1 /*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
12 #include <string.h>
13
14 #include "mbedtls/error.h"
15 #include "debug_internal.h"
16 #include "mbedtls/oid.h"
17 #include "mbedtls/platform.h"
18 #include "mbedtls/constant_time.h"
19 #include "psa/crypto.h"
20 #include "mbedtls/psa_util.h"
21
22 #include "ssl_misc.h"
23 #include "ssl_tls13_invasive.h"
24 #include "ssl_tls13_keys.h"
25 #include "ssl_debug_helpers.h"
26
27 #include "psa/crypto.h"
28 #include "psa_util_internal.h"
29
30 /* Define a local translating function to save code size by not using too many
31 * arguments in each translating place. */
local_err_translation(psa_status_t status)32 static int local_err_translation(psa_status_t status)
33 {
34 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
35 ARRAY_LENGTH(psa_to_ssl_errors),
36 psa_generic_status_to_mbedtls);
37 }
38 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
39
mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context * ssl)40 int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl)
41 {
42 psa_status_t status = psa_crypto_init();
43 if (status != PSA_SUCCESS) {
44 (void) ssl; // unused when debugging is disabled
45 MBEDTLS_SSL_DEBUG_RET(1, "psa_crypto_init", status);
46 }
47 return PSA_TO_MBEDTLS_ERR(status);
48 }
49
50 const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
51 MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
52 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
53 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
54 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
55 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
56
mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char ** buf,size_t * buf_len)57 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
58 unsigned hs_type,
59 unsigned char **buf,
60 size_t *buf_len)
61 {
62 int ret;
63
64 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
65 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
66 goto cleanup;
67 }
68
69 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
70 ssl->in_msg[0] != hs_type) {
71 MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message."));
72 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
73 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
74 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
75 goto cleanup;
76 }
77
78 /*
79 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
80 * ...
81 * HandshakeType msg_type;
82 * uint24 length;
83 * ...
84 */
85 *buf = ssl->in_msg + 4;
86 *buf_len = ssl->in_hslen - 4;
87
88 cleanup:
89
90 return ret;
91 }
92
mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,const unsigned char ** supported_versions_data,const unsigned char ** supported_versions_data_end)93 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
94 mbedtls_ssl_context *ssl,
95 const unsigned char *buf, const unsigned char *end,
96 const unsigned char **supported_versions_data,
97 const unsigned char **supported_versions_data_end)
98 {
99 const unsigned char *p = buf;
100 size_t extensions_len;
101 const unsigned char *extensions_end;
102
103 *supported_versions_data = NULL;
104 *supported_versions_data_end = NULL;
105
106 /* Case of no extension */
107 if (p == end) {
108 return 0;
109 }
110
111 /* ...
112 * Extension extensions<x..2^16-1>;
113 * ...
114 * struct {
115 * ExtensionType extension_type; (2 bytes)
116 * opaque extension_data<0..2^16-1>;
117 * } Extension;
118 */
119 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
120 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
121 p += 2;
122
123 /* Check extensions do not go beyond the buffer of data. */
124 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
125 extensions_end = p + extensions_len;
126
127 while (p < extensions_end) {
128 unsigned int extension_type;
129 size_t extension_data_len;
130
131 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
132 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
133 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
134 p += 4;
135 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
136
137 if (extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) {
138 *supported_versions_data = p;
139 *supported_versions_data_end = p + extension_data_len;
140 return 1;
141 }
142 p += extension_data_len;
143 }
144
145 return 0;
146 }
147
148 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
149 /*
150 * STATE HANDLING: Read CertificateVerify
151 */
152 /* Macro to express the maximum length of the verify structure.
153 *
154 * The structure is computed per TLS 1.3 specification as:
155 * - 64 bytes of octet 32,
156 * - 33 bytes for the context string
157 * (which is either "TLS 1.3, client CertificateVerify"
158 * or "TLS 1.3, server CertificateVerify"),
159 * - 1 byte for the octet 0x0, which serves as a separator,
160 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
161 * (depending on the size of the transcript_hash)
162 *
163 * This results in a total size of
164 * - 130 bytes for a SHA256-based transcript hash, or
165 * (64 + 33 + 1 + 32 bytes)
166 * - 146 bytes for a SHA384-based transcript hash.
167 * (64 + 33 + 1 + 48 bytes)
168 *
169 */
170 #define SSL_VERIFY_STRUCT_MAX_SIZE (64 + \
171 33 + \
172 1 + \
173 MBEDTLS_TLS1_3_MD_MAX_SIZE \
174 )
175
176 /*
177 * The ssl_tls13_create_verify_structure() creates the verify structure.
178 * As input, it requires the transcript hash.
