1 /*
2  *  TLS 1.3 functionality shared between client and server
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "common.h"
21 
22 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
23 
24 #include <string.h>
25 
26 #include "mbedtls/error.h"
27 #include "mbedtls/debug.h"
28 #include "mbedtls/oid.h"
29 #include "mbedtls/platform.h"
30 #include "mbedtls/constant_time.h"
31 #include <string.h>
32 
33 #include "ssl_misc.h"
34 #include "ssl_tls13_invasive.h"
35 #include "ssl_tls13_keys.h"
36 #include "ssl_debug_helpers.h"
37 
38 #include "psa/crypto.h"
39 #include "mbedtls/psa_util.h"
40 
41 const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
42                 MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
43                     { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
44                       0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
45                       0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
46                       0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
47 
mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char ** buf,size_t * buf_len)48 int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
49                                            unsigned hs_type,
50                                            unsigned char **buf,
51                                            size_t *buf_len )
52 {
53     int ret;
54 
55     if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
56     {
57         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
58         goto cleanup;
59     }
60 
61     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
62         ssl->in_msg[0]  != hs_type )
63     {
64         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
65         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
66                                       MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
67         ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
68         goto cleanup;
69     }
70 
71     /*
72      * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
73      *    ...
74      *    HandshakeType msg_type;
75      *    uint24 length;
76      *    ...
77      */
78     *buf = ssl->in_msg   + 4;
79     *buf_len = ssl->in_hslen - 4;
80 
81 cleanup:
82 
83     return( ret );
84 }
85 
86 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
87 /*
88  * STATE HANDLING: Read CertificateVerify
89  */
90 /* Macro to express the maximum length of the verify structure.
91  *
92  * The structure is computed per TLS 1.3 specification as:
93  *   - 64 bytes of octet 32,
94  *   - 33 bytes for the context string
95  *        (which is either "TLS 1.3, client CertificateVerify"
96  *         or "TLS 1.3, server CertificateVerify"),
97  *   - 1 byte for the octet 0x0, which serves as a separator,
98  *   - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
99  *     (depending on the size of the transcript_hash)
100  *
101  * This results in a total size of
102  * - 130 bytes for a SHA256-based transcript hash, or
103  *   (64 + 33 + 1 + 32 bytes)
104  * - 146 bytes for a SHA384-based transcript hash.
105  *   (64 + 33 + 1 + 48 bytes)
106  *
107  */
108 #define SSL_VERIFY_STRUCT_MAX_SIZE  ( 64 +                          \
109                                       33 +                          \
110                                        1 +                          \
111                                       MBEDTLS_TLS1_3_MD_MAX_SIZE    \
112                                     )
113 
114 /*
115  * The ssl_tls13_create_verify_structure() creates the verify structure.
116  * As input, it requires the transcript hash.
117  *
118  * The caller has to ensure that the buffer has size at least
119  * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
120  */
ssl_tls13_create_verify_structure(const unsigned char * transcript_hash,size_t transcript_hash_len,unsigned char * verify_buffer,size_t * verify_buffer_len,int from)121 static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
122                                                size_t transcript_hash_len,
123                                                unsigned char *verify_buffer,
124                                                size_t *verify_buffer_len,
125                                                int from )
126 {
127     size_t idx;
128 
129     /* RFC 8446, Section 4.4.3:
130      *
131      * The digital signature [in the CertificateVerify message] is then
132      * computed over the concatenation of:
133      * -  A string that consists of octet 32 (0x20) repeated 64 times
134      * -  The context string
135      * -  A single 0 byte which serves as the separator
136      * -  The content to be signed
137      */
138     memset( verify_buffer, 0x20, 64 );
139     idx = 64;
140 
141     if( from == MBEDTLS_SSL_IS_CLIENT )
142     {
143         memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
144         idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
145     }
146     else
147     { /* from == MBEDTLS_SSL_IS_SERVER */
148         memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
149         idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
150     }
151 
152     verify_buffer[idx++] = 0x0;
153 
154     memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
155     idx += transcript_hash_len;
156 
157     *verify_buffer_len = idx;
158 }
159 
160 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_certificate_verify(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,const unsigned char * verify_buffer,size_t verify_buffer_len)161 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
162                                                const unsigned char *buf,
163                                                const unsigned char *end,
164                                                const unsigned char *verify_buffer,
165                                                size_t verify_buffer_len )
166 {
167     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
168     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
169     const unsigned char *p = buf;
170     uint16_t algorithm;
171     size_t signature_len;
172     mbedtls_pk_type_t sig_alg;
173     mbedtls_md_type_t md_alg;
174     psa_algorithm_t hash_alg = PSA_ALG_NONE;
175     unsigned char verify_hash[PSA_HASH_MAX_SIZE];
176     size_t verify_hash_len;
177 
178     void const *options = NULL;
179 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
180     mbedtls_pk_rsassa_pss_options rsassa_pss_options;
181 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
182 
183     /*
184      * struct {
185      *     SignatureScheme algorithm;
186      *     opaque signature<0..2^16-1>;
187      * } CertificateVerify;
188      */
189     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
190     algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
191     p += 2;
192 
193     /* RFC 8446 section 4.4.3
194      *
195      * If the CertificateVerify message is sent by a server, the signature algorithm
196      * MUST be one offered in the client's "signature_algorithms" extension unless
197      * no valid certificate chain can be produced without unsupported algorithms
198      *
199      * RFC 8446 section 4.4.2.2
200      *
201      * If the client cannot construct an acceptable chain using the provided
202      * certificates and decides to abort the handshake, then it MUST abort the handshake
203      * with an appropriate certificate-related alert (by default, "unsupported_certificate").
