for a SHA256-based transcript hash, or |
| 239 | * (64 + 33 + 1 + 32 bytes) |
| 240 | * - 146 bytes for a SHA384-based transcript hash. |
| 241 | * (64 + 33 + 1 + 48 bytes) |
| 242 | * |
| 243 | */ |
Jerry Yu | 26c2d11 | 2021-10-25 12:42:58 +0800 | [diff] [blame] | 244 | #define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \ |
| 245 | 33 + \ |
| 246 | 1 + \ |
| 247 | MBEDTLS_TLS1_3_MD_MAX_SIZE \ |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 248 | ) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 249 | |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 250 | /* |
| 251 | * The ssl_tls13_create_verify_structure() creates the verify structure. |
| 252 | * As input, it requires the transcript hash. |
| 253 | * |
| 254 | * The caller has to ensure that the buffer has size at least |
| 255 | * SSL_VERIFY_STRUCT_MAX_SIZE bytes. |
| 256 | */ |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 257 | static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash, |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 258 | size_t transcript_hash_len, |
| 259 | unsigned char *verify_buffer, |
| 260 | size_t *verify_buffer_len, |
| 261 | int from ) |
| 262 | { |
| 263 | size_t idx; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 264 | |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 265 | /* RFC 8446, Section 4.4.3: |
| 266 | * |
| 267 | * The digital signature [in the CertificateVerify message] is then |
| 268 | * computed over the concatenation of: |
| 269 | * - A string that consists of octet 32 (0x20) repeated 64 times |
| 270 | * - The context string |
| 271 | * - A single 0 byte which serves as the separator |
| 272 | * - The content to be signed |
| 273 | */ |
| 274 | memset( verify_buffer, 0x20, 64 ); |
| 275 | idx = 64; |
| 276 | |
| 277 | if( from == MBEDTLS_SSL_IS_CLIENT ) |
| 278 | { |
| 279 | memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) ); |
| 280 | idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv ); |
| 281 | } |
| 282 | else |
| 283 | { /* from == MBEDTLS_SSL_IS_SERVER */ |
| 284 | memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) ); |
| 285 | idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv ); |
| 286 | } |
| 287 | |
| 288 | verify_buffer[idx++] = 0x0; |
| 289 | |
| 290 | memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len ); |
| 291 | idx += transcript_hash_len; |
| 292 | |
| 293 | *verify_buffer_len = idx; |
| 294 | } |
| 295 | |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 296 | static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl, |
| 297 | uint16_t sig_alg ) |
Jerry Yu | 982d9e5 | 2021-10-14 15:59:37 +0800 | [diff] [blame] | 298 | { |
| 299 | const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs; |
| 300 | |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 301 | for( ; *tls13_sig_alg != MBEDTLS_TLS13_SIG_NONE ; tls13_sig_alg++ ) |
Jerry Yu | 982d9e5 | 2021-10-14 15:59:37 +0800 | [diff] [blame] | 302 | { |
| 303 | if( *tls13_sig_alg == sig_alg ) |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 304 | return( 1 ); |
Jerry Yu | 982d9e5 | 2021-10-14 15:59:37 +0800 | [diff] [blame] | 305 | } |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 306 | return( 0 ); |
Jerry Yu | 982d9e5 | 2021-10-14 15:59:37 +0800 | [diff] [blame] | 307 | } |
| 308 | |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 309 | static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl, |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 310 | const unsigned char *buf, |
| 311 | const unsigned char *end, |
| 312 | const unsigned char *verify_buffer, |
| 313 | size_t verify_buffer_len ) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 314 | { |
| 315 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 316 | const unsigned char *p = buf; |
| 317 | uint16_t algorithm; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 318 | size_t signature_len; |
| 319 | mbedtls_pk_type_t sig_alg; |
| 320 | mbedtls_md_type_t md_alg; |
Jerry Yu | d0fc585 | 2021-10-29 11:09:06 +0800 | [diff] [blame] | 321 | unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE]; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 322 | size_t verify_hash_len; |
| 323 | |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 324 | void const *opts_ptr = NULL; |
| 325 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
| 326 | mbedtls_pk_rsassa_pss_options opts; |
| 327 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
| 328 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 329 | /* |
| 330 | * struct { |
| 331 | * SignatureScheme algorithm; |
| 332 | * opaque signature<0..2^16-1>; |
| 333 | * } CertificateVerify; |
| 334 | */ |
| 335 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); |
| 336 | algorithm = MBEDTLS_GET_UINT16_BE( p, 0 ); |
| 337 | p += 2; |
| 338 | |
| 339 | /* RFC 8446 section 4.4.3 |
| 340 | * |
| 341 | * If the CertificateVerify message is sent by a server, the signature algorithm |
| 342 | * MUST be one offered in the client's "signature_algorithms" extension unless |
| 343 | * no valid certificate chain can be produced without unsupported algorithms |
| 344 | * |
| 345 | * RFC 8446 section 4.4.2.2 |
| 346 | * |
| 347 | * If the client cannot construct an acceptable chain using the provided |
| 348 | * certificates and decides to abort the handshake, then it MUST abort the handshake |
| 349 | * with an appropriate certificate-related alert (by default, "unsupported_certificate"). |
| 350 | * |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 351 | * Check if algorithm is an offered signature algorithm. |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 352 | */ |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 353 | if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) ) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 354 | { |
