1 /*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "ssl_misc.h"
9
10 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
12 #include <string.h>
13
14 #include "mbedtls/error.h"
15 #include "debug_internal.h"
16 #include "mbedtls/oid.h"
17 #include "mbedtls/platform.h"
18 #include "mbedtls/constant_time.h"
19 #include "psa/crypto.h"
20 #include "mbedtls/psa_util.h"
21
22 #include "ssl_tls13_invasive.h"
23 #include "ssl_tls13_keys.h"
24 #include "ssl_debug_helpers.h"
25
26 #include "psa/crypto.h"
27 #include "psa_util_internal.h"
28
29 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
30 /* Define a local translating function to save code size by not using too many
31 * arguments in each translating place. */
local_err_translation(psa_status_t status)32 static int local_err_translation(psa_status_t status)
33 {
34 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
35 ARRAY_LENGTH(psa_to_ssl_errors),
36 psa_generic_status_to_mbedtls);
37 }
38 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
39 #endif
40
41 const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
42 MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
43 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
44 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
45 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
46 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
47
mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char ** buf,size_t * buf_len)48 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
49 unsigned hs_type,
50 unsigned char **buf,
51 size_t *buf_len)
52 {
53 int ret;
54
55 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
56 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
57 goto cleanup;
58 }
59
60 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
61 ssl->in_msg[0] != hs_type) {
62 MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message."));
63 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
64 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
65 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
66 goto cleanup;
67 }
68
69 /*
70 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
71 * ...
72 * HandshakeType msg_type;
73 * uint24 length;
74 * ...
75 */
76 *buf = ssl->in_msg + 4;
77 *buf_len = ssl->in_hslen - 4;
78
79 cleanup:
80
81 return ret;
82 }
83
mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,const unsigned char ** supported_versions_data,const unsigned char ** supported_versions_data_end)84 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
85 mbedtls_ssl_context *ssl,
86 const unsigned char *buf, const unsigned char *end,
87 const unsigned char **supported_versions_data,
88 const unsigned char **supported_versions_data_end)
89 {
90 const unsigned char *p = buf;
91 size_t extensions_len;
92 const unsigned char *extensions_end;
93
94 *supported_versions_data = NULL;
95 *supported_versions_data_end = NULL;
96
97 /* Case of no extension */
98 if (p == end) {
99 return 0;
100 }
101
102 /* ...
103 * Extension extensions<x..2^16-1>;
104 * ...
105 * struct {
106 * ExtensionType extension_type; (2 bytes)
107 * opaque extension_data<0..2^16-1>;
108 * } Extension;
109 */
110 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
111 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
112 p += 2;
113
114 /* Check extensions do not go beyond the buffer of data. */
115 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
116 extensions_end = p + extensions_len;
117
118 while (p < extensions_end) {
119 unsigned int extension_type;
120 size_t extension_data_len;
121
122 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
123 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
124 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
125 p += 4;
126 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
127
128 if (extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) {
129 *supported_versions_data = p;
130 *supported_versions_data_end = p + extension_data_len;
131 return 1;
132 }
133 p += extension_data_len;
134 }
135
136 return 0;
137 }
138
139 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
140 /*
141 * STATE HANDLING: Read CertificateVerify
142 */
143 /* Macro to express the maximum length of the verify structure.
144 *
145 * The structure is computed per TLS 1.3 specification as:
146 * - 64 bytes of octet 32,
147 * - 33 bytes for the context string
148 * (which is either "TLS 1.3, client CertificateVerify"
149 * or "TLS 1.3, server CertificateVerify"),
150 * - 1 byte for the octet 0x0, which serves as a separator,
151 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
152 * (depending on the size of the transcript_hash)
153 *
154 * This results in a total size of
155 * - 130 bytes for a SHA256-based transcript hash, or
156 * (64 + 33 + 1 + 32 bytes)
157 * - 146 bytes for a SHA384-based transcript hash.
158 * (64 + 33 + 1 + 48 bytes)
159 *
160 */
161 #define SSL_VERIFY_STRUCT_MAX_SIZE (64 + \
162 33 + \
163 1 + \
164 MBEDTLS_TLS1_3_MD_MAX_SIZE \
165 )
166
167 /*
168 * The ssl_tls13_create_verify_structure() creates the verify structure.
169 * As input, it requires the transcript hash.