204      *
205      * Check if algorithm is an offered signature algorithm.
206      */
207     if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
208     {
209         /* algorithm not in offered signature algorithms list */
210         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
211                                     "offered.",
212                                     ( unsigned int ) algorithm ) );
213         goto error;
214     }
215 
216     if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
217                                         algorithm, &sig_alg, &md_alg ) != 0 )
218     {
219         goto error;
220     }
221 
222     hash_alg = mbedtls_hash_info_psa_from_md( md_alg );
223     if( hash_alg == 0 )
224     {
225         goto error;
226     }
227 
228     MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
229                                 ( unsigned int ) algorithm ) );
230 
231     /*
232      * Check the certificate's key type matches the signature alg
233      */
234     if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
235     {
236         MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
237         goto error;
238     }
239 
240     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
241     signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
242     p += 2;
243     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
244 
245     status = psa_hash_compute( hash_alg,
246                                verify_buffer,
247                                verify_buffer_len,
248                                verify_hash,
249                                sizeof( verify_hash ),
250                                &verify_hash_len );
251     if( status != PSA_SUCCESS )
252     {
253         MBEDTLS_SSL_DEBUG_RET( 1, "hash computation PSA error", status );
254         goto error;
255     }
256 
257     MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
258 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
259     if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
260     {
261         rsassa_pss_options.mgf1_hash_id = md_alg;
262 
263         rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH( hash_alg );
264         options = (const void*) &rsassa_pss_options;
265     }
266 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
267 
268     if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
269                                        &ssl->session_negotiate->peer_cert->pk,
270                                        md_alg, verify_hash, verify_hash_len,
271                                        p, signature_len ) ) == 0 )
272     {
273         return( 0 );
274     }
275     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
276 
277 error:
278     /* RFC 8446 section 4.4.3
279      *
280      * If the verification fails, the receiver MUST terminate the handshake
281      * with a "decrypt_error" alert.
282     */
283     MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
284                                   MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
285     return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
286 
287 }
288 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
289 
mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context * ssl)290 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
291 {
292 
293 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
294     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
295     unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
296     size_t verify_buffer_len;
297     unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
298     size_t transcript_len;
299     unsigned char *buf;
300     size_t buf_len;
301 
302     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
303 
304     MBEDTLS_SSL_PROC_CHK(
305         mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
306                 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
307 
308     /* Need to calculate the hash of the transcript first
309      * before reading the message since otherwise it gets
310      * included in the transcript
311      */
312     ret = mbedtls_ssl_get_handshake_transcript( ssl,
313                             ssl->handshake->ciphersuite_info->mac,
314                             transcript, sizeof( transcript ),
315                             &transcript_len );
316     if( ret != 0 )
317     {
318         MBEDTLS_SSL_PEND_FATAL_ALERT(
319             MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
320             MBEDTLS_ERR_SSL_INTERNAL_ERROR );
321         return( ret );
322     }
323 
324     MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
325 
326     /* Create verify structure */
327     ssl_tls13_create_verify_structure( transcript,
328                                        transcript_len,
329                                        verify_buffer,
330                                        &verify_buffer_len,
331                                        ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
332                                          MBEDTLS_SSL_IS_SERVER :
333                                          MBEDTLS_SSL_IS_CLIENT );
334 
335     /* Process the message contents */
336     MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
337                             buf + buf_len, verify_buffer, verify_buffer_len ) );
338 
339     mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
340                                         buf, buf_len );
341 
342 cleanup:
343 
344     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
345     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
346     return( ret );
347 #else
348     ((void) ssl);
349     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
350     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
351 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
352 }
353 
354 /*
355  *
356  * STATE HANDLING: Incoming Certificate.
357  *
358  */
359 
360 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
361 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
362 /*
363  * Structure of Certificate message:
364  *
365  * enum {
366  *     X509(0),
367  *     RawPublicKey(2),
368  *     (255)
369  * } CertificateType;
370  *
371  * struct {
372  *     select (certificate_type) {
373  *         case RawPublicKey:
374  *           * From RFC 7250 ASN.1_subjectPublicKeyInfo *
375  *           opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
376  *         case X509:
377  *           opaque cert_data<1..2^24-1>;
378  *     };
379  *     Extension extensions<0..2^16-1>;
380  * } CertificateEntry;
381  *
382  * struct {
383  *     opaque certificate_request_context<0..2^8-1>;
384  *     CertificateEntry certificate_list<0..2^24-1>;
385  * } Certificate;
386  *
387  */
388 
389 /* Parse certificate chain send by the server. */
390 MBEDTLS_CHECK_RETURN_CRITICAL
391 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)392 int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
393                                          const unsigned char *buf,
394                                          const unsigned char *end )
395 {
396     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
397     size_t certificate_request_context_len = 0;
398     size_t certificate_list_len = 0;
399     const unsigned char *p = buf;
400     const unsigned char *certificate_list_end;
401     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
402 
403     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
404     certificate_request_context_len = p[0];
405     certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
406     p += 4;
407 
408     /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
409      * support anything beyond 2^16 = 64K.
