ssl_tls13_generic.c (60811B)
1 /* 2 * TLS 1.3 functionality shared between client and server 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8 #include "common.h" 9 10 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 11 12 #include <string.h> 13 14 #include "mbedtls/error.h" 15 #include "debug_internal.h" 16 #include "mbedtls/oid.h" 17 #include "mbedtls/platform.h" 18 #include "mbedtls/constant_time.h" 19 #include "psa/crypto.h" 20 #include "mbedtls/psa_util.h" 21 22 #include "ssl_misc.h" 23 #include "ssl_tls13_invasive.h" 24 #include "ssl_tls13_keys.h" 25 #include "ssl_debug_helpers.h" 26 27 #include "psa/crypto.h" 28 #include "psa_util_internal.h" 29 30 /* Define a local translating function to save code size by not using too many 31 * arguments in each translating place. */ 32 static int local_err_translation(psa_status_t status) 33 { 34 return psa_status_to_mbedtls(status, psa_to_ssl_errors, 35 ARRAY_LENGTH(psa_to_ssl_errors), 36 psa_generic_status_to_mbedtls); 37 } 38 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) 39 40 int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl) 41 { 42 psa_status_t status = psa_crypto_init(); 43 if (status != PSA_SUCCESS) { 44 (void) ssl; // unused when debugging is disabled 45 MBEDTLS_SSL_DEBUG_RET(1, "psa_crypto_init", status); 46 } 47 return PSA_TO_MBEDTLS_ERR(status); 48 } 49 50 const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ 51 MBEDTLS_SERVER_HELLO_RANDOM_LEN] = 52 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 53 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 54 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 55 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C }; 56 57 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, 58 unsigned hs_type, 59 unsigned char **buf, 60 size_t *buf_len) 61 { 62 int ret; 63 64 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { 65 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 66 goto cleanup; 67 } 68 69 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 70 ssl->in_msg[0] != hs_type) { 71 MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message.")); 72 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, 73 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); 74 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 75 goto cleanup; 76 } 77 78 /* 79 * Jump handshake header (4 bytes, see Section 4 of RFC 8446). 80 * ... 81 * HandshakeType msg_type; 82 * uint24 length; 83 * ... 84 */ 85 *buf = ssl->in_msg + 4; 86 *buf_len = ssl->in_hslen - 4; 87 88 cleanup: 89 90 return ret; 91 } 92 93 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( 94 mbedtls_ssl_context *ssl, 95 const unsigned char *buf, const unsigned char *end, 96 const unsigned char **supported_versions_data, 97 const unsigned char **supported_versions_data_end) 98 { 99 const unsigned char *p = buf; 100 size_t extensions_len; 101 const unsigned char *extensions_end; 102 103 *supported_versions_data = NULL; 104 *supported_versions_data_end = NULL; 105 106 /* Case of no extension */ 107 if (p == end) { 108 return 0; 109 } 110 111 /* ... 112 * Extension extensions<x..2^16-1>; 113 * ... 114 * struct { 115 * ExtensionType extension_type; (2 bytes) 116 * opaque extension_data<0..2^16-1>; 117 * } Extension; 118 */ 119 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 120 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); 121 p += 2; 122 123 /* Check extensions do not go beyond the buffer of data. */ 124 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); 125 extensions_end = p + extensions_len; 126 127 while (p < extensions_end) { 128 unsigned int extension_type; 129 size_t extension_data_len; 130 131 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); 132 extension_type = MBEDTLS_GET_UINT16_BE(p, 0); 133 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); 134 p += 4; 135 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); 136 137 if (extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) { 138 *supported_versions_data = p; 139 *supported_versions_data_end = p + extension_data_len; 140 return 1; 141 } 142 p += extension_data_len; 143 } 144 145 return 0; 146 } 147 148 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 149 /* 150 * STATE HANDLING: Read CertificateVerify 151 */ 152 /* Macro to express the maximum length of the verify structure. 153 * 154 * The structure is computed per TLS 1.3 specification as: 155 * - 64 bytes of octet 32, 156 * - 33 bytes for the context string 157 * (which is either "TLS 1.3, client CertificateVerify" 158 * or "TLS 1.3, server CertificateVerify"), 159 * - 1 byte for the octet 0x0, which serves as a separator, 160 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate) 161 * (depending on the size of the transcript_hash) 162 * 163 * This results in a total size of 164 * - 130 bytes for a SHA256-based transcript hash, or 165 * (64 + 33 + 1 + 32 bytes) 166 * - 146 bytes for a SHA384-based transcript hash. 167 * (64 + 33 + 1 + 48 bytes) 168 * 169 */ 170 #define SSL_VERIFY_STRUCT_MAX_SIZE (64 + \ 171 33 + \ 172 1 + \ 173 MBEDTLS_TLS1_3_MD_MAX_SIZE \ 174 ) 175 176 /* 177 * The ssl_tls13_create_verify_structure() creates the verify structure. 178 * As input, it requires the transcript hash. 179 * 180 * The caller has to ensure that the buffer has size at least 181 * SSL_VERIFY_STRUCT_MAX_SIZE bytes. 182 */ 183 static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash, 184 size_t transcript_hash_len, 185 unsigned char *verify_buffer, 186 size_t *verify_buffer_len, 187 int from) 188 { 189 size_t idx; 190 191 /* RFC 8446, Section 4.4.3: 192 * 193 * The digital signature [in the CertificateVerify message] is then 194 * computed over the concatenation of: 195 * - A string that consists of octet 32 (0x20) repeated 64 times 196 * - The context string 197 * - A single 0 byte which serves as the separator 198 * - The content to be signed 199 */ 200 memset(verify_buffer, 0x20, 64); 201 idx = 64; 202 203 if (from == MBEDTLS_SSL_IS_CLIENT) { 204 memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv, 205 MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv)); 206 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv); 207 } else { /* from == MBEDTLS_SSL_IS_SERVER */ 208 memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv, 209 MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv)); 210 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv); 211 } 212 213 verify_buffer[idx++] = 0x0; 214 215 memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len); 216 idx += transcript_hash_len; 217 218 *verify_buffer_len = idx; 219 } 220 221 MBEDTLS_CHECK_RETURN_CRITICAL 222 static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, 223 const unsigned char *buf, 224 const unsigned char *end, 225 const unsigned char *verify_buffer, 226 size_t verify_buffer_len) 227 { 228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 