TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 82f0a9a1dbd7761b5e600a0cc1bbe064cac0ea9a / . / library / ssl_tls13_generic.c
blob: 2f4d04e10fa9bd81a0383bc81d92e7adc78368c6 [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]24#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]25
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]26#include <string.h>
27
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]28#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]29#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]30#include "mbedtls/oid.h"
31#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]32#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]33#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]34
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]35#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]36#include "ssl_tls13_keys.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]37
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]38int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
39 unsigned hs_type,
40 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]41 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]42{
43 int ret;
44
45 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
46 {
47 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
48 goto cleanup;
49 }
50
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]51 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]52 ssl->in_msg[0] != hs_type )
53 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]54 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]55 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]56 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]57 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
58 goto cleanup;
59 }
60
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]61 /*
62 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
63 * ...
64 * HandshakeType msg_type;
65 * uint24 length;
66 * ...
67 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]68 *buf = ssl->in_msg + 4;
69 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]70
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]71cleanup:
72
73 return( ret );
74}
75
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]76int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]77 unsigned hs_type,
78 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]79 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]80{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]81 /*
82 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
83 * ...
84 * HandshakeType msg_type;
85 * uint24 length;
86 * ...
87 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]88 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]89 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]90
91 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
92 ssl->out_msg[0] = hs_type;
93
94 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]95}
96
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]97int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]98 size_t buf_len,
99 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]100{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]102 size_t msg_with_header_len;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]103 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]104
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]105 /* Add reserved 4 bytes for handshake header */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]106 msg_with_header_len = msg_len + 4;
107 ssl->out_msglen = msg_with_header_len;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]108 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]109
110cleanup:
111 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]112}
113
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]114void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
115 unsigned hs_type,
116 unsigned char const *msg,
117 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]118{
119 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
120 ssl->handshake->update_checksum( ssl, msg, msg_len );
121}
122
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]123void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]124 unsigned hs_type,
125 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]126{
127 unsigned char hs_hdr[4];
128
129 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]130 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
131 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
132 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
133 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]134
135 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
136}
137
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]138#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]139/* mbedtls_ssl_tls13_parse_sig_alg_ext()
140 *
141 * enum {
142 * ....
143 * ecdsa_secp256r1_sha256( 0x0403 ),
144 * ecdsa_secp384r1_sha384( 0x0503 ),
145 * ecdsa_secp521r1_sha512( 0x0603 ),
146 * ....
147 * } SignatureScheme;
148 *
149 * struct {
150 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
151 * } SignatureSchemeList;
152 */
153int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
154 const unsigned char *buf,
155 const unsigned char *end )
156{
157 const unsigned char *p = buf;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]158 size_t sig_algs_len = 0;
159 uint16_t *sig_algs;
160 const unsigned char *sig_algs_end;
161 uint16_t sig_alg;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]162 uint32_t common_idx = 0; /* iterate through received signature schemes list */
163
164 /* skip 2 bytes of signature algorithms length */
165 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]166 sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]167 p += 2;
168
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]169 sig_algs = mbedtls_calloc( MBEDTLS_SIG_ALGS_SIZE, sizeof( uint16_t ) );
170 if( sig_algs == NULL )
171 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]172
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]173 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, sig_algs_len );
174 sig_algs_end = p + sig_algs_len;
175 while( p < sig_algs_end && common_idx + 1 < MBEDTLS_SIG_ALGS_SIZE )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]176 {
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]177 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, sig_algs_end, 2 );
178 sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]179 p += 2;
180
181 MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]182 sig_alg ) );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]183
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]184 if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
185 mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]186 {
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]187 sig_algs[common_idx] = sig_alg;
188 common_idx += 1;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]189 }
190 }
191 /* Check that we consumed all the message. */
192 if( p != end )
193 {
194 MBEDTLS_SSL_DEBUG_MSG( 1,
195 ( "Signature algorithms extension length misaligned" ) );
196 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
197 MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]198 mbedtls_free( sig_algs );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]199 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
200 }
201
202 if( common_idx == 0 )
203 {
204 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
205 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
206 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]207 mbedtls_free( sig_algs );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]208 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
209 }
210
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame^]211 sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
212 ssl->handshake->sig_algs = sig_algs;
213 ssl->handshake->sig_algs_heap_allocated = 1;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]214 return( 0 );
215}
216
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]217/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]218 * STATE HANDLING: Read CertificateVerify
219 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]220/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]221 *
222 * The structure is computed per TLS 1.3 specification as:
223 * - 64 bytes of octet 32,
224 * - 33 bytes for the context string
225 * (which is either "TLS 1.3, client CertificateVerify"
226 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]227 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]228 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
229 * (depending on the size of the transcript_hash)
230 *
231 * This results in a total size of
232 * - 130 bytes for a SHA256-based transcript hash, or
233 * (64 + 33 + 1 + 32 bytes)
234 * - 146 bytes for a SHA384-based transcript hash.