410      */
411     if( ( certificate_request_context_len != 0 ) ||
412         ( certificate_list_len >= 0x10000 ) )
413     {
414         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
415         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
416                                       MBEDTLS_ERR_SSL_DECODE_ERROR );
417         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
418     }
419 
420     /* In case we tried to reuse a session but it failed */
421     if( ssl->session_negotiate->peer_cert != NULL )
422     {
423         mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
424         mbedtls_free( ssl->session_negotiate->peer_cert );
425     }
426 
427     if( certificate_list_len == 0 )
428     {
429         ssl->session_negotiate->peer_cert = NULL;
430         ret = 0;
431         goto exit;
432     }
433 
434     if( ( ssl->session_negotiate->peer_cert =
435           mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
436     {
437         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
438                                     sizeof( mbedtls_x509_crt ) ) );
439         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
440                                       MBEDTLS_ERR_SSL_ALLOC_FAILED );
441         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
442     }
443 
444     mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
445 
446     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_list_len );
447     certificate_list_end = p + certificate_list_len;
448     while( p < certificate_list_end )
449     {
450         size_t cert_data_len, extensions_len;
451         const unsigned char *extensions_end;
452 
453         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
454         cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
455         p += 3;
456 
457         /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
458          * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
459          * check that we have a minimum of 128 bytes of data, this is not
460          * clear why we need that though.
461          */
462         if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
463         {
464             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
465             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
466                                           MBEDTLS_ERR_SSL_DECODE_ERROR );
467             return( MBEDTLS_ERR_SSL_DECODE_ERROR );
468         }
469 
470         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
471         ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
472                                           p, cert_data_len );
473 
474         switch( ret )
475         {
476             case 0: /*ok*/
477                 break;
478             case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
479                 /* Ignore certificate with an unknown algorithm: maybe a
480                    prior certificate was already trusted. */
481                 break;
482 
483             case MBEDTLS_ERR_X509_ALLOC_FAILED:
484                 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
485                                               MBEDTLS_ERR_X509_ALLOC_FAILED );
486                 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
487                 return( ret );
488 
489             case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
490                 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
491                                               MBEDTLS_ERR_X509_UNKNOWN_VERSION );
492                 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
493                 return( ret );
494 
495             default:
496                 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
497                                               ret );
498                 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
499                 return( ret );
500         }
501 
502         p += cert_data_len;
503 
504         /* Certificate extensions length */
505         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
506         extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
507         p += 2;
508         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
509 
510         extensions_end = p + extensions_len;
511         handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
512 
513         while( p < extensions_end )
514         {
515             unsigned int extension_type;
516             size_t extension_data_len;
517 
518             /*
519             * struct {
520             *     ExtensionType extension_type; (2 bytes)
521             *     opaque extension_data<0..2^16-1>;
522             * } Extension;
523             */
524             MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
525             extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
526             extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
527             p += 4;
528 
529             MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
530 
531             ret = mbedtls_ssl_tls13_check_received_extension(
532                       ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
533                       MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
534             if( ret != 0 )
535                 return( ret );
536 
537             switch( extension_type )
538             {
539                 default:
540                     MBEDTLS_SSL_PRINT_EXT(
541                         3, MBEDTLS_SSL_HS_CERTIFICATE,
542                         extension_type, "( ignored )" );
543                     break;
544             }
545 
546             p += extension_data_len;
547         }
548 
549         MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE,
550                                 handshake->received_extensions );
551     }
552 
553 exit:
554     /* Check that all the message is consumed. */
555     if( p != end )
556     {
557         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
558         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
559                                       MBEDTLS_ERR_SSL_DECODE_ERROR );
560         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
561     }
562 
563     MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
564 
565     return( ret );
566 }
567 #else
568 MBEDTLS_CHECK_RETURN_CRITICAL
569 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)570 int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
571                                          const unsigned char *buf,
572                                          const unsigned char *end )
573 {
574     ((void) ssl);
575     ((void) buf);
576     ((void) end);
577     return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
578 }
579 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
580 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
581 
582 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
583 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
584 /* Validate certificate chain sent by the server. */
585 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_validate_certificate(mbedtls_ssl_context * ssl)586 static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
587 {
588     int ret = 0;
589     int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
590     mbedtls_x509_crt *ca_chain;
591     mbedtls_x509_crl *ca_crl;
592     const char *ext_oid;
593     size_t ext_len;
594     uint32_t verify_result = 0;
595 
596     /* If SNI was used, overwrite authentication mode
597      * from the configuration. */
598 #if defined(MBEDTLS_SSL_SRV_C)
599     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
600     {
601 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
602         if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
603             authmode = ssl->handshake->sni_authmode;
604         else
605 #endif
606             authmode = ssl->conf->authmode;
607     }
608 #endif
609 
610     /*
611      * If the peer hasn't sent a certificate ( i.e. it sent
612      * an empty certificate chain ), this is reflected in the peer CRT
613      * structure being unset.