229 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 230 const unsigned char *p = buf; 231 uint16_t algorithm; 232 size_t signature_len; 233 mbedtls_pk_type_t sig_alg; 234 mbedtls_md_type_t md_alg; 235 psa_algorithm_t hash_alg = PSA_ALG_NONE; 236 unsigned char verify_hash[PSA_HASH_MAX_SIZE]; 237 size_t verify_hash_len; 238 239 void const *options = NULL; 240 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 241 mbedtls_pk_rsassa_pss_options rsassa_pss_options; 242 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 243 244 /* 245 * struct { 246 * SignatureScheme algorithm; 247 * opaque signature<0..2^16-1>; 248 * } CertificateVerify; 249 */ 250 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 251 algorithm = MBEDTLS_GET_UINT16_BE(p, 0); 252 p += 2; 253 254 /* RFC 8446 section 4.4.3 255 * 256 * If the CertificateVerify message is sent by a server, the signature 257 * algorithm MUST be one offered in the client's "signature_algorithms" 258 * extension unless no valid certificate chain can be produced without 259 * unsupported algorithms 260 * 261 * RFC 8446 section 4.4.2.2 262 * 263 * If the client cannot construct an acceptable chain using the provided 264 * certificates and decides to abort the handshake, then it MUST abort the 265 * handshake with an appropriate certificate-related alert 266 * (by default, "unsupported_certificate"). 267 * 268 * Check if algorithm is an offered signature algorithm. 269 */ 270 if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) { 271 /* algorithm not in offered signature algorithms list */ 272 MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not " 273 "offered.", 274 (unsigned int) algorithm)); 275 goto error; 276 } 277 278 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 279 algorithm, &sig_alg, &md_alg) != 0) { 280 goto error; 281 } 282 283 hash_alg = mbedtls_md_psa_alg_from_type(md_alg); 284 if (hash_alg == 0) { 285 goto error; 286 } 287 288 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )", 289 (unsigned int) algorithm)); 290 291 /* 292 * Check the certificate's key type matches the signature alg 293 */ 294 if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) { 295 MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key")); 296 goto error; 297 } 298 299 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 300 signature_len = MBEDTLS_GET_UINT16_BE(p, 0); 301 p += 2; 302 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len); 303 304 status = psa_hash_compute(hash_alg, 305 verify_buffer, 306 verify_buffer_len, 307 verify_hash, 308 sizeof(verify_hash), 309 &verify_hash_len); 310 if (status != PSA_SUCCESS) { 311 MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status); 312 goto error; 313 } 314 315 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); 316 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 317 if (sig_alg == MBEDTLS_PK_RSASSA_PSS) { 318 rsassa_pss_options.mgf1_hash_id = md_alg; 319 320 rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg); 321 options = (const void *) &rsassa_pss_options; 322 } 323 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 324 325 if ((ret = mbedtls_pk_verify_ext(sig_alg, options, 326 &ssl->session_negotiate->peer_cert->pk, 327 md_alg, verify_hash, verify_hash_len, 328 p, signature_len)) == 0) { 329 return 0; 330 } 331 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); 332 333 error: 334 /* RFC 8446 section 4.4.3 335 * 336 * If the verification fails, the receiver MUST terminate the handshake 337 * with a "decrypt_error" alert. 338 */ 339 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, 340 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 341 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 342 343 } 344 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 345 346 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl) 347 { 348 349 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 351 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; 352 size_t verify_buffer_len; 353 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 354 size_t transcript_len; 355 unsigned char *buf; 356 size_t buf_len; 357 358 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); 359 360 MBEDTLS_SSL_PROC_CHK( 361 mbedtls_ssl_tls13_fetch_handshake_msg( 362 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len)); 363 364 /* Need to calculate the hash of the transcript first 365 * before reading the message since otherwise it gets 366 * included in the transcript 367 */ 368 ret = mbedtls_ssl_get_handshake_transcript( 369 ssl, 370 (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac, 371 transcript, sizeof(transcript), 372 &transcript_len); 373 if (ret != 0) { 374 MBEDTLS_SSL_PEND_FATAL_ALERT( 375 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, 376 MBEDTLS_ERR_SSL_INTERNAL_ERROR); 377 return ret; 378 } 379 380 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len); 381 382 /* Create verify structure */ 383 ssl_tls13_create_verify_structure(transcript, 384 transcript_len, 385 verify_buffer, 386 &verify_buffer_len, 387 (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ? 388 MBEDTLS_SSL_IS_SERVER : 389 MBEDTLS_SSL_IS_CLIENT); 390 391 /* Process the message contents */ 392 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify( 393 ssl, buf, buf + buf_len, 394 verify_buffer, verify_buffer_len)); 395 396 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 397 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, 398 buf, buf_len)); 399 400 cleanup: 401 402 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); 403 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret); 404 return ret; 405 #else 406 ((void) ssl); 407 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 408 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 409 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 410 } 411 412 /* 413 * 414 * STATE HANDLING: Incoming Certificate. 