170 *
171 * The caller has to ensure that the buffer has size at least
172 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
173 */
ssl_tls13_create_verify_structure(const unsigned char * transcript_hash,size_t transcript_hash_len,unsigned char * verify_buffer,size_t * verify_buffer_len,int from)174 static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash,
175 size_t transcript_hash_len,
176 unsigned char *verify_buffer,
177 size_t *verify_buffer_len,
178 int from)
179 {
180 size_t idx;
181
182 /* RFC 8446, Section 4.4.3:
183 *
184 * The digital signature [in the CertificateVerify message] is then
185 * computed over the concatenation of:
186 * - A string that consists of octet 32 (0x20) repeated 64 times
187 * - The context string
188 * - A single 0 byte which serves as the separator
189 * - The content to be signed
190 */
191 memset(verify_buffer, 0x20, 64);
192 idx = 64;
193
194 if (from == MBEDTLS_SSL_IS_CLIENT) {
195 memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv,
196 MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv));
197 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
198 } else { /* from == MBEDTLS_SSL_IS_SERVER */
199 memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv,
200 MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv));
201 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
202 }
203
204 verify_buffer[idx++] = 0x0;
205
206 memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len);
207 idx += transcript_hash_len;
208
209 *verify_buffer_len = idx;
210 }
211
212 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_certificate_verify(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,const unsigned char * verify_buffer,size_t verify_buffer_len)213 static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
214 const unsigned char *buf,
215 const unsigned char *end,
216 const unsigned char *verify_buffer,
217 size_t verify_buffer_len)
218 {
219 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
220 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
221 const unsigned char *p = buf;
222 uint16_t algorithm;
223 size_t signature_len;
224 mbedtls_pk_type_t sig_alg;
225 mbedtls_md_type_t md_alg;
226 psa_algorithm_t hash_alg = PSA_ALG_NONE;
227 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
228 size_t verify_hash_len;
229
230 /*
231 * struct {
232 * SignatureScheme algorithm;
233 * opaque signature<0..2^16-1>;
234 * } CertificateVerify;
235 */
236 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
237 algorithm = MBEDTLS_GET_UINT16_BE(p, 0);
238 p += 2;
239
240 /* RFC 8446 section 4.4.3
241 *
242 * If the CertificateVerify message is sent by a server, the signature
243 * algorithm MUST be one offered in the client's "signature_algorithms"
244 * extension unless no valid certificate chain can be produced without
245 * unsupported algorithms
246 *
247 * RFC 8446 section 4.4.2.2
248 *
249 * If the client cannot construct an acceptable chain using the provided
250 * certificates and decides to abort the handshake, then it MUST abort the
251 * handshake with an appropriate certificate-related alert
252 * (by default, "unsupported_certificate").
253 *
254 * Check if algorithm is an offered signature algorithm.
255 */
256 if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) {
257 /* algorithm not in offered signature algorithms list */
258 MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not "
259 "offered.",
260 (unsigned int) algorithm));
261 goto error;
262 }
263
264 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
265 algorithm, &sig_alg, &md_alg) != 0) {
266 goto error;
267 }
268
269 hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
270 if (hash_alg == 0) {
271 goto error;
272 }
273
274 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )",
275 (unsigned int) algorithm));
276
277 /*
278 * Check the certificate's key type matches the signature alg
279 */
280 if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) {
281 MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
282 goto error;
283 }
284
285 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
286 signature_len = MBEDTLS_GET_UINT16_BE(p, 0);
287 p += 2;
288 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len);
289
290 status = psa_hash_compute(hash_alg,
291 verify_buffer,
292 verify_buffer_len,
293 verify_hash,
294 sizeof(verify_hash),
295 &verify_hash_len);
296 if (status != PSA_SUCCESS) {
297 MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status);
298 goto error;
299 }
300
301 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
302
303 if ((ret = mbedtls_pk_verify_new(sig_alg,
304 &ssl->session_negotiate->peer_cert->pk,
305 md_alg, verify_hash, verify_hash_len,
306 p, signature_len)) == 0) {
307 return 0;
308 }
309 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret);
310
311 error:
312 /* RFC 8446 section 4.4.3
313 *
314 * If the verification fails, the receiver MUST terminate the handshake
315 * with a "decrypt_error" alert.
316 */
317 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
318 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
319 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
320
321 }
322 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
323
mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context * ssl)324 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
325 {
326
327 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
328 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
329 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
330 size_t verify_buffer_len;
331 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
332 size_t transcript_len;
333 unsigned char *buf;
334 size_t buf_len;
335
336 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
337
338 MBEDTLS_SSL_PROC_CHK(
339 mbedtls_ssl_tls13_fetch_handshake_msg(
340 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
341
342 /* Need to calculate the hash of the transcript first
343 * before reading the message since otherwise it gets
344 * included in the transcript
345 */
346 ret = mbedtls_ssl_get_handshake_transcript(
347 ssl,
348 (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
349 transcript, sizeof(transcript),
350 &transcript_len);
351 if (ret != 0) {
352 MBEDTLS_SSL_PEND_FATAL_ALERT(
353 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
354 MBEDTLS_ERR_SSL_INTERNAL_ERROR);
355 return ret;
356 }
357
358 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len);
359
360 /* Create verify structure */
361 ssl_tls13_create_verify_structure(transcript,
362 transcript_len,
363 verify_buffer,
364 &verify_buffer_len,
365 (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ?
366 MBEDTLS_SSL_IS_SERVER :
367 MBEDTLS_SSL_IS_CLIENT);
368
369 /* Process the message contents */
370 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(
371 ssl, buf, buf + buf_len,
372 verify_buffer, verify_buffer_len));
373
374 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
375 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
376 buf, buf_len));
377
378 cleanup:
379
380 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
381 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret);
382 return ret;
383 #else
384 ((void) ssl);
385 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
386 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
387 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
388 }
389
390 /*
391 *
392 * STATE HANDLING: Incoming Certificate.
393 *
394 */
395
396 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
397 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
398 /*
399 * Structure of Certificate message:
400 *
401 * enum {
402 * X509(0),
403 * RawPublicKey(2),
404 * (255)
405 * } CertificateType;
406 *
407 * struct {
408 * select (certificate_type) {
409 * case RawPublicKey:
410 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
411 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
412 * case X509:
413 * opaque cert_data<1..2^24-1>;
414 * };
415 * Extension extensions<0..2^16-1>;
416 * } CertificateEntry;
417 *
418 * struct {
419 * opaque certificate_request_context<0..2^8-1>;
420 * CertificateEntry certificate_list<0..2^24-1>;
421 * } Certificate;
422 *
423 */
424
425 /* Parse certificate chain send by the server. */
426 MBEDTLS_CHECK_RETURN_CRITICAL
427 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)428 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
429 const unsigned char *buf,
430 const unsigned char *end)
431 {
432 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
433 size_t certificate_request_context_len = 0;
434 size_t certificate_list_len = 0;
435 const unsigned char *p = buf;
436 const unsigned char *certificate_list_end;
437 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
438
439 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
440 certificate_request_context_len = p[0];
441 certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1);
442 p += 4;
443
444 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
445 * support anything beyond 2^16 = 64K.