179 *
180 * The caller has to ensure that the buffer has size at least
181 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
182 */
ssl_tls13_create_verify_structure(const unsigned char * transcript_hash,size_t transcript_hash_len,unsigned char * verify_buffer,size_t * verify_buffer_len,int from)183 static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash,
184 size_t transcript_hash_len,
185 unsigned char *verify_buffer,
186 size_t *verify_buffer_len,
187 int from)
188 {
189 size_t idx;
190
191 /* RFC 8446, Section 4.4.3:
192 *
193 * The digital signature [in the CertificateVerify message] is then
194 * computed over the concatenation of:
195 * - A string that consists of octet 32 (0x20) repeated 64 times
196 * - The context string
197 * - A single 0 byte which serves as the separator
198 * - The content to be signed
199 */
200 memset(verify_buffer, 0x20, 64);
201 idx = 64;
202
203 if (from == MBEDTLS_SSL_IS_CLIENT) {
204 memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv,
205 MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv));
206 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
207 } else { /* from == MBEDTLS_SSL_IS_SERVER */
208 memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv,
209 MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv));
210 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
211 }
212
213 verify_buffer[idx++] = 0x0;
214
215 memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len);
216 idx += transcript_hash_len;
217
218 *verify_buffer_len = idx;
219 }
220
221 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_certificate_verify(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,const unsigned char * verify_buffer,size_t verify_buffer_len)222 static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
223 const unsigned char *buf,
224 const unsigned char *end,
225 const unsigned char *verify_buffer,
226 size_t verify_buffer_len)
227 {
228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
229 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
230 const unsigned char *p = buf;
231 uint16_t algorithm;
232 size_t signature_len;
233 mbedtls_pk_type_t sig_alg;
234 mbedtls_md_type_t md_alg;
235 psa_algorithm_t hash_alg = PSA_ALG_NONE;
236 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
237 size_t verify_hash_len;
238
239 void const *options = NULL;
240 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
241 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
242 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
243
244 /*
245 * struct {
246 * SignatureScheme algorithm;
247 * opaque signature<0..2^16-1>;
248 * } CertificateVerify;
249 */
250 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
251 algorithm = MBEDTLS_GET_UINT16_BE(p, 0);
252 p += 2;
253
254 /* RFC 8446 section 4.4.3
255 *
256 * If the CertificateVerify message is sent by a server, the signature
257 * algorithm MUST be one offered in the client's "signature_algorithms"
258 * extension unless no valid certificate chain can be produced without
259 * unsupported algorithms
260 *
261 * RFC 8446 section 4.4.2.2
262 *
263 * If the client cannot construct an acceptable chain using the provided
264 * certificates and decides to abort the handshake, then it MUST abort the
265 * handshake with an appropriate certificate-related alert
266 * (by default, "unsupported_certificate").
267 *
268 * Check if algorithm is an offered signature algorithm.
269 */
270 if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) {
271 /* algorithm not in offered signature algorithms list */
272 MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not "
273 "offered.",
274 (unsigned int) algorithm));
275 goto error;
276 }
277
278 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
279 algorithm, &sig_alg, &md_alg) != 0) {
280 goto error;
281 }
282
283 hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
284 if (hash_alg == 0) {
285 goto error;
286 }
287
288 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )",
289 (unsigned int) algorithm));
290
291 /*
292 * Check the certificate's key type matches the signature alg
293 */
294 if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) {
295 MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
296 goto error;
297 }
298
299 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
300 signature_len = MBEDTLS_GET_UINT16_BE(p, 0);
301 p += 2;
302 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len);
303
304 status = psa_hash_compute(hash_alg,
305 verify_buffer,
306 verify_buffer_len,
307 verify_hash,
308 sizeof(verify_hash),
309 &verify_hash_len);
310 if (status != PSA_SUCCESS) {
311 MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status);
312 goto error;
313 }
314
315 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
316 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
317 if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
318 rsassa_pss_options.mgf1_hash_id = md_alg;
319
320 rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
321 options = (const void *) &rsassa_pss_options;
322 }
323 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
324
325 if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
326 &ssl->session_negotiate->peer_cert->pk,
327 md_alg, verify_hash, verify_hash_len,
328 p, signature_len)) == 0) {
329 return 0;
330 }
331 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
332
333 error:
334 /* RFC 8446 section 4.4.3
335 *
336 * If the verification fails, the receiver MUST terminate the handshake
337 * with a "decrypt_error" alert.
338 */
339 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
340 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
341 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
342
343 }
344 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
345
mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context * ssl)346 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
347 {
348
349 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
351 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
352 size_t verify_buffer_len;
353 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
354 size_t transcript_len;
355 unsigned char *buf;
356 size_t buf_len;
357
358 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
359
360 MBEDTLS_SSL_PROC_CHK(
361 mbedtls_ssl_tls13_fetch_handshake_msg(
362 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
363
364 /* Need to calculate the hash of the transcript first
365 * before reading the message since otherwise it gets
366 * included in the transcript
367 */
368 ret = mbedtls_ssl_get_handshake_transcript(
369 ssl,
370 (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
371 transcript, sizeof(transcript),
372 &transcript_len);
373 if (ret != 0) {
374 MBEDTLS_SSL_PEND_FATAL_ALERT(
375 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
376 MBEDTLS_ERR_SSL_INTERNAL_ERROR);
377 return ret;
378 }
379
380 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len);
381
382 /* Create verify structure */
383 ssl_tls13_create_verify_structure(transcript,
384 transcript_len,
385 verify_buffer,
386 &verify_buffer_len,
387 (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ?
388 MBEDTLS_SSL_IS_SERVER :
389 MBEDTLS_SSL_IS_CLIENT);
390
391 /* Process the message contents */
392 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(
393 ssl, buf, buf + buf_len,
394 verify_buffer, verify_buffer_len));
395
396 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
397 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
398 buf, buf_len));
399
400 cleanup:
401
402 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
403 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret);
404 return ret;
405 #else
406 ((void) ssl);
407 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
408 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
409 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
410 }
411
412 /*
413 *
414 * STATE HANDLING: Incoming Certificate.