Jerry Yu | 982d9e5 | 2021-10-14 15:59:37 +0800 | [diff] [blame] | 355 | /* algorithm not in offered signature algorithms list */ |
| 356 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not " |
| 357 | "offered.", |
| 358 | ( unsigned int ) algorithm ) ); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 359 | goto error; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 360 | } |
| 361 | |
| 362 | /* We currently only support ECDSA-based signatures */ |
| 363 | switch( algorithm ) |
| 364 | { |
| 365 | case MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256: |
| 366 | md_alg = MBEDTLS_MD_SHA256; |
| 367 | sig_alg = MBEDTLS_PK_ECDSA; |
| 368 | break; |
| 369 | case MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384: |
| 370 | md_alg = MBEDTLS_MD_SHA384; |
| 371 | sig_alg = MBEDTLS_PK_ECDSA; |
| 372 | break; |
| 373 | case MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512: |
| 374 | md_alg = MBEDTLS_MD_SHA512; |
| 375 | sig_alg = MBEDTLS_PK_ECDSA; |
| 376 | break; |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 377 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
| 378 | case MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256: |
XiaokangQian | a83014d | 2021-11-22 07:53:34 +0000 | [diff] [blame^] | 379 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) ); |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 380 | md_alg = MBEDTLS_MD_SHA256; |
| 381 | sig_alg = MBEDTLS_PK_RSASSA_PSS; |
| 382 | break; |
| 383 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
XiaokangQian | a83014d | 2021-11-22 07:53:34 +0000 | [diff] [blame^] | 384 | case MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA256: |
| 385 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PKCS1 V1.5" ) ); |
| 386 | md_alg = MBEDTLS_MD_SHA256; |
| 387 | sig_alg = MBEDTLS_PK_RSA; |
| 388 | break; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 389 | default: |
| 390 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 391 | goto error; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 392 | } |
| 393 | |
| 394 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )", |
| 395 | ( unsigned int ) algorithm ) ); |
| 396 | |
| 397 | /* |
| 398 | * Check the certificate's key type matches the signature alg |
| 399 | */ |
| 400 | if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) ) |
| 401 | { |
| 402 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) ); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 403 | goto error; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 404 | } |
| 405 | |
| 406 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); |
| 407 | signature_len = MBEDTLS_GET_UINT16_BE( p, 0 ); |
| 408 | p += 2; |
| 409 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len ); |
| 410 | |
| 411 | /* Hash verify buffer with indicated hash function */ |
| 412 | switch( md_alg ) |
| 413 | { |
| 414 | #if defined(MBEDTLS_SHA256_C) |
| 415 | case MBEDTLS_MD_SHA256: |
| 416 | verify_hash_len = 32; |
Jerry Yu | 133690c | 2021-10-25 14:01:13 +0800 | [diff] [blame] | 417 | ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 418 | break; |
| 419 | #endif /* MBEDTLS_SHA256_C */ |
| 420 | |
| 421 | #if defined(MBEDTLS_SHA384_C) |
| 422 | case MBEDTLS_MD_SHA384: |
| 423 | verify_hash_len = 48; |
Jerry Yu | 133690c | 2021-10-25 14:01:13 +0800 | [diff] [blame] | 424 | ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 425 | break; |
| 426 | #endif /* MBEDTLS_SHA384_C */ |
| 427 | |
| 428 | #if defined(MBEDTLS_SHA512_C) |
| 429 | case MBEDTLS_MD_SHA512: |
| 430 | verify_hash_len = 64; |
Jerry Yu | 133690c | 2021-10-25 14:01:13 +0800 | [diff] [blame] | 431 | ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 432 | break; |
| 433 | #endif /* MBEDTLS_SHA512_C */ |
| 434 | |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 435 | default: |
| 436 | ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 437 | break; |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 438 | } |
| 439 | |
Jerry Yu | 133690c | 2021-10-25 14:01:13 +0800 | [diff] [blame] | 440 | if( ret != 0 ) |
| 441 | { |
| 442 | MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret ); |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 443 | goto error; |
Jerry Yu | 133690c | 2021-10-25 14:01:13 +0800 | [diff] [blame] | 444 | } |
| 445 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 446 | MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 447 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
| 448 | if( sig_alg == MBEDTLS_PK_RSASSA_PSS ) |
| 449 | { |
| 450 | const mbedtls_md_info_t* md_info; |
| 451 | opts.mgf1_hash_id = md_alg; |
| 452 | if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) |
| 453 | { |
| 454 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 455 | } |
| 456 | opts.expected_salt_len = mbedtls_md_get_size( md_info ); |
| 457 | opts_ptr = (const void*) &opts; |
| 458 | } |
| 459 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 460 | |
XiaokangQian | 82d34cc | 2021-11-03 08:51:56 +0000 | [diff] [blame] | 461 | if( ( ret = mbedtls_pk_verify_ext( sig_alg, opts_ptr, |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 462 | &ssl->session_negotiate->peer_cert->pk, |
| 463 | md_alg, verify_hash, verify_hash_len, |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 464 | p, signature_len ) ) == 0 ) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 465 | { |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 466 | return( 0 ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 467 | } |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 468 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 469 | |
