1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include <string.h>
16 #include "hitls_build.h"
17 #include "securec.h"
18 #include "tls_binlog_id.h"
19 #include "bsl_log_internal.h"
20 #include "bsl_log.h"
21 #include "bsl_err_internal.h"
22 #include "bsl_sal.h"
23 #include "hitls_error.h"
24 #include "hs_kx.h"
25 #include "transcript_hash.h"
26 #include "hs_verify.h"
27
28 #define HS_VERIFY_DATA_LEN 12u
29
30 #define CLIENT_FINISHED_LABEL "client finished"
31 #define SERVER_FINISHED_LABEL "server finished"
32
33 #ifdef HITLS_TLS_PROTO_TLS13
34 #define MSG_HASH_HEADER_SIZE 4 /* message_hash message header length */
35 #define MAX_MSG_HASH_SIZE (MAX_DIGEST_SIZE + MSG_HASH_HEADER_SIZE) /* Maximum message_hash message length */
36 #endif /* HITLS_TLS_PROTO_TLS13 */
37 #ifdef HITLS_TLS_PROTO_TLS13
38 #define TLS13_CLIENT_CERT_VERIFY_LABEL "TLS 1.3, client CertificateVerify"
39 #define TLS13_SERVER_CERT_VERIFY_LABEL "TLS 1.3, server CertificateVerify"
40
41 #define TLS13_CERT_VERIFY_PREFIX 0x20 /* The signature data in TLS 1.3 is firstly filled with 64 0x20s */
42 #define TLS13_CERT_VERIFY_PREFIX_LEN 64
43 #endif /* #ifdef HITLS_TLS_PROTO_TLS13 */
44
VERIFY_Init(HS_Ctx * hsCtx)45 int32_t VERIFY_Init(HS_Ctx *hsCtx)
46 {
47 VERIFY_Deinit(hsCtx);
48 VerifyCtx *verifyCtx = (VerifyCtx *)BSL_SAL_Calloc(1u, sizeof(VerifyCtx));
49 if (verifyCtx == NULL) {
50 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15475, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
51 "Verify init error: out of memory.", 0, 0, 0, 0);
52 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
53 return HITLS_MEMALLOC_FAIL;
54 }
55
56 verifyCtx->dataBuf = (HsMsgCache *)BSL_SAL_Calloc(1u, sizeof(HsMsgCache));
57 if (verifyCtx->dataBuf == NULL) {
58 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15476, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
59 "Verify databuf malloc error: out of memory.", 0, 0, 0, 0);
60 BSL_SAL_FREE(verifyCtx);
61 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
62 return HITLS_MEMALLOC_FAIL;
63 }
64 hsCtx->verifyCtx = verifyCtx;
65 return HITLS_SUCCESS;
66 }
67
VERIFY_Deinit(HS_Ctx * hsCtx)68 void VERIFY_Deinit(HS_Ctx *hsCtx)
69 {
70 if (hsCtx == NULL) {
71 return;
72 }
73 VerifyCtx *verifyCtx = hsCtx->verifyCtx;
74 if (verifyCtx == NULL) {
75 return;
76 }
77 if (verifyCtx->hashCtx != NULL) {
78 SAL_CRYPT_DigestFree(verifyCtx->hashCtx);
79 }
80 VERIFY_FreeMsgCache(verifyCtx);
81 BSL_SAL_FREE(verifyCtx);
82 hsCtx->verifyCtx = NULL;
83 return;
84 }
85 #ifdef HITLS_TLS_FEATURE_RENEGOTIATION
SaveVerifyData(TLS_Ctx * ctx,bool isClient)86 static int32_t SaveVerifyData(TLS_Ctx *ctx, bool isClient)
87 {
88 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
89 uint8_t *verifyData = isClient ? ctx->negotiatedInfo.clientVerifyData : ctx->negotiatedInfo.serverVerifyData;
90 if (memcpy_s(verifyData, MAX_DIGEST_SIZE, verifyCtx->verifyData, verifyCtx->verifyDataSize) != EOK) {
91 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15909, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
92 "copy verifyData fail.", 0, 0, 0, 0);
93 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
94 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
95 return HITLS_MEMCPY_FAIL;
96 }
97 if (isClient) {
98 ctx->negotiatedInfo.clientVerifyDataSize = verifyCtx->verifyDataSize;
99 } else {
100 ctx->negotiatedInfo.serverVerifyDataSize = verifyCtx->verifyDataSize;
101 }
102 return HITLS_SUCCESS;
103 }
104 #endif /* HITLS_TLS_FEATURE_RENEGOTIATION */
VERIFY_CalcVerifyData(TLS_Ctx * ctx,bool isClient,const uint8_t * masterSecret,uint32_t masterSecretLen)105 int32_t VERIFY_CalcVerifyData(TLS_Ctx *ctx, bool isClient, const uint8_t *masterSecret, uint32_t masterSecretLen)
106 {
107 int32_t ret = HITLS_SUCCESS;
108 uint32_t digestLen = MAX_DIGEST_SIZE;
109 uint8_t digest[MAX_DIGEST_SIZE] = {0};
110 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
111
112 ret = VERIFY_CalcSessionHash(verifyCtx, digest, &digestLen);
113 if (ret != HITLS_SUCCESS) {
114 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15477, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
115 "Verify data calculate error: calc session hash fail.", 0, 0, 0, 0);
116 return ret;
117 }
118
119 CRYPT_KeyDeriveParameters deriveInfo;
120 deriveInfo.hashAlgo = verifyCtx->hashAlgo;
121 deriveInfo.secret = masterSecret;
122 deriveInfo.secretLen = masterSecretLen;
123 deriveInfo.label = isClient ? ((const uint8_t *)CLIENT_FINISHED_LABEL) : ((const uint8_t *)SERVER_FINISHED_LABEL);
124 deriveInfo.labelLen = isClient ? strlen(CLIENT_FINISHED_LABEL) : strlen(SERVER_FINISHED_LABEL);
125 deriveInfo.seed = digest;
126 deriveInfo.seedLen = digestLen;
127 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
128 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
129 ret = SAL_CRYPT_PRF(&deriveInfo, verifyCtx->verifyData, HS_VERIFY_DATA_LEN);
130 if (ret != HITLS_SUCCESS) {
131 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15478, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
132 "Verify data calculate error: PRF fail.", 0, 0, 0, 0);
133 return ret;
134 }
135 verifyCtx->verifyDataSize = HS_VERIFY_DATA_LEN;
136 #ifdef HITLS_TLS_FEATURE_RENEGOTIATION
137 ret = SaveVerifyData(ctx, isClient);
138 #endif /* HITLS_TLS_FEATURE_RENEGOTIATION */
139 return ret;
140 }
141
GetHsDataLen(const VerifyCtx * ctx)142 static uint32_t GetHsDataLen(const VerifyCtx *ctx)
143 {
144 uint32_t len = 0;
145 const HsMsgCache *block = ctx->dataBuf;
146 /* Calculate the signature data length */
147 while (block != NULL) {
148 len += block->dataSize;
149 block = block->next;
150 }
151 return len;
152 }
153
LoopBlocks(const HsMsgCache * block,uint8_t * data,uint32_t len)154 static void LoopBlocks(const HsMsgCache *block, uint8_t *data, uint32_t len)
155 {
156 uint32_t offset = 0;
157 while ((block != NULL) && (block->dataSize > 0)) {
158 (void) memcpy_s(data + offset, len - offset, block->data, block->dataSize);
159 offset += block->dataSize;
160 block = block->next;
161 }
162 }
163
GetHsData(VerifyCtx * ctx,uint8_t ** data,uint32_t * dataLen)164 static int32_t GetHsData(VerifyCtx *ctx, uint8_t **data, uint32_t *dataLen)
165 {
166 uint32_t hsDataLen = GetHsDataLen(ctx);
167 if (hsDataLen == 0) {
168 *dataLen = 0;
169 *data = NULL;
170 return HITLS_SUCCESS;
171 }
172 uint8_t *hsData = BSL_SAL_Malloc(hsDataLen);
173 if (hsData == NULL) {
174 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16847, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Malloc fail", 0, 0, 0, 0);
175 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
176 return HITLS_MEMALLOC_FAIL;
177 }
178 const HsMsgCache *block = ctx->dataBuf;
179 LoopBlocks(block, hsData, hsDataLen);
180 *dataLen = hsDataLen;
181 *data = hsData;
182 return HITLS_SUCCESS;
183 }
184
185 #ifdef HITLS_TLS_PROTO_TLS13
186 /* The sender packs the data, calculates the binder, and then appends verified data.
187 * The receiver parses the data, and then calculates the binder. */
GetHsDataForBinder(VerifyCtx * ctx,uint32_t * dataLen,bool isClient,uint8_t ** data)188 static int32_t GetHsDataForBinder(VerifyCtx *ctx, uint32_t *dataLen, bool isClient, uint8_t **data)
189 {
190 if (isClient) {
191 return GetHsData(ctx, data, dataLen);
192 }
193
194 const HsMsgCache *block = ctx->dataBuf;
195 if (block == NULL || block->next == NULL || block->next->data == 0) {
196 return HITLS_SUCCESS;
197 }
198 uint32_t lenExcludeLastBlock = 0;
199 /* Calculate the total length excluding the last block. */
200 while (block->next != NULL && block->next->dataSize != 0) {
201 lenExcludeLastBlock += block->dataSize;
202 block = block->next;
203 }
204 uint32_t lastBlockLen = block->dataSize;
205 if (lenExcludeLastBlock == 0) {
206 *data = NULL;
207 *dataLen = lenExcludeLastBlock;
208 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15479, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN, "In verify ctx, empty data.",
209 0, 0, 0, 0);
210 return HITLS_SUCCESS;
211 }
212 uint8_t *hsData = BSL_SAL_Malloc(lenExcludeLastBlock + lastBlockLen);
213 if (hsData == NULL) {
214 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16869, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Malloc fail", 0, 0, 0, 0);
215 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
216 return HITLS_MEMALLOC_FAIL;
217 }
218 (void)LoopBlocks(ctx->dataBuf, hsData, lenExcludeLastBlock + lastBlockLen);
219 *dataLen = lenExcludeLastBlock;
220 *data = hsData;
221 return HITLS_SUCCESS;
222 }
223
GetCertVerifyLabel(bool isClient,uint32_t * len)224 static const char *GetCertVerifyLabel(bool isClient, uint32_t *len)
225 {
226 if (isClient) {
227 *len = strlen(TLS13_CLIENT_CERT_VERIFY_LABEL);
228 return TLS13_CLIENT_CERT_VERIFY_LABEL;
229 }
230 *len = strlen(TLS13_SERVER_CERT_VERIFY_LABEL);
231 return TLS13_SERVER_CERT_VERIFY_LABEL;
232 }
233
Tls13GetUnsignData(TLS_Ctx * ctx,uint32_t * dataLen,bool isClient)234 static uint8_t *Tls13GetUnsignData(TLS_Ctx *ctx, uint32_t *dataLen, bool isClient)
235 {
236 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
237 uint32_t digestLen = MAX_DIGEST_SIZE;
238 uint8_t digest[MAX_DIGEST_SIZE] = {0};
239 int32_t ret = VERIFY_CalcSessionHash(verifyCtx, digest, &digestLen);
240 if (ret != HITLS_SUCCESS) {
241 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15480, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
242 "calc session hash fail when get unsign data.", 0, 0, 0, 0);
243 return NULL;
244 }
245
246 uint32_t labelLen = 0;
247 const char *label = GetCertVerifyLabel(isClient, &labelLen);
248
249 /* sixty-four 0x20 s + label + 0x00 + SessionHash */
250 uint32_t unsignDataLen = TLS13_CERT_VERIFY_PREFIX_LEN + labelLen + 1 + digestLen;
251 uint8_t *unsignData = BSL_SAL_Malloc(unsignDataLen);
252 if (unsignData == NULL) {
253 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
254 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15481, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
255 "malloc unsignData fail when get unsign data.", 0, 0, 0, 0);
256 return NULL;
257 }
258
259 uint32_t offset = 0;
260 /* Filled prefix: sixty-four 0x20 s */
261 (void)memset_s(unsignData, unsignDataLen, TLS13_CERT_VERIFY_PREFIX, TLS13_CERT_VERIFY_PREFIX_LEN);
262 offset += TLS13_CERT_VERIFY_PREFIX_LEN;
263
264 /* Filled labels */
265 if (memcpy_s(&unsignData[offset], unsignDataLen - offset, label, labelLen) != EOK) {
266 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16870, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
267 BSL_SAL_FREE(unsignData);
268 return NULL;
269 }
270 offset += labelLen;
271
272 /* Filled with one 0 */
273 unsignData[offset] = 0;
274 offset++;
275
276 /* Filled SessionHash */
277 if (memcpy_s(&unsignData[offset], unsignDataLen - offset, digest, digestLen) != EOK) {
278 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16871, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
279 BSL_SAL_FREE(unsignData);
280 return NULL;
281 }
282
283 *dataLen = unsignDataLen;
284 return unsignData;
285 }
286 #endif /* HITLS_TLS_PROTO_TLS13 */
287 #ifdef HITLS_TLS_PROTO_TLCP11
TlcpGetUnsignData(TLS_Ctx * ctx,uint32_t * dataLen)288 static uint8_t *TlcpGetUnsignData(TLS_Ctx *ctx, uint32_t *dataLen)
289 {
290 int32_t ret = HITLS_SUCCESS;
291 uint32_t unsignDataLen = MAX_DIGEST_SIZE;
292 uint8_t *unsignData = BSL_SAL_Malloc(unsignDataLen);
293 if (unsignData == NULL) {
294 BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
295 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16214, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
296 "malloc unsignData fail when get unsign data", 0, 0, 0, 0);
297 return NULL;
298 }
299 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
300 ret = VERIFY_CalcSessionHash(verifyCtx, unsignData, &unsignDataLen);
301 if (ret != HITLS_SUCCESS) {
302 BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
303 BSL_SAL_Free(unsignData);
304 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16215, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
305 "calc session hash fail when get unsign data", 0, 0, 0, 0);
306 return NULL;
307 }
308
309 *dataLen = unsignDataLen;
310 return unsignData;
311 }
312 #endif
313
GetUnsignData(TLS_Ctx * ctx,uint32_t * dataLen,bool isClient,HITLS_HashAlgo hashAlgo)314 static uint8_t *GetUnsignData(TLS_Ctx *ctx, uint32_t *dataLen, bool isClient, HITLS_HashAlgo hashAlgo)
315 {
316 (void)isClient;
317 (void)hashAlgo;
318 #ifdef HITLS_TLS_PROTO_TLS13
319 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
320 return Tls13GetUnsignData(ctx, dataLen, isClient);
321 }
322 #endif /* HITLS_TLS_PROTO_TLS13 */
323 #ifdef HITLS_TLS_PROTO_TLCP11
324 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11) {
325 return TlcpGetUnsignData(ctx, dataLen);
326 }
327 #endif
328 uint8_t *data = NULL;
329 (void)GetHsData(ctx->hsCtx->verifyCtx, &data, dataLen);
330 return data;
331 }
332
VERIFY_CalcSignData(TLS_Ctx * ctx,HITLS_CERT_Key * privateKey,HITLS_SignHashAlgo signScheme)333 int32_t VERIFY_CalcSignData(TLS_Ctx *ctx, HITLS_CERT_Key *privateKey, HITLS_SignHashAlgo signScheme)
334 {
335 int32_t ret = HITLS_SUCCESS;
336 HITLS_SignAlgo signAlgo = 0;
337 HITLS_HashAlgo hashAlgo = 0;
338 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
339
340 if (CFG_GetSignParamBySchemes(ctx, signScheme, &signAlgo, &hashAlgo) != true) {
341 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15482, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
342 "get sign parm fail.", 0, 0, 0, 0);
343 BSL_ERR_PUSH_ERROR(HITLS_PACK_SIGNATURE_ERR);
344 return HITLS_PACK_SIGNATURE_ERR;
345 }
346 /* Obtaining the data to be signed */
347 uint32_t dataLen = 0u;
348 uint8_t *data = GetUnsignData(ctx, &dataLen, ctx->isClient, hashAlgo); // 签名的时候使用的是本端的isClient
349 if (data == NULL) {
350 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16872, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
351 "GetUnsignData fail", 0, 0, 0, 0);
352 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
353 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_GET_UNSIGN_DATA_FAIL);
354 return HITLS_MSG_HANDLE_GET_UNSIGN_DATA_FAIL;
355 }
356
357 CERT_SignParam signParam = {0};
358 signParam.signAlgo = signAlgo;
359 signParam.hashAlgo = hashAlgo;
360 signParam.data = data;
361 signParam.dataLen = dataLen;
362 signParam.sign = verifyCtx->verifyData;
363 signParam.signLen = MAX_SIGN_SIZE;
364
365 ret = SAL_CERT_CreateSign(ctx, privateKey, &signParam);
366 if ((ret != HITLS_SUCCESS) || (signParam.signLen > MAX_SIGN_SIZE)) {
367 BSL_SAL_FREE(data);
368 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15483, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
369 "create signature fail.", 0, 0, 0, 0);
370 BSL_ERR_PUSH_ERROR(HITLS_PACK_SIGNATURE_ERR);
371 return HITLS_PACK_SIGNATURE_ERR;
372 }
373 verifyCtx->verifyDataSize = signParam.signLen;
374
375 BSL_SAL_FREE(data);
376 return HITLS_SUCCESS;
377 }
378
VERIFY_VerifySignData(TLS_Ctx * ctx,HITLS_CERT_Key * pubkey,HITLS_SignHashAlgo signScheme,const uint8_t * signData,uint16_t signDataLen)379 int32_t VERIFY_VerifySignData(TLS_Ctx *ctx, HITLS_CERT_Key *pubkey, HITLS_SignHashAlgo signScheme,
380 const uint8_t *signData, uint16_t signDataLen)
381 {
382 int32_t ret = HITLS_SUCCESS;
383 HITLS_SignAlgo signAlgo = 0;
384 HITLS_HashAlgo hashAlgo = 0;
385
386 if (CFG_GetSignParamBySchemes(ctx, signScheme, &signAlgo, &hashAlgo) != true) {
387 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15484, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
388 "get sign parm fail.", 0, 0, 0, 0);
389 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
390 BSL_ERR_PUSH_ERROR(HITLS_PACK_SIGNATURE_ERR);
391 return HITLS_PACK_SIGNATURE_ERR;
392 }
393 /* Obtain the data to be signed */
394 uint32_t dataLen = 0;
395 uint8_t *data = GetUnsignData(ctx, &dataLen, !ctx->isClient, hashAlgo);
396 if (data == NULL) {
397 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16873, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "get data fail", 0, 0, 0, 0);
398 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
399 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_GET_UNSIGN_DATA_FAIL);
400 return HITLS_MSG_HANDLE_GET_UNSIGN_DATA_FAIL;
401 }
402
403 CERT_SignParam signParam = {.signAlgo = signAlgo, .hashAlgo = hashAlgo, .data = data, .dataLen = dataLen};
404 signParam.sign = BSL_SAL_Dump(signData, signDataLen);
405 if (signParam.sign == NULL) {
406 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16874, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "dump fail", 0, 0, 0, 0);
407 BSL_SAL_FREE(data);
408 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
409 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
410 return HITLS_MEMALLOC_FAIL;
411 }
412 signParam.signLen = signDataLen;
413
414 ret = SAL_CERT_VerifySign(ctx, pubkey, &signParam);
415 BSL_SAL_FREE(signParam.sign);
416 BSL_SAL_FREE(data);
417 if (ret != HITLS_SUCCESS) {
418 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_DECRYPT_ERROR);
419 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15485, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
420 "verify signature fail.", 0, 0, 0, 0);
421 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_VERIFY_SIGN_FAIL);
422 return HITLS_MSG_HANDLE_VERIFY_SIGN_FAIL;
423 }
424 return HITLS_SUCCESS;
425 }
426
VERIFY_GetVerifyData(const VerifyCtx * ctx,uint8_t * verifyData,uint32_t * verifyDataLen)427 int32_t VERIFY_GetVerifyData(const VerifyCtx *ctx, uint8_t *verifyData, uint32_t *verifyDataLen)
428 {
429 if (ctx->verifyDataSize > MAX_DIGEST_SIZE) {
430 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15488, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
431 "Get verify data error: incorrect digest size.", 0, 0, 0, 0);
432 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN);
433 return HITLS_MSG_HANDLE_INCORRECT_DIGEST_LEN;
434 }
435
436 if (memcpy_s(verifyData, *verifyDataLen, ctx->verifyData, ctx->verifyDataSize) != EOK) {
437 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15489, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
438 "Get verify data error: memcpy fail.", 0, 0, 0, 0);
439 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
440 return HITLS_MEMCPY_FAIL;
441 }
442 *verifyDataLen = ctx->verifyDataSize;
443 return HITLS_SUCCESS;
444 }
445 #ifdef HITLS_TLS_PROTO_TLS13
GetBaseKey(TLS_Ctx * ctx,bool isClient)446 static uint8_t *GetBaseKey(TLS_Ctx *ctx, bool isClient)
447 {
448 uint8_t *baseKey = NULL;
449 #ifdef HITLS_TLS_FEATURE_PHA
450 if (ctx->phaState == PHA_REQUESTED) {
451 baseKey = isClient ? ctx->clientAppTrafficSecret : ctx->serverAppTrafficSecret;
452 } else
453 #endif /* HITLS_TLS_FEATURE_PHA */
454 {
455 baseKey = isClient ? ctx->hsCtx->clientHsTrafficSecret : ctx->hsCtx->serverHsTrafficSecret;
456 }
457 return baseKey;
458 }
459
VERIFY_Tls13CalcVerifyData(TLS_Ctx * ctx,bool isClient)460 int32_t VERIFY_Tls13CalcVerifyData(TLS_Ctx *ctx, bool isClient)
461 {
462 int32_t ret = HITLS_SUCCESS;
463 HITLS_HashAlgo hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
464 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlg);
465 if (hashLen == 0) {
466 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16875, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
467 return HITLS_CRYPT_ERR_DIGEST;
468 }
469 uint8_t finishedKey[MAX_DIGEST_SIZE] = {0};
470 uint8_t *baseKey = NULL;
471
472 baseKey = GetBaseKey(ctx, isClient);
473
474 /* finished_key = HKDF-Expand-Label(BaseKey, "finished", "", Hash.length) */
475 ret = HS_TLS13DeriveFinishedKey(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
476 hashAlg, baseKey, hashLen, finishedKey, hashLen);
477 if (ret != HITLS_SUCCESS) {
478 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16876, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
479 "DeriveFinishedKey fail", 0, 0, 0, 0);
480 return ret;
481 }
482
483 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
484 uint32_t digestLen = MAX_DIGEST_SIZE;
485 uint8_t digest[MAX_DIGEST_SIZE] = {0};
486 ret = VERIFY_CalcSessionHash(verifyCtx, digest, &digestLen);
487 if (ret != HITLS_SUCCESS) {
488 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15490, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
489 "calc session hash fail when calc tls13 verify data.", 0, 0, 0, 0);
490 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
491 return ret;
492 }
493
494 /* verify_data = HMAC(finished_key, Transcript-Hash(Handshake Context, Certificate*, CertificateVerify*)) */
495 verifyCtx->verifyDataSize = hashLen;
496 ret = SAL_CRYPT_Hmac(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
497 hashAlg, finishedKey, hashLen, digest, digestLen, verifyCtx->verifyData, &verifyCtx->verifyDataSize);
498 if (ret != HITLS_SUCCESS) {
499 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15910, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
500 "SAL_CRYPT_Hmac fail when calc tls13 verify data.", 0, 0, 0, 0);
501 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
502 }
503 return ret;
504 }
505
ConstructMsgHash(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_HashAlgo hashAlgo,HsMsgCache * dataBuf,uint8_t * out,uint32_t * outLen)506 static int32_t ConstructMsgHash(HITLS_Lib_Ctx *libCtx, const char *attrName, HITLS_HashAlgo hashAlgo, HsMsgCache *dataBuf,
507 uint8_t *out, uint32_t *outLen)
508 {
509 int32_t ret = HITLS_SUCCESS;
510 uint32_t digestLen = *outLen - MSG_HASH_HEADER_SIZE;
511 uint32_t inLen = dataBuf->dataSize;
512 uint8_t *in = BSL_SAL_Dump(dataBuf->data, dataBuf->dataSize);
513 if (in == NULL) {
514 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16877, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Dump fail", 0, 0, 0, 0);
515 BSL_ERR_PUSH_ERROR(BSL_UIO_MEM_ALLOC_FAIL);
516 return BSL_UIO_MEM_ALLOC_FAIL;
517 }
518 ret = SAL_CRYPT_Digest(libCtx, attrName, hashAlgo, in, inLen, &out[MSG_HASH_HEADER_SIZE], &digestLen);
519 BSL_SAL_FREE(in);
520 if (ret != HITLS_SUCCESS) {
521 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16878, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Digest fail", 0, 0, 0, 0);
522 return ret;
523 }
524
525 uint32_t offset = 0;
526 out[offset++] = MESSAGE_HASH;
527 out[offset++] = 0;
528 out[offset++] = 0;
529 out[offset] = (uint8_t)digestLen;
530 *outLen = digestLen + MSG_HASH_HEADER_SIZE;
531
532 return HITLS_SUCCESS;
533 }
534
ReinitVerify(TLS_Ctx * ctx,uint8_t * msgHash,uint32_t msgHashLen,uint8_t * hrr,uint32_t hrrLen)535 static int32_t ReinitVerify(TLS_Ctx *ctx, uint8_t *msgHash, uint32_t msgHashLen, uint8_t *hrr, uint32_t hrrLen)
536 {
537 int32_t ret = HITLS_SUCCESS;
538
539 VERIFY_Deinit(ctx->hsCtx);
540
541 ret = VERIFY_Init(ctx->hsCtx);
542 if (ret != HITLS_SUCCESS) {
543 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16879, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
544 "VERIFY_Init fail", 0, 0, 0, 0);
545 return ret;
546 }
547 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
548
549 ret = VERIFY_Append(verifyCtx, msgHash, msgHashLen);
550 if (ret != HITLS_SUCCESS) {
551 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16880, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
552 "VERIFY_Append fail", 0, 0, 0, 0);
553 return ret;
554 }
555
556 return VERIFY_Append(verifyCtx, hrr, hrrLen);
557 }
558
VERIFY_HelloRetryRequestVerifyProcess(TLS_Ctx * ctx)559 int32_t VERIFY_HelloRetryRequestVerifyProcess(TLS_Ctx *ctx)
560 {
561 int32_t ret = HITLS_SUCCESS;
562 uint32_t msgHashLen = MAX_MSG_HASH_SIZE;
563 uint8_t msgHash[MAX_MSG_HASH_SIZE] = {0};
564 VerifyCtx *verifyCtx = ctx->hsCtx->verifyCtx;
565 HsMsgCache *dataBuf = verifyCtx->dataBuf;
566
567 /** Set the verify information. */
568 ret = VERIFY_SetHash(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
569 ctx->hsCtx->verifyCtx, ctx->negotiatedInfo.cipherSuiteInfo.hashAlg);
570 if (ret != HITLS_SUCCESS) {
571 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15491, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
572 "set verify info fail.", 0, 0, 0, 0);
573 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
574 return ret;
575 }
576
577 ret = ConstructMsgHash(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
578 verifyCtx->hashAlgo, dataBuf, msgHash, &msgHashLen);
579 if (ret != HITLS_SUCCESS) {
580 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15493, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
581 "construct msg hash fail.", 0, 0, 0, 0);
582 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
583 return ret;
584 }
585
586 dataBuf = dataBuf->next;
587 uint32_t helloRetryRequestLen = dataBuf->dataSize;
588 uint8_t *helloRetryRequest = BSL_SAL_Dump(dataBuf->data, dataBuf->dataSize);
589 if (helloRetryRequest == NULL) {
590 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15494, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
591 "malloc helloRetryRequest fail when process hrr verify.", 0, 0, 0, 0);
592 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
593 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
594 return HITLS_MEMALLOC_FAIL;
595 }
596
597 ret = ReinitVerify(ctx, msgHash, msgHashLen, helloRetryRequest, helloRetryRequestLen);
598 if (ret != HITLS_SUCCESS) {
599 BSL_SAL_FREE(helloRetryRequest);
600 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
601 return ret;
602 }
603 BSL_SAL_FREE(helloRetryRequest);
604
605 return HITLS_SUCCESS;
606 }
607
608 /*
609 Transcript-Hash(Truncate(ClientHello1))
610 Where Truncate() removes the binders list from the ClientHello
611 If the server responds with a HelloRetryRequest and the client then sends ClientHello2,
612 its binder will be computed over:
613 Transcript-Hash(ClientHello1, HelloRetryRequest, Truncate(ClientHello2))
614 */
VERIFY_CalcPskBinder(const TLS_Ctx * ctx,HITLS_HashAlgo hashAlgo,bool isExternalPsk,uint8_t * psk,uint32_t pskLen,const uint8_t * msg,uint32_t msgLen,uint8_t * binder,uint32_t binderLen)615 int32_t VERIFY_CalcPskBinder(const TLS_Ctx *ctx, HITLS_HashAlgo hashAlgo, bool isExternalPsk, uint8_t *psk,
616 uint32_t pskLen, const uint8_t *msg, uint32_t msgLen, uint8_t *binder, uint32_t binderLen)
617 {
618 int32_t ret = HITLS_SUCCESS;
619 HITLS_HASH_Ctx *hashCtx = NULL;
620 uint8_t *hsData = NULL;
621 uint8_t earlySecret[MAX_DIGEST_SIZE] = {0};
622 uint8_t binderKey[MAX_DIGEST_SIZE] = {0};
623 uint8_t finishedKey[MAX_DIGEST_SIZE] = {0};
624 uint8_t transcriptHash[MAX_DIGEST_SIZE] = {0};
625 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlgo);
626 uint32_t hsDataLen = 0u;
627 uint32_t calcBinderLen = binderLen;
628 if (hashLen == 0) {
629 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16881, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
630 return HITLS_CRYPT_ERR_DIGEST;
631 }
632 // HKDF.Extract PSK to compute EarlySecret
633 ret = HS_TLS13DeriveEarlySecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx), hashAlgo, psk, pskLen, earlySecret, &hashLen);
634 if (ret != HITLS_SUCCESS) {
635 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16882, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
636 "DeriveEarlySecret fail", 0, 0, 0, 0);
637 goto EXIT;
638 }
639 // HKDF.Expand EarlySecret to compute BinderKey
640 ret = HS_TLS13DeriveBinderKey(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
641 hashAlgo, isExternalPsk, earlySecret, hashLen, binderKey, hashLen);
642 if (ret != HITLS_SUCCESS) {
643 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16883, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
644 "DeriveBinderKey fail", 0, 0, 0, 0);
645 goto EXIT;
646 }
647 // HKDF.Expand BinderKey to compute Binder Finished Key
648 ret = HS_TLS13DeriveFinishedKey(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
649 hashAlgo, binderKey, hashLen, finishedKey, hashLen);
650 if (ret != HITLS_SUCCESS) {
651 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16884, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
652 "DeriveFinishedKey fail", 0, 0, 0, 0);
653 goto EXIT;
654 }
655
656 hashCtx = SAL_CRYPT_DigestInit(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx), hashAlgo);
657 if (hashCtx == NULL) {
658 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16885, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
659 "DigestInit fail", 0, 0, 0, 0);
660 ret = HITLS_CRYPT_ERR_DIGEST;
661 goto EXIT;
662 }
663
664 ret = GetHsDataForBinder(ctx->hsCtx->verifyCtx, &hsDataLen, ctx->isClient, &hsData);
665 if (ret != HITLS_SUCCESS) {
666 goto EXIT;
667 }
668 if (hsData != NULL) {
669 ret = SAL_CRYPT_DigestUpdate(hashCtx, hsData, hsDataLen);
670 if (ret != HITLS_SUCCESS) {
671 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16886, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
672 "DigestUpdate fail", 0, 0, 0, 0);
673 goto EXIT;
674 }
675 }
676
677 if (SAL_CRYPT_DigestUpdate(hashCtx, msg, msgLen) != HITLS_SUCCESS ||
678 SAL_CRYPT_DigestFinal(hashCtx, transcriptHash, &hashLen) != HITLS_SUCCESS) {
679 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16887, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
680 "DigestUpdate or DigestFinal fail", 0, 0, 0, 0);
681 ret = HITLS_CRYPT_ERR_DIGEST;
682 goto EXIT;
683 }
684
685 ret = SAL_CRYPT_Hmac(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
686 hashAlgo, finishedKey, hashLen, transcriptHash, hashLen, binder, &calcBinderLen);
687
688 EXIT:
689 BSL_SAL_CleanseData(earlySecret, MAX_DIGEST_SIZE);
690 BSL_SAL_CleanseData(binderKey, MAX_DIGEST_SIZE);
691 BSL_SAL_CleanseData(finishedKey, MAX_DIGEST_SIZE);
692 BSL_SAL_FREE(hsData);
693 SAL_CRYPT_DigestFree(hashCtx);
694 return ret;
695 }
696
697 #endif /* HITLS_TLS_PROTO_TLS13 */