415 * 416 */ 417 418 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 419 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 420 /* 421 * Structure of Certificate message: 422 * 423 * enum { 424 * X509(0), 425 * RawPublicKey(2), 426 * (255) 427 * } CertificateType; 428 * 429 * struct { 430 * select (certificate_type) { 431 * case RawPublicKey: 432 * * From RFC 7250 ASN.1_subjectPublicKeyInfo * 433 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; 434 * case X509: 435 * opaque cert_data<1..2^24-1>; 436 * }; 437 * Extension extensions<0..2^16-1>; 438 * } CertificateEntry; 439 * 440 * struct { 441 * opaque certificate_request_context<0..2^8-1>; 442 * CertificateEntry certificate_list<0..2^24-1>; 443 * } Certificate; 444 * 445 */ 446 447 /* Parse certificate chain send by the server. */ 448 MBEDTLS_CHECK_RETURN_CRITICAL 449 MBEDTLS_STATIC_TESTABLE 450 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, 451 const unsigned char *buf, 452 const unsigned char *end) 453 { 454 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 455 size_t certificate_request_context_len = 0; 456 size_t certificate_list_len = 0; 457 const unsigned char *p = buf; 458 const unsigned char *certificate_list_end; 459 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 460 461 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); 462 certificate_request_context_len = p[0]; 463 certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1); 464 p += 4; 465 466 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't 467 * support anything beyond 2^16 = 64K. 468 */ 469 if ((certificate_request_context_len != 0) || 470 (certificate_list_len >= 0x10000)) { 471 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 472 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 473 MBEDTLS_ERR_SSL_DECODE_ERROR); 474 return MBEDTLS_ERR_SSL_DECODE_ERROR; 475 } 476 477 /* In case we tried to reuse a session but it failed */ 478 if (ssl->session_negotiate->peer_cert != NULL) { 479 mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert); 480 mbedtls_free(ssl->session_negotiate->peer_cert); 481 } 482 483 /* This is used by ssl_tls13_validate_certificate() */ 484 if (certificate_list_len == 0) { 485 ssl->session_negotiate->peer_cert = NULL; 486 ret = 0; 487 goto exit; 488 } 489 490 if ((ssl->session_negotiate->peer_cert = 491 mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) { 492 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed", 493 sizeof(mbedtls_x509_crt))); 494 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, 495 MBEDTLS_ERR_SSL_ALLOC_FAILED); 496 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 497 } 498 499 mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert); 500 501 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len); 502 certificate_list_end = p + certificate_list_len; 503 while (p < certificate_list_end) { 504 size_t cert_data_len, extensions_len; 505 const unsigned char *extensions_end; 506 507 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3); 508 cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0); 509 p += 3; 510 511 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support 512 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code, 513 * check that we have a minimum of 128 bytes of data, this is not 514 * clear why we need that though. 515 */ 516 if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) { 517 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message")); 518 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 519 MBEDTLS_ERR_SSL_DECODE_ERROR); 520 return MBEDTLS_ERR_SSL_DECODE_ERROR; 521 } 522 523 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len); 524 ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert, 525 p, cert_data_len); 526 527 switch (ret) { 528 case 0: /*ok*/ 529 break; 530 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 531 /* Ignore certificate with an unknown algorithm: maybe a 532 prior certificate was already trusted. */ 533 break; 534 535 case MBEDTLS_ERR_X509_ALLOC_FAILED: 536 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, 537 MBEDTLS_ERR_X509_ALLOC_FAILED); 538 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 539 return ret; 540 541 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 542 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, 543 MBEDTLS_ERR_X509_UNKNOWN_VERSION); 544 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 545 return ret; 546 547 default: 548 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, 549 ret); 550 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 551 return ret; 552 } 553 554 p += cert_data_len; 555 556 /* Certificate extensions length */ 557 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2); 558 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); 559 p += 2; 560 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len); 561 562 extensions_end = p + extensions_len; 563 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; 564 565 while (p < extensions_end) { 566 unsigned int extension_type; 567 size_t extension_data_len; 568 569 /* 570 * struct { 571 * ExtensionType extension_type; (2 bytes) 572 * opaque extension_data<0..2^16-1>; 573 * } Extension; 574 */ 575 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); 576 extension_type = MBEDTLS_GET_UINT16_BE(p, 0); 577 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); 578 p += 4; 579 580 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); 581 582 ret = mbedtls_ssl_tls13_check_received_extension( 583 ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, 584 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT); 585 if (ret != 0) { 586 return ret; 587 } 588 589 switch (extension_type) { 590 default: 591 MBEDTLS_SSL_PRINT_EXT( 592 3, MBEDTLS_SSL_HS_CERTIFICATE, 593 extension_type, "( ignored )"); 594 break; 595 } 596 597 p += extension_data_len; 598 } 599 600 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE, 601 handshake->received_extensions); 602 } 603 604 exit: 605 /* Check that all the message is consumed. */ 606 if (p != end) { 607 MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message")); 608 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 609 MBEDTLS_ERR_SSL_DECODE_ERROR); 610 return MBEDTLS_ERR_SSL_DECODE_ERROR; 611 } 612 613 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", 614 ssl->session_negotiate->peer_cert); 615 616 return ret; 617 } 618 #else 619 MBEDTLS_CHECK_RETURN_CRITICAL 620 MBEDTLS_STATIC_TESTABLE 621 int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, 622 const unsigned char *buf, 623 const unsigned char *end) 624 { 625 ((void) ssl); 626 ((void) buf); 627 ((void) end); 628 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 629 } 630 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 631 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 632 633 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 634 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 635 /* Validate certificate chain sent by the server. */ 636 MBEDTLS_CHECK_RETURN_CRITICAL 637 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) 638 { 639 /* Authmode: precedence order is SNI if used else configuration */ 640 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 641 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET 642 ? ssl->handshake->sni_authmode 643 : ssl->conf->authmode; 644 #else 645 const int authmode = ssl->conf->authmode; 646 #endif 647 648 /* 649 * If the peer hasn't sent a certificate ( i.e. it sent 650 * an empty certificate chain ), this is reflected in the peer CRT 651 * structure being unset. 652 * Check for that and handle it depending on the 653 * authentication mode. 654 */ 655 if (ssl->session_negotiate->peer_cert == NULL) { 656 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); 657 658 #if defined(MBEDTLS_SSL_SRV_C) 659 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 660 /* The client was asked for a certificate but didn't send 661 * one. The client should know what's going on, so we 662 * don't send an alert. 