614      * Check for that and handle it depending on the
615      * authentication mode.
616      */
617     if( ssl->session_negotiate->peer_cert == NULL )
618     {
619         MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
620 
621 #if defined(MBEDTLS_SSL_SRV_C)
622         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
623         {
624             /* The client was asked for a certificate but didn't send
625              * one. The client should know what's going on, so we
626              * don't send an alert.
627              */
628             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
629             if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
630                 return( 0 );
631             else
632             {
633                 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
634                                               MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE  );
635                 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
636             }
637         }
638 #endif /* MBEDTLS_SSL_SRV_C */
639 
640 #if defined(MBEDTLS_SSL_CLI_C)
641         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
642         {
643             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT,
644                                           MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
645             return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
646         }
647 #endif /* MBEDTLS_SSL_CLI_C */
648     }
649 
650 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
651     if( ssl->handshake->sni_ca_chain != NULL )
652     {
653         ca_chain = ssl->handshake->sni_ca_chain;
654         ca_crl = ssl->handshake->sni_ca_crl;
655     }
656     else
657 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
658     {
659         ca_chain = ssl->conf->ca_chain;
660         ca_crl = ssl->conf->ca_crl;
661     }
662 
663     /*
664      * Main check: verify certificate
665      */
666     ret = mbedtls_x509_crt_verify_with_profile(
667         ssl->session_negotiate->peer_cert,
668         ca_chain, ca_crl,
669         ssl->conf->cert_profile,
670         ssl->hostname,
671         &verify_result,
672         ssl->conf->f_vrfy, ssl->conf->p_vrfy );
673 
674     if( ret != 0 )
675     {
676         MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
677     }
678 
679     /*
680      * Secondary checks: always done, but change 'ret' only if it was 0
681      */
682     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
683     {
684         ext_oid = MBEDTLS_OID_SERVER_AUTH;
685         ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
686     }
687     else
688     {
689         ext_oid = MBEDTLS_OID_CLIENT_AUTH;
690         ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
691     }
692 
693     if( ( mbedtls_x509_crt_check_key_usage(
694               ssl->session_negotiate->peer_cert,
695               MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ) ||
696         ( mbedtls_x509_crt_check_extended_key_usage(
697               ssl->session_negotiate->peer_cert,
698               ext_oid, ext_len ) != 0 ) )
699     {
700         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
701         if( ret == 0 )
702             ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
703     }
704 
705     /* mbedtls_x509_crt_verify_with_profile is supposed to report a
706      * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
707      * with details encoded in the verification flags. All other kinds
708      * of error codes, including those from the user provided f_vrfy
709      * functions, are treated as fatal and lead to a failure of
710      * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
711      */
712     if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
713         ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
714           ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
715     {
716         ret = 0;
717     }
718 
719     if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
720     {
721         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
722         ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
723     }
724 
725     if( ret != 0 )
726     {
727         /* The certificate may have been rejected for several reasons.
728            Pick one and send the corresponding alert. Which alert to send
729            may be a subject of debate in some cases. */
730         if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
731             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
732         else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
733             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
734         else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
735                                    MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
736                                    MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
737                                    MBEDTLS_X509_BADCERT_BAD_PK |
738                                    MBEDTLS_X509_BADCERT_BAD_KEY ) )
739             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
740         else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
741             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
742         else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
743             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
744         else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
745             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
746         else
747             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
748     }
749 
750 #if defined(MBEDTLS_DEBUG_C)
751     if( verify_result != 0 )
752     {
753         MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
754                                     (unsigned int) verify_result ) );
755     }
756     else
757     {
758         MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
759     }
760 #endif /* MBEDTLS_DEBUG_C */
761 
762     ssl->session_negotiate->verify_result = verify_result;
763     return( ret );
764 }
765 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
766 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_validate_certificate(mbedtls_ssl_context * ssl)767 static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
768 {
769     ((void) ssl);
770     return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
771 }
772 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
773 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
774 
mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context * ssl)775 int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
776 {
777     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
778     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
779 
780 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
781     unsigned char *buf;
782     size_t buf_len;
783 
784     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
785                           ssl, MBEDTLS_SSL_HS_CERTIFICATE,
786                           &buf, &buf_len ) );
787 
788     /* Parse the certificate chain sent by the peer. */
789     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_parse_certificate( ssl, buf,
790                                                                buf + buf_len ) );
791     /* Validate the certificate chain and set the verification results. */
792     MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
793 
794     mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
795                                         buf, buf_len );
796 
797 cleanup:
798 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
799 
800     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
801     return( ret );
802 }
803 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
804 /*
805  *  enum {
806  *        X509(0),
807  *        RawPublicKey(2),
808  *        (255)
809  *    } CertificateType;
810  *
811  *    struct {
812  *        select (certificate_type) {
813  *            case RawPublicKey:
814  *              // From RFC 7250 ASN.1_subjectPublicKeyInfo
815  *              opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
816  *
817  *            case X509:
818  *              opaque cert_data<1..2^24-1>;
819  *        };
820  *        Extension extensions<0..2^16-1>;
821  *    } CertificateEntry;
822  *
823  *    struct {
824  *        opaque certificate_request_context<0..2^8-1>;
825  *        CertificateEntry certificate_list<0..2^24-1>;
826  *    } Certificate;
827  */
828 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)829 static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
830                                              unsigned char *buf,
831                                              unsigned char *end,
832                                              size_t *out_len )
833 {
834     const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
835     unsigned char *p = buf;
836     unsigned char *certificate_request_context =
837                                     ssl->handshake->certificate_request_context;
838     unsigned char certificate_request_context_len =
839                                 ssl->handshake->certificate_request_context_len;
840     unsigned char *p_certificate_list_len;
841 
842 
843     /* ...