Jerry Yu | 6f87f25 | 2021-10-29 20:12:51 +0800 | [diff] [blame] | 470 | error: |
| 471 | /* RFC 8446 section 4.4.3 |
| 472 | * |
| 473 | * If the verification fails, the receiver MUST terminate the handshake |
| 474 | * with a "decrypt_error" alert. |
| 475 | */ |
| 476 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, |
| 477 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| 478 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| 479 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 480 | } |
| 481 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 482 | |
| 483 | int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) |
| 484 | { |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 485 | |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 486 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 487 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 488 | unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; |
| 489 | size_t verify_buffer_len; |
| 490 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
| 491 | size_t transcript_len; |
| 492 | unsigned char *buf; |
| 493 | size_t buf_len; |
| 494 | |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 495 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| 496 | |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 497 | MBEDTLS_SSL_PROC_CHK( |
| 498 | mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl, |
| 499 | MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 500 | |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 501 | /* Need to calculate the hash of the transcript first |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 502 | * before reading the message since otherwise it gets |
| 503 | * included in the transcript |
| 504 | */ |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 505 | ret = mbedtls_ssl_get_handshake_transcript( ssl, |
| 506 | ssl->handshake->ciphersuite_info->mac, |
| 507 | transcript, sizeof( transcript ), |
| 508 | &transcript_len ); |
| 509 | if( ret != 0 ) |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 510 | { |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 511 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 512 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, |
| 513 | MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 514 | return( ret ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 515 | } |
| 516 | |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 517 | MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len ); |
| 518 | |
| 519 | /* Create verify structure */ |
| 520 | ssl_tls13_create_verify_structure( transcript, |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 521 | transcript_len, |
| 522 | verify_buffer, |
| 523 | &verify_buffer_len, |
| 524 | ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ? |
| 525 | MBEDTLS_SSL_IS_SERVER : |
| 526 | MBEDTLS_SSL_IS_CLIENT ); |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 527 | |
| 528 | /* Process the message contents */ |
Jerry Yu | 0b32c50 | 2021-10-28 13:41:59 +0800 | [diff] [blame] | 529 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf, |
| 530 | buf + buf_len, verify_buffer, verify_buffer_len ) ); |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 531 | |
| 532 | mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, |
| 533 | MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 534 | |
| 535 | cleanup: |
| 536 | |
| 537 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); |
Jerry Yu | 5398c10 | 2021-11-05 13:32:38 +0800 | [diff] [blame] | 538 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret ); |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 539 | return( ret ); |
Jerry Yu | da8cdf2 | 2021-10-25 15:06:49 +0800 | [diff] [blame] | 540 | #else |
| 541 | ((void) ssl); |
| 542 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 543 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 544 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 545 | } |
| 546 | |
| 547 | /* |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 548 | * |
| 549 | * STATE HANDLING: Incoming Certificate, client-side only currently. |
| 550 | * |
| 551 | */ |
| 552 | |
| 553 | /* |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 554 | * Implementation |
| 555 | */ |
| 556 | |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 557 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| 558 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 559 | /* |
| 560 | * Structure of Certificate message: |
| 561 | * |
| 562 | * enum { |
| 563 | * X509(0), |
| 564 | * RawPublicKey(2), |
| 565 | * (255) |
| 566 | * } CertificateType; |
| 567 | * |
| 568 | * struct { |
| 569 | * select (certificate_type) { |
| 570 | * case RawPublicKey: |
| 571 | * * From RFC 7250 ASN.1_subjectPublicKeyInfo * |
| 572 | * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; |
| 573 | * case X509: |
| 574 | * opaque cert_data<1..2^24-1>; |
| 575 | * }; |
| 576 | * Extension extensions<0..2^16-1>; |
| 577 | * } CertificateEntry; |
| 578 | * |
| 579 | * struct { |
| 580 | * opaque certificate_request_context<0..2^8-1>; |
| 581 | * CertificateEntry certificate_list<0..2^24-1>; |
| 582 | * } Certificate; |
| 583 | * |
| 584 | */ |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 585 | |
| 586 | /* Parse certificate chain send by the server. */ |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 587 | static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, |
| 588 | const unsigned char *buf, |
| 589 | const unsigned char *end ) |
| 590 | { |
| 591 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 592 | size_t certificate_request_context_len = 0; |
| 593 | size_t certificate_list_len = 0; |
| 594 | const unsigned char *p = buf; |