663 */ 664 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 665 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) { 666 return 0; 667 } else { 668 MBEDTLS_SSL_PEND_FATAL_ALERT( 669 MBEDTLS_SSL_ALERT_MSG_NO_CERT, 670 MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE); 671 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 672 } 673 } 674 #endif /* MBEDTLS_SSL_SRV_C */ 675 676 #if defined(MBEDTLS_SSL_CLI_C) 677 /* Regardless of authmode, the server is not allowed to send an empty 678 * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The 679 * server's certificate_list MUST always be non-empty.") With authmode 680 * optional/none, we continue the handshake if we can't validate the 681 * server's cert, but we still break it if no certificate was sent. */ 682 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 683 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT, 684 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE); 685 return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE; 686 } 687 #endif /* MBEDTLS_SSL_CLI_C */ 688 } 689 690 return mbedtls_ssl_verify_certificate(ssl, authmode, 691 ssl->session_negotiate->peer_cert, 692 NULL, NULL); 693 } 694 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 695 MBEDTLS_CHECK_RETURN_CRITICAL 696 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) 697 { 698 ((void) ssl); 699 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 700 } 701 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 702 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 703 704 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl) 705 { 706 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 707 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 708 709 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 710 unsigned char *buf; 711 size_t buf_len; 712 713 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( 714 ssl, MBEDTLS_SSL_HS_CERTIFICATE, 715 &buf, &buf_len)); 716 717 /* Parse the certificate chain sent by the peer. */ 718 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf, 719 buf + buf_len)); 720 /* Validate the certificate chain and set the verification results. */ 721 MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl)); 722 723 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 724 ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len)); 725 726 cleanup: 727 #else /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 728 (void) ssl; 729 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 730 731 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); 732 return ret; 733 } 734 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 735 /* 736 * enum { 737 * X509(0), 738 * RawPublicKey(2), 739 * (255) 740 * } CertificateType; 741 * 742 * struct { 743 * select (certificate_type) { 744 * case RawPublicKey: 745 * // From RFC 7250 ASN.1_subjectPublicKeyInfo 746 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; 747 * 748 * case X509: 749 * opaque cert_data<1..2^24-1>; 750 * }; 751 * Extension extensions<0..2^16-1>; 752 * } CertificateEntry; 753 * 754 * struct { 755 * opaque certificate_request_context<0..2^8-1>; 756 * CertificateEntry certificate_list<0..2^24-1>; 757 * } Certificate; 758 */ 759 MBEDTLS_CHECK_RETURN_CRITICAL 760 static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl, 761 unsigned char *buf, 762 unsigned char *end, 763 size_t *out_len) 764 { 765 const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl); 766 unsigned char *p = buf; 767 unsigned char *certificate_request_context = 768 ssl->handshake->certificate_request_context; 769 unsigned char certificate_request_context_len = 770 ssl->handshake->certificate_request_context_len; 771 unsigned char *p_certificate_list_len; 772 773 774 /* ... 775 * opaque certificate_request_context<0..2^8-1>; 776 * ... 777 */ 778 MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1); 779 *p++ = certificate_request_context_len; 780 if (certificate_request_context_len > 0) { 781 memcpy(p, certificate_request_context, certificate_request_context_len); 782 p += certificate_request_context_len; 783 } 784 785 /* ... 786 * CertificateEntry certificate_list<0..2^24-1>; 787 * ... 788 */ 789 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3); 790 p_certificate_list_len = p; 791 p += 3; 792 793 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt); 794 795 while (crt != NULL) { 796 size_t cert_data_len = crt->raw.len; 797 798 MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2); 799 MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0); 800 p += 3; 801 802 memcpy(p, crt->raw.p, cert_data_len); 803 p += cert_data_len; 804 crt = crt->next; 805 806 /* Currently, we don't have any certificate extensions defined. 807 * Hence, we are sending an empty extension with length zero. 808 */ 809 MBEDTLS_PUT_UINT16_BE(0, p, 0); 810 p += 2; 811 } 812 813 MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3, 814 p_certificate_list_len, 0); 815 816 *out_len = p - buf; 817 818 MBEDTLS_SSL_PRINT_EXTS( 819 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions); 820 821 return 0; 822 } 823 824 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl) 825 { 826 int ret; 827 unsigned char *buf; 828 size_t buf_len, msg_len; 829 830 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 831 832 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( 833 ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len)); 834 835 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl, 836 buf, 837 buf + buf_len, 838 &msg_len)); 839 840 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 841 ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len)); 842 843 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 844 ssl, buf_len, msg_len)); 845 cleanup: 846 847 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); 848 return ret; 849 } 850 851 /* 852 * STATE HANDLING: Output Certificate Verify 853 */ 854 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, 855 mbedtls_pk_context *key) 856 { 857 mbedtls_pk_type_t pk_type = (mbedtls_pk_type_t) mbedtls_ssl_sig_from_pk(key); 858 size_t key_size = mbedtls_pk_get_bitlen(key); 859 860 switch (pk_type) { 861 case MBEDTLS_SSL_SIG_ECDSA: 862 switch (key_size) { 863 case 256: 864 return 865 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; 866 867 case 384: 868 return 869 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; 870 871 case 521: 872 return 873 sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; 874 default: 875 break; 876 } 877 break; 878 879 case MBEDTLS_SSL_SIG_RSA: 880 switch (sig_alg) { 881 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */ 882 