415 *
416 */
417
418 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
419 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
420 /*
421 * Structure of Certificate message:
422 *
423 * enum {
424 * X509(0),
425 * RawPublicKey(2),
426 * (255)
427 * } CertificateType;
428 *
429 * struct {
430 * select (certificate_type) {
431 * case RawPublicKey:
432 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
433 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
434 * case X509:
435 * opaque cert_data<1..2^24-1>;
436 * };
437 * Extension extensions<0..2^16-1>;
438 * } CertificateEntry;
439 *
440 * struct {
441 * opaque certificate_request_context<0..2^8-1>;
442 * CertificateEntry certificate_list<0..2^24-1>;
443 * } Certificate;
444 *
445 */
446
447 /* Parse certificate chain send by the server. */
448 MBEDTLS_CHECK_RETURN_CRITICAL
449 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)450 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
451 const unsigned char *buf,
452 const unsigned char *end)
453 {
454 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
455 size_t certificate_request_context_len = 0;
456 size_t certificate_list_len = 0;
457 const unsigned char *p = buf;
458 const unsigned char *certificate_list_end;
459 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
460
461 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
462 certificate_request_context_len = p[0];
463 certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1);
464 p += 4;
465
466 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
467 * support anything beyond 2^16 = 64K.
468 */
469 if ((certificate_request_context_len != 0) ||
470 (certificate_list_len >= 0x10000)) {
471 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
472 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
473 MBEDTLS_ERR_SSL_DECODE_ERROR);
474 return MBEDTLS_ERR_SSL_DECODE_ERROR;
475 }
476
477 /* In case we tried to reuse a session but it failed */
478 if (ssl->session_negotiate->peer_cert != NULL) {
479 mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert);
480 mbedtls_free(ssl->session_negotiate->peer_cert);
481 }
482
483 /* This is used by ssl_tls13_validate_certificate() */
484 if (certificate_list_len == 0) {
485 ssl->session_negotiate->peer_cert = NULL;
486 ret = 0;
487 goto exit;
488 }
489
490 if ((ssl->session_negotiate->peer_cert =
491 mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) {
492 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
493 sizeof(mbedtls_x509_crt)));
494 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
495 MBEDTLS_ERR_SSL_ALLOC_FAILED);
496 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
497 }
498
499 mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert);
500
501 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len);
502 certificate_list_end = p + certificate_list_len;
503 while (p < certificate_list_end) {
504 size_t cert_data_len, extensions_len;
505 const unsigned char *extensions_end;
506
507 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3);
508 cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0);
509 p += 3;
510
511 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
512 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
513 * check that we have a minimum of 128 bytes of data, this is not
514 * clear why we need that though.
515 */
516 if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) {
517 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
518 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
519 MBEDTLS_ERR_SSL_DECODE_ERROR);
520 return MBEDTLS_ERR_SSL_DECODE_ERROR;
521 }
522
523 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len);
524 ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert,
525 p, cert_data_len);
526
527 switch (ret) {
528 case 0: /*ok*/
529 break;
530 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
531 /* Ignore certificate with an unknown algorithm: maybe a
532 prior certificate was already trusted. */
533 break;
534
535 case MBEDTLS_ERR_X509_ALLOC_FAILED:
536 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
537 MBEDTLS_ERR_X509_ALLOC_FAILED);
538 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
539 return ret;
540
541 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
542 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
543 MBEDTLS_ERR_X509_UNKNOWN_VERSION);
544 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
545 return ret;
546
547 default:
548 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
549 ret);
550 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
551 return ret;
552 }
553
554 p += cert_data_len;
555
556 /* Certificate extensions length */
557 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2);
558 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
559 p += 2;
560 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len);
561
562 extensions_end = p + extensions_len;
563 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
564
565 while (p < extensions_end) {
566 unsigned int extension_type;
567 size_t extension_data_len;
568
569 /*
570 * struct {
571 * ExtensionType extension_type; (2 bytes)
572 * opaque extension_data<0..2^16-1>;
573 * } Extension;
574 */
575 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
576 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
577 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
578 p += 4;
579
580 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
581
582 ret = mbedtls_ssl_tls13_check_received_extension(
583 ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
584 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT);
585 if (ret != 0) {
586 return ret;
587 }
588
589 switch (extension_type) {
590 default:
591 MBEDTLS_SSL_PRINT_EXT(
592 3, MBEDTLS_SSL_HS_CERTIFICATE,
593 extension_type, "( ignored )");
594 break;
595 }
596
597 p += extension_data_len;
598 }
599
600 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE,
601 handshake->received_extensions);
602 }
603
604 exit:
605 /* Check that all the message is consumed. */
606 if (p != end) {
607 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
608 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
609 MBEDTLS_ERR_SSL_DECODE_ERROR);
610 return MBEDTLS_ERR_SSL_DECODE_ERROR;
611 }
612
613 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate",
614 ssl->session_negotiate->peer_cert);
615
616 return ret;
617 }
618 #else
619 MBEDTLS_CHECK_RETURN_CRITICAL
620 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)621 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
622 const unsigned char *buf,
623 const unsigned char *end)
624 {
625 ((void) ssl);
626 ((void) buf);
627 ((void) end);
628 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
629 }
630 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
631 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
632
633 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
634 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
635 /* Validate certificate chain sent by the server. */
636 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_validate_certificate(mbedtls_ssl_context * ssl)637 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
638 {
639 /* Authmode: precedence order is SNI if used else configuration */
640 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
641 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
642 ? ssl->handshake->sni_authmode
643 : ssl->conf->authmode;
644 #else
645 const int authmode = ssl->conf->authmode;
646 #endif
647
648 /*
649 * If the peer hasn't sent a certificate ( i.e. it sent
650 * an empty certificate chain ), this is reflected in the peer CRT
651 * structure being unset.
652 * Check for that and handle it depending on the
653 * authentication mode.
654 */
655 if (ssl->session_negotiate->peer_cert == NULL) {
656 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
657
658 #if defined(MBEDTLS_SSL_SRV_C)
659 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
660 /* The client was asked for a certificate but didn't send
661 * one. The client should know what's going on, so we
662 * don't send an alert.