| 595 | const unsigned char *certificate_list_end; |
| 596 | |
| 597 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 ); |
| 598 | certificate_request_context_len = p[0]; |
Jerry Yu | b640bf6 | 2021-10-29 10:05:32 +0800 | [diff] [blame] | 599 | certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 ); |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 600 | p += 4; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 601 | |
| 602 | /* In theory, the certificate list can be up to 2^24 Bytes, but we don't |
| 603 | * support anything beyond 2^16 = 64K. |
| 604 | */ |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 605 | if( ( certificate_request_context_len != 0 ) || |
| 606 | ( certificate_list_len >= 0x10000 ) ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 607 | { |
| 608 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); |
| 609 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 610 | MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 611 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 612 | } |
| 613 | |
| 614 | /* In case we tried to reuse a session but it failed */ |
| 615 | if( ssl->session_negotiate->peer_cert != NULL ) |
| 616 | { |
| 617 | mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); |
| 618 | mbedtls_free( ssl->session_negotiate->peer_cert ); |
| 619 | } |
| 620 | |
| 621 | if( ( ssl->session_negotiate->peer_cert = |
| 622 | mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL ) |
| 623 | { |
| 624 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed", |
| 625 | sizeof( mbedtls_x509_crt ) ) ); |
| 626 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, |
| 627 | MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| 628 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| 629 | } |
| 630 | |
| 631 | mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); |
| 632 | |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 633 | certificate_list_end = p + certificate_list_len; |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 634 | while( p < certificate_list_end ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 635 | { |
| 636 | size_t cert_data_len, extensions_len; |
| 637 | |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 638 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 ); |
Xiaofei Bai | f93cbd2 | 2021-10-29 02:39:30 +0000 | [diff] [blame] | 639 | cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 ); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 640 | p += 3; |
| 641 | |
| 642 | /* In theory, the CRT can be up to 2^24 Bytes, but we don't support |
| 643 | * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code, |
| 644 | * check that we have a minimum of 128 bytes of data, this is not |
| 645 | * clear why we need that though. |
| 646 | */ |
| 647 | if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) ) |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 648 | { |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 649 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) ); |
| 650 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 651 | MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 652 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 653 | } |
| 654 | |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 655 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len ); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 656 | ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, |
| 657 | p, cert_data_len ); |
| 658 | |
| 659 | switch( ret ) |
| 660 | { |
| 661 | case 0: /*ok*/ |
| 662 | break; |
| 663 | case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: |
| 664 | /* Ignore certificate with an unknown algorithm: maybe a |
| 665 | prior certificate was already trusted. */ |
| 666 | break; |
| 667 | |
| 668 | case MBEDTLS_ERR_X509_ALLOC_FAILED: |
| 669 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, |
| 670 | MBEDTLS_ERR_X509_ALLOC_FAILED ); |
| 671 | MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); |
| 672 | return( ret ); |
| 673 | |
| 674 | case MBEDTLS_ERR_X509_UNKNOWN_VERSION: |
| 675 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, |
| 676 | MBEDTLS_ERR_X509_UNKNOWN_VERSION ); |
| 677 | MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); |
| 678 | return( ret ); |
| 679 | |
| 680 | default: |
| 681 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, |
| 682 | ret ); |
| 683 | MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); |
| 684 | return( ret ); |
| 685 | } |
| 686 | |
| 687 | p += cert_data_len; |
| 688 | |
| 689 | /* Certificate extensions length */ |
| 690 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 ); |
| 691 | extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); |
| 692 | p += 2; |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 693 | MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 694 | p += extensions_len; |
| 695 | } |
| 696 | |
| 697 | /* Check that all the message is consumed. */ |
| 698 | if( p != end ) |
| 699 | { |
| 700 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) ); |
| 701 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ |
| 702 | MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 703 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 704 | } |
| 705 | |
| 706 | MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); |
| 707 | |
| 708 | return( ret ); |
| 709 | } |
| 710 | #else |
| 711 | static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, |
| 712 | const unsigned char *buf, |
| 713 | const unsigned char *end ) |
| 714 | { |
| 715 | ((void) ssl); |
| 716 | ((void) buf); |
| 717 | ((void) end); |
| 718 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| 719 | } |