235 * (64 + 33 + 1 + 48 bytes)
236 *
237 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]238#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
239 33 + \
240 1 + \
241 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]242 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]243
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]244/*
245 * The ssl_tls13_create_verify_structure() creates the verify structure.
246 * As input, it requires the transcript hash.
247 *
248 * The caller has to ensure that the buffer has size at least
249 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
250 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]251static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]252 size_t transcript_hash_len,
253 unsigned char *verify_buffer,
254 size_t *verify_buffer_len,
255 int from )
256{
257 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]258
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]259 /* RFC 8446, Section 4.4.3:
260 *
261 * The digital signature [in the CertificateVerify message] is then
262 * computed over the concatenation of:
263 * - A string that consists of octet 32 (0x20) repeated 64 times
264 * - The context string
265 * - A single 0 byte which serves as the separator
266 * - The content to be signed
267 */
268 memset( verify_buffer, 0x20, 64 );
269 idx = 64;
270
271 if( from == MBEDTLS_SSL_IS_CLIENT )
272 {
273 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
274 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
275 }
276 else
277 { /* from == MBEDTLS_SSL_IS_SERVER */
278 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
279 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
280 }
281
282 verify_buffer[idx++] = 0x0;
283
284 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
285 idx += transcript_hash_len;
286
287 *verify_buffer_len = idx;
288}
289
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]290static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]291 const unsigned char *buf,
292 const unsigned char *end,
293 const unsigned char *verify_buffer,
294 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]295{
296 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
297 const unsigned char *p = buf;
298 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]299 size_t signature_len;
300 mbedtls_pk_type_t sig_alg;
301 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]302 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]303 size_t verify_hash_len;
304
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]305 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]306#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]307 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]308#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
309
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]310 /*
311 * struct {
312 * SignatureScheme algorithm;
313 * opaque signature<0..2^16-1>;
314 * } CertificateVerify;
315 */
316 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
317 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
318 p += 2;
319
320 /* RFC 8446 section 4.4.3
321 *
322 * If the CertificateVerify message is sent by a server, the signature algorithm
323 * MUST be one offered in the client's "signature_algorithms" extension unless
324 * no valid certificate chain can be produced without unsupported algorithms
325 *
326 * RFC 8446 section 4.4.2.2
327 *
328 * If the client cannot construct an acceptable chain using the provided
329 * certificates and decides to abort the handshake, then it MUST abort the handshake
330 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
331 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]332 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]333 */
Jerry Yu24811fb2022-01-19 18:02:15 +0800[diff] [blame]334 if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]335 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]336 /* algorithm not in offered signature algorithms list */
337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
338 "offered.",
339 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]340 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]341 }
342
343 /* We currently only support ECDSA-based signatures */
344 switch( algorithm )
345 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]346 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]347 md_alg = MBEDTLS_MD_SHA256;
348 sig_alg = MBEDTLS_PK_ECDSA;
349 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]350 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]351 md_alg = MBEDTLS_MD_SHA384;
352 sig_alg = MBEDTLS_PK_ECDSA;
353 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]354 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]355 md_alg = MBEDTLS_MD_SHA512;
356 sig_alg = MBEDTLS_PK_ECDSA;
357 break;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]358#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Bai6dc90da2021-11-26 08:11:40 +0000[diff] [blame]359 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
XiaokangQiana83014d2021-11-22 07:53:34 +0000[diff] [blame]360 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]361 md_alg = MBEDTLS_MD_SHA256;
362 sig_alg = MBEDTLS_PK_RSASSA_PSS;
363 break;
364#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]365 default:
366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]367 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]368 }
369
370 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
371 ( unsigned int ) algorithm ) );
372
373 /*
374 * Check the certificate's key type matches the signature alg
375 */
376 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
377 {
378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]379 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]380 }
381
382 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
383 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
384 p += 2;
385 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
386
387 /* Hash verify buffer with indicated hash function */
388 switch( md_alg )
389 {
390#if defined(MBEDTLS_SHA256_C)
391 case MBEDTLS_MD_SHA256:
392 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]393 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]394 break;
395#endif /* MBEDTLS_SHA256_C */
396
397#if defined(MBEDTLS_SHA384_C)
398 case MBEDTLS_MD_SHA384:
399 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]400 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]401 break;
402#endif /* MBEDTLS_SHA384_C */
403
404#if defined(MBEDTLS_SHA512_C)
405 case MBEDTLS_MD_SHA512:
406 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]407 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]408 break;
409#endif /* MBEDTLS_SHA512_C */
410
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]411 default:
412 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
413 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]414 }
415
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]416 if( ret != 0 )
417 {
418 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]419 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]420 }
421
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]422 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]423#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
424 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
425 {
426 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]427 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]428 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
429 {
430 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
431 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]432 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
433 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]434 }
435#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]436
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]437 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]438 &ssl->session_negotiate->peer_cert->pk,
439 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]440 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]441 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]442 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]443 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]444 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]445
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]446error:
447 /* RFC 8446 section 4.4.3
448 *
449 * If the verification fails, the receiver MUST terminate the handshake
450 * with a "decrypt_error" alert.