446 */
447 if ((certificate_request_context_len != 0) ||
448 (certificate_list_len >= 0x10000)) {
449 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
450 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
451 MBEDTLS_ERR_SSL_DECODE_ERROR);
452 return MBEDTLS_ERR_SSL_DECODE_ERROR;
453 }
454
455 /* In case we tried to reuse a session but it failed */
456 if (ssl->session_negotiate->peer_cert != NULL) {
457 mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert);
458 mbedtls_free(ssl->session_negotiate->peer_cert);
459 }
460
461 /* This is used by ssl_tls13_validate_certificate() */
462 if (certificate_list_len == 0) {
463 ssl->session_negotiate->peer_cert = NULL;
464 ret = 0;
465 goto exit;
466 }
467
468 if ((ssl->session_negotiate->peer_cert =
469 mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) {
470 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
471 sizeof(mbedtls_x509_crt)));
472 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
473 MBEDTLS_ERR_SSL_ALLOC_FAILED);
474 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
475 }
476
477 mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert);
478
479 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len);
480 certificate_list_end = p + certificate_list_len;
481 while (p < certificate_list_end) {
482 size_t cert_data_len, extensions_len;
483 const unsigned char *extensions_end;
484
485 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3);
486 cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0);
487 p += 3;
488
489 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
490 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
491 * check that we have a minimum of 128 bytes of data, this is not
492 * clear why we need that though.
493 */
494 if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) {
495 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
496 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
497 MBEDTLS_ERR_SSL_DECODE_ERROR);
498 return MBEDTLS_ERR_SSL_DECODE_ERROR;
499 }
500
501 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len);
502 ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert,
503 p, cert_data_len);
504
505 switch (ret) {
506 case 0: /*ok*/
507 break;
508 case MBEDTLS_ERR_X509_UNKNOWN_OID:
509 /* Ignore certificate with an unknown algorithm: maybe a
510 prior certificate was already trusted. */
511 break;
512
513 case MBEDTLS_ERR_X509_ALLOC_FAILED:
514 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
515 MBEDTLS_ERR_X509_ALLOC_FAILED);
516 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
517 return ret;
518
519 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
520 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
521 MBEDTLS_ERR_X509_UNKNOWN_VERSION);
522 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
523 return ret;
524
525 default:
526 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
527 ret);
528 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
529 return ret;
530 }
531
532 p += cert_data_len;
533
534 /* Certificate extensions length */
535 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2);
536 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
537 p += 2;
538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len);
539
540 extensions_end = p + extensions_len;
541 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
542
543 while (p < extensions_end) {
544 unsigned int extension_type;
545 size_t extension_data_len;
546
547 /*
548 * struct {
549 * ExtensionType extension_type; (2 bytes)
550 * opaque extension_data<0..2^16-1>;
551 * } Extension;
552 */
553 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
554 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
555 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
556 p += 4;
557
558 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
559
560 ret = mbedtls_ssl_tls13_check_received_extension(
561 ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
562 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT);
563 if (ret != 0) {
564 return ret;
565 }
566
567 switch (extension_type) {
568 default:
569 MBEDTLS_SSL_PRINT_EXT(
570 3, MBEDTLS_SSL_HS_CERTIFICATE,
571 extension_type, "( ignored )");
572 break;
573 }
574
575 p += extension_data_len;
576 }
577
578 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE,
579 handshake->received_extensions);
580 }
581
582 exit:
583 /* Check that all the message is consumed. */
584 if (p != end) {
585 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
586 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
587 MBEDTLS_ERR_SSL_DECODE_ERROR);
588 return MBEDTLS_ERR_SSL_DECODE_ERROR;
589 }
590
591 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate",
592 ssl->session_negotiate->peer_cert);
593
594 return ret;
595 }
596 #else
597 MBEDTLS_CHECK_RETURN_CRITICAL
598 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)599 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
600 const unsigned char *buf,
601 const unsigned char *end)
602 {
603 ((void) ssl);
604 ((void) buf);
605 ((void) end);
606 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
607 }
608 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
609 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
610
611 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
612 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
613 /* Validate certificate chain sent by the server. */
614 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_validate_certificate(mbedtls_ssl_context * ssl)615 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
616 {
617 /* Authmode: precedence order is SNI if used else configuration */
618 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
619 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
620 ? ssl->handshake->sni_authmode
621 : ssl->conf->authmode;
622 #else
623 const int authmode = ssl->conf->authmode;
624 #endif
625
626 /*
627 * If the peer hasn't sent a certificate ( i.e. it sent
628 * an empty certificate chain ), this is reflected in the peer CRT
629 * structure being unset.
630 * Check for that and handle it depending on the
631 * authentication mode.
632 */
633 if (ssl->session_negotiate->peer_cert == NULL) {
634 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
635
636 #if defined(MBEDTLS_SSL_SRV_C)
637 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
638 /* The client was asked for a certificate but didn't send
639 * one. The client should know what's going on, so we
640 * don't send an alert.