844      * opaque certificate_request_context<0..2^8-1>;
845      * ...
846      */
847     MBEDTLS_SSL_CHK_BUF_PTR( p, end, certificate_request_context_len + 1 );
848     *p++ = certificate_request_context_len;
849     if( certificate_request_context_len > 0 )
850     {
851         memcpy( p, certificate_request_context, certificate_request_context_len );
852         p += certificate_request_context_len;
853     }
854 
855     /* ...
856      * CertificateEntry certificate_list<0..2^24-1>;
857      * ...
858      */
859     MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
860     p_certificate_list_len = p;
861     p += 3;
862 
863     MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
864 
865     while( crt != NULL )
866     {
867         size_t cert_data_len = crt->raw.len;
868 
869         MBEDTLS_SSL_CHK_BUF_PTR( p, end, cert_data_len + 3 + 2 );
870         MBEDTLS_PUT_UINT24_BE( cert_data_len, p, 0 );
871         p += 3;
872 
873         memcpy( p, crt->raw.p, cert_data_len );
874         p += cert_data_len;
875         crt = crt->next;
876 
877         /* Currently, we don't have any certificate extensions defined.
878          * Hence, we are sending an empty extension with length zero.
879          */
880         MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
881         p += 2;
882     }
883 
884     MBEDTLS_PUT_UINT24_BE( p - p_certificate_list_len - 3,
885                            p_certificate_list_len, 0 );
886 
887     *out_len = p - buf;
888 
889     MBEDTLS_SSL_PRINT_EXTS(
890         3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions );
891 
892     return( 0 );
893 }
894 
mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context * ssl)895 int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl )
896 {
897     int ret;
898     unsigned char *buf;
899     size_t buf_len, msg_len;
900 
901     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
902 
903     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
904                           MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) );
905 
906     MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_body( ssl,
907                                                             buf,
908                                                             buf + buf_len,
909                                                             &msg_len ) );
910 
911     mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
912                                         buf, msg_len );
913 
914     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
915                               ssl, buf_len, msg_len ) );
916 cleanup:
917 
918     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
919     return( ret );
920 }
921 
922 /*
923  * STATE HANDLING: Output Certificate Verify
924  */
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,mbedtls_pk_context * key)925 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
926                                                     mbedtls_pk_context *key )
927 {
928     mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk( key );
929     size_t key_size = mbedtls_pk_get_bitlen( key );
930 
931     switch( pk_type )
932     {
933         case MBEDTLS_SSL_SIG_ECDSA:
934             switch( key_size )
935             {
936                 case 256:
937                     return(
938                         sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 );
939 
940                 case 384:
941                     return(
942                         sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 );
943 
944                 case 521:
945                     return(
946                         sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 );
947                 default:
948                     break;
949             }
950             break;
951 
952         case MBEDTLS_SSL_SIG_RSA:
953             switch( sig_alg )
954             {
955                 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
956                 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
957                 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
958                     return( 1 );
959 
960                 default:
961                     break;
962             }
963             break;
964 
965         default:
966             break;
967     }
968 
969     return( 0 );
970 }
971 
972 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)973 static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
974                                                     unsigned char *buf,
975                                                     unsigned char *end,
976                                                     size_t *out_len )
977 {
978     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
979     unsigned char *p = buf;
980     mbedtls_pk_context *own_key;
981 
982     unsigned char handshake_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
983     size_t handshake_hash_len;
984     unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
985     size_t verify_buffer_len;
986 
987     uint16_t *sig_alg = ssl->handshake->received_sig_algs;
988     size_t signature_len = 0;
989 
990     *out_len = 0;
991 
992     own_key = mbedtls_ssl_own_key( ssl );
993     if( own_key == NULL )
994     {
995         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
996         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
997     }
998 
999     ret = mbedtls_ssl_get_handshake_transcript( ssl,
1000                                         ssl->handshake->ciphersuite_info->mac,
1001                                         handshake_hash,
1002                                         sizeof( handshake_hash ),
1003                                         &handshake_hash_len );
1004     if( ret != 0 )
1005         return( ret );
1006 
1007     MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash",
1008         handshake_hash,
1009         handshake_hash_len);
1010 
1011     ssl_tls13_create_verify_structure( handshake_hash, handshake_hash_len,
1012                                        verify_buffer, &verify_buffer_len,
1013                                        ssl->conf->endpoint );
1014 
1015     /*
1016      *  struct {
1017      *    SignatureScheme algorithm;
1018      *    opaque signature<0..2^16-1>;
1019      *  } CertificateVerify;
1020      */
1021     /* Check there is space for the algorithm identifier (2 bytes) and the
1022      * signature length (2 bytes).