| 720 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 721 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| 722 | |
| 723 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| 724 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 725 | /* Validate certificate chain sent by the server. */ |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 726 | static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) |
| 727 | { |
| 728 | int ret = 0; |
| 729 | mbedtls_x509_crt *ca_chain; |
| 730 | mbedtls_x509_crl *ca_crl; |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 731 | uint32_t verify_result = 0; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 732 | |
| 733 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 734 | if( ssl->handshake->sni_ca_chain != NULL ) |
| 735 | { |
| 736 | ca_chain = ssl->handshake->sni_ca_chain; |
| 737 | ca_crl = ssl->handshake->sni_ca_crl; |
| 738 | } |
| 739 | else |
| 740 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| 741 | { |
| 742 | ca_chain = ssl->conf->ca_chain; |
| 743 | ca_crl = ssl->conf->ca_crl; |
| 744 | } |
| 745 | |
| 746 | /* |
| 747 | * Main check: verify certificate |
| 748 | */ |
| 749 | ret = mbedtls_x509_crt_verify_with_profile( |
| 750 | ssl->session_negotiate->peer_cert, |
| 751 | ca_chain, ca_crl, |
| 752 | ssl->conf->cert_profile, |
| 753 | ssl->hostname, |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 754 | &verify_result, |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 755 | ssl->conf->f_vrfy, ssl->conf->p_vrfy ); |
| 756 | |
| 757 | if( ret != 0 ) |
| 758 | { |
| 759 | MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); |
| 760 | } |
| 761 | |
| 762 | /* |
| 763 | * Secondary checks: always done, but change 'ret' only if it was 0 |
| 764 | */ |
| 765 | |
| 766 | #if defined(MBEDTLS_ECP_C) |
| 767 | { |
| 768 | const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; |
| 769 | |
| 770 | /* If certificate uses an EC key, make sure the curve is OK */ |
| 771 | if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && |
| 772 | mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) |
| 773 | { |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 774 | verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 775 | |
| 776 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) ); |
| 777 | if( ret == 0 ) |
| 778 | ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
| 779 | } |
| 780 | } |
| 781 | #endif /* MBEDTLS_ECP_C */ |
| 782 | |
| 783 | if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, |
| 784 | ssl->handshake->ciphersuite_info, |
| 785 | !ssl->conf->endpoint, |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 786 | &verify_result ) != 0 ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 787 | { |
| 788 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) ); |
| 789 | if( ret == 0 ) |
| 790 | ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
| 791 | } |
| 792 | |
| 793 | |
| 794 | if( ca_chain == NULL ) |
| 795 | { |
| 796 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); |
| 797 | ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; |
| 798 | } |
| 799 | |
| 800 | if( ret != 0 ) |
| 801 | { |
| 802 | /* The certificate may have been rejected for several reasons. |
| 803 | Pick one and send the corresponding alert. Which alert to send |
| 804 | may be a subject of debate in some cases. */ |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 805 | if( verify_result & MBEDTLS_X509_BADCERT_OTHER ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 806 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret ); |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 807 | else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 808 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret ); |
Xiaofei Bai | f93cbd2 | 2021-10-29 02:39:30 +0000 | [diff] [blame] | 809 | else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE | |
| 810 | MBEDTLS_X509_BADCERT_EXT_KEY_USAGE | |
| 811 | MBEDTLS_X509_BADCERT_NS_CERT_TYPE | |
| 812 | MBEDTLS_X509_BADCERT_BAD_PK | |
| 813 | MBEDTLS_X509_BADCERT_BAD_KEY ) ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 814 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 815 | else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 816 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret ); |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 817 | else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 818 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret ); |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 819 | else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 820 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret ); |
| 821 | else |
| 822 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret ); |
| 823 | } |
| 824 | |
| 825 | #if defined(MBEDTLS_DEBUG_C) |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 826 | if( verify_result != 0 ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 827 | { |
| 828 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x", |
Jerry Yu | 83bb131 | 2021-10-28 22:16:33 +0800 | [diff] [blame] | 829 | (unsigned int) verify_result ) ); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 830 | } |
| 831 | else |
| 832 | { |
| 833 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); |
| 834 | } |
| 835 | #endif /* MBEDTLS_DEBUG_C */ |
| 836 | |
Xiaofei Bai | ff45602 | 2021-10-28 06:50:17 +0000 | [diff] [blame] | 837 | ssl->session_negotiate->verify_result = verify_result; |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 838 | return( ret ); |
| 839 | } |
| 840 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 841 | static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) |
| 842 | { |
| 843 | ((void) ssl); |