641 */
642 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
643 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
644 return 0;
645 } else {
646 MBEDTLS_SSL_PEND_FATAL_ALERT(
647 MBEDTLS_SSL_ALERT_MSG_NO_CERT,
648 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
649 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
650 }
651 }
652 #endif /* MBEDTLS_SSL_SRV_C */
653
654 #if defined(MBEDTLS_SSL_CLI_C)
655 /* Regardless of authmode, the server is not allowed to send an empty
656 * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The
657 * server's certificate_list MUST always be non-empty.") With authmode
658 * optional/none, we continue the handshake if we can't validate the
659 * server's cert, but we still break it if no certificate was sent. */
660 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
661 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
662 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
663 return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
664 }
665 #endif /* MBEDTLS_SSL_CLI_C */
666 }
667
668 return mbedtls_ssl_verify_certificate(ssl, authmode,
669 ssl->session_negotiate->peer_cert,
670 NULL, NULL);
671 }
672 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
673 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_validate_certificate(mbedtls_ssl_context * ssl)674 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
675 {
676 ((void) ssl);
677 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
678 }
679 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
680 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
681
mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context * ssl)682 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
683 {
684 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
685 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
686
687 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
688 unsigned char *buf;
689 size_t buf_len;
690
691 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
692 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
693 &buf, &buf_len));
694
695 /* Parse the certificate chain sent by the peer. */
696 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf,
697 buf + buf_len));
698 /* Validate the certificate chain and set the verification results. */
699 MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
700
701 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
702 ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len));
703
704 cleanup:
705 #else /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
706 (void) ssl;
707 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
708
709 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
710 return ret;
711 }
712 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
713 /*
714 * enum {
715 * X509(0),
716 * RawPublicKey(2),
717 * (255)
718 * } CertificateType;
719 *
720 * struct {
721 * select (certificate_type) {
722 * case RawPublicKey:
723 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
724 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
725 *
726 * case X509:
727 * opaque cert_data<1..2^24-1>;
728 * };
729 * Extension extensions<0..2^16-1>;
730 * } CertificateEntry;
731 *
732 * struct {
733 * opaque certificate_request_context<0..2^8-1>;
734 * CertificateEntry certificate_list<0..2^24-1>;
735 * } Certificate;
736 */
737 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)738 static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl,
739 unsigned char *buf,
740 unsigned char *end,
741 size_t *out_len)
742 {
743 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl);
744 unsigned char *p = buf;
745 unsigned char *certificate_request_context =
746 ssl->handshake->certificate_request_context;
747 unsigned char certificate_request_context_len =
748 ssl->handshake->certificate_request_context_len;
749 unsigned char *p_certificate_list_len;
750
751
752 /* ...
753 * opaque certificate_request_context<0..2^8-1>;
754 * ...
755 */
756 MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1);
757 *p++ = certificate_request_context_len;
758 if (certificate_request_context_len > 0) {
759 memcpy(p, certificate_request_context, certificate_request_context_len);
760 p += certificate_request_context_len;
761 }
762
763 /* ...
764 * CertificateEntry certificate_list<0..2^24-1>;
765 * ...
766 */
767 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
768 p_certificate_list_len = p;
769 p += 3;
770
771 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt);
772
773 while (crt != NULL) {
774 size_t cert_data_len = crt->raw.len;
775
776 MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2);
777 MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0);
778 p += 3;
779
780 memcpy(p, crt->raw.p, cert_data_len);
781 p += cert_data_len;
782 crt = crt->next;
783
784 /* Currently, we don't have any certificate extensions defined.
785 * Hence, we are sending an empty extension with length zero.
786 */
787 MBEDTLS_PUT_UINT16_BE(0, p, 0);
788 p += 2;
789 }
790
791 MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3,
792 p_certificate_list_len, 0);
793
794 *out_len = p - buf;
795
796 MBEDTLS_SSL_PRINT_EXTS(
797 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions);
798
799 return 0;
800 }
801
mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context * ssl)802 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
803 {
804 int ret;
805 unsigned char *buf;
806 size_t buf_len, msg_len;
807
808 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
809
810 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
811 ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len));
812
813 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
814 buf,
815 buf + buf_len,
816 &msg_len));
817
818 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
819 ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len));
820
821 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
822 ssl, buf_len, msg_len));
823 cleanup:
824
825 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
826 return ret;
827 }
828
829 /*
830 * STATE HANDLING: Output Certificate Verify
831 */
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,mbedtls_pk_context * key)832 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
833 mbedtls_pk_context *key)
834 {
835 mbedtls_pk_type_t pk_type = (mbedtls_pk_type_t) mbedtls_ssl_sig_from_pk(key);
836 size_t key_size = mbedtls_pk_get_bitlen(key);
837
838 switch (pk_type) {
839 case MBEDTLS_SSL_SIG_ECDSA:
840 switch (key_size) {
841 case 256:
842 return
843 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
844
845 case 384:
846 return
847 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
848
849 case 521:
850 return
851 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
852 default:
853 break;
854 }
855 break;
856
857 case MBEDTLS_SSL_SIG_RSA:
858 switch (sig_alg) {
859 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
860 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
861 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
862 return 1;
863
864 default:
865 break;
866 }
867 break;
868
869 default:
870 break;
871 }
872
873 return 0;
874 }
875
876 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)877 static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
878 unsigned char *buf,
879 unsigned char *end,
880 size_t *out_len)
881 {
882 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
883 unsigned char *p = buf;
884 mbedtls_pk_context *own_key;
885
886 unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE];
887 size_t handshake_hash_len;
888 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
889 size_t verify_buffer_len;
890
891 uint16_t *sig_alg = ssl->handshake->received_sig_algs;
892 size_t signature_len = 0;
893
894 *out_len = 0;
895
896 own_key = mbedtls_ssl_own_key(ssl);
897 if (own_key == NULL) {
898 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
899 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
900 }
901
902 ret = mbedtls_ssl_get_handshake_transcript(
903 ssl, (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
904 handshake_hash, sizeof(handshake_hash), &handshake_hash_len);
905 if (ret != 0) {
906 return ret;
907 }
908
909 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash",
910 handshake_hash,
911 handshake_hash_len);
912
913 ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len,
914 verify_buffer, &verify_buffer_len,
915 ssl->conf->endpoint);
916
917 /*
918 * struct {
919 * SignatureScheme algorithm;
920 * opaque signature<0..2^16-1>;
921 * } CertificateVerify;
922 */
923 /* Check there is space for the algorithm identifier (2 bytes) and the
924 * signature length (2 bytes).