1023      */
1024     MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
1025 
1026     for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
1027     {
1028         psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1029         mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
1030         mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
1031         psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
1032         unsigned char verify_hash[PSA_HASH_MAX_SIZE];
1033         size_t verify_hash_len;
1034 
1035         if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
1036             continue;
1037 
1038         if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
1039             continue;
1040 
1041         if( !mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
1042             continue;
1043 
1044         if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
1045                                         *sig_alg, &pk_type, &md_alg ) != 0 )
1046         {
1047              return( MBEDTLS_ERR_SSL_INTERNAL_ERROR  );
1048         }
1049 
1050         /* Hash verify buffer with indicated hash function */
1051         psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg );
1052         status = psa_hash_compute( psa_algorithm,
1053                                    verify_buffer,
1054                                    verify_buffer_len,
1055                                    verify_hash, sizeof( verify_hash ),
1056                                    &verify_hash_len );
1057         if( status != PSA_SUCCESS )
1058             return( psa_ssl_status_to_mbedtls( status ) );
1059 
1060         MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
1061 
1062         if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
1063                         md_alg, verify_hash, verify_hash_len,
1064                         p + 4, (size_t)( end - ( p + 4 ) ), &signature_len,
1065                         ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1066         {
1067              MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature failed with %s",
1068                                     mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
1069              MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_pk_sign_ext", ret );
1070 
1071              /* The signature failed. This is possible if the private key
1072               * was not suitable for the signature operation as purposely we
1073               * did not check its suitability completely. Let's try with
1074               * another signature algorithm.
1075               */
1076              continue;
1077         }
1078 
1079         MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature with %s",
1080                                     mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
1081 
1082         break;
1083     }
1084 
1085     if( *sig_alg == MBEDTLS_TLS1_3_SIG_NONE )
1086     {
1087         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no suitable signature algorithm" ) );
1088         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1089                                       MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1090         return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1091     }
1092 
1093     MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
1094     MBEDTLS_PUT_UINT16_BE( signature_len, p, 2 );
1095 
1096     *out_len = 4 + signature_len;
1097 
1098     return( 0 );
1099 }
1100 
mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context * ssl)1101 int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
1102 {
1103     int ret = 0;
1104     unsigned char *buf;
1105     size_t buf_len, msg_len;
1106 
1107     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1108 
1109     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
1110                 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
1111 
1112     MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
1113                                 ssl, buf, buf + buf_len, &msg_len ) );
1114 
1115     mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1116                                         buf, msg_len );
1117 
1118     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1119                                 ssl, buf_len, msg_len ) );
1120 
1121 cleanup:
1122 
1123     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1124     return( ret );
1125 }
1126 
1127 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1128 
1129 /*
1130  *
1131  * STATE HANDLING: Incoming Finished message.
1132  */
1133 /*
1134  * Implementation
1135  */
1136 
1137 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_preprocess_finished_message(mbedtls_ssl_context * ssl)1138 static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
1139 {
1140     int ret;
1141 
1142     ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
1143                     ssl->handshake->state_local.finished_in.digest,
1144                     sizeof( ssl->handshake->state_local.finished_in.digest ),
1145                     &ssl->handshake->state_local.finished_in.digest_len,
1146                     ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
1147                         MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
1148     if( ret != 0 )
1149     {
1150         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
1151         return( ret );
1152     }
1153 
1154     return( 0 );
1155 }
1156 
1157 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_finished_message(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1158 static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
1159                                              const unsigned char *buf,
1160                                              const unsigned char *end )
1161 {
1162     /*
1163      * struct {
1164      *     opaque verify_data[Hash.length];
1165      * } Finished;
1166      */
1167     const unsigned char *expected_verify_data =
1168         ssl->handshake->state_local.finished_in.digest;
1169     size_t expected_verify_data_len =
1170         ssl->handshake->state_local.finished_in.digest_len;
1171     /* Structural validation */
1172     if( (size_t)( end - buf ) != expected_verify_data_len )
1173     {
1174         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1175 
1176         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1177                                       MBEDTLS_ERR_SSL_DECODE_ERROR );
1178         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1179     }
1180 
1181     MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
1182                            expected_verify_data,
1183                            expected_verify_data_len );
1184     MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
1185                            expected_verify_data_len );
1186 
1187     /* Semantic validation */
1188     if( mbedtls_ct_memcmp( buf,
1189                            expected_verify_data,
1190                            expected_verify_data_len ) != 0 )
1191     {
1192         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1193 
1194         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
1195                                       MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1196         return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1197     }
1198     return( 0 );
1199 }
1200 
mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context * ssl)1201 int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1202 {
1203     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1204     unsigned char *buf;
1205     size_t buf_len;
1206 
1207     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
1208 
1209     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1210                                               MBEDTLS_SSL_HS_FINISHED,
1211                                               &buf, &buf_len ) );
1212 
1213     /* Preprocessing step: Compute handshake digest */
1214     MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
1215 
1216     MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
1217 
1218     mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1219                                         buf, buf_len );
1220 
1221 cleanup:
1222 
1223     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
1224     return( ret );
1225 }
1226 
1227 /*
1228  *
1229  * STATE HANDLING: Write and send Finished message.