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */ 883 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 884 return 1; 885 886 default: 887 break; 888 } 889 break; 890 891 default: 892 break; 893 } 894 895 return 0; 896 } 897 898 MBEDTLS_CHECK_RETURN_CRITICAL 899 static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, 900 unsigned char *buf, 901 unsigned char *end, 902 size_t *out_len) 903 { 904 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 905 unsigned char *p = buf; 906 mbedtls_pk_context *own_key; 907 908 unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 909 size_t handshake_hash_len; 910 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; 911 size_t verify_buffer_len; 912 913 uint16_t *sig_alg = ssl->handshake->received_sig_algs; 914 size_t signature_len = 0; 915 916 *out_len = 0; 917 918 own_key = mbedtls_ssl_own_key(ssl); 919 if (own_key == NULL) { 920 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 921 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 922 } 923 924 ret = mbedtls_ssl_get_handshake_transcript( 925 ssl, (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac, 926 handshake_hash, sizeof(handshake_hash), &handshake_hash_len); 927 if (ret != 0) { 928 return ret; 929 } 930 931 MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", 932 handshake_hash, 933 handshake_hash_len); 934 935 ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len, 936 verify_buffer, &verify_buffer_len, 937 ssl->conf->endpoint); 938 939 /* 940 * struct { 941 * SignatureScheme algorithm; 942 * opaque signature<0..2^16-1>; 943 * } CertificateVerify; 944 */ 945 /* Check there is space for the algorithm identifier (2 bytes) and the 946 * signature length (2 bytes). 947 */ 948 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); 949 950 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { 951 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 952 mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; 953 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 954 psa_algorithm_t psa_algorithm = PSA_ALG_NONE; 955 unsigned char verify_hash[PSA_HASH_MAX_SIZE]; 956 size_t verify_hash_len; 957 958 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) { 959 continue; 960 } 961 962 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) { 963 continue; 964 } 965 966 if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) { 967 continue; 968 } 969 970 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 971 *sig_alg, &pk_type, &md_alg) != 0) { 972 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 973 } 974 975 /* Hash verify buffer with indicated hash function */ 976 psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg); 977 status = psa_hash_compute(psa_algorithm, 978 verify_buffer, 979 verify_buffer_len, 980 verify_hash, sizeof(verify_hash), 981 &verify_hash_len); 982 if (status != PSA_SUCCESS) { 983 return PSA_TO_MBEDTLS_ERR(status); 984 } 985 986 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); 987 988 if ((ret = mbedtls_pk_sign_ext(pk_type, own_key, 989 md_alg, verify_hash, verify_hash_len, 990 p + 4, (size_t) (end - (p + 4)), &signature_len, 991 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 992 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s", 993 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 994 MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret); 995 996 /* The signature failed. This is possible if the private key 997 * was not suitable for the signature operation as purposely we 998 * did not check its suitability completely. Let's try with 999 * another signature algorithm. 1000 */ 1001 continue; 1002 } 1003 1004 MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s", 1005 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 1006 1007 break; 1008 } 1009 1010 if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) { 1011 MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm")); 1012 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 1013 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 1014 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1015 } 1016 1017 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0); 1018 MBEDTLS_PUT_UINT16_BE(signature_len, p, 2); 1019 1020 *out_len = 4 + signature_len; 1021 1022 return 0; 1023 } 1024 1025 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) 1026 { 1027 int ret = 0; 1028 unsigned char *buf; 1029 size_t buf_len, msg_len; 1030 1031 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); 1032 1033 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( 1034 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, 1035 &buf, &buf_len)); 1036 1037 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body( 1038 ssl, buf, buf + buf_len, &msg_len)); 1039 1040 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 1041 ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, 1042 buf, msg_len)); 1043 1044 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 1045 ssl, buf_len, msg_len)); 1046 1047 cleanup: 1048 1049 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); 1050 return ret; 1051 } 1052 1053 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 1054 1055 /* 1056 * 1057 * STATE HANDLING: Incoming Finished message. 1058 */ 1059 /* 1060 * Implementation 1061 */ 1062 1063 MBEDTLS_CHECK_RETURN_CRITICAL 1064 static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl) 1065 { 1066 int ret; 1067 1068 ret = mbedtls_ssl_tls13_calculate_verify_data( 1069 ssl, 1070 ssl->handshake->state_local.finished_in.digest, 1071 sizeof(ssl->handshake->state_local.finished_in.digest), 1072 &ssl->handshake->state_local.finished_in.digest_len, 1073 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ? 1074 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT); 1075 if (ret != 0) { 1076 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret); 1077 return ret; 1078 } 1079 1080 return 0; 1081 } 1082 1083 MBEDTLS_CHECK_RETURN_CRITICAL 1084 static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl, 1085 const unsigned char *buf, 1086 const unsigned char *end) 1087 { 1088 /* 1089 * struct { 1090 * opaque verify_data[Hash.length]; 1091 * } Finished; 1092 */ 1093 const unsigned char *expected_verify_data = 1094 ssl->handshake->state_local.finished_in.digest; 1095 size_t expected_verify_data_len = 1096 ssl->handshake->state_local.finished_in.digest_len; 1097 /* Structural validation */ 1098 if ((size_t) (end - buf) != expected_verify_data_len) { 1099 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 1100 1101 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 1102 MBEDTLS_ERR_SSL_DECODE_ERROR); 1103 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1104 } 1105 1106 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):", 1107 expected_verify_data, 1108 expected_verify_data_len); 1109 MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf, 