925 */
926 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
927
928 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
929 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
930 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
931 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
932 psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
933 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
934 size_t verify_hash_len;
935
936 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
937 continue;
938 }
939
940 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
941 continue;
942 }
943
944 if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) {
945 continue;
946 }
947
948 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
949 *sig_alg, &pk_type, &md_alg) != 0) {
950 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
951 }
952
953 /* Hash verify buffer with indicated hash function */
954 psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg);
955 status = psa_hash_compute(psa_algorithm,
956 verify_buffer,
957 verify_buffer_len,
958 verify_hash, sizeof(verify_hash),
959 &verify_hash_len);
960 if (status != PSA_SUCCESS) {
961 return PSA_TO_MBEDTLS_ERR(status);
962 }
963
964 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
965
966 if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_type, own_key,
967 md_alg, verify_hash, verify_hash_len,
968 p + 4, (size_t) (end - (p + 4)), &signature_len)) != 0) {
969 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
970 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
971 MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);
972
973 /* The signature failed. This is possible if the private key
974 * was not suitable for the signature operation as purposely we
975 * did not check its suitability completely. Let's try with
976 * another signature algorithm.
977 */
978 continue;
979 }
980
981 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s",
982 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
983
984 break;
985 }
986
987 if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) {
988 MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm"));
989 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
990 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
991 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
992 }
993
994 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
995 MBEDTLS_PUT_UINT16_BE(signature_len, p, 2);
996
997 *out_len = 4 + signature_len;
998
999 return 0;
1000 }
1001
mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context * ssl)1002 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
1003 {
1004 int ret = 0;
1005 unsigned char *buf;
1006 size_t buf_len, msg_len;
1007
1008 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
1009
1010 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
1011 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1012 &buf, &buf_len));
1013
1014 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
1015 ssl, buf, buf + buf_len, &msg_len));
1016
1017 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1018 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
1019 buf, msg_len));
1020
1021 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1022 ssl, buf_len, msg_len));
1023
1024 cleanup:
1025
1026 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
1027 return ret;
1028 }
1029
1030 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1031
1032 /*
1033 *
1034 * STATE HANDLING: Incoming Finished message.
1035 */
1036 /*
1037 * Implementation
1038 */
1039
1040 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_preprocess_finished_message(mbedtls_ssl_context * ssl)1041 static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
1042 {
1043 int ret;
1044
1045 ret = mbedtls_ssl_tls13_calculate_verify_data(
1046 ssl,
1047 ssl->handshake->state_local.finished_in.digest,
1048 sizeof(ssl->handshake->state_local.finished_in.digest),
1049 &ssl->handshake->state_local.finished_in.digest_len,
1050 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
1051 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
1052 if (ret != 0) {
1053 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
1054 return ret;
1055 }
1056
1057 return 0;
1058 }
1059
1060 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_finished_message(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1061 static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl,
1062 const unsigned char *buf,
1063 const unsigned char *end)
1064 {
1065 /*
1066 * struct {
1067 * opaque verify_data[Hash.length];
1068 * } Finished;
1069 */
1070 const unsigned char *expected_verify_data =
1071 ssl->handshake->state_local.finished_in.digest;
1072 size_t expected_verify_data_len =
1073 ssl->handshake->state_local.finished_in.digest_len;
1074 /* Structural validation */
1075 if ((size_t) (end - buf) != expected_verify_data_len) {
1076 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
1077
1078 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1079 MBEDTLS_ERR_SSL_DECODE_ERROR);
1080 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1081 }
1082
1083 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):",
1084 expected_verify_data,
1085 expected_verify_data_len);
1086 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf,
1087 expected_verify_data_len);
1088
1089 /* Semantic validation */
1090 if (mbedtls_ct_memcmp(buf,
1091 expected_verify_data,
1092 expected_verify_data_len) != 0) {
1093 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
1094
1095 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
1096 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1097 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1098 }
1099 return 0;
1100 }
1101
mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context * ssl)1102 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
1103 {
1104 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1105 unsigned char *buf;
1106 size_t buf_len;
1107
1108 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
1109
1110 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1111 ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
1112
1113 /* Preprocessing step: Compute handshake digest */
1114 MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
1115
1116 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(
1117 ssl, buf, buf + buf_len));
1118
1119 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1120 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
1121
1122 cleanup:
1123
1124 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message"));
1125 return ret;
1126 }
1127
1128 /*
1129 *
1130 * STATE HANDLING: Write and send Finished message.
1131 *
1132 */
1133 /*
1134 * Implement
1135 */
1136
1137 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_finished_message(mbedtls_ssl_context * ssl)1138 static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl)
1139 {
1140 int ret;
1141
1142 /* Compute transcript of handshake up to now. */
1143 ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
1144 ssl->handshake->state_local.finished_out.digest,
1145 sizeof(ssl->handshake->state_local.finished_out.
1146 digest),
1147 &ssl->handshake->state_local.finished_out.