663 */
664 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
665 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
666 return 0;
667 } else {
668 MBEDTLS_SSL_PEND_FATAL_ALERT(
669 MBEDTLS_SSL_ALERT_MSG_NO_CERT,
670 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
671 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
672 }
673 }
674 #endif /* MBEDTLS_SSL_SRV_C */
675
676 #if defined(MBEDTLS_SSL_CLI_C)
677 /* Regardless of authmode, the server is not allowed to send an empty
678 * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The
679 * server's certificate_list MUST always be non-empty.") With authmode
680 * optional/none, we continue the handshake if we can't validate the
681 * server's cert, but we still break it if no certificate was sent. */
682 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
683 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
684 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
685 return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
686 }
687 #endif /* MBEDTLS_SSL_CLI_C */
688 }
689
690 return mbedtls_ssl_verify_certificate(ssl, authmode,
691 ssl->session_negotiate->peer_cert,
692 NULL, NULL);
693 }
694 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
695 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_validate_certificate(mbedtls_ssl_context * ssl)696 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
697 {
698 ((void) ssl);
699 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
700 }
701 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
702 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
703
mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context * ssl)704 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
705 {
706 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
707 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
708
709 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
710 unsigned char *buf;
711 size_t buf_len;
712
713 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
714 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
715 &buf, &buf_len));
716
717 /* Parse the certificate chain sent by the peer. */
718 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf,
719 buf + buf_len));
720 /* Validate the certificate chain and set the verification results. */
721 MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
722
723 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
724 ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len));
725
726 cleanup:
727 #else /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
728 (void) ssl;
729 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
730
731 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
732 return ret;
733 }
734 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
735 /*
736 * enum {
737 * X509(0),
738 * RawPublicKey(2),
739 * (255)
740 * } CertificateType;
741 *
742 * struct {
743 * select (certificate_type) {
744 * case RawPublicKey:
745 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
746 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
747 *
748 * case X509:
749 * opaque cert_data<1..2^24-1>;
750 * };
751 * Extension extensions<0..2^16-1>;
752 * } CertificateEntry;
753 *
754 * struct {
755 * opaque certificate_request_context<0..2^8-1>;
756 * CertificateEntry certificate_list<0..2^24-1>;
757 * } Certificate;
758 */
759 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)760 static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl,
761 unsigned char *buf,
762 unsigned char *end,
763 size_t *out_len)
764 {
765 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl);
766 unsigned char *p = buf;
767 unsigned char *certificate_request_context =
768 ssl->handshake->certificate_request_context;
769 unsigned char certificate_request_context_len =
770 ssl->handshake->certificate_request_context_len;
771 unsigned char *p_certificate_list_len;
772
773
774 /* ...
775 * opaque certificate_request_context<0..2^8-1>;
776 * ...
777 */
778 MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1);
779 *p++ = certificate_request_context_len;
780 if (certificate_request_context_len > 0) {
781 memcpy(p, certificate_request_context, certificate_request_context_len);
782 p += certificate_request_context_len;
783 }
784
785 /* ...
786 * CertificateEntry certificate_list<0..2^24-1>;
787 * ...
788 */
789 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
790 p_certificate_list_len = p;
791 p += 3;
792
793 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt);
794
795 while (crt != NULL) {
796 size_t cert_data_len = crt->raw.len;
797
798 MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2);
799 MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0);
800 p += 3;
801
802 memcpy(p, crt->raw.p, cert_data_len);
803 p += cert_data_len;
804 crt = crt->next;
805
806 /* Currently, we don't have any certificate extensions defined.
807 * Hence, we are sending an empty extension with length zero.
808 */
809 MBEDTLS_PUT_UINT16_BE(0, p, 0);
810 p += 2;
811 }
812
813 MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3,
814 p_certificate_list_len, 0);
815
816 *out_len = p - buf;
817
818 MBEDTLS_SSL_PRINT_EXTS(
819 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions);
820
821 return 0;
822 }
823
mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context * ssl)824 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
825 {
826 int ret;
827 unsigned char *buf;
828 size_t buf_len, msg_len;
829
830 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
831
832 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
833 ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len));
834
835 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
836 buf,
837 buf + buf_len,
838 &msg_len));
839
840 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
841 ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len));
842
843 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
844 ssl, buf_len, msg_len));
845 cleanup:
846
847 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
848 return ret;
849 }
850
851 /*
852 * STATE HANDLING: Output Certificate Verify
853 */
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,mbedtls_pk_context * key)854 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
855 mbedtls_pk_context *key)
856 {
857 mbedtls_pk_type_t pk_type = (mbedtls_pk_type_t) mbedtls_ssl_sig_from_pk(key);
858 size_t key_size = mbedtls_pk_get_bitlen(key);
859
860 switch (pk_type) {
861 case MBEDTLS_SSL_SIG_ECDSA:
862 switch (key_size) {
863 case 256:
864 return
865 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
866
867 case 384:
868 return
869 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
870
871 case 521:
872 return
873 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
874 default:
875 break;
876 }
877 break;
878
879 case MBEDTLS_SSL_SIG_RSA:
880 switch (sig_alg) {
881 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
882 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
883 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
884 return 1;
885
886 default:
887 break;
888 }
889 break;
890
891 default:
892 break;
893 }
894
895 return 0;
896 }
897
898 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)899 static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
900 unsigned char *buf,
901 unsigned char *end,
902 size_t *out_len)
903 {
904 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
905 unsigned char *p = buf;
906 mbedtls_pk_context *own_key;
907
908 unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE];
909 size_t handshake_hash_len;
910 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
911 size_t verify_buffer_len;
912
913 uint16_t *sig_alg = ssl->handshake->received_sig_algs;
914 size_t signature_len = 0;
915
916 *out_len = 0;
917
918 own_key = mbedtls_ssl_own_key(ssl);
919 if (own_key == NULL) {
920 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
921 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
922 }
923
924 ret = mbedtls_ssl_get_handshake_transcript(
925 ssl, (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
926 handshake_hash, sizeof(handshake_hash), &handshake_hash_len);
927 if (ret != 0) {
928 return ret;
929 }
930
931 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash",
932 handshake_hash,
933 handshake_hash_len);
934
935 ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len,
936 verify_buffer, &verify_buffer_len,
937 ssl->conf->endpoint);
938
939 /*
940 * struct {
941 * SignatureScheme algorithm;
942 * opaque signature<0..2^16-1>;
943 * } CertificateVerify;
944 */
945 /* Check there is space for the algorithm identifier (2 bytes) and the
946 * signature length (2 bytes).