1230  *
1231  */
1232 /*
1233  * Implement
1234  */
1235 
1236 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_finished_message(mbedtls_ssl_context * ssl)1237 static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
1238 {
1239     int ret;
1240 
1241     /* Compute transcript of handshake up to now. */
1242     ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
1243                     ssl->handshake->state_local.finished_out.digest,
1244                     sizeof( ssl->handshake->state_local.finished_out.digest ),
1245                     &ssl->handshake->state_local.finished_out.digest_len,
1246                     ssl->conf->endpoint );
1247 
1248     if( ret != 0 )
1249     {
1250         MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
1251         return( ret );
1252     }
1253 
1254     return( 0 );
1255 }
1256 
1257 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_finished_message_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1258 static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
1259                                                   unsigned char *buf,
1260                                                   unsigned char *end,
1261                                                   size_t *out_len )
1262 {
1263     size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
1264     /*
1265      * struct {
1266      *     opaque verify_data[Hash.length];
1267      * } Finished;
1268      */
1269     MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
1270 
1271     memcpy( buf, ssl->handshake->state_local.finished_out.digest,
1272             verify_data_len );
1273 
1274     *out_len = verify_data_len;
1275     return( 0 );
1276 }
1277 
1278 /* Main entry point: orchestrates the other functions */
mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context * ssl)1279 int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1280 {
1281     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1282     unsigned char *buf;
1283     size_t buf_len, msg_len;
1284 
1285     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1286 
1287     MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1288 
1289     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
1290                               MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1291 
1292     MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1293                               ssl, buf, buf + buf_len, &msg_len ) );
1294 
1295     mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1296                                         buf, msg_len );
1297 
1298     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
1299                               ssl, buf_len, msg_len ) );
1300 cleanup:
1301 
1302     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1303     return( ret );
1304 }
1305 
mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)1306 void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1307 {
1308 
1309     MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1310 
1311     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1312     mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1313 
1314     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1315     mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1316 
1317     /*
1318      * Free the previous session and switch to the current one.
1319      */
1320     if( ssl->session )
1321     {
1322         mbedtls_ssl_session_free( ssl->session );
1323         mbedtls_free( ssl->session );
1324     }
1325     ssl->session = ssl->session_negotiate;
1326     ssl->session_negotiate = NULL;
1327 
1328     MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1329 }
1330 
1331 /*
1332  *
1333  * STATE HANDLING: Write ChangeCipherSpec
1334  *
1335  */
1336 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1337 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)1338 static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1339                                                     unsigned char *buf,
1340                                                     unsigned char *end,
1341                                                     size_t *olen )
1342 {
1343     ((void) ssl);
1344 
1345     MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1346     buf[0] = 1;
1347     *olen = 1;
1348 
1349     return( 0 );
1350 }
1351 
mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context * ssl)1352 int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1353 {
1354     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1355 
1356     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1357 
1358     /* Write CCS message */
1359     MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1360                               ssl, ssl->out_msg,
1361                               ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1362                               &ssl->out_msglen ) );
1363 
1364     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1365 
1366     /* Dispatch message */
1367     MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
1368 
1369 cleanup:
1370 
1371     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1372     return( ret );
1373 }
1374 
1375 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1376 
1377 /* Early Data Indication Extension
1378  *
1379  * struct {
1380  *   select ( Handshake.msg_type ) {
1381  *     ...
1382  *     case client_hello:         Empty;
1383  *     case encrypted_extensions: Empty;
1384  *   };
1385  * } EarlyDataIndication;
1386  */
1387 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)1388 int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
1389                                             unsigned char *buf,
1390                                             const unsigned char *end,
1391                                             size_t *out_len )
1392 {
1393     unsigned char *p = buf;
1394     *out_len = 0;
1395     ((void) ssl);
1396 
1397     MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
1398 
1399     MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 );
1400     MBEDTLS_PUT_UINT16_BE( 0, p, 2 );
1401 
1402     *out_len = 4;
1403 
1404     mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_EARLY_DATA );
1405 
1406     return( 0 );
1407 }
1408 #endif /* MBEDTLS_SSL_EARLY_DATA */
1409 
1410 /* Reset SSL context and update hash for handling HRR.