1148 digest_len,
1149 ssl->conf->endpoint);
1150
1151 if (ret != 0) {
1152 MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret);
1153 return ret;
1154 }
1155
1156 return 0;
1157 }
1158
1159 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_finished_message_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1160 static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl,
1161 unsigned char *buf,
1162 unsigned char *end,
1163 size_t *out_len)
1164 {
1165 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
1166 /*
1167 * struct {
1168 * opaque verify_data[Hash.length];
1169 * } Finished;
1170 */
1171 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len);
1172
1173 memcpy(buf, ssl->handshake->state_local.finished_out.digest,
1174 verify_data_len);
1175
1176 *out_len = verify_data_len;
1177 return 0;
1178 }
1179
1180 /* Main entry point: orchestrates the other functions */
mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context * ssl)1181 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl)
1182 {
1183 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1184 unsigned char *buf;
1185 size_t buf_len, msg_len;
1186
1187 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message"));
1188
1189 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl));
1190
1191 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
1192 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
1193
1194 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
1195 ssl, buf, buf + buf_len, &msg_len));
1196
1197 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
1198 MBEDTLS_SSL_HS_FINISHED, buf, msg_len));
1199
1200 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
1201 ssl, buf_len, msg_len));
1202 cleanup:
1203
1204 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message"));
1205 return ret;
1206 }
1207
mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)1208 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
1209 {
1210
1211 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
1212
1213 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic"));
1214 mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application);
1215
1216 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic"));
1217 mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application);
1218
1219 /*
1220 * Free the previous session and switch to the current one.
1221 */
1222 if (ssl->session) {
1223 mbedtls_ssl_session_free(ssl->session);
1224 mbedtls_free(ssl->session);
1225 }
1226 ssl->session = ssl->session_negotiate;
1227 ssl->session_negotiate = NULL;
1228
1229 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
1230 }
1231
1232 /*
1233 *
1234 * STATE HANDLING: Write ChangeCipherSpec
1235 *
1236 */
1237 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1238 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)1239 static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
1240 unsigned char *buf,
1241 unsigned char *end,
1242 size_t *olen)
1243 {
1244 ((void) ssl);
1245
1246 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1);
1247 buf[0] = 1;
1248 *olen = 1;
1249
1250 return 0;
1251 }
1252
mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context * ssl)1253 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
1254 {
1255 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1256
1257 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
1258
1259 /* Only one CCS to send. */
1260 if (ssl->handshake->ccs_sent) {
1261 ret = 0;
1262 goto cleanup;
1263 }
1264
1265 /* Write CCS message */
1266 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
1267 ssl, ssl->out_msg,
1268 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1269 &ssl->out_msglen));
1270
1271 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1272
1273 /* Dispatch message */
1274 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
1275
1276 ssl->handshake->ccs_sent = 1;
1277
1278 cleanup:
1279
1280 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1281 return ret;
1282 }
1283
1284 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1285
1286 /* Early Data Indication Extension
1287 *
1288 * struct {
1289 * select ( Handshake.msg_type ) {
1290 * case new_session_ticket: uint32 max_early_data_size;
1291 * case client_hello: Empty;
1292 * case encrypted_extensions: Empty;
1293 * };
1294 * } EarlyDataIndication;
1295 */
1296 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context * ssl,int in_new_session_ticket,unsigned char * buf,const unsigned char * end,size_t * out_len)1297 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
1298 int in_new_session_ticket,
1299 unsigned char *buf,
1300 const unsigned char *end,
1301 size_t *out_len)
1302 {
1303 unsigned char *p = buf;
1304
1305 #if defined(MBEDTLS_SSL_SRV_C)
1306 const size_t needed = in_new_session_ticket ? 8 : 4;
1307 #else
1308 const size_t needed = 4;
1309 ((void) in_new_session_ticket);
1310 #endif
1311
1312 *out_len = 0;
1313
1314 MBEDTLS_SSL_CHK_BUF_PTR(p, end, needed);
1315
1316 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
1317 MBEDTLS_PUT_UINT16_BE(needed - 4, p, 2);
1318
1319 #if defined(MBEDTLS_SSL_SRV_C)
1320 if (in_new_session_ticket) {
1321 MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4);
1322 MBEDTLS_SSL_DEBUG_MSG(
1323 4, ("Sent max_early_data_size=%u",
1324 (unsigned int) ssl->conf->max_early_data_size));
1325 }
1326 #endif
1327
1328 *out_len = needed;
1329
1330 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
1331
1332 return 0;
1333 }
1334
1335 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context * ssl,size_t early_data_len)1336 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
1337 size_t early_data_len)
1338 {
1339 /*
1340 * This function should be called only while an handshake is in progress
1341 * and thus a session under negotiation. Add a sanity check to detect a
1342 * misuse.
1343 */
1344 if (ssl->session_negotiate == NULL) {
1345 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1346 }
1347
1348 /* RFC 8446 section 4.6.1
1349 *
1350 * A server receiving more than max_early_data_size bytes of 0-RTT data
1351 * SHOULD terminate the connection with an "unexpected_message" alert.
1352 * Note that if it is still possible to send early_data_len bytes of early
1353 * data, it means that early_data_len is smaller than max_early_data_size
1354 * (type uint32_t) and can fit in an uint32_t. We use this further
1355 * down.
1356 */
1357 if (early_data_len >
1358 (ssl->session_negotiate->max_early_data_size -
1359 ssl->total_early_data_size)) {
1360
1361 MBEDTLS_SSL_DEBUG_MSG(
1362 2, ("EarlyData: Too much early data received, "
1363 "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu",
1364 (unsigned long) ssl->total_early_data_size,
1365 early_data_len,
1366 (unsigned long) ssl->session_negotiate->max_early_data_size));
1367
1368 MBEDTLS_SSL_PEND_FATAL_ALERT(
1369 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1370 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
1371 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1372 }
1373
1374 /*
1375 * early_data_len has been checked to be less than max_early_data_size
1376 * that is uint32_t. Its cast to an uint32_t below is thus safe. We need
1377 * the cast to appease some compilers.