947 */
948 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
949
950 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
951 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
952 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
953 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
954 psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
955 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
956 size_t verify_hash_len;
957
958 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
959 continue;
960 }
961
962 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
963 continue;
964 }
965
966 if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) {
967 continue;
968 }
969
970 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
971 *sig_alg, &pk_type, &md_alg) != 0) {
972 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
973 }
974
975 /* Hash verify buffer with indicated hash function */
976 psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg);
977 status = psa_hash_compute(psa_algorithm,
978 verify_buffer,
979 verify_buffer_len,
980 verify_hash, sizeof(verify_hash),
981 &verify_hash_len);
982 if (status != PSA_SUCCESS) {
983 return PSA_TO_MBEDTLS_ERR(status);
984 }
985
986 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
987
988 if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
989 md_alg, verify_hash, verify_hash_len,
990 p + 4, (size_t) (end - (p + 4)), &signature_len,
991 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
992 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
993 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
994 MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);
995
996 /* The signature failed. This is possible if the private key
997 * was not suitable for the signature operation as purposely we
998 * did not check its suitability completely. Let's try with
999 * another signature algorithm.
1000 */
1001 continue;
1002 }
1003
1004 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s",
1005 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
1006
1007 break;
1008 }
1009
1010 if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) {
1011 MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm"));
1012 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1013 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1014 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1015 }
1016
1017 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
1018 MBEDTLS_PUT_UINT16_BE(signature_len, p, 2);
1019
1020 *out_len = 4 + signature_len;
1021
1022 return 0;
1023 }
1024
mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context * ssl)1025 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
1026 {
1027 int ret = 0;
1028 unsigned char *buf;
1029 size_t buf_len, msg_len;
1030
1031 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
1032
1033 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
1034 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1035 &buf, &buf_len));
1036
1037 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
1038 ssl, buf, buf + buf_len, &msg_len));
1039
1040 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1041 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1042 buf, msg_len));
1043
1044 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1045 ssl, buf_len, msg_len));
1046
1047 cleanup:
1048
1049 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
1050 return ret;
1051 }
1052
1053 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1054
1055 /*
1056 *
1057 * STATE HANDLING: Incoming Finished message.
1058 */
1059 /*
1060 * Implementation
1061 */
1062
1063 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_preprocess_finished_message(mbedtls_ssl_context * ssl)1064 static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
1065 {
1066 int ret;
1067
1068 ret = mbedtls_ssl_tls13_calculate_verify_data(
1069 ssl,
1070 ssl->handshake->state_local.finished_in.digest,
1071 sizeof(ssl->handshake->state_local.finished_in.digest),
1072 &ssl->handshake->state_local.finished_in.digest_len,
1073 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
1074 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
1075 if (ret != 0) {
1076 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
1077 return ret;
1078 }
1079
1080 return 0;
1081 }
1082
1083 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_finished_message(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1084 static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl,
1085 const unsigned char *buf,
1086 const unsigned char *end)
1087 {
1088 /*
1089 * struct {
1090 * opaque verify_data[Hash.length];
1091 * } Finished;
1092 */
1093 const unsigned char *expected_verify_data =
1094 ssl->handshake->state_local.finished_in.digest;
1095 size_t expected_verify_data_len =
1096 ssl->handshake->state_local.finished_in.digest_len;
1097 /* Structural validation */
1098 if ((size_t) (end - buf) != expected_verify_data_len) {
1099 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
1100
1101 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1102 MBEDTLS_ERR_SSL_DECODE_ERROR);
1103 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1104 }
1105
1106 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):",
1107 expected_verify_data,
1108 expected_verify_data_len);
1109 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf,
1110 expected_verify_data_len);
1111
1112 /* Semantic validation */
1113 if (mbedtls_ct_memcmp(buf,
1114 expected_verify_data,
1115 expected_verify_data_len) != 0) {
1116 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
1119 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1120 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1121 }
1122 return 0;
1123 }
1124
mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context * ssl)1125 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
1126 {
1127 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1128 unsigned char *buf;
1129 size_t buf_len;
1130
1131 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
1132
1133 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1134 ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
1135
1136 /* Preprocessing step: Compute handshake digest */
1137 MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
1138
1139 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(
1140 ssl, buf, buf + buf_len));
1141
1142 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1143 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
1144
1145 cleanup:
1146
1147 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message"));
1148 return ret;
1149 }
1150
1151 /*
1152 *
1153 * STATE HANDLING: Write and send Finished message.
1154 *
1155 */
1156 /*
1157 * Implement
1158 */
1159
1160 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_finished_message(mbedtls_ssl_context * ssl)1161 static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl)
1162 {
1163 int ret;
1164
1165 /* Compute transcript of handshake up to now. */
1166 ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
1167 ssl->handshake->state_local.finished_out.digest,
1168 sizeof(ssl->handshake->state_local.finished_out.