1110 expected_verify_data_len); 1111 1112 /* Semantic validation */ 1113 if (mbedtls_ct_memcmp(buf, 1114 expected_verify_data, 1115 expected_verify_data_len) != 0) { 1116 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 1117 1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, 1119 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 1120 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1121 } 1122 return 0; 1123 } 1124 1125 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl) 1126 { 1127 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1128 unsigned char *buf; 1129 size_t buf_len; 1130 1131 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message")); 1132 1133 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( 1134 ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len)); 1135 1136 /* Preprocessing step: Compute handshake digest */ 1137 MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl)); 1138 1139 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message( 1140 ssl, buf, buf + buf_len)); 1141 1142 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 1143 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len)); 1144 1145 cleanup: 1146 1147 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message")); 1148 return ret; 1149 } 1150 1151 /* 1152 * 1153 * STATE HANDLING: Write and send Finished message. 1154 * 1155 */ 1156 /* 1157 * Implement 1158 */ 1159 1160 MBEDTLS_CHECK_RETURN_CRITICAL 1161 static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl) 1162 { 1163 int ret; 1164 1165 /* Compute transcript of handshake up to now. */ 1166 ret = mbedtls_ssl_tls13_calculate_verify_data(ssl, 1167 ssl->handshake->state_local.finished_out.digest, 1168 sizeof(ssl->handshake->state_local.finished_out. 1169 digest), 1170 &ssl->handshake->state_local.finished_out.digest_len, 1171 ssl->conf->endpoint); 1172 1173 if (ret != 0) { 1174 MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret); 1175 return ret; 1176 } 1177 1178 return 0; 1179 } 1180 1181 MBEDTLS_CHECK_RETURN_CRITICAL 1182 static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl, 1183 unsigned char *buf, 1184 unsigned char *end, 1185 size_t *out_len) 1186 { 1187 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len; 1188 /* 1189 * struct { 1190 * opaque verify_data[Hash.length]; 1191 * } Finished; 1192 */ 1193 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len); 1194 1195 memcpy(buf, ssl->handshake->state_local.finished_out.digest, 1196 verify_data_len); 1197 1198 *out_len = verify_data_len; 1199 return 0; 1200 } 1201 1202 /* Main entry point: orchestrates the other functions */ 1203 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl) 1204 { 1205 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1206 unsigned char *buf; 1207 size_t buf_len, msg_len; 1208 1209 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message")); 1210 1211 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl)); 1212 1213 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, 1214 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len)); 1215 1216 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body( 1217 ssl, buf, buf + buf_len, &msg_len)); 1218 1219 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, 1220 MBEDTLS_SSL_HS_FINISHED, buf, msg_len)); 1221 1222 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 1223 ssl, buf_len, msg_len)); 1224 cleanup: 1225 1226 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message")); 1227 return ret; 1228 } 1229 1230 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) 1231 { 1232 1233 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); 1234 1235 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic")); 1236 mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application); 1237 1238 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic")); 1239 mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application); 1240 1241 /* 1242 * Free the previous session and switch to the current one. 1243 */ 1244 if (ssl->session) { 1245 mbedtls_ssl_session_free(ssl->session); 1246 mbedtls_free(ssl->session); 1247 } 1248 ssl->session = ssl->session_negotiate; 1249 ssl->session_negotiate = NULL; 1250 1251 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); 1252 } 1253 1254 /* 1255 * 1256 * STATE HANDLING: Write ChangeCipherSpec 1257 * 1258 */ 1259 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 1260 MBEDTLS_CHECK_RETURN_CRITICAL 1261 static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl, 1262 unsigned char *buf, 1263 unsigned char *end, 1264 size_t *olen) 1265 { 1266 ((void) ssl); 1267 1268 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1); 1269 buf[0] = 1; 1270 *olen = 1; 1271 1272 return 0; 1273 } 1274 1275 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) 1276 { 1277 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1278 1279 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec")); 1280 1281 /* Only one CCS to send. */ 1282 if (ssl->handshake->ccs_sent) { 1283 ret = 0; 1284 goto cleanup; 1285 } 1286 1287 /* Write CCS message */ 1288 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body( 1289 ssl, ssl->out_msg, 1290 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, 1291 &ssl->out_msglen)); 1292 1293 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 1294 1295 /* Dispatch message */ 1296 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0)); 1297 1298 ssl->handshake->ccs_sent = 1; 1299 1300 cleanup: 1301 1302 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec")); 1303 return ret; 1304 } 1305 1306 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 1307 1308 /* Early Data Indication Extension 1309 * 1310 * struct { 1311 * select ( Handshake.msg_type ) { 1312 * case new_session_ticket: uint32 max_early_data_size; 1313 * case client_hello: Empty; 1314 * case encrypted_extensions: Empty; 1315 * }; 1316 * } EarlyDataIndication; 1317 */ 1318 #if defined(MBEDTLS_SSL_EARLY_DATA) 1319 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, 1320 int in_new_session_ticket, 1321 unsigned char *buf, 1322 const unsigned char *end, 1323 size_t *out_len) 1324 { 1325 unsigned char *p = buf; 1326 1327 #if defined(MBEDTLS_SSL_SRV_C) 1328 const size_t needed = in_new_session_ticket ? 8 : 4; 1329 #else 1330 const size_t needed = 4; 1331 ((void) in_new_session_ticket); 1332 #endif 1333 1334 *out_len = 0; 1335 1336 MBEDTLS_SSL_CHK_BUF_PTR(p, end, needed); 1337 1338 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0); 1339 MBEDTLS_PUT_UINT16_BE(needed - 4, p, 2); 1340 1341 #if defined(MBEDTLS_SSL_SRV_C) 1342 if (in_new_session_ticket) { 1343 MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4); 1344 MBEDTLS_SSL_DEBUG_MSG( 1345 4, ("Sent max_early_data_size=%u", 1346 (unsigned int) ssl->conf->max_early_data_size)); 1347 } 1348 #endif 1349 1350 *out_len = needed; 1351 1352 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA); 1353 1354 return 0; 1355 } 1356 1357 #if defined(MBEDTLS_SSL_SRV_C) 1358 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, 1359 size_t early_data_len) 1360 { 1361 /* 1362 * This function should be called only while an handshake is in progress 1363 * and thus a session under negotiation. Add a sanity check to detect a 1364 * misuse. 