1378 */
1379 ssl->total_early_data_size += (uint32_t) early_data_len;
1380
1381 return 0;
1382 }
1383 #endif /* MBEDTLS_SSL_SRV_C */
1384 #endif /* MBEDTLS_SSL_EARLY_DATA */
1385
1386 /* Reset SSL context and update hash for handling HRR.
1387 *
1388 * Replace Transcript-Hash(X) by
1389 * Transcript-Hash( message_hash ||
1390 * 00 00 Hash.length ||
1391 * X )
1392 * A few states of the handshake are preserved, including:
1393 * - session ID
1394 * - session ticket
1395 * - negotiated ciphersuite
1396 */
mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context * ssl)1397 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
1398 {
1399 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1400 unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
1401 size_t hash_len;
1402 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1403 ssl->handshake->ciphersuite_info;
1404
1405 MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR"));
1406
1407 ret = mbedtls_ssl_get_handshake_transcript(ssl, (mbedtls_md_type_t) ciphersuite_info->mac,
1408 hash_transcript + 4,
1409 PSA_HASH_MAX_SIZE,
1410 &hash_len);
1411 if (ret != 0) {
1412 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
1413 return ret;
1414 }
1415
1416 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
1417 hash_transcript[1] = 0;
1418 hash_transcript[2] = 0;
1419 hash_transcript[3] = (unsigned char) hash_len;
1420
1421 hash_len += 4;
1422
1423 MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript",
1424 hash_transcript, hash_len);
1425
1426 /* Reset running hash and replace it with a hash of the transcript */
1427 ret = mbedtls_ssl_reset_checksum(ssl);
1428 if (ret != 0) {
1429 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1430 return ret;
1431 }
1432 ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
1433 if (ret != 0) {
1434 MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
1435 return ret;
1436 }
1437
1438 return ret;
1439 }
1440
1441 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1442
mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t buf_len)1443 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
1444 const unsigned char *buf,
1445 size_t buf_len)
1446 {
1447 uint8_t *p = (uint8_t *) buf;
1448 const uint8_t *end = buf + buf_len;
1449 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1450
1451 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
1452 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1453 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0);
1454 p += 2;
1455
1456 /* Check if key size is consistent with given buffer length. */
1457 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
1458
1459 /* Store peer's ECDH/FFDH public key. */
1460 if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) {
1461 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,
1462 (unsigned) peerkey_len,
1463 sizeof(handshake->xxdh_psa_peerkey)));
1464 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1465 }
1466 memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
1467 handshake->xxdh_psa_peerkey_len = peerkey_len;
1468
1469 return 0;
1470 }
1471
1472 #if defined(PSA_WANT_ALG_FFDH)
mbedtls_ssl_get_psa_ffdh_info_from_tls_id(uint16_t tls_id,size_t * bits,psa_key_type_t * key_type)1473 static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
1474 uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
1475 {
1476 switch (tls_id) {
1477 #if defined(PSA_WANT_DH_RFC7919_2048)
1478 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
1479 *bits = 2048;
1480 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1481 return PSA_SUCCESS;
1482 #endif /* PSA_WANT_DH_RFC7919_2048 */
1483 #if defined(PSA_WANT_DH_RFC7919_3072)
1484 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
1485 *bits = 3072;
1486 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1487 return PSA_SUCCESS;
1488 #endif /* PSA_WANT_DH_RFC7919_3072 */
1489 #if defined(PSA_WANT_DH_RFC7919_4096)
1490 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
1491 *bits = 4096;
1492 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1493 return PSA_SUCCESS;
1494 #endif /* PSA_WANT_DH_RFC7919_4096 */
1495 #if defined(PSA_WANT_DH_RFC7919_6144)
1496 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
1497 *bits = 6144;
1498 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1499 return PSA_SUCCESS;
1500 #endif /* PSA_WANT_DH_RFC7919_6144 */
1501 #if defined(PSA_WANT_DH_RFC7919_8192)
1502 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
1503 *bits = 8192;
1504 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
1505 return PSA_SUCCESS;
1506 #endif /* PSA_WANT_DH_RFC7919_8192 */
1507 default:
1508 return PSA_ERROR_NOT_SUPPORTED;
1509 }
1510 }
1511 #endif /* PSA_WANT_ALG_FFDH */
1512
mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(mbedtls_ssl_context * ssl,uint16_t named_group,unsigned char * buf,unsigned char * end,size_t * out_len)1513 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
1514 mbedtls_ssl_context *ssl,
1515 uint16_t named_group,
1516 unsigned char *buf,
1517 unsigned char *end,
1518 size_t *out_len)
1519 {
1520 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1521 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1522 psa_key_attributes_t key_attributes;
1523 size_t own_pubkey_len;
1524 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1525 size_t bits = 0;
1526 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
1527 psa_algorithm_t alg = PSA_ALG_NONE;
1528 size_t buf_size = (size_t) (end - buf);
1529
1530 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation."));
1531
1532 /* Convert EC's TLS ID to PSA key type. */
1533 #if defined(PSA_WANT_ALG_ECDH)
1534 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
1535 named_group, &key_type, &bits) == PSA_SUCCESS) {
1536 alg = PSA_ALG_ECDH;
1537 }
1538 #endif
1539 #if defined(PSA_WANT_ALG_FFDH)
1540 if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits,
1541 &key_type) == PSA_SUCCESS) {
1542 alg = PSA_ALG_FFDH;
1543 }
1544 #endif
1545
1546 if (key_type == PSA_KEY_TYPE_NONE) {
1547 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1548 }
1549
1550 if (buf_size < PSA_BITS_TO_BYTES(bits)) {
1551 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
1552 }
1553
1554 handshake->xxdh_psa_type = key_type;
1555 ssl->handshake->xxdh_psa_bits = bits;
1556
1557 key_attributes = psa_key_attributes_init();
1558 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
1559 psa_set_key_algorithm(&key_attributes, alg);
1560 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
1561 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
1562
1563 /* Generate ECDH/FFDH private key. */
1564 status = psa_generate_key(&key_attributes,
1565 &handshake->xxdh_psa_privkey);
1566 if (status != PSA_SUCCESS) {
1567 ret = PSA_TO_MBEDTLS_ERR(status);
1568 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
1569 return ret;
1570
1571 }
1572
1573 /* Export the public part of the ECDH/FFDH private key from PSA. */
1574 status = psa_export_public_key(handshake->xxdh_psa_privkey,
1575 buf, buf_size,
1576 &own_pubkey_len);
1577
1578 if (status != PSA_SUCCESS) {
1579 ret = PSA_TO_MBEDTLS_ERR(status);
1580 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
1581 return ret;
1582 }
1583
1584 *out_len = own_pubkey_len;
1585
1586 return 0;
1587 }
1588 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1589
1590 /* RFC 8446 section 4.2
1591 *
1592 * If an implementation receives an extension which it recognizes and which is
1593 * not specified for the message in which it appears, it MUST abort the handshake
1594 * with an "illegal_parameter" alert.
1595 *
1596 */
mbedtls_ssl_tls13_check_received_extension(mbedtls_ssl_context * ssl,int hs_msg_type,unsigned int received_extension_type,uint32_t hs_msg_allowed_extensions_mask)1597 int mbedtls_ssl_tls13_check_received_extension(
1598 mbedtls_ssl_context *ssl,
1599 int hs_msg_type,
1600 unsigned int received_extension_type,
1601 uint32_t hs_msg_allowed_extensions_mask)
1602 {
1603 uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
1604 received_extension_type);
1605
1606 MBEDTLS_SSL_PRINT_EXT(
1607 3, hs_msg_type, received_extension_type, "received");
1608
1609 if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) {
1610 MBEDTLS_SSL_PRINT_EXT(
1611 3, hs_msg_type, received_extension_type, "is illegal");
1612 MBEDTLS_SSL_PEND_FATAL_ALERT(
1613 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1614 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1615 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1616 }
1617
1618 ssl->handshake->received_extensions |= extension_mask;
1619 /*
1620 * If it is a message containing extension responses, check that we
1621 * previously sent the extension.
1622 */
1623 switch (hs_msg_type) {
1624 case MBEDTLS_SSL_HS_SERVER_HELLO:
1625 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
1626 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
1627 case MBEDTLS_SSL_HS_CERTIFICATE:
1628 /* Check if the received extension is sent by peer message.*/
1629 if ((ssl->handshake->sent_extensions & extension_mask) != 0) {
1630 return 0;
1631 }
1632 break;
1633 default:
1634 return 0;
1635 }
1636
1637 MBEDTLS_SSL_PRINT_EXT(
1638 3, hs_msg_type, received_extension_type, "is unsupported");
1639 MBEDTLS_SSL_PEND_FATAL_ALERT(
1640 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1641 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
1642 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1643 }
1644
1645 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1646
1647 /* RFC 8449, section 4:
1648 *
1649 * The ExtensionData of the "record_size_limit" extension is
1650 * RecordSizeLimit:
1651 * uint16 RecordSizeLimit;
1652 */
1653 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1654 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
1655 const unsigned char *buf,
1656 const unsigned char *end)
1657 {
1658 const unsigned char *p = buf;
1659 uint16_t record_size_limit;
1660 const size_t extension_data_len = end - buf;
1661
1662 if (extension_data_len !=
1663 MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
1664 MBEDTLS_SSL_DEBUG_MSG(2,
1665 ("record_size_limit extension has invalid length: %"
1666 MBEDTLS_PRINTF_SIZET " Bytes",
1667 extension_data_len));
1668
1669 MBEDTLS_SSL_PEND_FATAL_ALERT(
1670 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1671 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1672 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1673 }
1674
1675 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1676 record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
1677
1678 MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
1679
1680 /* RFC 8449, section 4:
1681 *
1682 * Endpoints MUST NOT send a "record_size_limit" extension with a value
1683 * smaller than 64. An endpoint MUST treat receipt of a smaller value
1684 * as a fatal error and generate an "illegal_parameter" alert.
1685 */
1686 if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
1687 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes",
1688 record_size_limit));
1689 MBEDTLS_SSL_PEND_FATAL_ALERT(
1690 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1691 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1692 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1693 }
1694
1695 ssl->session_negotiate->record_size_limit = record_size_limit;
1696
1697 return 0;
1698 }
1699
1700 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)1701 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
1702 unsigned char *buf,
1703 const unsigned char *end,
1704 size_t *out_len)
1705 {
1706 unsigned char *p = buf;
1707 *out_len = 0;
1708
1709 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN,
1710 "MBEDTLS_SSL_IN_CONTENT_LEN is less than the "
1711 "minimum record size limit");
1712
1713 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
1714
1715 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0);
1716 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH,
1717 p, 2);
1718 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4);
1719
1720 *out_len = 6;
1721
1722 MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes",
1723 MBEDTLS_SSL_IN_CONTENT_LEN));
1724
1725 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT);
1726
1727 return 0;
1728 }
1729
1730 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1731
1732 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
1733