| 844 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| 845 | } |
| 846 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 847 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| 848 | |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 849 | int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ) |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 850 | { |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 851 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 852 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); |
| 853 | |
| 854 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| 855 | unsigned char *buf; |
| 856 | size_t buf_len; |
| 857 | |
| 858 | MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( |
| 859 | ssl, MBEDTLS_SSL_HS_CERTIFICATE, |
| 860 | &buf, &buf_len ) ); |
| 861 | |
| 862 | /* Parse the certificate chain sent by the peer. */ |
| 863 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) ); |
| 864 | /* Validate the certificate chain and set the verification results. */ |
| 865 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) ); |
| 866 | |
| 867 | mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE, |
| 868 | buf, buf_len ); |
| 869 | |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 870 | cleanup: |
| 871 | |
| 872 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); |
Xiaofei Bai | 10aeec0 | 2021-10-26 09:50:08 +0000 | [diff] [blame] | 873 | #else |
| 874 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 875 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 876 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
Xiaofei Bai | 79595ac | 2021-10-26 07:16:45 +0000 | [diff] [blame] | 877 | return( ret ); |
Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 878 | } |
| 879 | |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 880 | /* |
| 881 | * |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 882 | * STATE HANDLING: Incoming Finished message. |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 883 | */ |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 884 | /* |
| 885 | * Implementation |
| 886 | */ |
| 887 | |
XiaokangQian | aaa0e19 | 2021-11-10 03:07:04 +0000 | [diff] [blame] | 888 | static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl ) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 889 | { |
| 890 | int ret; |
| 891 | |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 892 | ret = mbedtls_ssl_tls13_calculate_verify_data( ssl, |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 893 | ssl->handshake->state_local.finished_in.digest, |
| 894 | sizeof( ssl->handshake->state_local.finished_in.digest ), |
| 895 | &ssl->handshake->state_local.finished_in.digest_len, |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 896 | ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ? |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 897 | MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 898 | if( ret != 0 ) |
| 899 | { |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 900 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 901 | return( ret ); |
| 902 | } |
| 903 | |
| 904 | return( 0 ); |
| 905 | } |
| 906 | |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 907 | static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl, |
| 908 | const unsigned char *buf, |
| 909 | const unsigned char *end ) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 910 | { |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 911 | /* |
| 912 | * struct { |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 913 | * opaque verify_data[Hash.length]; |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 914 | * } Finished; |
| 915 | */ |
| 916 | const unsigned char *expected_verify_data = |
| 917 | ssl->handshake->state_local.finished_in.digest; |
| 918 | size_t expected_verify_data_len = |
| 919 | ssl->handshake->state_local.finished_in.digest_len; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 920 | /* Structural validation */ |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 921 | if( (size_t)( end - buf ) != expected_verify_data_len ) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 922 | { |
| 923 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); |
| 924 | |
| 925 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 926 | MBEDTLS_ERR_SSL_DECODE_ERROR ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 927 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 928 | } |
| 929 | |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 930 | MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):", |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 931 | expected_verify_data, |
| 932 | expected_verify_data_len ); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 933 | MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf, |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 934 | expected_verify_data_len ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 935 | |
| 936 | /* Semantic validation */ |
Gabor Mezei | 685472b | 2021-11-24 11:17:36 +0100 | [diff] [blame] | 937 | if( mbedtls_ct_memcmp( buf, |
| 938 | expected_verify_data, |
| 939 | expected_verify_data_len ) != 0 ) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 940 | { |
| 941 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); |
| 942 | |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 943 | MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 944 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 945 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| 946 | } |
| 947 | return( 0 ); |
| 948 | } |
| 949 | |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 950 | #if defined(MBEDTLS_SSL_CLI_C) |