1169 digest),
1170 &ssl->handshake->state_local.finished_out.digest_len,
1171 ssl->conf->endpoint);
1172
1173 if (ret != 0) {
1174 MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret);
1175 return ret;
1176 }
1177
1178 return 0;
1179 }
1180
1181 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_finished_message_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1182 static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl,
1183 unsigned char *buf,
1184 unsigned char *end,
1185 size_t *out_len)
1186 {
1187 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
1188 /*
1189 * struct {
1190 * opaque verify_data[Hash.length];
1191 * } Finished;
1192 */
1193 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len);
1194
1195 memcpy(buf, ssl->handshake->state_local.finished_out.digest,
1196 verify_data_len);
1197
1198 *out_len = verify_data_len;
1199 return 0;
1200 }
1201
1202 /* Main entry point: orchestrates the other functions */
mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context * ssl)1203 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl)
1204 {
1205 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1206 unsigned char *buf;
1207 size_t buf_len, msg_len;
1208
1209 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message"));
1210
1211 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl));
1212
1213 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
1214 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
1215
1216 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
1217 ssl, buf, buf + buf_len, &msg_len));
1218
1219 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
1220 MBEDTLS_SSL_HS_FINISHED, buf, msg_len));
1221
1222 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1223 ssl, buf_len, msg_len));
1224 cleanup:
1225
1226 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message"));
1227 return ret;
1228 }
1229
mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)1230 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
1231 {
1232
1233 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
1234
1235 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic"));
1236 mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application);
1237
1238 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic"));
1239 mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application);
1240
1241 /*
1242 * Free the previous session and switch to the current one.
1243 */
1244 if (ssl->session) {
1245 mbedtls_ssl_session_free(ssl->session);
1246 mbedtls_free(ssl->session);
1247 }
1248 ssl->session = ssl->session_negotiate;
1249 ssl->session_negotiate = NULL;
1250
1251 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
1252 }
1253
1254 /*
1255 *
1256 * STATE HANDLING: Write ChangeCipherSpec
1257 *
1258 */
1259 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1260 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)1261 static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
1262 unsigned char *buf,
1263 unsigned char *end,
1264 size_t *olen)
1265 {
1266 ((void) ssl);
1267
1268 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1);
1269 buf[0] = 1;
1270 *olen = 1;
1271
1272 return 0;
1273 }
1274
mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context * ssl)1275 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
1276 {
1277 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1278
1279 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
1280
1281 /* Only one CCS to send. */
1282 if (ssl->handshake->ccs_sent) {
1283 ret = 0;
1284 goto cleanup;
1285 }
1286
1287 /* Write CCS message */
1288 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
1289 ssl, ssl->out_msg,
1290 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1291 &ssl->out_msglen));
1292
1293 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1294
1295 /* Dispatch message */
1296 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
1297
1298 ssl->handshake->ccs_sent = 1;
1299
1300 cleanup:
1301
1302 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1303 return ret;
1304 }
1305
1306 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1307
1308 /* Early Data Indication Extension
1309 *
1310 * struct {
1311 * select ( Handshake.msg_type ) {
1312 * case new_session_ticket: uint32 max_early_data_size;
1313 * case client_hello: Empty;
1314 * case encrypted_extensions: Empty;
1315 * };
1316 * } EarlyDataIndication;
1317 */
1318 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context * ssl,int in_new_session_ticket,unsigned char * buf,const unsigned char * end,size_t * out_len)1319 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
1320 int in_new_session_ticket,
1321 unsigned char *buf,
1322 const unsigned char *end,
1323 size_t *out_len)
1324 {
1325 unsigned char *p = buf;
1326
1327 #if defined(MBEDTLS_SSL_SRV_C)
1328 const size_t needed = in_new_session_ticket ? 8 : 4;
1329 #else
1330 const size_t needed = 4;
1331 ((void) in_new_session_ticket);
1332 #endif
1333
1334 *out_len = 0;
1335
1336 MBEDTLS_SSL_CHK_BUF_PTR(p, end, needed);
1337
1338 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
1339 MBEDTLS_PUT_UINT16_BE(needed - 4, p, 2);
1340
1341 #if defined(MBEDTLS_SSL_SRV_C)
1342 if (in_new_session_ticket) {
1343 MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4);
1344 MBEDTLS_SSL_DEBUG_MSG(
1345 4, ("Sent max_early_data_size=%u",
1346 (unsigned int) ssl->conf->max_early_data_size));
1347 }
1348 #endif
1349
1350 *out_len = needed;
1351
1352 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
1353
1354 return 0;
1355 }
1356
1357 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context * ssl,size_t early_data_len)1358 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
1359 size_t early_data_len)
1360 {
1361 /*
1362 * This function should be called only while an handshake is in progress
1363 * and thus a session under negotiation. Add a sanity check to detect a
1364 * misuse.
1365 */
1366 if (ssl->session_negotiate == NULL) {
1367 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1368 }
1369
1370 /* RFC 8446 section 4.6.1
1371 *
1372 * A server receiving more than max_early_data_size bytes of 0-RTT data
1373 * SHOULD terminate the connection with an "unexpected_message" alert.
1374 * Note that if it is still possible to send early_data_len bytes of early
1375 * data, it means that early_data_len is smaller than max_early_data_size
1376 * (type uint32_t) and can fit in an uint32_t. We use this further
1377 * down.
1378 */
1379 if (early_data_len >
1380 (ssl->session_negotiate->max_early_data_size -
1381 ssl->total_early_data_size)) {
1382
1383 MBEDTLS_SSL_DEBUG_MSG(
1384 2, ("EarlyData: Too much early data received, "
1385 "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu",
1386 (unsigned long) ssl->total_early_data_size,
1387 early_data_len,
1388 (unsigned long) ssl->session_negotiate->max_early_data_size));
1389
1390 MBEDTLS_SSL_PEND_FATAL_ALERT(
1391 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1392 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
1393 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1394 }
1395
1396 /*
1397 * early_data_len has been checked to be less than max_early_data_size
1398 * that is uint32_t. Its cast to an uint32_t below is thus safe. We need
1399 * the cast to appease some compilers.