1411  *
1412  * Replace Transcript-Hash(X) by
1413  * Transcript-Hash( message_hash     ||
1414  *                 00 00 Hash.length ||
1415  *                 X )
1416  * A few states of the handshake are preserved, including:
1417  *   - session ID
1418  *   - session ticket
1419  *   - negotiated ciphersuite
1420  */
mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context * ssl)1421 int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
1422 {
1423     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1424     unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
1425     size_t hash_len;
1426     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1427     uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
1428     ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1429 
1430     MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
1431 
1432     ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
1433                                                 hash_transcript + 4,
1434                                                 PSA_HASH_MAX_SIZE,
1435                                                 &hash_len );
1436     if( ret != 0 )
1437     {
1438         MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
1439         return( ret );
1440     }
1441 
1442     hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1443     hash_transcript[1] = 0;
1444     hash_transcript[2] = 0;
1445     hash_transcript[3] = (unsigned char) hash_len;
1446 
1447     hash_len += 4;
1448 
1449 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
1450     if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
1451     {
1452         MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
1453                                hash_transcript, hash_len );
1454 
1455 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1456         psa_hash_abort( &ssl->handshake->fin_sha256_psa );
1457         psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
1458 #else
1459         mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
1460 #endif
1461     }
1462 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
1463 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
1464     if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
1465     {
1466         MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
1467                                hash_transcript, hash_len );
1468 
1469 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1470         psa_hash_abort( &ssl->handshake->fin_sha384_psa );
1471         psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
1472 #else
1473         mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 );
1474 #endif
1475     }
1476 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
1477 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
1478     ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
1479 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
1480 
1481     return( ret );
1482 }
1483 
1484 #if defined(MBEDTLS_ECDH_C)
1485 
mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t buf_len)1486 int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
1487                                                const unsigned char *buf,
1488                                                size_t buf_len )
1489 {
1490     uint8_t *p = (uint8_t*)buf;
1491     const uint8_t *end = buf + buf_len;
1492     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1493 
1494     /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
1495     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1496     uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1497     p += 2;
1498 
1499     /* Check if key size is consistent with given buffer length. */
1500     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, peerkey_len );
1501 
1502     /* Store peer's ECDH public key. */
1503     memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
1504     handshake->ecdh_psa_peerkey_len = peerkey_len;
1505 
1506     return( 0 );
1507 }
1508 
mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(mbedtls_ssl_context * ssl,uint16_t named_group,unsigned char * buf,unsigned char * end,size_t * out_len)1509 int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1510                 mbedtls_ssl_context *ssl,
1511                 uint16_t named_group,
1512                 unsigned char *buf,
1513                 unsigned char *end,
1514                 size_t *out_len )
1515 {
1516     psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1517     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1518     psa_key_attributes_t key_attributes;
1519     size_t own_pubkey_len;
1520     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1521     size_t ecdh_bits = 0;
1522 
1523     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
1524 
1525     /* Convert EC group to PSA key type. */
1526     if( ( handshake->ecdh_psa_type =
1527         mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
1528             return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1529 
1530     ssl->handshake->ecdh_bits = ecdh_bits;
1531 
1532     key_attributes = psa_key_attributes_init();
1533     psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
1534     psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
1535     psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
1536     psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
1537 
1538     /* Generate ECDH private key. */
1539     status = psa_generate_key( &key_attributes,
1540                                 &handshake->ecdh_psa_privkey );
1541     if( status != PSA_SUCCESS )
1542     {
1543         ret = psa_ssl_status_to_mbedtls( status );
1544         MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
1545         return( ret );
1546 
1547     }
1548 
1549     /* Export the public part of the ECDH private key from PSA. */
1550     status = psa_export_public_key( handshake->ecdh_psa_privkey,
1551                                     buf, (size_t)( end - buf ),
1552                                     &own_pubkey_len );
1553     if( status != PSA_SUCCESS )
1554     {
1555         ret = psa_ssl_status_to_mbedtls( status );
1556         MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
1557         return( ret );
1558 
1559     }
1560 
1561     *out_len = own_pubkey_len;
1562 
1563     return( 0 );
1564 }
1565 #endif /* MBEDTLS_ECDH_C */
1566 
1567 /* RFC 8446 section 4.2
1568  *
1569  * If an implementation receives an extension which it recognizes and which is
1570  * not specified for the message in which it appears, it MUST abort the handshake
1571  * with an "illegal_parameter" alert.
1572  *
1573  */
mbedtls_ssl_tls13_check_received_extension(mbedtls_ssl_context * ssl,int hs_msg_type,unsigned int received_extension_type,uint32_t hs_msg_allowed_extensions_mask)1574 int mbedtls_ssl_tls13_check_received_extension(
1575         mbedtls_ssl_context *ssl,
1576         int hs_msg_type,
1577         unsigned int received_extension_type,
1578         uint32_t hs_msg_allowed_extensions_mask )
1579 {
1580     uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
1581                                   received_extension_type );
1582 
1583     MBEDTLS_SSL_PRINT_EXT(
1584         3, hs_msg_type, received_extension_type, "received" );
1585 
1586     if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
1587     {
1588         MBEDTLS_SSL_PRINT_EXT(
1589             3, hs_msg_type, received_extension_type, "is illegal" );
1590         MBEDTLS_SSL_PEND_FATAL_ALERT(
1591             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1592             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1593         return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1594     }
1595 
1596     ssl->handshake->received_extensions |= extension_mask;
1597     /*
1598      * If it is a message containing extension responses, check that we
1599      * previously sent the extension.
1600      */
1601     switch( hs_msg_type )
1602     {
1603         case MBEDTLS_SSL_HS_SERVER_HELLO:
1604         case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
1605         case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
1606         case MBEDTLS_SSL_HS_CERTIFICATE:
1607             /* Check if the received extension is sent by peer message.*/
1608             if( ( ssl->handshake->sent_extensions & extension_mask ) != 0 )
1609                 return( 0 );
1610             break;
1611         default:
1612             return( 0 );
1613     }
1614 
1615     MBEDTLS_SSL_PRINT_EXT(
1616             3, hs_msg_type, received_extension_type, "is unsupported" );
1617     MBEDTLS_SSL_PEND_FATAL_ALERT(
1618         MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1619         MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1620     return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1621 }
1622 
1623 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
1624 
1625