XiaokangQian | aaa0e19 | 2021-11-10 03:07:04 +0000 | [diff] [blame] | 951 | static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl ) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 952 | { |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 953 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 954 | mbedtls_ssl_key_set traffic_keys; |
XiaokangQian | 1aef02e | 2021-10-28 09:54:34 +0000 | [diff] [blame] | 955 | mbedtls_ssl_transform *transform_application = NULL; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 956 | |
XiaokangQian | 4cab024 | 2021-10-12 08:43:37 +0000 | [diff] [blame] | 957 | ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 958 | if( ret != 0 ) |
| 959 | { |
| 960 | MBEDTLS_SSL_DEBUG_RET( 1, |
XiaokangQian | 4cab024 | 2021-10-12 08:43:37 +0000 | [diff] [blame] | 961 | "mbedtls_ssl_tls13_key_schedule_stage_application", ret ); |
XiaokangQian | 61bdbbc | 2021-10-28 08:03:38 +0000 | [diff] [blame] | 962 | goto cleanup; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 963 | } |
| 964 | |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 965 | ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 966 | if( ret != 0 ) |
| 967 | { |
| 968 | MBEDTLS_SSL_DEBUG_RET( 1, |
XiaokangQian | d0aa3e9 | 2021-11-10 06:17:40 +0000 | [diff] [blame] | 969 | "mbedtls_ssl_tls13_generate_application_keys", ret ); |
XiaokangQian | 61bdbbc | 2021-10-28 08:03:38 +0000 | [diff] [blame] | 970 | goto cleanup; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 971 | } |
| 972 | |
| 973 | transform_application = |
| 974 | mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); |
| 975 | if( transform_application == NULL ) |
XiaokangQian | 61bdbbc | 2021-10-28 08:03:38 +0000 | [diff] [blame] | 976 | { |
| 977 | ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| 978 | goto cleanup; |
| 979 | } |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 980 | |
| 981 | ret = mbedtls_ssl_tls13_populate_transform( |
| 982 | transform_application, |
| 983 | ssl->conf->endpoint, |
| 984 | ssl->session_negotiate->ciphersuite, |
| 985 | &traffic_keys, |
| 986 | ssl ); |
| 987 | if( ret != 0 ) |
| 988 | { |
| 989 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); |
XiaokangQian | 61bdbbc | 2021-10-28 08:03:38 +0000 | [diff] [blame] | 990 | goto cleanup; |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 991 | } |
| 992 | |
| 993 | ssl->transform_application = transform_application; |
| 994 | |
XiaokangQian | 61bdbbc | 2021-10-28 08:03:38 +0000 | [diff] [blame] | 995 | cleanup: |
| 996 | |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 997 | mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 998 | if( ret != 0 ) |
XiaokangQian | 1aef02e | 2021-10-28 09:54:34 +0000 | [diff] [blame] | 999 | { |
| 1000 | mbedtls_free( transform_application ); |
| 1001 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 1002 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
| 1003 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| 1004 | } |
XiaokangQian | 61bdbbc | 2021-10-28 08:03:38 +0000 | [diff] [blame] | 1005 | return( ret ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1006 | } |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 1007 | #endif /* MBEDTLS_SSL_CLI_C */ |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1008 | |
XiaokangQian | cc90c94 | 2021-11-09 12:30:09 +0000 | [diff] [blame] | 1009 | static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl ) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1010 | { |
| 1011 | |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 1012 | #if defined(MBEDTLS_SSL_CLI_C) |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1013 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) |
| 1014 | { |
XiaokangQian | aaa0e19 | 2021-11-10 03:07:04 +0000 | [diff] [blame] | 1015 | return( ssl_tls13_postprocess_server_finished_message( ssl ) ); |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1016 | } |
XiaokangQian | c13f935 | 2021-11-11 06:13:22 +0000 | [diff] [blame] | 1017 | #else |
| 1018 | ((void) ssl); |
| 1019 | #endif /* MBEDTLS_SSL_CLI_C */ |
XiaokangQian | aa5f5c1 | 2021-09-18 06:20:25 +0000 | [diff] [blame] | 1020 | |
| 1021 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 1022 | } |
| 1023 | |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1024 | int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ) |
| 1025 | { |
XiaokangQian | 3306284 | 2021-11-11 03:37:45 +0000 | [diff] [blame] | 1026 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1027 | unsigned char *buf; |
| 1028 | size_t buflen; |
| 1029 | |
XiaokangQian | d0aa3e9 | 2021-11-10 06:17:40 +0000 | [diff] [blame] | 1030 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) ); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1031 | |
| 1032 | /* Preprocessing step: Compute handshake digest */ |
XiaokangQian | aaa0e19 | 2021-11-10 03:07:04 +0000 | [diff] [blame] | 1033 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) ); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1034 | |
| 1035 | MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl, |
| 1036 | MBEDTLS_SSL_HS_FINISHED, |
| 1037 | &buf, &buflen ) ); |
| 1038 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buflen ) ); |
| 1039 | mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( |
| 1040 | ssl, MBEDTLS_SSL_HS_FINISHED, buf, buflen ); |
XiaokangQian | aaa0e19 | 2021-11-10 03:07:04 +0000 | [diff] [blame] | 1041 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) ); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1042 | |
| 1043 | cleanup: |
| 1044 | |
XiaokangQian | d0aa3e9 | 2021-11-10 06:17:40 +0000 | [diff] [blame] | 1045 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) ); |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1046 | return( ret ); |
| 1047 | } |
| 1048 | |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1049 | /* |
| 1050 | * |
XiaokangQian | cc90c94 | 2021-11-09 12:30:09 +0000 | [diff] [blame] | 1051 | * STATE HANDLING: Write and send Finished message. |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1052 | * |
| 1053 | */ |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1054 | /* |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1055 | * Implement |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1056 | */ |
| 1057 | |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1058 | static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl ) |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1059 | { |
| 1060 | int ret; |
| 1061 | |
| 1062 | /* Compute transcript of handshake up to now. */ |
XiaokangQian | cc90c94 | 2021-11-09 12:30:09 +0000 | [diff] [blame] | 1063 | ret = mbedtls_ssl_tls13_calculate_verify_data( ssl, |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1064 | ssl->handshake->state_local.finished_out.digest, |
| 1065 | sizeof( ssl->handshake->state_local.finished_out.digest ), |
| 1066 | &ssl->handshake->state_local.finished_out.digest_len, |
| 1067 | ssl->conf->endpoint ); |
| 1068 | |
| 1069 | if( ret != 0 ) |
| 1070 | { |
XiaokangQian | 9ec8fcf | 2021-11-15 08:24:08 +0000 | [diff] [blame] | 1071 | MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret ); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1072 | return( ret ); |
| 1073 | } |
| 1074 | |
| 1075 | return( 0 ); |
| 1076 | } |
| 1077 | |
XiaokangQian | cc90c94 | 2021-11-09 12:30:09 +0000 | [diff] [blame] | 1078 | static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl ) |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1079 | { |
XiaokangQian | 0fa6643 | 2021-11-15 03:33:57 +0000 | [diff] [blame] | 1080 | // TODO: Add back resumption keys calculation after MVP. |
| 1081 | ((void) ssl); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1082 | |
| 1083 | return( 0 ); |
| 1084 | } |
| 1085 | |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1086 | static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl, |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1087 | unsigned char *buf, |
| 1088 | unsigned char *end, |
| 1089 | size_t *olen ) |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1090 | { |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1091 | size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len; |
XiaokangQian | 0fa6643 | 2021-11-15 03:33:57 +0000 | [diff] [blame] | 1092 | /* |
| 1093 | * struct { |
| 1094 | * opaque verify_data[Hash.length]; |
| 1095 | * } Finished; |
| 1096 | */ |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1097 | MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len ); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1098 | |
| 1099 | memcpy( buf, ssl->handshake->state_local.finished_out.digest, |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1100 | verify_data_len ); |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1101 | |
XiaokangQian | 8773aa0 | 2021-11-10 07:33:09 +0000 | [diff] [blame] | 1102 | *olen = verify_data_len; |
XiaokangQian | 74af2a8 | 2021-09-22 07:40:30 +0000 | [diff] [blame] | 1103 | return( 0 ); |
| 1104 | } |
XiaokangQian | c5c39d5 | 2021-11-09 11:55:10 +0000 | [diff] [blame] | 1105 | |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1106 | /* Main entry point: orchestrates the other functions */ |
| 1107 | int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl ) |
| 1108 | { |
| 1109 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1110 | unsigned char *buf; |
| 1111 | size_t buf_len, msg_len; |
| 1112 | |
| 1113 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) ); |
| 1114 | |
XiaokangQian | dce8224 | 2021-11-15 06:01:26 +0000 | [diff] [blame] | 1115 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) ); |
| 1116 | |
XiaokangQian | 35dc625 | 2021-11-11 08:16:19 +0000 | [diff] [blame] | 1117 | MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, |
| 1118 | MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) ); |
| 1119 | |
| 1120 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body( |
| 1121 | ssl, buf, buf + buf_len, &msg_len ) ); |
| 1122 | |
| 1123 | mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED, |
| 1124 | buf, msg_len ); |
| 1125 | |
| 1126 | MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) ); |
| 1127 | MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, |
| 1128 | buf_len, msg_len ) ); |
| 1129 | MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); |
| 1130 | |
| 1131 | cleanup: |
| 1132 | |
| 1133 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) ); |
| 1134 | return( ret ); |
| 1135 | } |
| 1136 | |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1137 | void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) |
| 1138 | { |
| 1139 | |
| 1140 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); |
| 1141 | |
| 1142 | /* |
Jerry Yu | cfe64f0 | 2021-11-15 13:54:06 +0800 | [diff] [blame] | 1143 | * Free the previous session and switch to the current one. |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1144 | */ |
| 1145 | if( ssl->session ) |
| 1146 | { |
Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 1147 | mbedtls_ssl_session_free( ssl->session ); |
| 1148 | mbedtls_free( ssl->session ); |
| 1149 | } |
| 1150 | ssl->session = ssl->session_negotiate; |
| 1151 | ssl->session_negotiate = NULL; |
| 1152 | |
| 1153 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); |
| 1154 | } |
| 1155 | |
Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 1156 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ |
| 1157 | |
| 1158 | #endif /* MBEDTLS_SSL_TLS_C */ |