1400 */
1401 ssl->total_early_data_size += (uint32_t) early_data_len;
1402
1403 return 0;
1404 }
1405 #endif /* MBEDTLS_SSL_SRV_C */
1406 #endif /* MBEDTLS_SSL_EARLY_DATA */
1407
1408 /* Reset SSL context and update hash for handling HRR.
1409 *
1410 * Replace Transcript-Hash(X) by
1411 * Transcript-Hash( message_hash ||
1412 * 00 00 Hash.length ||
1413 * X )
1414 * A few states of the handshake are preserved, including:
1415 * - session ID
1416 * - session ticket
1417 * - negotiated ciphersuite
1418 */
mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context * ssl)1419 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
1420 {
1421 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1422 unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
1423 size_t hash_len;
1424 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1425 ssl->handshake->ciphersuite_info;
1426
1427 MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR"));
1428
1429 ret = mbedtls_ssl_get_handshake_transcript(ssl, (mbedtls_md_type_t) ciphersuite_info->mac,
1430 hash_transcript + 4,
1431 PSA_HASH_MAX_SIZE,
1432 &hash_len);
1433 if (ret != 0) {
1434 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
1435 return ret;
1436 }
1437
1438 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1439 hash_transcript[1] = 0;
1440 hash_transcript[2] = 0;
1441 hash_transcript[3] = (unsigned char) hash_len;
1442
1443 hash_len += 4;
1444
1445 MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript",
1446 hash_transcript, hash_len);
1447
1448 /* Reset running hash and replace it with a hash of the transcript */
1449 ret = mbedtls_ssl_reset_checksum(ssl);
1450 if (ret != 0) {
1451 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1452 return ret;
1453 }
1454 ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
1455 if (ret != 0) {
1456 MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
1457 return ret;
1458 }
1459
1460 return ret;
1461 }
1462
1463 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1464
mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t buf_len)1465 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
1466 const unsigned char *buf,
1467 size_t buf_len)
1468 {
1469 uint8_t *p = (uint8_t *) buf;
1470 const uint8_t *end = buf + buf_len;
1471 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1472
1473 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
1474 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1475 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0);
1476 p += 2;
1477
1478 /* Check if key size is consistent with given buffer length. */
1479 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
1480
1481 /* Store peer's ECDH/FFDH public key. */
1482 if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) {
1483 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,
1484 (unsigned) peerkey_len,
1485 sizeof(handshake->xxdh_psa_peerkey)));
1486 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1487 }
1488 memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
1489 handshake->xxdh_psa_peerkey_len = peerkey_len;
1490
1491 return 0;
1492 }
1493
1494 #if defined(PSA_WANT_ALG_FFDH)
mbedtls_ssl_get_psa_ffdh_info_from_tls_id(uint16_t tls_id,size_t * bits,psa_key_type_t * key_type)1495 static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
1496 uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
1497 {
1498 switch (tls_id) {
1499 #if defined(PSA_WANT_DH_RFC7919_2048)
1500 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
1501 *bits = 2048;
1502 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1503 return PSA_SUCCESS;
1504 #endif /* PSA_WANT_DH_RFC7919_2048 */
1505 #if defined(PSA_WANT_DH_RFC7919_3072)
1506 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
1507 *bits = 3072;
1508 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1509 return PSA_SUCCESS;
1510 #endif /* PSA_WANT_DH_RFC7919_3072 */
1511 #if defined(PSA_WANT_DH_RFC7919_4096)
1512 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
1513 *bits = 4096;
1514 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1515 return PSA_SUCCESS;
1516 #endif /* PSA_WANT_DH_RFC7919_4096 */
1517 #if defined(PSA_WANT_DH_RFC7919_6144)
1518 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
1519 *bits = 6144;
1520 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1521 return PSA_SUCCESS;
1522 #endif /* PSA_WANT_DH_RFC7919_6144 */
1523 #if defined(PSA_WANT_DH_RFC7919_8192)
1524 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
1525 *bits = 8192;
1526 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1527 return PSA_SUCCESS;
1528 #endif /* PSA_WANT_DH_RFC7919_8192 */
1529 default:
1530 return PSA_ERROR_NOT_SUPPORTED;
1531 }
1532 }
1533 #endif /* PSA_WANT_ALG_FFDH */
1534
mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(mbedtls_ssl_context * ssl,uint16_t named_group,unsigned char * buf,unsigned char * end,size_t * out_len)1535 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
1536 mbedtls_ssl_context *ssl,
1537 uint16_t named_group,
1538 unsigned char *buf,
1539 unsigned char *end,
1540 size_t *out_len)
1541 {
1542 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1543 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1544 psa_key_attributes_t key_attributes;
1545 size_t own_pubkey_len;
1546 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1547 size_t bits = 0;
1548 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
1549 psa_algorithm_t alg = PSA_ALG_NONE;
1550 size_t buf_size = (size_t) (end - buf);
1551
1552 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation."));
1553
1554 /* Convert EC's TLS ID to PSA key type. */
1555 #if defined(PSA_WANT_ALG_ECDH)
1556 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
1557 named_group, &key_type, &bits) == PSA_SUCCESS) {
1558 alg = PSA_ALG_ECDH;
1559 }
1560 #endif
1561 #if defined(PSA_WANT_ALG_FFDH)
1562 if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits,
1563 &key_type) == PSA_SUCCESS) {
1564 alg = PSA_ALG_FFDH;
1565 }
1566 #endif
1567
1568 if (key_type == PSA_KEY_TYPE_NONE) {
1569 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1570 }
1571
1572 if (buf_size < PSA_BITS_TO_BYTES(bits)) {
1573 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
1574 }
1575
1576 handshake->xxdh_psa_type = key_type;
1577 ssl->handshake->xxdh_psa_bits = bits;
1578
1579 key_attributes = psa_key_attributes_init();
1580 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
1581 psa_set_key_algorithm(&key_attributes, alg);
1582 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
1583 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
1584
1585 /* Generate ECDH/FFDH private key. */
1586 status = psa_generate_key(&key_attributes,
1587 &handshake->xxdh_psa_privkey);
1588 if (status != PSA_SUCCESS) {
1589 ret = PSA_TO_MBEDTLS_ERR(status);
1590 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
1591 return ret;
1592
1593 }
1594
1595 /* Export the public part of the ECDH/FFDH private key from PSA. */
1596 status = psa_export_public_key(handshake->xxdh_psa_privkey,
1597 buf, buf_size,
1598 &own_pubkey_len);
1599
1600 if (status != PSA_SUCCESS) {
1601 ret = PSA_TO_MBEDTLS_ERR(status);
1602 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
1603 return ret;
1604 }
1605
1606 *out_len = own_pubkey_len;
1607
1608 return 0;
1609 }
1610 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1611
1612 /* RFC 8446 section 4.2
1613 *
1614 * If an implementation receives an extension which it recognizes and which is
1615 * not specified for the message in which it appears, it MUST abort the handshake
1616 * with an "illegal_parameter" alert.