1365 */ 1366 if (ssl->session_negotiate == NULL) { 1367 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 1368 } 1369 1370 /* RFC 8446 section 4.6.1 1371 * 1372 * A server receiving more than max_early_data_size bytes of 0-RTT data 1373 * SHOULD terminate the connection with an "unexpected_message" alert. 1374 * Note that if it is still possible to send early_data_len bytes of early 1375 * data, it means that early_data_len is smaller than max_early_data_size 1376 * (type uint32_t) and can fit in an uint32_t. We use this further 1377 * down. 1378 */ 1379 if (early_data_len > 1380 (ssl->session_negotiate->max_early_data_size - 1381 ssl->total_early_data_size)) { 1382 1383 MBEDTLS_SSL_DEBUG_MSG( 1384 2, ("EarlyData: Too much early data received, " 1385 "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu", 1386 (unsigned long) ssl->total_early_data_size, 1387 early_data_len, 1388 (unsigned long) ssl->session_negotiate->max_early_data_size)); 1389 1390 MBEDTLS_SSL_PEND_FATAL_ALERT( 1391 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, 1392 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); 1393 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 1394 } 1395 1396 /* 1397 * early_data_len has been checked to be less than max_early_data_size 1398 * that is uint32_t. Its cast to an uint32_t below is thus safe. We need 1399 * the cast to appease some compilers. 1400 */ 1401 ssl->total_early_data_size += (uint32_t) early_data_len; 1402 1403 return 0; 1404 } 1405 #endif /* MBEDTLS_SSL_SRV_C */ 1406 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1407 1408 /* Reset SSL context and update hash for handling HRR. 1409 * 1410 * Replace Transcript-Hash(X) by 1411 * Transcript-Hash( message_hash || 1412 * 00 00 Hash.length || 1413 * X ) 1414 * A few states of the handshake are preserved, including: 1415 * - session ID 1416 * - session ticket 1417 * - negotiated ciphersuite 1418 */ 1419 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) 1420 { 1421 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1422 unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4]; 1423 size_t hash_len; 1424 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 1425 ssl->handshake->ciphersuite_info; 1426 1427 MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR")); 1428 1429 ret = mbedtls_ssl_get_handshake_transcript(ssl, (mbedtls_md_type_t) ciphersuite_info->mac, 1430 hash_transcript + 4, 1431 PSA_HASH_MAX_SIZE, 1432 &hash_len); 1433 if (ret != 0) { 1434 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret); 1435 return ret; 1436 } 1437 1438 hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; 1439 hash_transcript[1] = 0; 1440 hash_transcript[2] = 0; 1441 hash_transcript[3] = (unsigned char) hash_len; 1442 1443 hash_len += 4; 1444 1445 MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript", 1446 hash_transcript, hash_len); 1447 1448 /* Reset running hash and replace it with a hash of the transcript */ 1449 ret = mbedtls_ssl_reset_checksum(ssl); 1450 if (ret != 0) { 1451 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); 1452 return ret; 1453 } 1454 ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len); 1455 if (ret != 0) { 1456 MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); 1457 return ret; 1458 } 1459 1460 return ret; 1461 } 1462 1463 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) 1464 1465 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl, 1466 const unsigned char *buf, 1467 size_t buf_len) 1468 { 1469 uint8_t *p = (uint8_t *) buf; 1470 const uint8_t *end = buf + buf_len; 1471 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 1472 1473 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */ 1474 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 1475 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0); 1476 p += 2; 1477 1478 /* Check if key size is consistent with given buffer length. */ 1479 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len); 1480 1481 /* Store peer's ECDH/FFDH public key. */ 1482 if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) { 1483 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET, 1484 (unsigned) peerkey_len, 1485 sizeof(handshake->xxdh_psa_peerkey))); 1486 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1487 } 1488 memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len); 1489 handshake->xxdh_psa_peerkey_len = peerkey_len; 1490 1491 return 0; 1492 } 1493 1494 #if defined(PSA_WANT_ALG_FFDH) 1495 static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id( 1496 uint16_t tls_id, size_t *bits, psa_key_type_t *key_type) 1497 { 1498 switch (tls_id) { 1499 #if defined(PSA_WANT_DH_RFC7919_2048) 1500 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048: 1501 *bits = 2048; 1502 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); 1503 return PSA_SUCCESS; 1504 #endif /* PSA_WANT_DH_RFC7919_2048 */ 1505 #if defined(PSA_WANT_DH_RFC7919_3072) 1506 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072: 1507 *bits = 3072; 1508 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); 1509 return PSA_SUCCESS; 1510 #endif /* PSA_WANT_DH_RFC7919_3072 */ 1511 #if defined(PSA_WANT_DH_RFC7919_4096) 1512 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096: 1513 *bits = 4096; 1514 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); 1515 return PSA_SUCCESS; 1516 #endif /* PSA_WANT_DH_RFC7919_4096 */ 1517 #if defined(PSA_WANT_DH_RFC7919_6144) 1518 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144: 1519 *bits = 6144; 1520 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); 1521 return PSA_SUCCESS; 1522 #endif /* PSA_WANT_DH_RFC7919_6144 */ 1523 #if defined(PSA_WANT_DH_RFC7919_8192) 1524 case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192: 1525 *bits = 8192; 1526 *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); 1527 return PSA_SUCCESS; 1528 #endif /* PSA_WANT_DH_RFC7919_8192 */ 1529 default: 1530 return PSA_ERROR_NOT_SUPPORTED; 1531 } 1532 } 1533 #endif /* PSA_WANT_ALG_FFDH */ 1534 1535 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange( 1536 mbedtls_ssl_context *ssl, 1537 uint16_t named_group, 1538 unsigned char *buf, 1539 unsigned char *end, 1540 size_t *out_len) 1541 { 1542 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 1543 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1544 psa_key_attributes_t key_attributes; 1545 size_t own_pubkey_len; 1546 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 1547 size_t bits = 0; 1548 psa_key_type_t