451 */
452 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
453 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
454 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
455
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]456}
457#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
458
459int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
460{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]461
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]462#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
463 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
464 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
465 size_t verify_buffer_len;
466 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
467 size_t transcript_len;
468 unsigned char *buf;
469 size_t buf_len;
470
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]471 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
472
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]473 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]474 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]475 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]476
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]477 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]478 * before reading the message since otherwise it gets
479 * included in the transcript
480 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]481 ret = mbedtls_ssl_get_handshake_transcript( ssl,
482 ssl->handshake->ciphersuite_info->mac,
483 transcript, sizeof( transcript ),
484 &transcript_len );
485 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]486 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]487 MBEDTLS_SSL_PEND_FATAL_ALERT(
488 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
489 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
490 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]491 }
492
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]493 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
494
495 /* Create verify structure */
496 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]497 transcript_len,
498 verify_buffer,
499 &verify_buffer_len,
500 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
501 MBEDTLS_SSL_IS_SERVER :
502 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]503
504 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]505 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
506 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]507
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]508 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]509 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]510
511cleanup:
512
513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]514 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]515 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]516#else
517 ((void) ssl);
518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
519 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
520#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]521}
522
523/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]524 *
525 * STATE HANDLING: Incoming Certificate, client-side only currently.
526 *
527 */
528
529/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]530 * Implementation
531 */
532
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]533#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
534#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
535/*
536 * Structure of Certificate message:
537 *
538 * enum {
539 * X509(0),
540 * RawPublicKey(2),
541 * (255)
542 * } CertificateType;
543 *
544 * struct {
545 * select (certificate_type) {
546 * case RawPublicKey:
547 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
548 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
549 * case X509:
550 * opaque cert_data<1..2^24-1>;
551 * };
552 * Extension extensions<0..2^16-1>;
553 * } CertificateEntry;
554 *
555 * struct {
556 * opaque certificate_request_context<0..2^8-1>;
557 * CertificateEntry certificate_list<0..2^24-1>;
558 * } Certificate;
559 *
560 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]561
562/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]563static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
564 const unsigned char *buf,
565 const unsigned char *end )
566{
567 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]568 size_t certificate_request_context_len = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]569 size_t certificate_list_len = 0;
570 const unsigned char *p = buf;
571 const unsigned char *certificate_list_end;
572
573 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]574 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]575 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]576 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]577
578 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
579 * support anything beyond 2^16 = 64K.
580 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]581 if( ( certificate_request_context_len != 0 ) ||
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]582 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]583 {
584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
585 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
586 MBEDTLS_ERR_SSL_DECODE_ERROR );
587 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
588 }
589
590 /* In case we tried to reuse a session but it failed */
591 if( ssl->session_negotiate->peer_cert != NULL )
592 {
593 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
594 mbedtls_free( ssl->session_negotiate->peer_cert );
595 }
596
597 if( ( ssl->session_negotiate->peer_cert =
598 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
599 {
600 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
601 sizeof( mbedtls_x509_crt ) ) );
602 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
603 MBEDTLS_ERR_SSL_ALLOC_FAILED );
604 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
605 }
606
607 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
608
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]609 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]610 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]611 {
612 size_t cert_data_len, extensions_len;
613
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]614 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]615 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]616 p += 3;
617
618 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
619 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
620 * check that we have a minimum of 128 bytes of data, this is not
621 * clear why we need that though.
622 */
623 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]624 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]625 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
626 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
627 MBEDTLS_ERR_SSL_DECODE_ERROR );
628 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
629 }
630
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]631 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]632 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
633 p, cert_data_len );
634
635 switch( ret )
636 {
637 case 0: /*ok*/
638 break;
639 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
640 /* Ignore certificate with an unknown algorithm: maybe a
641 prior certificate was already trusted. */
642 break;
643
644 case MBEDTLS_ERR_X509_ALLOC_FAILED:
645 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
646 MBEDTLS_ERR_X509_ALLOC_FAILED );
647 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
648 return( ret );
649
650 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
651 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
652 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
653 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
654 return( ret );
655
656 default:
657 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
658 ret );
659 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
660 return( ret );
661 }
662
663 p += cert_data_len;
664
665 /* Certificate extensions length */
666 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
667 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
668 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]669 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]670 p += extensions_len;
671 }
672
673 /* Check that all the message is consumed. */
674 if( p != end )
675 {
676 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
677 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
678 MBEDTLS_ERR_SSL_DECODE_ERROR );
679 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
680 }
681
682 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
683
684 return( ret );
685}
686#else
687static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
688 const unsigned char *buf,
689 const unsigned char *end )
690{
691 ((void) ssl);
692 ((void) buf);
693 ((void) end);
694 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
695}
696#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
697#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
698
699#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
700#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]701/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]702static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
703{
704 int ret = 0;
705 mbedtls_x509_crt *ca_chain;
706 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]707 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]708
709#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
710 if( ssl->handshake->sni_ca_chain != NULL )
711 {
712 ca_chain = ssl->handshake->sni_ca_chain;
713 ca_crl = ssl->handshake->sni_ca_crl;
714 }
715 else
716#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
717 {
718 ca_chain = ssl->conf->ca_chain;
719 ca_crl = ssl->conf->ca_crl;
720 }
721
722 /*
723 * Main check: verify certificate
724 */
725 ret = mbedtls_x509_crt_verify_with_profile(
726 ssl->session_negotiate->peer_cert,
727 ca_chain, ca_crl,
728 ssl->conf->cert_profile,
729 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]730 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]731 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
732
733 if( ret != 0 )
734 {
735 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
736 }
737
738 /*
739 * Secondary checks: always done, but change 'ret' only if it was 0
740 */
741
742#if defined(MBEDTLS_ECP_C)
743 {
744 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
745
746 /* If certificate uses an EC key, make sure the curve is OK */
747 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
748 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
749 {
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]750 verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]751
752 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
753 if( ret == 0 )
754 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
755 }
756 }
757#endif /* MBEDTLS_ECP_C */
758
759 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
760 ssl->handshake->ciphersuite_info,
761 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]762 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]763 {
764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
765 if( ret == 0 )
766 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
767 }
768
769
770 if( ca_chain == NULL )
771 {
772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
773 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
774 }
775
776 if( ret != 0 )
777 {
778 /* The certificate may have been rejected for several reasons.
779 Pick one and send the corresponding alert. Which alert to send
780 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]781 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]782 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]783 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]784 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]785 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
786 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
787 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
788 MBEDTLS_X509_BADCERT_BAD_PK |
789 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]790 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]791 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]792 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]793 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]794 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]795 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]796 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
797 else
798 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
799 }
800
801#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]802 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]803 {
804 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]805 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]806 }
807 else
808 {
809 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
810 }
811#endif /* MBEDTLS_DEBUG_C */
812
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]813 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]814 return( ret );
815}
816#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
817static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
818{
819 ((void) ssl);
820 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
821}
822#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
823#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
824
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]825int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]826{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]827 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
828 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
829
830#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
831 unsigned char *buf;
832 size_t buf_len;
833
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]834 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]835 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
836 &buf, &buf_len ) );
837
838 /* Parse the certificate chain sent by the peer. */
839 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
840 /* Validate the certificate chain and set the verification results. */
841 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
842
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]843 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
844 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]845
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]846cleanup:
847
848 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]849#else
850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
851 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
852#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]853 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]854}
855
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]856/*
857 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]858 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]859 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]860/*
861 * Implementation
862 */
863
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]864static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]865{
866 int ret;
867
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]868 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]869 ssl->handshake->state_local.finished_in.digest,
870 sizeof( ssl->handshake->state_local.finished_in.digest ),
871 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]872 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]873 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]874 if( ret != 0 )
875 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]876 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]877 return( ret );
878 }
879
880 return( 0 );
881}
882
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]883static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
884 const unsigned char *buf,
885 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]886{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]887 /*
888 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]889 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]890 * } Finished;
891 */
892 const unsigned char *expected_verify_data =
893 ssl->handshake->state_local.finished_in.digest;
894 size_t expected_verify_data_len =
895 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]896 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]897 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]898 {
899 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
900
901 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]902 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]903 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
904 }
905
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]906 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]907 expected_verify_data,
908 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]909 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]910 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]911
912 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]913 if( mbedtls_ct_memcmp( buf,
914 expected_verify_data,
915 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]916 {
917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
918
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]919 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]920 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]921 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
922 }
923 return( 0 );
924}
925
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]926#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]927static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]928{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]929 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]930 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]931 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]932
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]933 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]934 if( ret != 0 )
935 {
936 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]937 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]938 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]939 }
940
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]941 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]942 if( ret != 0 )
943 {
944 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]945 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]946 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]947 }
948
949 transform_application =
950 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
951 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]952 {
953 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
954 goto cleanup;
955 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]956
957 ret = mbedtls_ssl_tls13_populate_transform(
958 transform_application,
959 ssl->conf->endpoint,
960 ssl->session_negotiate->ciphersuite,
961 &traffic_keys,
962 ssl );
963 if( ret != 0 )
964 {
965 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]966 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]967 }
968
969 ssl->transform_application = transform_application;
970
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]971cleanup:
972
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]973 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]974 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]975 {
976 mbedtls_free( transform_application );
977 MBEDTLS_SSL_PEND_FATAL_ALERT(
978 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
979 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
980 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]981 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]982}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]983#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]984
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]985static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]986{
987
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]988#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]989 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
990 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]991 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]992 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]993#else
994 ((void) ssl);
995#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]996
997 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
998}
999
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1000int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1001{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1002 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1003 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1004 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1005
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1006 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1007
1008 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1009 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1010
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1011 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1012 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1013 &buf, &buf_len ) );
1014 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1015 mbedtls_ssl_tls13_add_hs_msg_to_checksum(
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1016 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1017 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1018
1019cleanup:
1020
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1021 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1022 return( ret );
1023}
1024
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1025/*
1026 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1027 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1028 *
1029 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1030/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1031 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1032 */
1033
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1034static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1035{
1036 int ret;
1037
1038 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1039 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1040 ssl->handshake->state_local.finished_out.digest,
1041 sizeof( ssl->handshake->state_local.finished_out.digest ),
1042 &ssl->handshake->state_local.finished_out.digest_len,
1043 ssl->conf->endpoint );
1044
1045 if( ret != 0 )
1046 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1047 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1048 return( ret );
1049 }
1050
1051 return( 0 );
1052}
1053
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1054static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1055{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1056 // TODO: Add back resumption keys calculation after MVP.
1057 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1058
1059 return( 0 );
1060}
1061
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1062static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1063 unsigned char *buf,
1064 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1065 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1066{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1067 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1068 /*
1069 * struct {
1070 * opaque verify_data[Hash.length];
1071 * } Finished;
1072 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1073 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1074
1075 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1076 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1077
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1078 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1079 return( 0 );
1080}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1081
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1082/* Main entry point: orchestrates the other functions */
1083int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1084{
1085 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1086 unsigned char *buf;
1087 size_t buf_len, msg_len;
1088
1089 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1090
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1091 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1092
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1093 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1094 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1095
1096 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1097 ssl, buf, buf + buf_len, &msg_len ) );
1098
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1099 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1100 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1101
1102 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
1103 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
1104 buf_len, msg_len ) );
1105 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1106
1107cleanup:
1108
1109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1110 return( ret );
1111}
1112
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1113void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1114{
1115
1116 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1117
1118 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1119 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1120 */
1121 if( ssl->session )
1122 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1123 mbedtls_ssl_session_free( ssl->session );
1124 mbedtls_free( ssl->session );
1125 }
1126 ssl->session = ssl->session_negotiate;
1127 ssl->session_negotiate = NULL;
1128
1129 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1130}
1131
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1132/*
1133 *
1134 * STATE HANDLING: Write ChangeCipherSpec
1135 *
1136 */
1137#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1138
1139static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1140 unsigned char *buf,
1141 unsigned char *end,
1142 size_t *olen )
1143{
1144 ((void) ssl);
1145
1146 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1147 buf[0] = 1;
1148 *olen = 1;
1149
1150 return( 0 );
1151}
1152
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1153int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1154{
1155 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1156
1157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1158
1159 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1160
1161 /* Write CCS message */
1162 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1163 ssl, ssl->out_msg,
1164 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1165 &ssl->out_msglen ) );
1166
1167 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1168
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1169 /* Dispatch message */
1170 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) );
1171
1172cleanup:
1173
1174 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1175 return( ret );
1176}
1177
1178#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1179
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]1180#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1181
1182#endif /* MBEDTLS_SSL_TLS_C */