1617 *
1618 */
mbedtls_ssl_tls13_check_received_extension(mbedtls_ssl_context * ssl,int hs_msg_type,unsigned int received_extension_type,uint32_t hs_msg_allowed_extensions_mask)1619 int mbedtls_ssl_tls13_check_received_extension(
1620 mbedtls_ssl_context *ssl,
1621 int hs_msg_type,
1622 unsigned int received_extension_type,
1623 uint32_t hs_msg_allowed_extensions_mask)
1624 {
1625 uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
1626 received_extension_type);
1627
1628 MBEDTLS_SSL_PRINT_EXT(
1629 3, hs_msg_type, received_extension_type, "received");
1630
1631 if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) {
1632 MBEDTLS_SSL_PRINT_EXT(
1633 3, hs_msg_type, received_extension_type, "is illegal");
1634 MBEDTLS_SSL_PEND_FATAL_ALERT(
1635 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1636 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1637 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1638 }
1639
1640 ssl->handshake->received_extensions |= extension_mask;
1641 /*
1642 * If it is a message containing extension responses, check that we
1643 * previously sent the extension.
1644 */
1645 switch (hs_msg_type) {
1646 case MBEDTLS_SSL_HS_SERVER_HELLO:
1647 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
1648 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
1649 case MBEDTLS_SSL_HS_CERTIFICATE:
1650 /* Check if the received extension is sent by peer message.*/
1651 if ((ssl->handshake->sent_extensions & extension_mask) != 0) {
1652 return 0;
1653 }
1654 break;
1655 default:
1656 return 0;
1657 }
1658
1659 MBEDTLS_SSL_PRINT_EXT(
1660 3, hs_msg_type, received_extension_type, "is unsupported");
1661 MBEDTLS_SSL_PEND_FATAL_ALERT(
1662 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1663 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
1664 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1665 }
1666
1667 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1668
1669 /* RFC 8449, section 4:
1670 *
1671 * The ExtensionData of the "record_size_limit" extension is
1672 * RecordSizeLimit:
1673 * uint16 RecordSizeLimit;
1674 */
1675 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1676 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
1677 const unsigned char *buf,
1678 const unsigned char *end)
1679 {
1680 const unsigned char *p = buf;
1681 uint16_t record_size_limit;
1682 const size_t extension_data_len = end - buf;
1683
1684 if (extension_data_len !=
1685 MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
1686 MBEDTLS_SSL_DEBUG_MSG(2,
1687 ("record_size_limit extension has invalid length: %"
1688 MBEDTLS_PRINTF_SIZET " Bytes",
1689 extension_data_len));
1690
1691 MBEDTLS_SSL_PEND_FATAL_ALERT(
1692 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1693 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1694 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1695 }
1696
1697 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1698 record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
1699
1700 MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
1701
1702 /* RFC 8449, section 4:
1703 *
1704 * Endpoints MUST NOT send a "record_size_limit" extension with a value
1705 * smaller than 64. An endpoint MUST treat receipt of a smaller value
1706 * as a fatal error and generate an "illegal_parameter" alert.
1707 */
1708 if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
1709 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes",
1710 record_size_limit));
1711 MBEDTLS_SSL_PEND_FATAL_ALERT(
1712 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1713 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1714 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1715 }
1716
1717 ssl->session_negotiate->record_size_limit = record_size_limit;
1718
1719 return 0;
1720 }
1721
1722 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)1723 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
1724 unsigned char *buf,
1725 const unsigned char *end,
1726 size_t *out_len)
1727 {
1728 unsigned char *p = buf;
1729 *out_len = 0;
1730
1731 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN,
1732 "MBEDTLS_SSL_IN_CONTENT_LEN is less than the "
1733 "minimum record size limit");
1734
1735 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
1736
1737 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0);
1738 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH,
1739 p, 2);
1740 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4);
1741
1742 *out_len = 6;
1743
1744 MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes",
1745 MBEDTLS_SSL_IN_CONTENT_LEN));
1746
1747 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT);
1748
1749 return 0;
1750 }
1751
1752 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1753
1754 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
1755