key_type = PSA_KEY_TYPE_NONE; 1549 psa_algorithm_t alg = PSA_ALG_NONE; 1550 size_t buf_size = (size_t) (end - buf); 1551 1552 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation.")); 1553 1554 /* Convert EC's TLS ID to PSA key type. */ 1555 #if defined(PSA_WANT_ALG_ECDH) 1556 if (mbedtls_ssl_get_psa_curve_info_from_tls_id( 1557 named_group, &key_type, &bits) == PSA_SUCCESS) { 1558 alg = PSA_ALG_ECDH; 1559 } 1560 #endif 1561 #if defined(PSA_WANT_ALG_FFDH) 1562 if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits, 1563 &key_type) == PSA_SUCCESS) { 1564 alg = PSA_ALG_FFDH; 1565 } 1566 #endif 1567 1568 if (key_type == PSA_KEY_TYPE_NONE) { 1569 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1570 } 1571 1572 if (buf_size < PSA_BITS_TO_BYTES(bits)) { 1573 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 1574 } 1575 1576 handshake->xxdh_psa_type = key_type; 1577 ssl->handshake->xxdh_psa_bits = bits; 1578 1579 key_attributes = psa_key_attributes_init(); 1580 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 1581 psa_set_key_algorithm(&key_attributes, alg); 1582 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type); 1583 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits); 1584 1585 /* Generate ECDH/FFDH private key. */ 1586 status = psa_generate_key(&key_attributes, 1587 &handshake->xxdh_psa_privkey); 1588 if (status != PSA_SUCCESS) { 1589 ret = PSA_TO_MBEDTLS_ERR(status); 1590 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); 1591 return ret; 1592 1593 } 1594 1595 /* Export the public part of the ECDH/FFDH private key from PSA. */ 1596 status = psa_export_public_key(handshake->xxdh_psa_privkey, 1597 buf, buf_size, 1598 &own_pubkey_len); 1599 1600 if (status != PSA_SUCCESS) { 1601 ret = PSA_TO_MBEDTLS_ERR(status); 1602 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); 1603 return ret; 1604 } 1605 1606 *out_len = own_pubkey_len; 1607 1608 return 0; 1609 } 1610 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ 1611 1612 /* RFC 8446 section 4.2 1613 * 1614 * If an implementation receives an extension which it recognizes and which is 1615 * not specified for the message in which it appears, it MUST abort the handshake 1616 * with an "illegal_parameter" alert. 1617 * 1618 */ 1619 int mbedtls_ssl_tls13_check_received_extension( 1620 mbedtls_ssl_context *ssl, 1621 int hs_msg_type, 1622 unsigned int received_extension_type, 1623 uint32_t hs_msg_allowed_extensions_mask) 1624 { 1625 uint32_t extension_mask = mbedtls_ssl_get_extension_mask( 1626 received_extension_type); 1627 1628 MBEDTLS_SSL_PRINT_EXT( 1629 3, hs_msg_type, received_extension_type, "received"); 1630 1631 if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) { 1632 MBEDTLS_SSL_PRINT_EXT( 1633 3, hs_msg_type, received_extension_type, "is illegal"); 1634 MBEDTLS_SSL_PEND_FATAL_ALERT( 1635 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 1636 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1637 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1638 } 1639 1640 ssl->handshake->received_extensions |= extension_mask; 1641 /* 1642 * If it is a message containing extension responses, check that we 1643 * previously sent the extension. 1644 */ 1645 switch (hs_msg_type) { 1646 case MBEDTLS_SSL_HS_SERVER_HELLO: 1647 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: 1648 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: 1649 case MBEDTLS_SSL_HS_CERTIFICATE: 1650 /* Check if the received extension is sent by peer message.*/ 1651 if ((ssl->handshake->sent_extensions & extension_mask) != 0) { 1652 return 0; 1653 } 1654 break; 1655 default: 1656 return 0; 1657 } 1658 1659 MBEDTLS_SSL_PRINT_EXT( 1660 3, hs_msg_type, received_extension_type, "is unsupported"); 1661 MBEDTLS_SSL_PEND_FATAL_ALERT( 1662 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, 1663 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION); 1664 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; 1665 } 1666 1667 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 1668 1669 /* RFC 8449, section 4: 1670 * 1671 * The ExtensionData of the "record_size_limit" extension is 1672 * RecordSizeLimit: 1673 * uint16 RecordSizeLimit; 1674 */ 1675 MBEDTLS_CHECK_RETURN_CRITICAL 1676 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl, 1677 const unsigned char *buf, 1678 const unsigned char *end) 1679 { 1680 const unsigned char *p = buf; 1681 uint16_t record_size_limit; 1682 const size_t extension_data_len = end - buf; 1683 1684 if (extension_data_len != 1685 MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) { 1686 MBEDTLS_SSL_DEBUG_MSG(2, 1687 ("record_size_limit extension has invalid length: %" 1688 MBEDTLS_PRINTF_SIZET " Bytes", 1689 extension_data_len)); 1690 1691 MBEDTLS_SSL_PEND_FATAL_ALERT( 1692 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 1693 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1694 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1695 } 1696 1697 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 1698 record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0); 1699 1700 MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit)); 1701 1702 /* RFC 8449, section 4: 1703 * 1704 * Endpoints MUST NOT send a "record_size_limit" extension with a value 1705 * smaller than 64. An endpoint MUST treat receipt of a smaller value 1706 * as a fatal error and generate an "illegal_parameter" alert. 1707 */ 1708 if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) { 1709 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes", 1710 record_size_limit)); 1711 MBEDTLS_SSL_PEND_FATAL_ALERT( 1712 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 1713 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1714 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1715 } 1716 1717 ssl->session_negotiate->record_size_limit = record_size_limit; 1718 1719 return 0; 1720 } 1721 1722 MBEDTLS_CHECK_RETURN_CRITICAL 1723 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl, 1724 unsigned char *buf, 1725 const unsigned char *end, 1726 size_t *out_len) 1727 { 1728 unsigned char *p = buf; 1729 *out_len = 0; 1730 1731 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN, 1732 "MBEDTLS_SSL_IN_CONTENT_LEN is less than the " 1733 "minimum record size limit"); 1734 1735 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 1736 1737 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0); 1738 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH, 1739 p, 2); 1740 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4); 1741 1742 *out_len = 6; 1743 1744 MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes", 1745 MBEDTLS_SSL_IN_CONTENT_LEN)); 1746 1747 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT); 1748 1749 return 0; 1750 } 1751 1752 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 1753 1754 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */