TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 207505051c368276555a20587449d9fe88e6ac31 / . / lib / libmbedtls / mbedtls / library / ssl_msg.c
blob: 1352b4943e4dc97069835caadb48e36f15da2a34 [file] [log] [blame]
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1/*
2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
4 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]5 * Copyright The Mbed TLS Contributors
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]19 */
20/*
21 * The SSL 3.0 specification was drafted by Netscape in 1996,
22 * and became an IETF standard in 1999.
23 *
24 * http://wp.netscape.com/eng/ssl3/
25 * http://www.ietf.org/rfc/rfc2246.txt
26 * http://www.ietf.org/rfc/rfc4346.txt
27 */
28
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]29#include "common.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]30
31#if defined(MBEDTLS_SSL_TLS_C)
32
33#if defined(MBEDTLS_PLATFORM_C)
34#include "mbedtls/platform.h"
35#else
36#include <stdlib.h>
37#define mbedtls_calloc calloc
38#define mbedtls_free free
39#endif
40
41#include "mbedtls/ssl.h"
42#include "mbedtls/ssl_internal.h"
43#include "mbedtls/debug.h"
44#include "mbedtls/error.h"
45#include "mbedtls/platform_util.h"
46#include "mbedtls/version.h"
47
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]48#include "ssl_invasive.h"
49
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]50#include <string.h>
51
52#if defined(MBEDTLS_USE_PSA_CRYPTO)
53#include "mbedtls/psa_util.h"
54#include "psa/crypto.h"
55#endif
56
57#if defined(MBEDTLS_X509_CRT_PARSE_C)
58#include "mbedtls/oid.h"
59#endif
60
61static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
62
63/*
64 * Start a timer.
65 * Passing millisecs = 0 cancels a running timer.
66 */
67void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
68{
69 if( ssl->f_set_timer == NULL )
70 return;
71
72 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
73 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
74}
75
76/*
77 * Return -1 is timer is expired, 0 if it isn't.
78 */
79int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
80{
81 if( ssl->f_get_timer == NULL )
82 return( 0 );
83
84 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
85 {
86 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
87 return( -1 );
88 }
89
90 return( 0 );
91}
92
93#if defined(MBEDTLS_SSL_RECORD_CHECKING)
94static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
95 unsigned char *buf,
96 size_t len,
97 mbedtls_record *rec );
98
99int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
100 unsigned char *buf,
101 size_t buflen )
102{
103 int ret = 0;
104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
105 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
106
107 /* We don't support record checking in TLS because
108 * (a) there doesn't seem to be a usecase for it, and
109 * (b) In SSLv3 and TLS 1.0, CBC record decryption has state
110 * and we'd need to backup the transform here.
111 */
112 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
113 {
114 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
115 goto exit;
116 }
117#if defined(MBEDTLS_SSL_PROTO_DTLS)
118 else
119 {
120 mbedtls_record rec;
121
122 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
123 if( ret != 0 )
124 {
125 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
126 goto exit;
127 }
128
129 if( ssl->transform_in != NULL )
130 {
131 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
132 if( ret != 0 )
133 {
134 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
135 goto exit;
136 }
137 }
138 }
139#endif /* MBEDTLS_SSL_PROTO_DTLS */
140
141exit:
142 /* On success, we have decrypted the buffer in-place, so make
143 * sure we don't leak any plaintext data. */
144 mbedtls_platform_zeroize( buf, buflen );
145
146 /* For the purpose of this API, treat messages with unexpected CID
147 * as well as such from future epochs as unexpected. */
148 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
149 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
150 {
151 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
152 }
153
154 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
155 return( ret );
156}
157#endif /* MBEDTLS_SSL_RECORD_CHECKING */
158
159#define SSL_DONT_FORCE_FLUSH 0
160#define SSL_FORCE_FLUSH 1
161
162#if defined(MBEDTLS_SSL_PROTO_DTLS)
163
164/* Forward declarations for functions related to message buffering. */
165static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
166 uint8_t slot );
167static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
168static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
169static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
170static int ssl_buffer_message( mbedtls_ssl_context *ssl );
171static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
172 mbedtls_record const *rec );
173static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
174
175static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
176{
177 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
178#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
179 size_t out_buf_len = ssl->out_buf_len;
180#else
181 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
182#endif
183
184 if( mtu != 0 && mtu < out_buf_len )
185 return( mtu );
186
187 return( out_buf_len );
188}
189
190static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
191{
192 size_t const bytes_written = ssl->out_left;
193 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
194
195 /* Double-check that the write-index hasn't gone
196 * past what we can transmit in a single datagram. */
197 if( bytes_written > mtu )
198 {
199 /* Should never happen... */
200 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
201 }
202
203 return( (int) ( mtu - bytes_written ) );
204}
205
206static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
207{
208 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
209 size_t remaining, expansion;
210 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
211
212#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
213 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
214
215 if( max_len > mfl )
216 max_len = mfl;
217
218 /* By the standard (RFC 6066 Sect. 4), the MFL extension
219 * only limits the maximum record payload size, so in theory
220 * we would be allowed to pack multiple records of payload size
221 * MFL into a single datagram. However, this would mean that there's
222 * no way to explicitly communicate MTU restrictions to the peer.
223 *
224 * The following reduction of max_len makes sure that we never
225 * write datagrams larger than MFL + Record Expansion Overhead.
226 */
227 if( max_len <= ssl->out_left )
228 return( 0 );
229
230 max_len -= ssl->out_left;
231#endif
232
233 ret = ssl_get_remaining_space_in_datagram( ssl );
234 if( ret < 0 )
235 return( ret );
236 remaining = (size_t) ret;
237
238 ret = mbedtls_ssl_get_record_expansion( ssl );
239 if( ret < 0 )
240 return( ret );
241 expansion = (size_t) ret;
242
243 if( remaining <= expansion )
244 return( 0 );
245
246 remaining -= expansion;
247 if( remaining >= max_len )
248 remaining = max_len;
249
250 return( (int) remaining );
251}
252
253/*
254 * Double the retransmit timeout value, within the allowed range,
255 * returning -1 if the maximum value has already been reached.
256 */
257static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
258{
259 uint32_t new_timeout;
260
261 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
262 return( -1 );
263
264 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
265 * in the following way: after the initial transmission and a first
266 * retransmission, back off to a temporary estimated MTU of 508 bytes.
267 * This value is guaranteed to be deliverable (if not guaranteed to be
268 * delivered) of any compliant IPv4 (and IPv6) network, and should work
269 * on most non-IP stacks too. */
270 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
271 {
272 ssl->handshake->mtu = 508;
273 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
274 }
275
276 new_timeout = 2 * ssl->handshake->retransmit_timeout;
277
278 /* Avoid arithmetic overflow and range overflow */
279 if( new_timeout < ssl->handshake->retransmit_timeout ||
280 new_timeout > ssl->conf->hs_timeout_max )
281 {
282 new_timeout = ssl->conf->hs_timeout_max;
283 }
284
285 ssl->handshake->retransmit_timeout = new_timeout;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]286 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
287 (unsigned long) ssl->handshake->retransmit_timeout ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]288
289 return( 0 );
290}
291
292static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
293{
294 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]295 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
296 (unsigned long) ssl->handshake->retransmit_timeout ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]297}
298#endif /* MBEDTLS_SSL_PROTO_DTLS */
299
300#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
301int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
302 const unsigned char *key_enc, const unsigned char *key_dec,
303 size_t keylen,
304 const unsigned char *iv_enc, const unsigned char *iv_dec,
305 size_t ivlen,
306 const unsigned char *mac_enc, const unsigned char *mac_dec,
307 size_t maclen ) = NULL;
308int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
309int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
310int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
311int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
312int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
313#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
314
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]315/*
316 * Encryption/decryption functions
317 */
318
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]319#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \
320 defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
321
322static size_t ssl_compute_padding_length( size_t len,
323 size_t granularity )
324{
325 return( ( granularity - ( len + 1 ) % granularity ) % granularity );
326}
327
328/* This functions transforms a (D)TLS plaintext fragment and a record content
329 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
330 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
331 * a record's content type.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]332 *
333 * struct {
334 * opaque content[DTLSPlaintext.length];
335 * ContentType real_type;
336 * uint8 zeros[length_of_padding];
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]337 * } (D)TLSInnerPlaintext;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]338 *
339 * Input:
340 * - `content`: The beginning of the buffer holding the
341 * plaintext to be wrapped.
342 * - `*content_size`: The length of the plaintext in Bytes.
343 * - `max_len`: The number of Bytes available starting from
344 * `content`. This must be `>= *content_size`.
345 * - `rec_type`: The desired record content type.
346 *
347 * Output:
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]348 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
349 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]350 *
351 * Returns:
352 * - `0` on success.
353 * - A negative error code if `max_len` didn't offer enough space
354 * for the expansion.
355 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]356static int ssl_build_inner_plaintext( unsigned char *content,
357 size_t *content_size,
358 size_t remaining,
359 uint8_t rec_type,
360 size_t pad )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]361{
362 size_t len = *content_size;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]363
364 /* Write real content type */
365 if( remaining == 0 )
366 return( -1 );
367 content[ len ] = rec_type;
368 len++;
369 remaining--;
370
371 if( remaining < pad )
372 return( -1 );
373 memset( content + len, 0, pad );
374 len += pad;
375 remaining -= pad;
376
377 *content_size = len;
378 return( 0 );
379}
380
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]381/* This function parses a (D)TLSInnerPlaintext structure.
382 * See ssl_build_inner_plaintext() for details. */
383static int ssl_parse_inner_plaintext( unsigned char const *content,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]384 size_t *content_size,
385 uint8_t *rec_type )
386{
387 size_t remaining = *content_size;
388
389 /* Determine length of padding by skipping zeroes from the back. */
390 do
391 {
392 if( remaining == 0 )
393 return( -1 );
394 remaining--;
395 } while( content[ remaining ] == 0 );
396
397 *content_size = remaining;
398 *rec_type = content[ remaining ];
399
400 return( 0 );
401}
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]402#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
403 MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]404
405/* `add_data` must have size 13 Bytes if the CID extension is disabled,
406 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
407static void ssl_extract_add_data_from_record( unsigned char* add_data,
408 size_t *add_data_len,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]409 mbedtls_record *rec,
410 unsigned minor_ver )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]411{
412 /* Quoting RFC 5246 (TLS 1.2):
413 *
414 * additional_data = seq_num + TLSCompressed.type +
415 * TLSCompressed.version + TLSCompressed.length;
416 *
417 * For the CID extension, this is extended as follows
418 * (quoting draft-ietf-tls-dtls-connection-id-05,
419 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
420 *
421 * additional_data = seq_num + DTLSPlaintext.type +
422 * DTLSPlaintext.version +
423 * cid +
424 * cid_length +
425 * length_of_DTLSInnerPlaintext;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]426 *
427 * For TLS 1.3, the record sequence number is dropped from the AAD
428 * and encoded within the nonce of the AEAD operation instead.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]429 */
430
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]431 unsigned char *cur = add_data;
432
433#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
434 if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 )
435#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
436 {
437 ((void) minor_ver);
438 memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
439 cur += sizeof( rec->ctr );
440 }
441
442 *cur = rec->type;
443 cur++;
444
445 memcpy( cur, rec->ver, sizeof( rec->ver ) );
446 cur += sizeof( rec->ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]447
448#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
449 if( rec->cid_len != 0 )
450 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]451 memcpy( cur, rec->cid, rec->cid_len );
452 cur += rec->cid_len;
453
454 *cur = rec->cid_len;
455 cur++;
456
457 cur[0] = ( rec->data_len >> 8 ) & 0xFF;
458 cur[1] = ( rec->data_len >> 0 ) & 0xFF;
459 cur += 2;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]460 }
461 else
462#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
463 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]464 cur[0] = ( rec->data_len >> 8 ) & 0xFF;
465 cur[1] = ( rec->data_len >> 0 ) & 0xFF;
466 cur += 2;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]467 }
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]468
469 *add_data_len = cur - add_data;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]470}
471
472#if defined(MBEDTLS_SSL_PROTO_SSL3)
473
474#define SSL3_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
475
476/*
477 * SSLv3.0 MAC functions
478 */
479static void ssl_mac( mbedtls_md_context_t *md_ctx,
480 const unsigned char *secret,
481 const unsigned char *buf, size_t len,
482 const unsigned char *ctr, int type,
483 unsigned char out[SSL3_MAC_MAX_BYTES] )
484{
485 unsigned char header[11];
486 unsigned char padding[48];
487 int padlen;
488 int md_size = mbedtls_md_get_size( md_ctx->md_info );
489 int md_type = mbedtls_md_get_type( md_ctx->md_info );
490
491 /* Only MD5 and SHA-1 supported */
492 if( md_type == MBEDTLS_MD_MD5 )
493 padlen = 48;
494 else
495 padlen = 40;
496
497 memcpy( header, ctr, 8 );
498 header[ 8] = (unsigned char) type;
499 header[ 9] = (unsigned char)( len >> 8 );
500 header[10] = (unsigned char)( len );
501
502 memset( padding, 0x36, padlen );
503 mbedtls_md_starts( md_ctx );
504 mbedtls_md_update( md_ctx, secret, md_size );
505 mbedtls_md_update( md_ctx, padding, padlen );
506 mbedtls_md_update( md_ctx, header, 11 );
507 mbedtls_md_update( md_ctx, buf, len );
508 mbedtls_md_finish( md_ctx, out );
509
510 memset( padding, 0x5C, padlen );
511 mbedtls_md_starts( md_ctx );
512 mbedtls_md_update( md_ctx, secret, md_size );
513 mbedtls_md_update( md_ctx, padding, padlen );
514 mbedtls_md_update( md_ctx, out, md_size );
515 mbedtls_md_finish( md_ctx, out );
516}
517#endif /* MBEDTLS_SSL_PROTO_SSL3 */
518
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]519#if defined(MBEDTLS_GCM_C) || \
520 defined(MBEDTLS_CCM_C) || \
521 defined(MBEDTLS_CHACHAPOLY_C)
522static int ssl_transform_aead_dynamic_iv_is_explicit(
523 mbedtls_ssl_transform const *transform )
524{
525 return( transform->ivlen != transform->fixed_ivlen );
526}
527
528/* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
529 *
530 * Concretely, this occurs in two variants:
531 *
532 * a) Fixed and dynamic IV lengths add up to total IV length, giving
533 * IV = fixed_iv || dynamic_iv
534 *
535 * This variant is used in TLS 1.2 when used with GCM or CCM.
536 *
537 * b) Fixed IV lengths matches total IV length, giving
538 * IV = fixed_iv XOR ( 0 || dynamic_iv )
539 *
540 * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
541 *
542 * See also the documentation of mbedtls_ssl_transform.
543 *
544 * This function has the precondition that
545 *
546 * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
547 *
548 * which has to be ensured by the caller. If this precondition
549 * violated, the behavior of this function is undefined.
550 */
551static void ssl_build_record_nonce( unsigned char *dst_iv,
552 size_t dst_iv_len,
553 unsigned char const *fixed_iv,
554 size_t fixed_iv_len,
555 unsigned char const *dynamic_iv,
556 size_t dynamic_iv_len )
557{
558 size_t i;
559
560 /* Start with Fixed IV || 0 */
561 memset( dst_iv, 0, dst_iv_len );
562 memcpy( dst_iv, fixed_iv, fixed_iv_len );
563
564 dst_iv += dst_iv_len - dynamic_iv_len;
565 for( i = 0; i < dynamic_iv_len; i++ )
566 dst_iv[i] ^= dynamic_iv[i];
567}
568#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
569
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]570int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
571 mbedtls_ssl_transform *transform,
572 mbedtls_record *rec,
573 int (*f_rng)(void *, unsigned char *, size_t),
574 void *p_rng )
575{
576 mbedtls_cipher_mode_t mode;
577 int auth_done = 0;
578 unsigned char * data;
579 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
580 size_t add_data_len;
581 size_t post_avail;
582
583 /* The SSL context is only used for debugging purposes! */
584#if !defined(MBEDTLS_DEBUG_C)
585 ssl = NULL; /* make sure we don't use it except for debug */
586 ((void) ssl);
587#endif
588
589 /* The PRNG is used for dynamic IV generation that's used
590 * for CBC transformations in TLS 1.1 and TLS 1.2. */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]591#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]592 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
593 ((void) f_rng);
594 ((void) p_rng);
595#endif
596
597 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
598
599 if( transform == NULL )
600 {
601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
602 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
603 }
604 if( rec == NULL
605 || rec->buf == NULL
606 || rec->buf_len < rec->data_offset
607 || rec->buf_len - rec->data_offset < rec->data_len
608#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
609 || rec->cid_len != 0
610#endif
611 )
612 {
613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
614 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
615 }
616
617 data = rec->buf + rec->data_offset;
618 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
619 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
620 data, rec->data_len );
621
622 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
623
624 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
625 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET
627 " too large, maximum %" MBEDTLS_PRINTF_SIZET,
628 rec->data_len,
629 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]630 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
631 }
632
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]633 /* The following two code paths implement the (D)TLSInnerPlaintext
634 * structure present in TLS 1.3 and DTLS 1.2 + CID.
635 *
636 * See ssl_build_inner_plaintext() for more information.
637 *
638 * Note that this changes `rec->data_len`, and hence
639 * `post_avail` needs to be recalculated afterwards.
640 *
641 * Note also that the two code paths cannot occur simultaneously
642 * since they apply to different versions of the protocol. There
643 * is hence no risk of double-addition of the inner plaintext.
644 */
645#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
646 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
647 {
648 size_t padding =
649 ssl_compute_padding_length( rec->data_len,
650 MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY );
651 if( ssl_build_inner_plaintext( data,
652 &rec->data_len,
653 post_avail,
654 rec->type,
655 padding ) != 0 )
656 {
657 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
658 }
659
660 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
661 }
662#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
663
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
665 /*
666 * Add CID information
667 */
668 rec->cid_len = transform->out_cid_len;
669 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
670 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
671
672 if( rec->cid_len != 0 )
673 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]674 size_t padding =
675 ssl_compute_padding_length( rec->data_len,
676 MBEDTLS_SSL_CID_PADDING_GRANULARITY );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]677 /*
678 * Wrap plaintext into DTLSInnerPlaintext structure.
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]679 * See ssl_build_inner_plaintext() for more information.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]680 *
681 * Note that this changes `rec->data_len`, and hence
682 * `post_avail` needs to be recalculated afterwards.
683 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]684 if( ssl_build_inner_plaintext( data,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]685 &rec->data_len,
686 post_avail,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]687 rec->type,
688 padding ) != 0 )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]689 {
690 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
691 }
692
693 rec->type = MBEDTLS_SSL_MSG_CID;
694 }
695#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
696
697 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
698
699 /*
700 * Add MAC before if needed
701 */
702#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
703 if( mode == MBEDTLS_MODE_STREAM ||
704 ( mode == MBEDTLS_MODE_CBC
705#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
706 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
707#endif
708 ) )
709 {
710 if( post_avail < transform->maclen )
711 {
712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
713 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
714 }
715
716#if defined(MBEDTLS_SSL_PROTO_SSL3)
717 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
718 {
719 unsigned char mac[SSL3_MAC_MAX_BYTES];
720 ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
721 data, rec->data_len, rec->ctr, rec->type, mac );
722 memcpy( data + rec->data_len, mac, transform->maclen );
723 }
724 else
725#endif
726#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
727 defined(MBEDTLS_SSL_PROTO_TLS1_2)
728 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
729 {
730 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
731
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]732 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
733 transform->minor_ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]734
735 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
736 add_data_len );
737 mbedtls_md_hmac_update( &transform->md_ctx_enc,
738 data, rec->data_len );
739 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
740 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
741
742 memcpy( data + rec->data_len, mac, transform->maclen );
743 }
744 else
745#endif
746 {
747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
748 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
749 }
750
751 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
752 transform->maclen );
753
754 rec->data_len += transform->maclen;
755 post_avail -= transform->maclen;
756 auth_done++;
757 }
758#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
759
760 /*
761 * Encrypt
762 */
763#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
764 if( mode == MBEDTLS_MODE_STREAM )
765 {
766 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
767 size_t olen;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]769 "including %d bytes of padding",
770 rec->data_len, 0 ) );
771
772 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
773 transform->iv_enc, transform->ivlen,
774 data, rec->data_len,
775 data, &olen ) ) != 0 )
776 {
777 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
778 return( ret );
779 }
780
781 if( rec->data_len != olen )
782 {
783 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
784 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
785 }
786 }
787 else
788#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
789
790#if defined(MBEDTLS_GCM_C) || \
791 defined(MBEDTLS_CCM_C) || \
792 defined(MBEDTLS_CHACHAPOLY_C)
793 if( mode == MBEDTLS_MODE_GCM ||
794 mode == MBEDTLS_MODE_CCM ||
795 mode == MBEDTLS_MODE_CHACHAPOLY )
796 {
797 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
798 unsigned char iv[12];
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]799 unsigned char *dynamic_iv;
800 size_t dynamic_iv_len;
801 int dynamic_iv_is_explicit =
802 ssl_transform_aead_dynamic_iv_is_explicit( transform );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]803
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]804 /* Check that there's space for the authentication tag. */
805 if( post_avail < transform->taglen )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]806 {
807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
808 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
809 }
810
811 /*
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]812 * Build nonce for AEAD encryption.
813 *
814 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
815 * part of the IV is prepended to the ciphertext and
816 * can be chosen freely - in particular, it need not
817 * agree with the record sequence number.
818 * However, since ChaChaPoly as well as all AEAD modes
819 * in TLS 1.3 use the record sequence number as the
820 * dynamic part of the nonce, we uniformly use the
821 * record sequence number here in all cases.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]822 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]823 dynamic_iv = rec->ctr;
824 dynamic_iv_len = sizeof( rec->ctr );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]825
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]826 ssl_build_record_nonce( iv, sizeof( iv ),
827 transform->iv_enc,
828 transform->fixed_ivlen,
829 dynamic_iv,
830 dynamic_iv_len );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]831
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]832 /*
833 * Build additional data for AEAD encryption.
834 * This depends on the TLS version.
835 */
836 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
837 transform->minor_ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]838
839 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]840 iv, transform->ivlen );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]841 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]842 dynamic_iv,
843 dynamic_iv_is_explicit ? dynamic_iv_len : 0 );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]844 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
845 add_data, add_data_len );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]846 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]847 "including 0 bytes of padding",
848 rec->data_len ) );
849
850 /*
851 * Encrypt and authenticate
852 */
853
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]854 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]855 iv, transform->ivlen,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]856 add_data, add_data_len,
857 data, rec->data_len, /* src */
858 data, rec->buf_len - (data - rec->buf), /* dst */
859 &rec->data_len,
860 transform->taglen ) ) != 0 )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]861 {
862 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
863 return( ret );
864 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]865 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]866 data + rec->data_len - transform->taglen,
867 transform->taglen );
868 /* Account for authentication tag. */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]869 post_avail -= transform->taglen;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]870
871 /*
872 * Prefix record content with dynamic IV in case it is explicit.
873 */
874 if( dynamic_iv_is_explicit != 0 )
875 {
876 if( rec->data_offset < dynamic_iv_len )
877 {
878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
879 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
880 }
881
882 memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len );
883 rec->data_offset -= dynamic_iv_len;
884 rec->data_len += dynamic_iv_len;
885 }
886
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]887 auth_done++;
888 }
889 else
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]890#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
891#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]892 if( mode == MBEDTLS_MODE_CBC )
893 {
894 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
895 size_t padlen, i;
896 size_t olen;
897
898 /* Currently we're always using minimal padding
899 * (up to 255 bytes would be allowed). */
900 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
901 if( padlen == transform->ivlen )
902 padlen = 0;
903
904 /* Check there's enough space in the buffer for the padding. */
905 if( post_avail < padlen + 1 )
906 {
907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
908 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
909 }
910
911 for( i = 0; i <= padlen; i++ )
912 data[rec->data_len + i] = (unsigned char) padlen;
913
914 rec->data_len += padlen + 1;
915 post_avail -= padlen + 1;
916
917#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
918 /*
919 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
920 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
921 */
922 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
923 {
924 if( f_rng == NULL )
925 {
926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
927 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
928 }
929
930 if( rec->data_offset < transform->ivlen )
931 {
932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
933 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
934 }
935
936 /*
937 * Generate IV
938 */
939 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
940 if( ret != 0 )
941 return( ret );
942
943 memcpy( data - transform->ivlen, transform->iv_enc,
944 transform->ivlen );
945
946 }
947#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
948
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
950 "including %" MBEDTLS_PRINTF_SIZET
951 " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]952 rec->data_len, transform->ivlen,
953 padlen + 1 ) );
954
955 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
956 transform->iv_enc,
957 transform->ivlen,
958 data, rec->data_len,
959 data, &olen ) ) != 0 )
960 {
961 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
962 return( ret );
963 }
964
965 if( rec->data_len != olen )
966 {
967 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
968 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
969 }
970
971#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
972 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
973 {
974 /*
975 * Save IV in SSL3 and TLS1
976 */
977 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
978 transform->ivlen );
979 }
980 else
981#endif
982 {
983 data -= transform->ivlen;
984 rec->data_offset -= transform->ivlen;
985 rec->data_len += transform->ivlen;
986 }
987
988#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
989 if( auth_done == 0 )
990 {
991 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
992
993 /*
994 * MAC(MAC_write_key, seq_num +
995 * TLSCipherText.type +
996 * TLSCipherText.version +
997 * length_of( (IV +) ENC(...) ) +
998 * IV + // except for TLS 1.0
999 * ENC(content + padding + padding_length));
1000 */
1001
1002 if( post_avail < transform->maclen)
1003 {
1004 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1005 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1006 }
1007
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1008 ssl_extract_add_data_from_record( add_data, &add_data_len,
1009 rec, transform->minor_ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1010
1011 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1012 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1013 add_data_len );
1014
1015 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
1016 add_data_len );
1017 mbedtls_md_hmac_update( &transform->md_ctx_enc,
1018 data, rec->data_len );
1019 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
1020 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
1021
1022 memcpy( data + rec->data_len, mac, transform->maclen );
1023
1024 rec->data_len += transform->maclen;
1025 post_avail -= transform->maclen;
1026 auth_done++;
1027 }
1028#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1029 }
1030 else
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1031#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1032 {
1033 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1034 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1035 }
1036
1037 /* Make extra sure authentication was performed, exactly once */
1038 if( auth_done != 1 )
1039 {
1040 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1041 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1042 }
1043
1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1045
1046 return( 0 );
1047}
1048
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1049#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
1050/*
1051 * Turn a bit into a mask:
1052 * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1
1053 * - if bit == 0, return the all-bits 0 mask, aka 0
1054 *
1055 * This function can be used to write constant-time code by replacing branches
1056 * with bit operations using masks.
1057 *
1058 * This function is implemented without using comparison operators, as those
1059 * might be translated to branches by some compilers on some platforms.
1060 */
1061static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit )
1062{
1063 /* MSVC has a warning about unary minus on unsigned integer types,
1064 * but this is well-defined and precisely what we want to do here. */
1065#if defined(_MSC_VER)
1066#pragma warning( push )
1067#pragma warning( disable : 4146 )
1068#endif
1069 return -bit;
1070#if defined(_MSC_VER)
1071#pragma warning( pop )
1072#endif
1073}
1074
1075/*
1076 * Constant-flow mask generation for "less than" comparison:
1077 * - if x < y, return all bits 1, that is (size_t) -1
1078 * - otherwise, return all bits 0, that is 0
1079 *
1080 * This function can be used to write constant-time code by replacing branches
1081 * with bit operations using masks.
1082 *
1083 * This function is implemented without using comparison operators, as those
1084 * might be translated to branches by some compilers on some platforms.
1085 */
1086static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y )
1087{
1088 /* This has the most significant bit set if and only if x < y */
1089 const size_t sub = x - y;
1090
1091 /* sub1 = (x < y) ? 1 : 0 */
1092 const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
1093
1094 /* mask = (x < y) ? 0xff... : 0x00... */
1095 const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 );
1096
1097 return( mask );
1098}
1099
1100/*
1101 * Constant-flow mask generation for "greater or equal" comparison:
1102 * - if x >= y, return all bits 1, that is (size_t) -1
1103 * - otherwise, return all bits 0, that is 0
1104 *
1105 * This function can be used to write constant-time code by replacing branches
1106 * with bit operations using masks.
1107 *
1108 * This function is implemented without using comparison operators, as those
1109 * might be translated to branches by some compilers on some platforms.
1110 */
1111static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y )
1112{
1113 return( ~mbedtls_ssl_cf_mask_lt( x, y ) );
1114}
1115
1116/*
1117 * Constant-flow boolean "equal" comparison:
1118 * return x == y
1119 *
1120 * This function can be used to write constant-time code by replacing branches
1121 * with bit operations - it can be used in conjunction with
1122 * mbedtls_ssl_cf_mask_from_bit().
1123 *
1124 * This function is implemented without using comparison operators, as those
1125 * might be translated to branches by some compilers on some platforms.
1126 */
1127static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y )
1128{
1129 /* diff = 0 if x == y, non-zero otherwise */
1130 const size_t diff = x ^ y;
1131
1132 /* MSVC has a warning about unary minus on unsigned integer types,
1133 * but this is well-defined and precisely what we want to do here. */
1134#if defined(_MSC_VER)
1135#pragma warning( push )
1136#pragma warning( disable : 4146 )
1137#endif
1138
1139 /* diff_msb's most significant bit is equal to x != y */
1140 const size_t diff_msb = ( diff | -diff );
1141
1142#if defined(_MSC_VER)
1143#pragma warning( pop )
1144#endif
1145
1146 /* diff1 = (x != y) ? 1 : 0 */
1147 const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
1148
1149 return( 1 ^ diff1 );
1150}
1151
1152/*
1153 * Constant-flow conditional memcpy:
1154 * - if c1 == c2, equivalent to memcpy(dst, src, len),
1155 * - otherwise, a no-op,
1156 * but with execution flow independent of the values of c1 and c2.
1157 *
1158 * This function is implemented without using comparison operators, as those
1159 * might be translated to branches by some compilers on some platforms.
1160 */
1161static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
1162 const unsigned char *src,
1163 size_t len,
1164 size_t c1, size_t c2 )
1165{
1166 /* mask = c1 == c2 ? 0xff : 0x00 */
1167 const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 );
1168 const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal );
1169
1170 /* dst[i] = c1 == c2 ? src[i] : dst[i] */
1171 for( size_t i = 0; i < len; i++ )
1172 dst[i] = ( src[i] & mask ) | ( dst[i] & ~mask );
1173}
1174
1175/*
1176 * Compute HMAC of variable-length data with constant flow.
1177 *
1178 * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
1179 * (Otherwise, computation of block_size needs to be adapted.)
1180 */
1181MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
1182 mbedtls_md_context_t *ctx,
1183 const unsigned char *add_data, size_t add_data_len,
1184 const unsigned char *data, size_t data_len_secret,
1185 size_t min_data_len, size_t max_data_len,
1186 unsigned char *output )
1187{
1188 /*
1189 * This function breaks the HMAC abstraction and uses the md_clone()
1190 * extension to the MD API in order to get constant-flow behaviour.
1191 *
1192 * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
1193 * concatenation, and okey/ikey are the XOR of the key with some fixed bit
1194 * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
1195 *
1196 * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
1197 * minlen, then cloning the context, and for each byte up to maxlen
1198 * finishing up the hash computation, keeping only the correct result.
1199 *
1200 * Then we only need to compute HASH(okey + inner_hash) and we're done.
1201 */
1202 const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
1203 /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
1204 * all of which have the same block size except SHA-384. */
1205 const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
1206 const unsigned char * const ikey = ctx->hmac_ctx;
1207 const unsigned char * const okey = ikey + block_size;
1208 const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
1209
1210 unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
1211 mbedtls_md_context_t aux;
1212 size_t offset;
1213 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1214
1215 mbedtls_md_init( &aux );
1216
1217#define MD_CHK( func_call ) \
1218 do { \
1219 ret = (func_call); \
1220 if( ret != 0 ) \
1221 goto cleanup; \
1222 } while( 0 )
1223
1224 MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
1225
1226 /* After hmac_start() of hmac_reset(), ikey has already been hashed,
1227 * so we can start directly with the message */
1228 MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
1229 MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
1230
1231 /* For each possible length, compute the hash up to that point */
1232 for( offset = min_data_len; offset <= max_data_len; offset++ )
1233 {
1234 MD_CHK( mbedtls_md_clone( &aux, ctx ) );
1235 MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
1236 /* Keep only the correct inner_hash in the output buffer */
1237 mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
1238 offset, data_len_secret );
1239
1240 if( offset < max_data_len )
1241 MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
1242 }
1243
1244 /* The context needs to finish() before it starts() again */
1245 MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
1246
1247 /* Now compute HASH(okey + inner_hash) */
1248 MD_CHK( mbedtls_md_starts( ctx ) );
1249 MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
1250 MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
1251 MD_CHK( mbedtls_md_finish( ctx, output ) );
1252
1253 /* Done, get ready for next time */
1254 MD_CHK( mbedtls_md_hmac_reset( ctx ) );
1255
1256#undef MD_CHK
1257
1258cleanup:
1259 mbedtls_md_free( &aux );
1260 return( ret );
1261}
1262
1263/*
1264 * Constant-flow memcpy from variable position in buffer.
1265 * - functionally equivalent to memcpy(dst, src + offset_secret, len)
1266 * - but with execution flow independent from the value of offset_secret.
1267 */
1268MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset(
1269 unsigned char *dst,
1270 const unsigned char *src_base,
1271 size_t offset_secret,
1272 size_t offset_min, size_t offset_max,
1273 size_t len )
1274{
1275 size_t offset;
1276
1277 for( offset = offset_min; offset <= offset_max; offset++ )
1278 {
1279 mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len,
1280 offset, offset_secret );
1281 }
1282}
1283#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
1284
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1285int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1286 mbedtls_ssl_transform *transform,
1287 mbedtls_record *rec )
1288{
1289 size_t olen;
1290 mbedtls_cipher_mode_t mode;
1291 int ret, auth_done = 0;
1292#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
1293 size_t padlen = 0, correct = 1;
1294#endif
1295 unsigned char* data;
1296 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
1297 size_t add_data_len;
1298
1299#if !defined(MBEDTLS_DEBUG_C)
1300 ssl = NULL; /* make sure we don't use it except for debug */
1301 ((void) ssl);
1302#endif
1303
1304 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1305 if( rec == NULL ||
1306 rec->buf == NULL ||
1307 rec->buf_len < rec->data_offset ||
1308 rec->buf_len - rec->data_offset < rec->data_len )
1309 {
1310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
1311 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1312 }
1313
1314 data = rec->buf + rec->data_offset;
1315 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
1316
1317#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1318 /*
1319 * Match record's CID with incoming CID.
1320 */
1321 if( rec->cid_len != transform->in_cid_len ||
1322 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1323 {
1324 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
1325 }
1326#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1327
1328#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1329 if( mode == MBEDTLS_MODE_STREAM )
1330 {
1331 padlen = 0;
1332 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1333 transform->iv_dec,
1334 transform->ivlen,
1335 data, rec->data_len,
1336 data, &olen ) ) != 0 )
1337 {
1338 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1339 return( ret );
1340 }
1341
1342 if( rec->data_len != olen )
1343 {
1344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1345 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1346 }
1347 }
1348 else
1349#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
1350#if defined(MBEDTLS_GCM_C) || \
1351 defined(MBEDTLS_CCM_C) || \
1352 defined(MBEDTLS_CHACHAPOLY_C)
1353 if( mode == MBEDTLS_MODE_GCM ||
1354 mode == MBEDTLS_MODE_CCM ||
1355 mode == MBEDTLS_MODE_CHACHAPOLY )
1356 {
1357 unsigned char iv[12];
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1358 unsigned char *dynamic_iv;
1359 size_t dynamic_iv_len;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1360
1361 /*
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1362 * Extract dynamic part of nonce for AEAD decryption.
1363 *
1364 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
1365 * part of the IV is prepended to the ciphertext and
1366 * can be chosen freely - in particular, it need not
1367 * agree with the record sequence number.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1368 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1369 dynamic_iv_len = sizeof( rec->ctr );
1370 if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1371 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1372 if( rec->data_len < dynamic_iv_len )
1373 {
1374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1375 " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
1376 rec->data_len,
1377 dynamic_iv_len ) );
1378 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1379 }
1380 dynamic_iv = data;
1381
1382 data += dynamic_iv_len;
1383 rec->data_offset += dynamic_iv_len;
1384 rec->data_len -= dynamic_iv_len;
1385 }
1386 else
1387 {
1388 dynamic_iv = rec->ctr;
1389 }
1390
1391 /* Check that there's space for the authentication tag. */
1392 if( rec->data_len < transform->taglen )
1393 {
1394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1395 ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
1396 rec->data_len,
1397 transform->taglen ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1398 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1399 }
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1400 rec->data_len -= transform->taglen;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1401
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1402 /*
1403 * Prepare nonce from dynamic and static parts.
1404 */
1405 ssl_build_record_nonce( iv, sizeof( iv ),
1406 transform->iv_dec,
1407 transform->fixed_ivlen,
1408 dynamic_iv,
1409 dynamic_iv_len );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1410
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1411 /*
1412 * Build additional data for AEAD encryption.
1413 * This depends on the TLS version.
1414 */
1415 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1416 transform->minor_ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1417 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1418 add_data, add_data_len );
1419
1420 /* Because of the check above, we know that there are
1421 * explicit_iv_len Bytes preceeding data, and taglen
1422 * bytes following data + data_len. This justifies
1423 * the debug message and the invocation of
1424 * mbedtls_cipher_auth_decrypt() below. */
1425
1426 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
1427 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
1428 transform->taglen );
1429
1430 /*
1431 * Decrypt and authenticate
1432 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1433 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1434 iv, transform->ivlen,
1435 add_data, add_data_len,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1436 data, rec->data_len + transform->taglen, /* src */
1437 data, rec->buf_len - (data - rec->buf), &olen, /* dst */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1438 transform->taglen ) ) != 0 )
1439 {
1440 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
1441
1442 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1443 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1444
1445 return( ret );
1446 }
1447 auth_done++;
1448
1449 /* Double-check that AEAD decryption doesn't change content length. */
1450 if( olen != rec->data_len )
1451 {
1452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1453 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1454 }
1455 }
1456 else
1457#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1458#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1459 if( mode == MBEDTLS_MODE_CBC )
1460 {
1461 size_t minlen = 0;
1462
1463 /*
1464 * Check immediate ciphertext sanity
1465 */
1466#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1467 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1468 {
1469 /* The ciphertext is prefixed with the CBC IV. */
1470 minlen += transform->ivlen;
1471 }
1472#endif
1473
1474 /* Size considerations:
1475 *
1476 * - The CBC cipher text must not be empty and hence
1477 * at least of size transform->ivlen.
1478 *
1479 * Together with the potential IV-prefix, this explains
1480 * the first of the two checks below.
1481 *
1482 * - The record must contain a MAC, either in plain or
1483 * encrypted, depending on whether Encrypt-then-MAC
1484 * is used or not.
1485 * - If it is, the message contains the IV-prefix,
1486 * the CBC ciphertext, and the MAC.
1487 * - If it is not, the padded plaintext, and hence
1488 * the CBC ciphertext, has at least length maclen + 1
1489 * because there is at least the padding length byte.
1490 *
1491 * As the CBC ciphertext is not empty, both cases give the
1492 * lower bound minlen + maclen + 1 on the record size, which
1493 * we test for in the second check below.
1494 */
1495 if( rec->data_len < minlen + transform->ivlen ||
1496 rec->data_len < minlen + transform->maclen + 1 )
1497 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1499 ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
1500 "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1501 "+ 1 ) ( + expl IV )", rec->data_len,
1502 transform->ivlen,
1503 transform->maclen ) );
1504 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1505 }
1506
1507 /*
1508 * Authenticate before decrypt if enabled
1509 */
1510#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1511 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
1512 {
1513 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
1514
1515 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1516
1517 /* Update data_len in tandem with add_data.
1518 *
1519 * The subtraction is safe because of the previous check
1520 * data_len >= minlen + maclen + 1.
1521 *
1522 * Afterwards, we know that data + data_len is followed by at
1523 * least maclen Bytes, which justifies the call to
1524 * mbedtls_ssl_safer_memcmp() below.
1525 *
1526 * Further, we still know that data_len > minlen */
1527 rec->data_len -= transform->maclen;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1528 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1529 transform->minor_ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1530
1531 /* Calculate expected MAC. */
1532 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1533 add_data_len );
1534 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1535 add_data_len );
1536 mbedtls_md_hmac_update( &transform->md_ctx_dec,
1537 data, rec->data_len );
1538 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1539 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
1540
1541 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1542 transform->maclen );
1543 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
1544 transform->maclen );
1545
1546 /* Compare expected MAC with MAC at the end of the record. */
1547 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1548 transform->maclen ) != 0 )
1549 {
1550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1551 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1552 }
1553 auth_done++;
1554 }
1555#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1556
1557 /*
1558 * Check length sanity
1559 */
1560
1561 /* We know from above that data_len > minlen >= 0,
1562 * so the following check in particular implies that
1563 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
1564 if( rec->data_len % transform->ivlen != 0 )
1565 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1567 ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1568 rec->data_len, transform->ivlen ) );
1569 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1570 }
1571
1572#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1573 /*
1574 * Initialize for prepended IV for block cipher in TLS v1.1 and up
1575 */
1576 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1577 {
1578 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
1579 memcpy( transform->iv_dec, data, transform->ivlen );
1580
1581 data += transform->ivlen;
1582 rec->data_offset += transform->ivlen;
1583 rec->data_len -= transform->ivlen;
1584 }
1585#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
1586
1587 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1588
1589 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1590 transform->iv_dec, transform->ivlen,
1591 data, rec->data_len, data, &olen ) ) != 0 )
1592 {
1593 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1594 return( ret );
1595 }
1596
1597 /* Double-check that length hasn't changed during decryption. */
1598 if( rec->data_len != olen )
1599 {
1600 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1601 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1602 }
1603
1604#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1605 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
1606 {
1607 /*
1608 * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
1609 * records is equivalent to CBC decryption of the concatenation
1610 * of the records; in other words, IVs are maintained across
1611 * record decryptions.
1612 */
1613 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
1614 transform->ivlen );
1615 }
1616#endif
1617
1618 /* Safe since data_len >= minlen + maclen + 1, so after having
1619 * subtracted at most minlen and maclen up to this point,
1620 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1621 * >= ivlen ). */
1622 padlen = data[rec->data_len - 1];
1623
1624 if( auth_done == 1 )
1625 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1626 const size_t mask = mbedtls_ssl_cf_mask_ge(
1627 rec->data_len,
1628 padlen + 1 );
1629 correct &= mask;
1630 padlen &= mask;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1631 }
1632 else
1633 {
1634#if defined(MBEDTLS_SSL_DEBUG_ALL)
1635 if( rec->data_len < transform->maclen + padlen + 1 )
1636 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1638 ") < maclen (%" MBEDTLS_PRINTF_SIZET
1639 ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1640 rec->data_len,
1641 transform->maclen,
1642 padlen + 1 ) );
1643 }
1644#endif
1645
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1646 const size_t mask = mbedtls_ssl_cf_mask_ge(
1647 rec->data_len,
1648 transform->maclen + padlen + 1 );
1649 correct &= mask;
1650 padlen &= mask;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1651 }
1652
1653 padlen++;
1654
1655 /* Regardless of the validity of the padding,
1656 * we have data_len >= padlen here. */
1657
1658#if defined(MBEDTLS_SSL_PROTO_SSL3)
1659 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1660 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1661 /* This is the SSL 3.0 path, we don't have to worry about Lucky
1662 * 13, because there's a strictly worse padding attack built in
1663 * the protocol (known as part of POODLE), so we don't care if the
1664 * code is not constant-time, in particular branches are OK. */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1665 if( padlen > transform->ivlen )
1666 {
1667#if defined(MBEDTLS_SSL_DEBUG_ALL)
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %" MBEDTLS_PRINTF_SIZET ", "
1669 "should be no more than %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1670 padlen, transform->ivlen ) );
1671#endif
1672 correct = 0;
1673 }
1674 }
1675 else
1676#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1677#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1678 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1679 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
1680 {
1681 /* The padding check involves a series of up to 256
1682 * consecutive memory reads at the end of the record
1683 * plaintext buffer. In order to hide the length and
1684 * validity of the padding, always perform exactly
1685 * `min(256,plaintext_len)` reads (but take into account
1686 * only the last `padlen` bytes for the padding check). */
1687 size_t pad_count = 0;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1688 volatile unsigned char* const check = data;
1689
1690 /* Index of first padding byte; it has been ensured above
1691 * that the subtraction is safe. */
1692 size_t const padding_idx = rec->data_len - padlen;
1693 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1694 size_t const start_idx = rec->data_len - num_checks;
1695 size_t idx;
1696
1697 for( idx = start_idx; idx < rec->data_len; idx++ )
1698 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1699 /* pad_count += (idx >= padding_idx) &&
1700 * (check[idx] == padlen - 1);
1701 */
1702 const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx );
1703 const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx],
1704 padlen - 1 );
1705 pad_count += mask & equal;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1706 }
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1707 correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1708
1709#if defined(MBEDTLS_SSL_DEBUG_ALL)
1710 if( padlen > 0 && correct == 0 )
1711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1712#endif
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1713 padlen &= mbedtls_ssl_cf_mask_from_bit( correct );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1714 }
1715 else
1716#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1717 MBEDTLS_SSL_PROTO_TLS1_2 */
1718 {
1719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1720 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1721 }
1722
1723 /* If the padding was found to be invalid, padlen == 0
1724 * and the subtraction is safe. If the padding was found valid,
1725 * padlen hasn't been changed and the previous assertion
1726 * data_len >= padlen still holds. */
1727 rec->data_len -= padlen;
1728 }
1729 else
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1730#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1731 {
1732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1733 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1734 }
1735
1736#if defined(MBEDTLS_SSL_DEBUG_ALL)
1737 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1738 data, rec->data_len );
1739#endif
1740
1741 /*
1742 * Authenticate if not done yet.
1743 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
1744 */
1745#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
1746 if( auth_done == 0 )
1747 {
1748 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1749 unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1750
1751 /* If the initial value of padlen was such that
1752 * data_len < maclen + padlen + 1, then padlen
1753 * got reset to 1, and the initial check
1754 * data_len >= minlen + maclen + 1
1755 * guarantees that at this point we still
1756 * have at least data_len >= maclen.
1757 *
1758 * If the initial value of padlen was such that
1759 * data_len >= maclen + padlen + 1, then we have
1760 * subtracted either padlen + 1 (if the padding was correct)
1761 * or 0 (if the padding was incorrect) since then,
1762 * hence data_len >= maclen in any case.
1763 */
1764 rec->data_len -= transform->maclen;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1765 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1766 transform->minor_ver );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1767
1768#if defined(MBEDTLS_SSL_PROTO_SSL3)
1769 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1770 {
1771 ssl_mac( &transform->md_ctx_dec,
1772 transform->mac_dec,
1773 data, rec->data_len,
1774 rec->ctr, rec->type,
1775 mac_expect );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1776 memcpy( mac_peer, data + rec->data_len, transform->maclen );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1777 }
1778 else
1779#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1780#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1781 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1782 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
1783 {
1784 /*
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1785 * The next two sizes are the minimum and maximum values of
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1786 * data_len over all padlen values.
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1787 *
1788 * They're independent of padlen, since we previously did
1789 * data_len -= padlen.
1790 *
1791 * Note that max_len + maclen is never more than the buffer
1792 * length, as we previously did in_msglen -= maclen too.
1793 */
1794 const size_t max_len = rec->data_len + padlen;
1795 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1796
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1797 ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec,
1798 add_data, add_data_len,
1799 data, rec->data_len, min_len, max_len,
1800 mac_expect );
1801 if( ret != 0 )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1802 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1803 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
1804 return( ret );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1805 }
1806
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1807 mbedtls_ssl_cf_memcpy_offset( mac_peer, data,
1808 rec->data_len,
1809 min_len, max_len,
1810 transform->maclen );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1811 }
1812 else
1813#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1814 MBEDTLS_SSL_PROTO_TLS1_2 */
1815 {
1816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1817 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1818 }
1819
1820#if defined(MBEDTLS_SSL_DEBUG_ALL)
1821 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1822 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1823#endif
1824
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1825 if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1826 transform->maclen ) != 0 )
1827 {
1828#if defined(MBEDTLS_SSL_DEBUG_ALL)
1829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1830#endif
1831 correct = 0;
1832 }
1833 auth_done++;
1834 }
1835
1836 /*
1837 * Finally check the correct flag
1838 */
1839 if( correct == 0 )
1840 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1841#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
1842
1843 /* Make extra sure authentication was performed, exactly once */
1844 if( auth_done != 1 )
1845 {
1846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1847 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1848 }
1849
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1850#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1851 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1852 {
1853 /* Remove inner padding and infer true content type. */
1854 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1855 &rec->type );
1856
1857 if( ret != 0 )
1858 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1859 }
1860#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1861
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1862#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1863 if( rec->cid_len != 0 )
1864 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1865 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1866 &rec->type );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1867 if( ret != 0 )
1868 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1869 }
1870#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1871
1872 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1873
1874 return( 0 );
1875}
1876
1877#undef MAC_NONE
1878#undef MAC_PLAINTEXT
1879#undef MAC_CIPHERTEXT
1880
1881#if defined(MBEDTLS_ZLIB_SUPPORT)
1882/*
1883 * Compression/decompression functions
1884 */
1885static int ssl_compress_buf( mbedtls_ssl_context *ssl )
1886{
1887 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1888 unsigned char *msg_post = ssl->out_msg;
1889 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
1890 size_t len_pre = ssl->out_msglen;
1891 unsigned char *msg_pre = ssl->compress_buf;
1892#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1893 size_t out_buf_len = ssl->out_buf_len;
1894#else
1895 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1896#endif
1897
1898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1899
1900 if( len_pre == 0 )
1901 return( 0 );
1902
1903 memcpy( msg_pre, ssl->out_msg, len_pre );
1904
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1905 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1906 ssl->out_msglen ) );
1907
1908 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
1909 ssl->out_msg, ssl->out_msglen );
1910
1911 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1912 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1913 ssl->transform_out->ctx_deflate.next_out = msg_post;
1914 ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
1915
1916 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1917 if( ret != Z_OK )
1918 {
1919 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1920 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
1921 }
1922
1923 ssl->out_msglen = out_buf_len -
1924 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
1925
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1927 ssl->out_msglen ) );
1928
1929 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
1930 ssl->out_msg, ssl->out_msglen );
1931
1932 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1933
1934 return( 0 );
1935}
1936
1937static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
1938{
1939 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1940 unsigned char *msg_post = ssl->in_msg;
1941 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
1942 size_t len_pre = ssl->in_msglen;
1943 unsigned char *msg_pre = ssl->compress_buf;
1944#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1945 size_t in_buf_len = ssl->in_buf_len;
1946#else
1947 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1948#endif
1949
1950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1951
1952 if( len_pre == 0 )
1953 return( 0 );
1954
1955 memcpy( msg_pre, ssl->in_msg, len_pre );
1956
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1958 ssl->in_msglen ) );
1959
1960 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
1961 ssl->in_msg, ssl->in_msglen );
1962
1963 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1964 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1965 ssl->transform_in->ctx_inflate.next_out = msg_post;
1966 ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
1967
1968 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1969 if( ret != Z_OK )
1970 {
1971 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1972 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
1973 }
1974
1975 ssl->in_msglen = in_buf_len -
1976 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
1977
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1978 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1979 ssl->in_msglen ) );
1980
1981 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
1982 ssl->in_msg, ssl->in_msglen );
1983
1984 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1985
1986 return( 0 );
1987}
1988#endif /* MBEDTLS_ZLIB_SUPPORT */
1989
1990/*
1991 * Fill the input message buffer by appending data to it.
1992 * The amount of data already fetched is in ssl->in_left.
1993 *
1994 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1995 * available (from this read and/or a previous one). Otherwise, an error code
1996 * is returned (possibly EOF or WANT_READ).
1997 *
1998 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1999 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2000 * since we always read a whole datagram at once.
2001 *
2002 * For DTLS, it is up to the caller to set ssl->next_record_offset when
2003 * they're done reading a record.
2004 */
2005int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
2006{
2007 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2008 size_t len;
2009#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2010 size_t in_buf_len = ssl->in_buf_len;
2011#else
2012 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
2013#endif
2014
2015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
2016
2017 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
2018 {
2019 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2020 "or mbedtls_ssl_set_bio()" ) );
2021 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2022 }
2023
2024 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
2025 {
2026 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2027 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2028 }
2029
2030#if defined(MBEDTLS_SSL_PROTO_DTLS)
2031 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2032 {
2033 uint32_t timeout;
2034
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2035 /*
2036 * The point is, we need to always read a full datagram at once, so we
2037 * sometimes read more then requested, and handle the additional data.
2038 * It could be the rest of the current record (while fetching the
2039 * header) and/or some other records in the same datagram.
2040 */
2041
2042 /*
2043 * Move to the next record in the already read datagram if applicable
2044 */
2045 if( ssl->next_record_offset != 0 )
2046 {
2047 if( ssl->in_left < ssl->next_record_offset )
2048 {
2049 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2050 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2051 }
2052
2053 ssl->in_left -= ssl->next_record_offset;
2054
2055 if( ssl->in_left != 0 )
2056 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2057 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %"
2058 MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2059 ssl->next_record_offset ) );
2060 memmove( ssl->in_hdr,
2061 ssl->in_hdr + ssl->next_record_offset,
2062 ssl->in_left );
2063 }
2064
2065 ssl->next_record_offset = 0;
2066 }
2067
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
2069 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2070 ssl->in_left, nb_want ) );
2071
2072 /*
2073 * Done if we already have enough data.
2074 */
2075 if( nb_want <= ssl->in_left)
2076 {
2077 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2078 return( 0 );
2079 }
2080
2081 /*
2082 * A record can't be split across datagrams. If we need to read but
2083 * are not at the beginning of a new record, the caller did something
2084 * wrong.
2085 */
2086 if( ssl->in_left != 0 )
2087 {
2088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2089 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2090 }
2091
2092 /*
2093 * Don't even try to read if time's out already.
2094 * This avoids by-passing the timer when repeatedly receiving messages
2095 * that will end up being dropped.
2096 */
2097 if( mbedtls_ssl_check_timer( ssl ) != 0 )
2098 {
2099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
2100 ret = MBEDTLS_ERR_SSL_TIMEOUT;
2101 }
2102 else
2103 {
2104 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
2105
2106 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2107 timeout = ssl->handshake->retransmit_timeout;
2108 else
2109 timeout = ssl->conf->read_timeout;
2110
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2111 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2112
2113 if( ssl->f_recv_timeout != NULL )
2114 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2115 timeout );
2116 else
2117 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2118
2119 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2120
2121 if( ret == 0 )
2122 return( MBEDTLS_ERR_SSL_CONN_EOF );
2123 }
2124
2125 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
2126 {
2127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
2128 mbedtls_ssl_set_timer( ssl, 0 );
2129
2130 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2131 {
2132 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2133 {
2134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
2135 return( MBEDTLS_ERR_SSL_TIMEOUT );
2136 }
2137
2138 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2139 {
2140 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
2141 return( ret );
2142 }
2143
2144 return( MBEDTLS_ERR_SSL_WANT_READ );
2145 }
2146#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2147 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
2148 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
2149 {
2150 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
2151 {
2152 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
2153 ret );
2154 return( ret );
2155 }
2156
2157 return( MBEDTLS_ERR_SSL_WANT_READ );
2158 }
2159#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2160 }
2161
2162 if( ret < 0 )
2163 return( ret );
2164
2165 ssl->in_left = ret;
2166 }
2167 else
2168#endif
2169 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
2171 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2172 ssl->in_left, nb_want ) );
2173
2174 while( ssl->in_left < nb_want )
2175 {
2176 len = nb_want - ssl->in_left;
2177
2178 if( mbedtls_ssl_check_timer( ssl ) != 0 )
2179 ret = MBEDTLS_ERR_SSL_TIMEOUT;
2180 else
2181 {
2182 if( ssl->f_recv_timeout != NULL )
2183 {
2184 ret = ssl->f_recv_timeout( ssl->p_bio,
2185 ssl->in_hdr + ssl->in_left, len,
2186 ssl->conf->read_timeout );
2187 }
2188 else
2189 {
2190 ret = ssl->f_recv( ssl->p_bio,
2191 ssl->in_hdr + ssl->in_left, len );
2192 }
2193 }
2194
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
2196 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2197 ssl->in_left, nb_want ) );
2198 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2199
2200 if( ret == 0 )
2201 return( MBEDTLS_ERR_SSL_CONN_EOF );
2202
2203 if( ret < 0 )
2204 return( ret );
2205
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2206 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2207 {
2208 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2209 ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested",
2210 ret, len ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2212 }
2213
2214 ssl->in_left += ret;
2215 }
2216 }
2217
2218 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2219
2220 return( 0 );
2221}
2222
2223/*
2224 * Flush any data not yet written
2225 */
2226int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
2227{
2228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2229 unsigned char *buf;
2230
2231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2232
2233 if( ssl->f_send == NULL )
2234 {
2235 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2236 "or mbedtls_ssl_set_bio()" ) );
2237 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2238 }
2239
2240 /* Avoid incrementing counter if data is flushed */
2241 if( ssl->out_left == 0 )
2242 {
2243 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2244 return( 0 );
2245 }
2246
2247 while( ssl->out_left > 0 )
2248 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2249 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET
2250 ", out_left: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2251 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
2252
2253 buf = ssl->out_hdr - ssl->out_left;
2254 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
2255
2256 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
2257
2258 if( ret <= 0 )
2259 return( ret );
2260
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2261 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2262 {
2263 MBEDTLS_SSL_DEBUG_MSG( 1,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2264 ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent",
2265 ret, ssl->out_left ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2266 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2267 }
2268
2269 ssl->out_left -= ret;
2270 }
2271
2272#if defined(MBEDTLS_SSL_PROTO_DTLS)
2273 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2274 {
2275 ssl->out_hdr = ssl->out_buf;
2276 }
2277 else
2278#endif
2279 {
2280 ssl->out_hdr = ssl->out_buf + 8;
2281 }
2282 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2283
2284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2285
2286 return( 0 );
2287}
2288
2289/*
2290 * Functions to handle the DTLS retransmission state machine
2291 */
2292#if defined(MBEDTLS_SSL_PROTO_DTLS)
2293/*
2294 * Append current handshake message to current outgoing flight
2295 */
2296static int ssl_flight_append( mbedtls_ssl_context *ssl )
2297{
2298 mbedtls_ssl_flight_item *msg;
2299 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2300 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2301 ssl->out_msg, ssl->out_msglen );
2302
2303 /* Allocate space for current message */
2304 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
2305 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2306 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2307 sizeof( mbedtls_ssl_flight_item ) ) );
2308 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2309 }
2310
2311 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
2312 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
2314 ssl->out_msglen ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2315 mbedtls_free( msg );
2316 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2317 }
2318
2319 /* Copy current handshake message with headers */
2320 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2321 msg->len = ssl->out_msglen;
2322 msg->type = ssl->out_msgtype;
2323 msg->next = NULL;
2324
2325 /* Append to the current flight */
2326 if( ssl->handshake->flight == NULL )
2327 ssl->handshake->flight = msg;
2328 else
2329 {
2330 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
2331 while( cur->next != NULL )
2332 cur = cur->next;
2333 cur->next = msg;
2334 }
2335
2336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
2337 return( 0 );
2338}
2339
2340/*
2341 * Free the current flight of handshake messages
2342 */
2343void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
2344{
2345 mbedtls_ssl_flight_item *cur = flight;
2346 mbedtls_ssl_flight_item *next;
2347
2348 while( cur != NULL )
2349 {
2350 next = cur->next;
2351
2352 mbedtls_free( cur->p );
2353 mbedtls_free( cur );
2354
2355 cur = next;
2356 }
2357}
2358
2359/*
2360 * Swap transform_out and out_ctr with the alternative ones
2361 */
2362static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
2363{
2364 mbedtls_ssl_transform *tmp_transform;
2365 unsigned char tmp_out_ctr[8];
2366
2367 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2368 {
2369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2370 return( 0 );
2371 }
2372
2373 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2374
2375 /* Swap transforms */
2376 tmp_transform = ssl->transform_out;
2377 ssl->transform_out = ssl->handshake->alt_transform_out;
2378 ssl->handshake->alt_transform_out = tmp_transform;
2379
2380 /* Swap epoch + sequence_number */
2381 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
2382 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
2383 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
2384
2385 /* Adjust to the newly activated transform */
2386 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2387
2388#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2389 if( mbedtls_ssl_hw_record_activate != NULL )
2390 {
2391 int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND );
2392 if( ret != 0 )
2393 {
2394 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
2395 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2396 }
2397 }
2398#endif
2399
2400 return( 0 );
2401}
2402
2403/*
2404 * Retransmit the current flight of messages.
2405 */
2406int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2407{
2408 int ret = 0;
2409
2410 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2411
2412 ret = mbedtls_ssl_flight_transmit( ssl );
2413
2414 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2415
2416 return( ret );
2417}
2418
2419/*
2420 * Transmit or retransmit the current flight of messages.
2421 *
2422 * Need to remember the current message in case flush_output returns
2423 * WANT_WRITE, causing us to exit this function and come back later.
2424 * This function must be called until state is no longer SENDING.
2425 */
2426int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
2427{
2428 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
2430
2431 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
2432 {
2433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
2434
2435 ssl->handshake->cur_msg = ssl->handshake->flight;
2436 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
2437 ret = ssl_swap_epochs( ssl );
2438 if( ret != 0 )
2439 return( ret );
2440
2441 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
2442 }
2443
2444 while( ssl->handshake->cur_msg != NULL )
2445 {
2446 size_t max_frag_len;
2447 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
2448
2449 int const is_finished =
2450 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2451 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2452
2453 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2454 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2455
2456 /* Swap epochs before sending Finished: we can't do it after
2457 * sending ChangeCipherSpec, in case write returns WANT_READ.
2458 * Must be done before copying, may change out_msg pointer */
2459 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
2460 {
2461 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
2462 ret = ssl_swap_epochs( ssl );
2463 if( ret != 0 )
2464 return( ret );
2465 }
2466
2467 ret = ssl_get_remaining_payload_in_datagram( ssl );
2468 if( ret < 0 )
2469 return( ret );
2470 max_frag_len = (size_t) ret;
2471
2472 /* CCS is copied as is, while HS messages may need fragmentation */
2473 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2474 {
2475 if( max_frag_len == 0 )
2476 {
2477 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2478 return( ret );
2479
2480 continue;
2481 }
2482
2483 memcpy( ssl->out_msg, cur->p, cur->len );
2484 ssl->out_msglen = cur->len;
2485 ssl->out_msgtype = cur->type;
2486
2487 /* Update position inside current message */
2488 ssl->handshake->cur_msg_p += cur->len;
2489 }
2490 else
2491 {
2492 const unsigned char * const p = ssl->handshake->cur_msg_p;
2493 const size_t hs_len = cur->len - 12;
2494 const size_t frag_off = p - ( cur->p + 12 );
2495 const size_t rem_len = hs_len - frag_off;
2496 size_t cur_hs_frag_len, max_hs_frag_len;
2497
2498 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
2499 {
2500 if( is_finished )
2501 {
2502 ret = ssl_swap_epochs( ssl );
2503 if( ret != 0 )
2504 return( ret );
2505 }
2506
2507 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2508 return( ret );
2509
2510 continue;
2511 }
2512 max_hs_frag_len = max_frag_len - 12;
2513
2514 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2515 max_hs_frag_len : rem_len;
2516
2517 if( frag_off == 0 && cur_hs_frag_len != hs_len )
2518 {
2519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
2520 (unsigned) cur_hs_frag_len,
2521 (unsigned) max_hs_frag_len ) );
2522 }
2523
2524 /* Messages are stored with handshake headers as if not fragmented,
2525 * copy beginning of headers then fill fragmentation fields.
2526 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2527 memcpy( ssl->out_msg, cur->p, 6 );
2528
2529 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
2530 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
2531 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
2532
2533 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
2534 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
2535 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
2536
2537 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2538
2539 /* Copy the handshake message content and set records fields */
2540 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2541 ssl->out_msglen = cur_hs_frag_len + 12;
2542 ssl->out_msgtype = cur->type;
2543
2544 /* Update position inside current message */
2545 ssl->handshake->cur_msg_p += cur_hs_frag_len;
2546 }
2547
2548 /* If done with the current message move to the next one if any */
2549 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2550 {
2551 if( cur->next != NULL )
2552 {
2553 ssl->handshake->cur_msg = cur->next;
2554 ssl->handshake->cur_msg_p = cur->next->p + 12;
2555 }
2556 else
2557 {
2558 ssl->handshake->cur_msg = NULL;
2559 ssl->handshake->cur_msg_p = NULL;
2560 }
2561 }
2562
2563 /* Actually send the message out */
2564 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
2565 {
2566 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2567 return( ret );
2568 }
2569 }
2570
2571 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2572 return( ret );
2573
2574 /* Update state and set timer */
2575 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2576 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2577 else
2578 {
2579 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2580 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2581 }
2582
2583 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
2584
2585 return( 0 );
2586}
2587
2588/*
2589 * To be called when the last message of an incoming flight is received.
2590 */
2591void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
2592{
2593 /* We won't need to resend that one any more */
2594 mbedtls_ssl_flight_free( ssl->handshake->flight );
2595 ssl->handshake->flight = NULL;
2596 ssl->handshake->cur_msg = NULL;
2597
2598 /* The next incoming flight will start with this msg_seq */
2599 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2600
2601 /* We don't want to remember CCS's across flight boundaries. */
2602 ssl->handshake->buffering.seen_ccs = 0;
2603
2604 /* Clear future message buffering structure. */
2605 mbedtls_ssl_buffering_free( ssl );
2606
2607 /* Cancel timer */
2608 mbedtls_ssl_set_timer( ssl, 0 );
2609
2610 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2611 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2612 {
2613 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2614 }
2615 else
2616 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
2617}
2618
2619/*
2620 * To be called when the last message of an outgoing flight is send.
2621 */
2622void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
2623{
2624 ssl_reset_retransmit_timeout( ssl );
2625 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2626
2627 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2628 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2629 {
2630 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2631 }
2632 else
2633 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2634}
2635#endif /* MBEDTLS_SSL_PROTO_DTLS */
2636
2637/*
2638 * Handshake layer functions
2639 */
2640
2641/*
2642 * Write (DTLS: or queue) current handshake (including CCS) message.
2643 *
2644 * - fill in handshake headers
2645 * - update handshake checksum
2646 * - DTLS: save message for resending
2647 * - then pass to the record layer
2648 *
2649 * DTLS: except for HelloRequest, messages are only queued, and will only be
2650 * actually sent when calling flight_transmit() or resend().
2651 *
2652 * Inputs:
2653 * - ssl->out_msglen: 4 + actual handshake message len
2654 * (4 is the size of handshake headers for TLS)
2655 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2656 * - ssl->out_msg + 4: the handshake message body
2657 *
2658 * Outputs, ie state before passing to flight_append() or write_record():
2659 * - ssl->out_msglen: the length of the record contents
2660 * (including handshake headers but excluding record headers)
2661 * - ssl->out_msg: the record contents (handshake headers + content)
2662 */
2663int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
2664{
2665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2666 const size_t hs_len = ssl->out_msglen - 4;
2667 const unsigned char hs_type = ssl->out_msg[0];
2668
2669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2670
2671 /*
2672 * Sanity checks
2673 */
2674 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
2675 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2676 {
2677 /* In SSLv3, the client might send a NoCertificate alert. */
2678#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
2679 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
2680 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
2681 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
2682#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
2683 {
2684 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2685 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2686 }
2687 }
2688
2689 /* Whenever we send anything different from a
2690 * HelloRequest we should be in a handshake - double check. */
2691 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2692 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
2693 ssl->handshake == NULL )
2694 {
2695 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2696 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2697 }
2698
2699#if defined(MBEDTLS_SSL_PROTO_DTLS)
2700 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2701 ssl->handshake != NULL &&
2702 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
2703 {
2704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2705 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2706 }
2707#endif
2708
2709 /* Double-check that we did not exceed the bounds
2710 * of the outgoing record buffer.
2711 * This should never fail as the various message
2712 * writing functions must obey the bounds of the
2713 * outgoing record buffer, but better be safe.
2714 *
2715 * Note: We deliberately do not check for the MTU or MFL here.
2716 */
2717 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2718 {
2719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2720 "size %" MBEDTLS_PRINTF_SIZET
2721 ", maximum %" MBEDTLS_PRINTF_SIZET,
2722 ssl->out_msglen,
2723 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2724 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2725 }
2726
2727 /*
2728 * Fill handshake headers
2729 */
2730 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
2731 {
2732 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
2733 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
2734 ssl->out_msg[3] = (unsigned char)( hs_len );
2735
2736 /*
2737 * DTLS has additional fields in the Handshake layer,
2738 * between the length field and the actual payload:
2739 * uint16 message_seq;
2740 * uint24 fragment_offset;
2741 * uint24 fragment_length;
2742 */
2743#if defined(MBEDTLS_SSL_PROTO_DTLS)
2744 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2745 {
2746 /* Make room for the additional DTLS fields */
2747 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
2748 {
2749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2750 "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET,
2751 hs_len,
2752 (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2753 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2754 }
2755
2756 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
2757 ssl->out_msglen += 8;
2758
2759 /* Write message_seq and update it, except for HelloRequest */
2760 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2761 {
2762 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
2763 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
2764 ++( ssl->handshake->out_msg_seq );
2765 }
2766 else
2767 {
2768 ssl->out_msg[4] = 0;
2769 ssl->out_msg[5] = 0;
2770 }
2771
2772 /* Handshake hashes are computed without fragmentation,
2773 * so set frag_offset = 0 and frag_len = hs_len for now */
2774 memset( ssl->out_msg + 6, 0x00, 3 );
2775 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
2776 }
2777#endif /* MBEDTLS_SSL_PROTO_DTLS */
2778
2779 /* Update running hashes of handshake messages seen */
2780 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2781 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2782 }
2783
2784 /* Either send now, or just save to be sent (and resent) later */
2785#if defined(MBEDTLS_SSL_PROTO_DTLS)
2786 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2787 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2788 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
2789 {
2790 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2791 {
2792 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
2793 return( ret );
2794 }
2795 }
2796 else
2797#endif
2798 {
2799 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
2800 {
2801 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2802 return( ret );
2803 }
2804 }
2805
2806 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2807
2808 return( 0 );
2809}
2810
2811/*
2812 * Record layer functions
2813 */
2814
2815/*
2816 * Write current record.
2817 *
2818 * Uses:
2819 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2820 * - ssl->out_msglen: length of the record content (excl headers)
2821 * - ssl->out_msg: record content
2822 */
2823int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
2824{
2825 int ret, done = 0;
2826 size_t len = ssl->out_msglen;
2827 uint8_t flush = force_flush;
2828
2829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2830
2831#if defined(MBEDTLS_ZLIB_SUPPORT)
2832 if( ssl->transform_out != NULL &&
2833 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
2834 {
2835 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2836 {
2837 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
2838 return( ret );
2839 }
2840
2841 len = ssl->out_msglen;
2842 }
2843#endif /*MBEDTLS_ZLIB_SUPPORT */
2844
2845#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2846 if( mbedtls_ssl_hw_record_write != NULL )
2847 {
2848 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
2849
2850 ret = mbedtls_ssl_hw_record_write( ssl );
2851 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2852 {
2853 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
2854 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2855 }
2856
2857 if( ret == 0 )
2858 done = 1;
2859 }
2860#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
2861 if( !done )
2862 {
2863 unsigned i;
2864 size_t protected_record_size;
2865#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2866 size_t out_buf_len = ssl->out_buf_len;
2867#else
2868 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2869#endif
2870 /* Skip writing the record content type to after the encryption,
2871 * as it may change when using the CID extension. */
2872
2873 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2874 ssl->conf->transport, ssl->out_hdr + 1 );
2875
2876 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
2877 ssl->out_len[0] = (unsigned char)( len >> 8 );
2878 ssl->out_len[1] = (unsigned char)( len );
2879
2880 if( ssl->transform_out != NULL )
2881 {
2882 mbedtls_record rec;
2883
2884 rec.buf = ssl->out_iv;
2885 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
2886 rec.data_len = ssl->out_msglen;
2887 rec.data_offset = ssl->out_msg - rec.buf;
2888
2889 memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
2890 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2891 ssl->conf->transport, rec.ver );
2892 rec.type = ssl->out_msgtype;
2893
2894#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2895 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
2896 rec.cid_len = 0;
2897#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2898
2899 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
2900 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2901 {
2902 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2903 return( ret );
2904 }
2905
2906 if( rec.data_offset != 0 )
2907 {
2908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2909 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2910 }
2911
2912 /* Update the record content type and CID. */
2913 ssl->out_msgtype = rec.type;
2914#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
2915 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
2916#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2917 ssl->out_msglen = len = rec.data_len;
2918 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
2919 ssl->out_len[1] = (unsigned char)( rec.data_len );
2920 }
2921
2922 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
2923
2924#if defined(MBEDTLS_SSL_PROTO_DTLS)
2925 /* In case of DTLS, double-check that we don't exceed
2926 * the remaining space in the datagram. */
2927 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2928 {
2929 ret = ssl_get_remaining_space_in_datagram( ssl );
2930 if( ret < 0 )
2931 return( ret );
2932
2933 if( protected_record_size > (size_t) ret )
2934 {
2935 /* Should never happen */
2936 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2937 }
2938 }
2939#endif /* MBEDTLS_SSL_PROTO_DTLS */
2940
2941 /* Now write the potentially updated record content type. */
2942 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2943
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]2944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, "
2945 "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2946 ssl->out_hdr[0], ssl->out_hdr[1],
2947 ssl->out_hdr[2], len ) );
2948
2949 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
2950 ssl->out_hdr, protected_record_size );
2951
2952 ssl->out_left += protected_record_size;
2953 ssl->out_hdr += protected_record_size;
2954 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2955
2956 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
2957 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2958 break;
2959
2960 /* The loop goes to its end iff the counter is wrapping */
2961 if( i == mbedtls_ssl_ep_len( ssl ) )
2962 {
2963 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2964 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2965 }
2966 }
2967
2968#if defined(MBEDTLS_SSL_PROTO_DTLS)
2969 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2970 flush == SSL_DONT_FORCE_FLUSH )
2971 {
2972 size_t remaining;
2973 ret = ssl_get_remaining_payload_in_datagram( ssl );
2974 if( ret < 0 )
2975 {
2976 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2977 ret );
2978 return( ret );
2979 }
2980
2981 remaining = (size_t) ret;
2982 if( remaining == 0 )
2983 {
2984 flush = SSL_FORCE_FLUSH;
2985 }
2986 else
2987 {
2988 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
2989 }
2990 }
2991#endif /* MBEDTLS_SSL_PROTO_DTLS */
2992
2993 if( ( flush == SSL_FORCE_FLUSH ) &&
2994 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2995 {
2996 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
2997 return( ret );
2998 }
2999
3000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
3001
3002 return( 0 );
3003}
3004
3005#if defined(MBEDTLS_SSL_PROTO_DTLS)
3006
3007static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
3008{
3009 if( ssl->in_msglen < ssl->in_hslen ||
3010 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
3011 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
3012 {
3013 return( 1 );
3014 }
3015 return( 0 );
3016}
3017
3018static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
3019{
3020 return( ( ssl->in_msg[9] << 16 ) |
3021 ( ssl->in_msg[10] << 8 ) |
3022 ssl->in_msg[11] );
3023}
3024
3025static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
3026{
3027 return( ( ssl->in_msg[6] << 16 ) |
3028 ( ssl->in_msg[7] << 8 ) |
3029 ssl->in_msg[8] );
3030}
3031
3032static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
3033{
3034 uint32_t msg_len, frag_off, frag_len;
3035
3036 msg_len = ssl_get_hs_total_len( ssl );
3037 frag_off = ssl_get_hs_frag_off( ssl );
3038 frag_len = ssl_get_hs_frag_len( ssl );
3039
3040 if( frag_off > msg_len )
3041 return( -1 );
3042
3043 if( frag_len > msg_len - frag_off )
3044 return( -1 );
3045
3046 if( frag_len + 12 > ssl->in_msglen )
3047 return( -1 );
3048
3049 return( 0 );
3050}
3051
3052/*
3053 * Mark bits in bitmask (used for DTLS HS reassembly)
3054 */
3055static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
3056{
3057 unsigned int start_bits, end_bits;
3058
3059 start_bits = 8 - ( offset % 8 );
3060 if( start_bits != 8 )
3061 {
3062 size_t first_byte_idx = offset / 8;
3063
3064 /* Special case */
3065 if( len <= start_bits )
3066 {
3067 for( ; len != 0; len-- )
3068 mask[first_byte_idx] |= 1 << ( start_bits - len );
3069
3070 /* Avoid potential issues with offset or len becoming invalid */
3071 return;
3072 }
3073
3074 offset += start_bits; /* Now offset % 8 == 0 */
3075 len -= start_bits;
3076
3077 for( ; start_bits != 0; start_bits-- )
3078 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3079 }
3080
3081 end_bits = len % 8;
3082 if( end_bits != 0 )
3083 {
3084 size_t last_byte_idx = ( offset + len ) / 8;
3085
3086 len -= end_bits; /* Now len % 8 == 0 */
3087
3088 for( ; end_bits != 0; end_bits-- )
3089 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3090 }
3091
3092 memset( mask + offset / 8, 0xFF, len / 8 );
3093}
3094
3095/*
3096 * Check that bitmask is full
3097 */
3098static int ssl_bitmask_check( unsigned char *mask, size_t len )
3099{
3100 size_t i;
3101
3102 for( i = 0; i < len / 8; i++ )
3103 if( mask[i] != 0xFF )
3104 return( -1 );
3105
3106 for( i = 0; i < len % 8; i++ )
3107 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
3108 return( -1 );
3109
3110 return( 0 );
3111}
3112
3113/* msg_len does not include the handshake header */
3114static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
3115 unsigned add_bitmap )
3116{
3117 size_t alloc_len;
3118
3119 alloc_len = 12; /* Handshake header */
3120 alloc_len += msg_len; /* Content buffer */
3121
3122 if( add_bitmap )
3123 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
3124
3125 return( alloc_len );
3126}
3127
3128#endif /* MBEDTLS_SSL_PROTO_DTLS */
3129
3130static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
3131{
3132 return( ( ssl->in_msg[1] << 16 ) |
3133 ( ssl->in_msg[2] << 8 ) |
3134 ssl->in_msg[3] );
3135}
3136
3137int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
3138{
3139 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
3140 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]3141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3142 ssl->in_msglen ) );
3143 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3144 }
3145
3146 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
3147
3148 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]3149 " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3150 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
3151
3152#if defined(MBEDTLS_SSL_PROTO_DTLS)
3153 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3154 {
3155 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3156 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
3157
3158 if( ssl_check_hs_header( ssl ) != 0 )
3159 {
3160 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
3161 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3162 }
3163
3164 if( ssl->handshake != NULL &&
3165 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
3166 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
3167 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3168 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
3169 {
3170 if( recv_msg_seq > ssl->handshake->in_msg_seq )
3171 {
3172 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
3173 recv_msg_seq,
3174 ssl->handshake->in_msg_seq ) );
3175 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3176 }
3177
3178 /* Retransmit only on last message from previous flight, to avoid
3179 * too many retransmissions.
3180 * Besides, No sane server ever retransmits HelloVerifyRequest */
3181 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
3182 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
3183 {
3184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]3185 "message_seq = %u, start_of_flight = %u",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3186 recv_msg_seq,
3187 ssl->handshake->in_flight_start_seq ) );
3188
3189 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3190 {
3191 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
3192 return( ret );
3193 }
3194 }
3195 else
3196 {
3197 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]3198 "message_seq = %u, expected = %u",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3199 recv_msg_seq,
3200 ssl->handshake->in_msg_seq ) );
3201 }
3202
3203 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
3204 }
3205 /* Wait until message completion to increment in_msg_seq */
3206
3207 /* Message reassembly is handled alongside buffering of future
3208 * messages; the commonality is that both handshake fragments and
3209 * future messages cannot be forwarded immediately to the
3210 * handshake logic layer. */
3211 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
3212 {
3213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
3214 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3215 }
3216 }
3217 else
3218#endif /* MBEDTLS_SSL_PROTO_DTLS */
3219 /* With TLS we don't handle fragmentation (for now) */
3220 if( ssl->in_msglen < ssl->in_hslen )
3221 {
3222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
3223 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3224 }
3225
3226 return( 0 );
3227}
3228
3229void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
3230{
3231 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3232
3233 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
3234 {
3235 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
3236 }
3237
3238 /* Handshake message is complete, increment counter */
3239#if defined(MBEDTLS_SSL_PROTO_DTLS)
3240 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3241 ssl->handshake != NULL )
3242 {
3243 unsigned offset;
3244 mbedtls_ssl_hs_buffer *hs_buf;
3245
3246 /* Increment handshake sequence number */
3247 hs->in_msg_seq++;
3248
3249 /*
3250 * Clear up handshake buffering and reassembly structure.
3251 */
3252
3253 /* Free first entry */
3254 ssl_buffering_free_slot( ssl, 0 );
3255
3256 /* Shift all other entries */
3257 for( offset = 0, hs_buf = &hs->buffering.hs[0];
3258 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
3259 offset++, hs_buf++ )
3260 {
3261 *hs_buf = *(hs_buf + 1);
3262 }
3263
3264 /* Create a fresh last entry */
3265 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
3266 }
3267#endif
3268}
3269
3270/*
3271 * DTLS anti-replay: RFC 6347 4.1.2.6
3272 *
3273 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3274 * Bit n is set iff record number in_window_top - n has been seen.
3275 *
3276 * Usually, in_window_top is the last record number seen and the lsb of
3277 * in_window is set. The only exception is the initial state (record number 0
3278 * not seen yet).
3279 */
3280#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3281void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
3282{
3283 ssl->in_window_top = 0;
3284 ssl->in_window = 0;
3285}
3286
3287static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3288{
3289 return( ( (uint64_t) buf[0] << 40 ) |
3290 ( (uint64_t) buf[1] << 32 ) |
3291 ( (uint64_t) buf[2] << 24 ) |
3292 ( (uint64_t) buf[3] << 16 ) |
3293 ( (uint64_t) buf[4] << 8 ) |
3294 ( (uint64_t) buf[5] ) );
3295}
3296
3297static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
3298{
3299 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3300 unsigned char *original_in_ctr;
3301
3302 // save original in_ctr
3303 original_in_ctr = ssl->in_ctr;
3304
3305 // use counter from record
3306 ssl->in_ctr = record_in_ctr;
3307
3308 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3309
3310 // restore the counter
3311 ssl->in_ctr = original_in_ctr;
3312
3313 return ret;
3314}
3315
3316/*
3317 * Return 0 if sequence number is acceptable, -1 otherwise
3318 */
3319int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
3320{
3321 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3322 uint64_t bit;
3323
3324 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3325 return( 0 );
3326
3327 if( rec_seqnum > ssl->in_window_top )
3328 return( 0 );
3329
3330 bit = ssl->in_window_top - rec_seqnum;
3331
3332 if( bit >= 64 )
3333 return( -1 );
3334
3335 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3336 return( -1 );
3337
3338 return( 0 );
3339}
3340
3341/*
3342 * Update replay window on new validated record
3343 */
3344void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
3345{
3346 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3347
3348 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3349 return;
3350
3351 if( rec_seqnum > ssl->in_window_top )
3352 {
3353 /* Update window_top and the contents of the window */
3354 uint64_t shift = rec_seqnum - ssl->in_window_top;
3355
3356 if( shift >= 64 )
3357 ssl->in_window = 1;
3358 else
3359 {
3360 ssl->in_window <<= shift;
3361 ssl->in_window |= 1;
3362 }
3363
3364 ssl->in_window_top = rec_seqnum;
3365 }
3366 else
3367 {
3368 /* Mark that number as seen in the current window */
3369 uint64_t bit = ssl->in_window_top - rec_seqnum;
3370
3371 if( bit < 64 ) /* Always true, but be extra sure */
3372 ssl->in_window |= (uint64_t) 1 << bit;
3373 }
3374}
3375#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3376
3377#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3378/*
3379 * Without any SSL context, check if a datagram looks like a ClientHello with
3380 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
3381 * Both input and output include full DTLS headers.
3382 *
3383 * - if cookie is valid, return 0
3384 * - if ClientHello looks superficially valid but cookie is not,
3385 * fill obuf and set olen, then
3386 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3387 * - otherwise return a specific error code
3388 */
3389static int ssl_check_dtls_clihlo_cookie(
3390 mbedtls_ssl_cookie_write_t *f_cookie_write,
3391 mbedtls_ssl_cookie_check_t *f_cookie_check,
3392 void *p_cookie,
3393 const unsigned char *cli_id, size_t cli_id_len,
3394 const unsigned char *in, size_t in_len,
3395 unsigned char *obuf, size_t buf_len, size_t *olen )
3396{
3397 size_t sid_len, cookie_len;
3398 unsigned char *p;
3399
3400 /*
3401 * Structure of ClientHello with record and handshake headers,
3402 * and expected values. We don't need to check a lot, more checks will be
3403 * done when actually parsing the ClientHello - skipping those checks
3404 * avoids code duplication and does not make cookie forging any easier.
3405 *
3406 * 0-0 ContentType type; copied, must be handshake
3407 * 1-2 ProtocolVersion version; copied
3408 * 3-4 uint16 epoch; copied, must be 0
3409 * 5-10 uint48 sequence_number; copied
3410 * 11-12 uint16 length; (ignored)
3411 *
3412 * 13-13 HandshakeType msg_type; (ignored)
3413 * 14-16 uint24 length; (ignored)
3414 * 17-18 uint16 message_seq; copied
3415 * 19-21 uint24 fragment_offset; copied, must be 0
3416 * 22-24 uint24 fragment_length; (ignored)
3417 *
3418 * 25-26 ProtocolVersion client_version; (ignored)
3419 * 27-58 Random random; (ignored)
3420 * 59-xx SessionID session_id; 1 byte len + sid_len content
3421 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3422 * ...
3423 *
3424 * Minimum length is 61 bytes.
3425 */
3426 if( in_len < 61 ||
3427 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3428 in[3] != 0 || in[4] != 0 ||
3429 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3430 {
3431 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3432 }
3433
3434 sid_len = in[59];
3435 if( sid_len > in_len - 61 )
3436 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3437
3438 cookie_len = in[60 + sid_len];
3439 if( cookie_len > in_len - 60 )
3440 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3441
3442 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3443 cli_id, cli_id_len ) == 0 )
3444 {
3445 /* Valid cookie */
3446 return( 0 );
3447 }
3448
3449 /*
3450 * If we get here, we've got an invalid cookie, let's prepare HVR.
3451 *
3452 * 0-0 ContentType type; copied
3453 * 1-2 ProtocolVersion version; copied
3454 * 3-4 uint16 epoch; copied
3455 * 5-10 uint48 sequence_number; copied
3456 * 11-12 uint16 length; olen - 13
3457 *
3458 * 13-13 HandshakeType msg_type; hello_verify_request
3459 * 14-16 uint24 length; olen - 25
3460 * 17-18 uint16 message_seq; copied
3461 * 19-21 uint24 fragment_offset; copied
3462 * 22-24 uint24 fragment_length; olen - 25
3463 *
3464 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3465 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3466 *
3467 * Minimum length is 28.
3468 */
3469 if( buf_len < 28 )
3470 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3471
3472 /* Copy most fields and adapt others */
3473 memcpy( obuf, in, 25 );
3474 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3475 obuf[25] = 0xfe;
3476 obuf[26] = 0xff;
3477
3478 /* Generate and write actual cookie */
3479 p = obuf + 28;
3480 if( f_cookie_write( p_cookie,
3481 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3482 {
3483 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3484 }
3485
3486 *olen = p - obuf;
3487
3488 /* Go back and fill length fields */
3489 obuf[27] = (unsigned char)( *olen - 28 );
3490
3491 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
3492 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
3493 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
3494
3495 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
3496 obuf[12] = (unsigned char)( ( *olen - 13 ) );
3497
3498 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3499}
3500
3501/*
3502 * Handle possible client reconnect with the same UDP quadruplet
3503 * (RFC 6347 Section 4.2.8).
3504 *
3505 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3506 * that looks like a ClientHello.
3507 *
3508 * - if the input looks like a ClientHello without cookies,
3509 * send back HelloVerifyRequest, then return 0
3510 * - if the input looks like a ClientHello with a valid cookie,
3511 * reset the session of the current context, and
3512 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
3513 * - if anything goes wrong, return a specific error code
3514 *
3515 * This function is called (through ssl_check_client_reconnect()) when an
3516 * unexpected record is found in ssl_get_next_record(), which will discard the
3517 * record if we return 0, and bubble up the return value otherwise (this
3518 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3519 * errors, and is the right thing to do in both cases).
3520 */
3521static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3522{
3523 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3524 size_t len;
3525
3526 if( ssl->conf->f_cookie_write == NULL ||
3527 ssl->conf->f_cookie_check == NULL )
3528 {
3529 /* If we can't use cookies to verify reachability of the peer,
3530 * drop the record. */
3531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3532 "can't check reconnect validity" ) );
3533 return( 0 );
3534 }
3535
3536 ret = ssl_check_dtls_clihlo_cookie(
3537 ssl->conf->f_cookie_write,
3538 ssl->conf->f_cookie_check,
3539 ssl->conf->p_cookie,
3540 ssl->cli_id, ssl->cli_id_len,
3541 ssl->in_buf, ssl->in_left,
3542 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
3543
3544 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3545
3546 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
3547 {
3548 int send_ret;
3549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3550 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3551 ssl->out_buf, len );
3552 /* Don't check write errors as we can't do anything here.
3553 * If the error is permanent we'll catch it later,
3554 * if it's not, then hopefully it'll work next time. */
3555 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3556 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3557 (void) send_ret;
3558
3559 return( 0 );
3560 }
3561
3562 if( ret == 0 )
3563 {
3564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
3565 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
3566 {
3567 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3568 return( ret );
3569 }
3570
3571 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
3572 }
3573
3574 return( ret );
3575}
3576#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3577
3578static int ssl_check_record_type( uint8_t record_type )
3579{
3580 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3581 record_type != MBEDTLS_SSL_MSG_ALERT &&
3582 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3583 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3584 {
3585 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3586 }
3587
3588 return( 0 );
3589}
3590
3591/*
3592 * ContentType type;
3593 * ProtocolVersion version;
3594 * uint16 epoch; // DTLS only
3595 * uint48 sequence_number; // DTLS only
3596 * uint16 length;
3597 *
3598 * Return 0 if header looks sane (and, for DTLS, the record is expected)
3599 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
3600 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3601 *
3602 * With DTLS, mbedtls_ssl_read_record() will:
3603 * 1. proceed with the record if this function returns 0
3604 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3605 * 3. return CLIENT_RECONNECT if this function return that value
3606 * 4. drop the whole datagram if this function returns anything else.
3607 * Point 2 is needed when the peer is resending, and we have already received
3608 * the first record from a datagram but are still waiting for the others.
3609 */
3610static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
3611 unsigned char *buf,
3612 size_t len,
3613 mbedtls_record *rec )
3614{
3615 int major_ver, minor_ver;
3616
3617 size_t const rec_hdr_type_offset = 0;
3618 size_t const rec_hdr_type_len = 1;
3619
3620 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3621 rec_hdr_type_len;
3622 size_t const rec_hdr_version_len = 2;
3623
3624 size_t const rec_hdr_ctr_len = 8;
3625#if defined(MBEDTLS_SSL_PROTO_DTLS)
3626 uint32_t rec_epoch;
3627 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3628 rec_hdr_version_len;
3629
3630#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3631 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3632 rec_hdr_ctr_len;
3633 size_t rec_hdr_cid_len = 0;
3634#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3635#endif /* MBEDTLS_SSL_PROTO_DTLS */
3636
3637 size_t rec_hdr_len_offset; /* To be determined */
3638 size_t const rec_hdr_len_len = 2;
3639
3640 /*
3641 * Check minimum lengths for record header.
3642 */
3643
3644#if defined(MBEDTLS_SSL_PROTO_DTLS)
3645 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3646 {
3647 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3648 }
3649 else
3650#endif /* MBEDTLS_SSL_PROTO_DTLS */
3651 {
3652 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3653 }
3654
3655 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3656 {
3657 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3658 (unsigned) len,
3659 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3660 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3661 }
3662
3663 /*
3664 * Parse and validate record content type
3665 */
3666
3667 rec->type = buf[ rec_hdr_type_offset ];
3668
3669 /* Check record content type */
3670#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3671 rec->cid_len = 0;
3672
3673 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3674 ssl->conf->cid_len != 0 &&
3675 rec->type == MBEDTLS_SSL_MSG_CID )
3676 {
3677 /* Shift pointers to account for record header including CID
3678 * struct {
3679 * ContentType special_type = tls12_cid;
3680 * ProtocolVersion version;
3681 * uint16 epoch;
3682 * uint48 sequence_number;
3683 * opaque cid[cid_length]; // Additional field compared to
3684 * // default DTLS record format
3685 * uint16 length;
3686 * opaque enc_content[DTLSCiphertext.length];
3687 * } DTLSCiphertext;
3688 */
3689
3690 /* So far, we only support static CID lengths
3691 * fixed in the configuration. */
3692 rec_hdr_cid_len = ssl->conf->cid_len;
3693 rec_hdr_len_offset += rec_hdr_cid_len;
3694
3695 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3696 {
3697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3698 (unsigned) len,
3699 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
3700 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3701 }
3702
3703 /* configured CID len is guaranteed at most 255, see
3704 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3705 rec->cid_len = (uint8_t) rec_hdr_cid_len;
3706 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
3707 }
3708 else
3709#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3710 {
3711 if( ssl_check_record_type( rec->type ) )
3712 {
3713 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3714 (unsigned) rec->type ) );
3715 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3716 }
3717 }
3718
3719 /*
3720 * Parse and validate record version
3721 */
3722
3723 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3724 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
3725 mbedtls_ssl_read_version( &major_ver, &minor_ver,
3726 ssl->conf->transport,
3727 &rec->ver[0] );
3728
3729 if( major_ver != ssl->major_ver )
3730 {
3731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3732 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3733 }
3734
3735 if( minor_ver > ssl->conf->max_minor_ver )
3736 {
3737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3738 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3739 }
3740
3741 /*
3742 * Parse/Copy record sequence number.
3743 */
3744
3745#if defined(MBEDTLS_SSL_PROTO_DTLS)
3746 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3747 {
3748 /* Copy explicit record sequence number from input buffer. */
3749 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3750 rec_hdr_ctr_len );
3751 }
3752 else
3753#endif /* MBEDTLS_SSL_PROTO_DTLS */
3754 {
3755 /* Copy implicit record sequence number from SSL context structure. */
3756 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3757 }
3758
3759 /*
3760 * Parse record length.
3761 */
3762
3763 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
3764 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3765 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
3766 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
3767
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]3768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, "
3769 "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3770 rec->type,
3771 major_ver, minor_ver, rec->data_len ) );
3772
3773 rec->buf = buf;
3774 rec->buf_len = rec->data_offset + rec->data_len;
3775
3776 if( rec->data_len == 0 )
3777 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3778
3779 /*
3780 * DTLS-related tests.
3781 * Check epoch before checking length constraint because
3782 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3783 * message gets duplicated before the corresponding Finished message,
3784 * the second ChangeCipherSpec should be discarded because it belongs
3785 * to an old epoch, but not because its length is shorter than
3786 * the minimum record length for packets using the new record transform.
3787 * Note that these two kinds of failures are handled differently,
3788 * as an unexpected record is silently skipped but an invalid
3789 * record leads to the entire datagram being dropped.
3790 */
3791#if defined(MBEDTLS_SSL_PROTO_DTLS)
3792 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3793 {
3794 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
3795
3796 /* Check that the datagram is large enough to contain a record
3797 * of the advertised length. */
3798 if( len < rec->data_offset + rec->data_len )
3799 {
3800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3801 (unsigned) len,
3802 (unsigned)( rec->data_offset + rec->data_len ) ) );
3803 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3804 }
3805
3806 /* Records from other, non-matching epochs are silently discarded.
3807 * (The case of same-port Client reconnects must be considered in
3808 * the caller). */
3809 if( rec_epoch != ssl->in_epoch )
3810 {
3811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]3812 "expected %u, received %lu",
3813 ssl->in_epoch, (unsigned long) rec_epoch ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3814
3815 /* Records from the next epoch are considered for buffering
3816 * (concretely: early Finished messages). */
3817 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
3818 {
3819 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3820 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3821 }
3822
3823 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3824 }
3825#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3826 /* For records from the correct epoch, check whether their
3827 * sequence number has been seen before. */
3828 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3829 &rec->ctr[0] ) != 0 )
3830 {
3831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3832 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3833 }
3834#endif
3835 }
3836#endif /* MBEDTLS_SSL_PROTO_DTLS */
3837
3838 return( 0 );
3839}
3840
3841
3842#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3843static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3844{
3845 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3846
3847 /*
3848 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3849 * access the first byte of record content (handshake type), as we
3850 * have an active transform (possibly iv_len != 0), so use the
3851 * fact that the record header len is 13 instead.
3852 */
3853 if( rec_epoch == 0 &&
3854 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3855 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3856 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3857 ssl->in_left > 13 &&
3858 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3859 {
3860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3861 "from the same port" ) );
3862 return( ssl_handle_possible_reconnect( ssl ) );
3863 }
3864
3865 return( 0 );
3866}
3867#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3868
3869/*
3870 * If applicable, decrypt record content
3871 */
3872static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3873 mbedtls_record *rec )
3874{
3875 int ret, done = 0;
3876
3877 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
3878 rec->buf, rec->buf_len );
3879
3880#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3881 if( mbedtls_ssl_hw_record_read != NULL )
3882 {
3883 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
3884
3885 ret = mbedtls_ssl_hw_record_read( ssl );
3886 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
3887 {
3888 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
3889 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3890 }
3891
3892 if( ret == 0 )
3893 done = 1;
3894 }
3895#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
3896 if( !done && ssl->transform_in != NULL )
3897 {
3898 unsigned char const old_msg_type = rec->type;
3899
3900 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
3901 rec ) ) != 0 )
3902 {
3903 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
3904
3905#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3906 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3907 ssl->conf->ignore_unexpected_cid
3908 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3909 {
3910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
3911 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3912 }
3913#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3914
3915 return( ret );
3916 }
3917
3918 if( old_msg_type != rec->type )
3919 {
3920 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
3921 old_msg_type, rec->type ) );
3922 }
3923
3924 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
3925 rec->buf + rec->data_offset, rec->data_len );
3926
3927#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3928 /* We have already checked the record content type
3929 * in ssl_parse_record_header(), failing or silently
3930 * dropping the record in the case of an unknown type.
3931 *
3932 * Since with the use of CIDs, the record content type
3933 * might change during decryption, re-check the record
3934 * content type, but treat a failure as fatal this time. */
3935 if( ssl_check_record_type( rec->type ) )
3936 {
3937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3938 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3939 }
3940#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3941
3942 if( rec->data_len == 0 )
3943 {
3944#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3945 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
3946 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3947 {
3948 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3949 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3950 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3951 }
3952#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3953
3954 ssl->nb_zero++;
3955
3956 /*
3957 * Three or more empty messages may be a DoS attack
3958 * (excessive CPU consumption).
3959 */
3960 if( ssl->nb_zero > 3 )
3961 {
3962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
3963 "messages, possible DoS attack" ) );
3964 /* Treat the records as if they were not properly authenticated,
3965 * thereby failing the connection if we see more than allowed
3966 * by the configured bad MAC threshold. */
3967 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3968 }
3969 }
3970 else
3971 ssl->nb_zero = 0;
3972
3973#if defined(MBEDTLS_SSL_PROTO_DTLS)
3974 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3975 {
3976 ; /* in_ctr read from peer, not maintained internally */
3977 }
3978 else
3979#endif
3980 {
3981 unsigned i;
3982 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
3983 if( ++ssl->in_ctr[i - 1] != 0 )
3984 break;
3985
3986 /* The loop goes to its end iff the counter is wrapping */
3987 if( i == mbedtls_ssl_ep_len( ssl ) )
3988 {
3989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3990 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3991 }
3992 }
3993
3994 }
3995
3996#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3997 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3998 {
3999 mbedtls_ssl_dtls_replay_update( ssl );
4000 }
4001#endif
4002
4003 /* Check actual (decrypted) record content length against
4004 * configured maximum. */
4005 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4006 {
4007 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4008 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4009 }
4010
4011 return( 0 );
4012}
4013
4014/*
4015 * Read a record.
4016 *
4017 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
4018 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
4019 *
4020 */
4021
4022/* Helper functions for mbedtls_ssl_read_record(). */
4023static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
4024static int ssl_get_next_record( mbedtls_ssl_context *ssl );
4025static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
4026
4027int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
4028 unsigned update_hs_digest )
4029{
4030 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4031
4032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
4033
4034 if( ssl->keep_current_message == 0 )
4035 {
4036 do {
4037
4038 ret = ssl_consume_current_message( ssl );
4039 if( ret != 0 )
4040 return( ret );
4041
4042 if( ssl_record_is_in_progress( ssl ) == 0 )
4043 {
4044#if defined(MBEDTLS_SSL_PROTO_DTLS)
4045 int have_buffered = 0;
4046
4047 /* We only check for buffered messages if the
4048 * current datagram is fully consumed. */
4049 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4050 ssl_next_record_is_in_datagram( ssl ) == 0 )
4051 {
4052 if( ssl_load_buffered_message( ssl ) == 0 )
4053 have_buffered = 1;
4054 }
4055
4056 if( have_buffered == 0 )
4057#endif /* MBEDTLS_SSL_PROTO_DTLS */
4058 {
4059 ret = ssl_get_next_record( ssl );
4060 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
4061 continue;
4062
4063 if( ret != 0 )
4064 {
4065 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
4066 return( ret );
4067 }
4068 }
4069 }
4070
4071 ret = mbedtls_ssl_handle_message_type( ssl );
4072
4073#if defined(MBEDTLS_SSL_PROTO_DTLS)
4074 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4075 {
4076 /* Buffer future message */
4077 ret = ssl_buffer_message( ssl );
4078 if( ret != 0 )
4079 return( ret );
4080
4081 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
4082 }
4083#endif /* MBEDTLS_SSL_PROTO_DTLS */
4084
4085 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
4086 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
4087
4088 if( 0 != ret )
4089 {
4090 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
4091 return( ret );
4092 }
4093
4094 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4095 update_hs_digest == 1 )
4096 {
4097 mbedtls_ssl_update_handshake_status( ssl );
4098 }
4099 }
4100 else
4101 {
4102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
4103 ssl->keep_current_message = 0;
4104 }
4105
4106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
4107
4108 return( 0 );
4109}
4110
4111#if defined(MBEDTLS_SSL_PROTO_DTLS)
4112static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
4113{
4114 if( ssl->in_left > ssl->next_record_offset )
4115 return( 1 );
4116
4117 return( 0 );
4118}
4119
4120static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
4121{
4122 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4123 mbedtls_ssl_hs_buffer * hs_buf;
4124 int ret = 0;
4125
4126 if( hs == NULL )
4127 return( -1 );
4128
4129 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
4130
4131 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
4132 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4133 {
4134 /* Check if we have seen a ChangeCipherSpec before.
4135 * If yes, synthesize a CCS record. */
4136 if( !hs->buffering.seen_ccs )
4137 {
4138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
4139 ret = -1;
4140 goto exit;
4141 }
4142
4143 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
4144 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4145 ssl->in_msglen = 1;
4146 ssl->in_msg[0] = 1;
4147
4148 /* As long as they are equal, the exact value doesn't matter. */
4149 ssl->in_left = 0;
4150 ssl->next_record_offset = 0;
4151
4152 hs->buffering.seen_ccs = 0;
4153 goto exit;
4154 }
4155
4156#if defined(MBEDTLS_DEBUG_C)
4157 /* Debug only */
4158 {
4159 unsigned offset;
4160 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
4161 {
4162 hs_buf = &hs->buffering.hs[offset];
4163 if( hs_buf->is_valid == 1 )
4164 {
4165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
4166 hs->in_msg_seq + offset,
4167 hs_buf->is_complete ? "fully" : "partially" ) );
4168 }
4169 }
4170 }
4171#endif /* MBEDTLS_DEBUG_C */
4172
4173 /* Check if we have buffered and/or fully reassembled the
4174 * next handshake message. */
4175 hs_buf = &hs->buffering.hs[0];
4176 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4177 {
4178 /* Synthesize a record containing the buffered HS message. */
4179 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4180 ( hs_buf->data[2] << 8 ) |
4181 hs_buf->data[3];
4182
4183 /* Double-check that we haven't accidentally buffered
4184 * a message that doesn't fit into the input buffer. */
4185 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4186 {
4187 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4188 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4189 }
4190
4191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
4192 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
4193 hs_buf->data, msg_len + 12 );
4194
4195 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4196 ssl->in_hslen = msg_len + 12;
4197 ssl->in_msglen = msg_len + 12;
4198 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
4199
4200 ret = 0;
4201 goto exit;
4202 }
4203 else
4204 {
4205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
4206 hs->in_msg_seq ) );
4207 }
4208
4209 ret = -1;
4210
4211exit:
4212
4213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
4214 return( ret );
4215}
4216
4217static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
4218 size_t desired )
4219{
4220 int offset;
4221 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
4223 (unsigned) desired ) );
4224
4225 /* Get rid of future records epoch first, if such exist. */
4226 ssl_free_buffered_record( ssl );
4227
4228 /* Check if we have enough space available now. */
4229 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4230 hs->buffering.total_bytes_buffered ) )
4231 {
4232 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
4233 return( 0 );
4234 }
4235
4236 /* We don't have enough space to buffer the next expected handshake
4237 * message. Remove buffers used for future messages to gain space,
4238 * starting with the most distant one. */
4239 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4240 offset >= 0; offset-- )
4241 {
4242 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4243 offset ) );
4244
4245 ssl_buffering_free_slot( ssl, (uint8_t) offset );
4246
4247 /* Check if we have enough space available now. */
4248 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4249 hs->buffering.total_bytes_buffered ) )
4250 {
4251 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
4252 return( 0 );
4253 }
4254 }
4255
4256 return( -1 );
4257}
4258
4259static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4260{
4261 int ret = 0;
4262 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4263
4264 if( hs == NULL )
4265 return( 0 );
4266
4267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4268
4269 switch( ssl->in_msgtype )
4270 {
4271 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4272 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
4273
4274 hs->buffering.seen_ccs = 1;
4275 break;
4276
4277 case MBEDTLS_SSL_MSG_HANDSHAKE:
4278 {
4279 unsigned recv_msg_seq_offset;
4280 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4281 mbedtls_ssl_hs_buffer *hs_buf;
4282 size_t msg_len = ssl->in_hslen - 12;
4283
4284 /* We should never receive an old handshake
4285 * message - double-check nonetheless. */
4286 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4287 {
4288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4289 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4290 }
4291
4292 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4293 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4294 {
4295 /* Silently ignore -- message too far in the future */
4296 MBEDTLS_SSL_DEBUG_MSG( 2,
4297 ( "Ignore future HS message with sequence number %u, "
4298 "buffering window %u - %u",
4299 recv_msg_seq, ssl->handshake->in_msg_seq,
4300 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4301
4302 goto exit;
4303 }
4304
4305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4306 recv_msg_seq, recv_msg_seq_offset ) );
4307
4308 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4309
4310 /* Check if the buffering for this seq nr has already commenced. */
4311 if( !hs_buf->is_valid )
4312 {
4313 size_t reassembly_buf_sz;
4314
4315 hs_buf->is_fragmented =
4316 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4317
4318 /* We copy the message back into the input buffer
4319 * after reassembly, so check that it's not too large.
4320 * This is an implementation-specific limitation
4321 * and not one from the standard, hence it is not
4322 * checked in ssl_check_hs_header(). */
4323 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4324 {
4325 /* Ignore message */
4326 goto exit;
4327 }
4328
4329 /* Check if we have enough space to buffer the message. */
4330 if( hs->buffering.total_bytes_buffered >
4331 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4332 {
4333 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4334 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4335 }
4336
4337 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4338 hs_buf->is_fragmented );
4339
4340 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4341 hs->buffering.total_bytes_buffered ) )
4342 {
4343 if( recv_msg_seq_offset > 0 )
4344 {
4345 /* If we can't buffer a future message because
4346 * of space limitations -- ignore. */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
4348 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4349 " (already %" MBEDTLS_PRINTF_SIZET
4350 " bytes buffered) -- ignore\n",
4351 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4352 hs->buffering.total_bytes_buffered ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4353 goto exit;
4354 }
4355 else
4356 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4357 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
4358 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4359 " (already %" MBEDTLS_PRINTF_SIZET
4360 " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4361 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4362 hs->buffering.total_bytes_buffered ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4363 }
4364
4365 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
4366 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4367 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET
4368 " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed"
4369 " the compile-time limit %" MBEDTLS_PRINTF_SIZET
4370 " (already %" MBEDTLS_PRINTF_SIZET
4371 " bytes buffered) -- fail\n",
4372 msg_len,
4373 reassembly_buf_sz,
4374 (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4375 hs->buffering.total_bytes_buffered ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4376 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4377 goto exit;
4378 }
4379 }
4380
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4381 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4382 msg_len ) );
4383
4384 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4385 if( hs_buf->data == NULL )
4386 {
4387 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
4388 goto exit;
4389 }
4390 hs_buf->data_len = reassembly_buf_sz;
4391
4392 /* Prepare final header: copy msg_type, length and message_seq,
4393 * then add standardised fragment_offset and fragment_length */
4394 memcpy( hs_buf->data, ssl->in_msg, 6 );
4395 memset( hs_buf->data + 6, 0, 3 );
4396 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4397
4398 hs_buf->is_valid = 1;
4399
4400 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
4401 }
4402 else
4403 {
4404 /* Make sure msg_type and length are consistent */
4405 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4406 {
4407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4408 /* Ignore */
4409 goto exit;
4410 }
4411 }
4412
4413 if( !hs_buf->is_complete )
4414 {
4415 size_t frag_len, frag_off;
4416 unsigned char * const msg = hs_buf->data + 12;
4417
4418 /*
4419 * Check and copy current fragment
4420 */
4421
4422 /* Validation of header fields already done in
4423 * mbedtls_ssl_prepare_handshake_record(). */
4424 frag_off = ssl_get_hs_frag_off( ssl );
4425 frag_len = ssl_get_hs_frag_len( ssl );
4426
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
4428 ", length = %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4429 frag_off, frag_len ) );
4430 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4431
4432 if( hs_buf->is_fragmented )
4433 {
4434 unsigned char * const bitmask = msg + msg_len;
4435 ssl_bitmask_set( bitmask, frag_off, frag_len );
4436 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4437 msg_len ) == 0 );
4438 }
4439 else
4440 {
4441 hs_buf->is_complete = 1;
4442 }
4443
4444 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4445 hs_buf->is_complete ? "" : "not yet " ) );
4446 }
4447
4448 break;
4449 }
4450
4451 default:
4452 /* We don't buffer other types of messages. */
4453 break;
4454 }
4455
4456exit:
4457
4458 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4459 return( ret );
4460}
4461#endif /* MBEDTLS_SSL_PROTO_DTLS */
4462
4463static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
4464{
4465 /*
4466 * Consume last content-layer message and potentially
4467 * update in_msglen which keeps track of the contents'
4468 * consumption state.
4469 *
4470 * (1) Handshake messages:
4471 * Remove last handshake message, move content
4472 * and adapt in_msglen.
4473 *
4474 * (2) Alert messages:
4475 * Consume whole record content, in_msglen = 0.
4476 *
4477 * (3) Change cipher spec:
4478 * Consume whole record content, in_msglen = 0.
4479 *
4480 * (4) Application data:
4481 * Don't do anything - the record layer provides
4482 * the application data as a stream transport
4483 * and consumes through mbedtls_ssl_read only.
4484 *
4485 */
4486
4487 /* Case (1): Handshake messages */
4488 if( ssl->in_hslen != 0 )
4489 {
4490 /* Hard assertion to be sure that no application data
4491 * is in flight, as corrupting ssl->in_msglen during
4492 * ssl->in_offt != NULL is fatal. */
4493 if( ssl->in_offt != NULL )
4494 {
4495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4496 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4497 }
4498
4499 /*
4500 * Get next Handshake message in the current record
4501 */
4502
4503 /* Notes:
4504 * (1) in_hslen is not necessarily the size of the
4505 * current handshake content: If DTLS handshake
4506 * fragmentation is used, that's the fragment
4507 * size instead. Using the total handshake message
4508 * size here is faulty and should be changed at
4509 * some point.
4510 * (2) While it doesn't seem to cause problems, one
4511 * has to be very careful not to assume that in_hslen
4512 * is always <= in_msglen in a sensible communication.
4513 * Again, it's wrong for DTLS handshake fragmentation.
4514 * The following check is therefore mandatory, and
4515 * should not be treated as a silently corrected assertion.
4516 * Additionally, ssl->in_hslen might be arbitrarily out of
4517 * bounds after handling a DTLS message with an unexpected
4518 * sequence number, see mbedtls_ssl_prepare_handshake_record.
4519 */
4520 if( ssl->in_hslen < ssl->in_msglen )
4521 {
4522 ssl->in_msglen -= ssl->in_hslen;
4523 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4524 ssl->in_msglen );
4525
4526 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4527 ssl->in_msg, ssl->in_msglen );
4528 }
4529 else
4530 {
4531 ssl->in_msglen = 0;
4532 }
4533
4534 ssl->in_hslen = 0;
4535 }
4536 /* Case (4): Application data */
4537 else if( ssl->in_offt != NULL )
4538 {
4539 return( 0 );
4540 }
4541 /* Everything else (CCS & Alerts) */
4542 else
4543 {
4544 ssl->in_msglen = 0;
4545 }
4546
4547 return( 0 );
4548}
4549
4550static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4551{
4552 if( ssl->in_msglen > 0 )
4553 return( 1 );
4554
4555 return( 0 );
4556}
4557
4558#if defined(MBEDTLS_SSL_PROTO_DTLS)
4559
4560static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4561{
4562 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4563 if( hs == NULL )
4564 return;
4565
4566 if( hs->buffering.future_record.data != NULL )
4567 {
4568 hs->buffering.total_bytes_buffered -=
4569 hs->buffering.future_record.len;
4570
4571 mbedtls_free( hs->buffering.future_record.data );
4572 hs->buffering.future_record.data = NULL;
4573 }
4574}
4575
4576static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4577{
4578 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4579 unsigned char * rec;
4580 size_t rec_len;
4581 unsigned rec_epoch;
4582#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4583 size_t in_buf_len = ssl->in_buf_len;
4584#else
4585 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4586#endif
4587 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4588 return( 0 );
4589
4590 if( hs == NULL )
4591 return( 0 );
4592
4593 rec = hs->buffering.future_record.data;
4594 rec_len = hs->buffering.future_record.len;
4595 rec_epoch = hs->buffering.future_record.epoch;
4596
4597 if( rec == NULL )
4598 return( 0 );
4599
4600 /* Only consider loading future records if the
4601 * input buffer is empty. */
4602 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
4603 return( 0 );
4604
4605 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4606
4607 if( rec_epoch != ssl->in_epoch )
4608 {
4609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4610 goto exit;
4611 }
4612
4613 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4614
4615 /* Double-check that the record is not too large */
4616 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
4617 {
4618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4619 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4620 }
4621
4622 memcpy( ssl->in_hdr, rec, rec_len );
4623 ssl->in_left = rec_len;
4624 ssl->next_record_offset = 0;
4625
4626 ssl_free_buffered_record( ssl );
4627
4628exit:
4629 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4630 return( 0 );
4631}
4632
4633static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4634 mbedtls_record const *rec )
4635{
4636 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4637
4638 /* Don't buffer future records outside handshakes. */
4639 if( hs == NULL )
4640 return( 0 );
4641
4642 /* Only buffer handshake records (we are only interested
4643 * in Finished messages). */
4644 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
4645 return( 0 );
4646
4647 /* Don't buffer more than one future epoch record. */
4648 if( hs->buffering.future_record.data != NULL )
4649 return( 0 );
4650
4651 /* Don't buffer record if there's not enough buffering space remaining. */
4652 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4653 hs->buffering.total_bytes_buffered ) )
4654 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4655 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
4656 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4657 " (already %" MBEDTLS_PRINTF_SIZET
4658 " bytes buffered) -- ignore\n",
4659 rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4660 hs->buffering.total_bytes_buffered ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4661 return( 0 );
4662 }
4663
4664 /* Buffer record */
4665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4666 ssl->in_epoch + 1U ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4667 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
4668
4669 /* ssl_parse_record_header() only considers records
4670 * of the next epoch as candidates for buffering. */
4671 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
4672 hs->buffering.future_record.len = rec->buf_len;
4673
4674 hs->buffering.future_record.data =
4675 mbedtls_calloc( 1, hs->buffering.future_record.len );
4676 if( hs->buffering.future_record.data == NULL )
4677 {
4678 /* If we run out of RAM trying to buffer a
4679 * record from the next epoch, just ignore. */
4680 return( 0 );
4681 }
4682
4683 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
4684
4685 hs->buffering.total_bytes_buffered += rec->buf_len;
4686 return( 0 );
4687}
4688
4689#endif /* MBEDTLS_SSL_PROTO_DTLS */
4690
4691static int ssl_get_next_record( mbedtls_ssl_context *ssl )
4692{
4693 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4694 mbedtls_record rec;
4695
4696#if defined(MBEDTLS_SSL_PROTO_DTLS)
4697 /* We might have buffered a future record; if so,
4698 * and if the epoch matches now, load it.
4699 * On success, this call will set ssl->in_left to
4700 * the length of the buffered record, so that
4701 * the calls to ssl_fetch_input() below will
4702 * essentially be no-ops. */
4703 ret = ssl_load_buffered_record( ssl );
4704 if( ret != 0 )
4705 return( ret );
4706#endif /* MBEDTLS_SSL_PROTO_DTLS */
4707
4708 /* Ensure that we have enough space available for the default form
4709 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4710 * with no space for CIDs counted in). */
4711 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4712 if( ret != 0 )
4713 {
4714 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4715 return( ret );
4716 }
4717
4718 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4719 if( ret != 0 )
4720 {
4721#if defined(MBEDTLS_SSL_PROTO_DTLS)
4722 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4723 {
4724 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4725 {
4726 ret = ssl_buffer_future_record( ssl, &rec );
4727 if( ret != 0 )
4728 return( ret );
4729
4730 /* Fall through to handling of unexpected records */
4731 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4732 }
4733
4734 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4735 {
4736#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4737 /* Reset in pointers to default state for TLS/DTLS records,
4738 * assuming no CID and no offset between record content and
4739 * record plaintext. */
4740 mbedtls_ssl_update_in_pointers( ssl );
4741
4742 /* Setup internal message pointers from record structure. */
4743 ssl->in_msgtype = rec.type;
4744#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4745 ssl->in_len = ssl->in_cid + rec.cid_len;
4746#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4747 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4748 ssl->in_msglen = rec.data_len;
4749
4750 ret = ssl_check_client_reconnect( ssl );
4751 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
4752 if( ret != 0 )
4753 return( ret );
4754#endif
4755
4756 /* Skip unexpected record (but not whole datagram) */
4757 ssl->next_record_offset = rec.buf_len;
4758
4759 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4760 "(header)" ) );
4761 }
4762 else
4763 {
4764 /* Skip invalid record and the rest of the datagram */
4765 ssl->next_record_offset = 0;
4766 ssl->in_left = 0;
4767
4768 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4769 "(header)" ) );
4770 }
4771
4772 /* Get next record */
4773 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4774 }
4775 else
4776#endif
4777 {
4778 return( ret );
4779 }
4780 }
4781
4782#if defined(MBEDTLS_SSL_PROTO_DTLS)
4783 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4784 {
4785 /* Remember offset of next record within datagram. */
4786 ssl->next_record_offset = rec.buf_len;
4787 if( ssl->next_record_offset < ssl->in_left )
4788 {
4789 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4790 }
4791 }
4792 else
4793#endif
4794 {
4795 /*
4796 * Fetch record contents from underlying transport.
4797 */
4798 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
4799 if( ret != 0 )
4800 {
4801 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4802 return( ret );
4803 }
4804
4805 ssl->in_left = 0;
4806 }
4807
4808 /*
4809 * Decrypt record contents.
4810 */
4811
4812 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
4813 {
4814#if defined(MBEDTLS_SSL_PROTO_DTLS)
4815 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4816 {
4817 /* Silently discard invalid records */
4818 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4819 {
4820 /* Except when waiting for Finished as a bad mac here
4821 * probably means something went wrong in the handshake
4822 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4823 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4824 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4825 {
4826#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4827 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4828 {
4829 mbedtls_ssl_send_alert_message( ssl,
4830 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4831 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4832 }
4833#endif
4834 return( ret );
4835 }
4836
4837#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
4838 if( ssl->conf->badmac_limit != 0 &&
4839 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
4840 {
4841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4842 return( MBEDTLS_ERR_SSL_INVALID_MAC );
4843 }
4844#endif
4845
4846 /* As above, invalid records cause
4847 * dismissal of the whole datagram. */
4848
4849 ssl->next_record_offset = 0;
4850 ssl->in_left = 0;
4851
4852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
4853 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4854 }
4855
4856 return( ret );
4857 }
4858 else
4859#endif
4860 {
4861 /* Error out (and send alert) on invalid records */
4862#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4863 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4864 {
4865 mbedtls_ssl_send_alert_message( ssl,
4866 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4867 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4868 }
4869#endif
4870 return( ret );
4871 }
4872 }
4873
4874
4875 /* Reset in pointers to default state for TLS/DTLS records,
4876 * assuming no CID and no offset between record content and
4877 * record plaintext. */
4878 mbedtls_ssl_update_in_pointers( ssl );
4879#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4880 ssl->in_len = ssl->in_cid + rec.cid_len;
4881#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4882 ssl->in_iv = ssl->in_len + 2;
4883
4884 /* The record content type may change during decryption,
4885 * so re-read it. */
4886 ssl->in_msgtype = rec.type;
4887 /* Also update the input buffer, because unfortunately
4888 * the server-side ssl_parse_client_hello() reparses the
4889 * record header when receiving a ClientHello initiating
4890 * a renegotiation. */
4891 ssl->in_hdr[0] = rec.type;
4892 ssl->in_msg = rec.buf + rec.data_offset;
4893 ssl->in_msglen = rec.data_len;
4894 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
4895 ssl->in_len[1] = (unsigned char)( rec.data_len );
4896
4897#if defined(MBEDTLS_ZLIB_SUPPORT)
4898 if( ssl->transform_in != NULL &&
4899 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
4900 {
4901 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4902 {
4903 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
4904 return( ret );
4905 }
4906
4907 /* Check actual (decompress) record content length against
4908 * configured maximum. */
4909 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4910 {
4911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4912 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4913 }
4914 }
4915#endif /* MBEDTLS_ZLIB_SUPPORT */
4916
4917 return( 0 );
4918}
4919
4920int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4921{
4922 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4923
4924 /*
4925 * Handle particular types of records
4926 */
4927 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
4928 {
4929 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4930 {
4931 return( ret );
4932 }
4933 }
4934
4935 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4936 {
4937 if( ssl->in_msglen != 1 )
4938 {
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4940 ssl->in_msglen ) );
4941 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4942 }
4943
4944 if( ssl->in_msg[0] != 1 )
4945 {
4946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4947 ssl->in_msg[0] ) );
4948 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4949 }
4950
4951#if defined(MBEDTLS_SSL_PROTO_DTLS)
4952 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4953 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4954 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4955 {
4956 if( ssl->handshake == NULL )
4957 {
4958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4959 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4960 }
4961
4962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4963 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4964 }
4965#endif
4966 }
4967
4968 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
4969 {
4970 if( ssl->in_msglen != 2 )
4971 {
4972 /* Note: Standard allows for more than one 2 byte alert
4973 to be packed in a single message, but Mbed TLS doesn't
4974 currently support this. */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4975 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4976 ssl->in_msglen ) );
4977 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4978 }
4979
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]",
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]4981 ssl->in_msg[0], ssl->in_msg[1] ) );
4982
4983 /*
4984 * Ignore non-fatal alerts, except close_notify and no_renegotiation
4985 */
4986 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
4987 {
4988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
4989 ssl->in_msg[1] ) );
4990 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
4991 }
4992
4993 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4994 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
4995 {
4996 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4997 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
4998 }
4999
5000#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
5001 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5002 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
5003 {
5004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
5005 /* Will be handled when trying to parse ServerHello */
5006 return( 0 );
5007 }
5008#endif
5009
5010#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
5011 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
5012 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5013 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5014 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5015 {
5016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
5017 /* Will be handled in mbedtls_ssl_parse_certificate() */
5018 return( 0 );
5019 }
5020#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
5021
5022 /* Silently ignore: fetch new message */
5023 return MBEDTLS_ERR_SSL_NON_FATAL;
5024 }
5025
5026#if defined(MBEDTLS_SSL_PROTO_DTLS)
5027 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5028 {
5029 /* Drop unexpected ApplicationData records,
5030 * except at the beginning of renegotiations */
5031 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
5032 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
5033#if defined(MBEDTLS_SSL_RENEGOTIATION)
5034 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
5035 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
5036#endif
5037 )
5038 {
5039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
5040 return( MBEDTLS_ERR_SSL_NON_FATAL );
5041 }
5042
5043 if( ssl->handshake != NULL &&
5044 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5045 {
5046 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
5047 }
5048 }
5049#endif /* MBEDTLS_SSL_PROTO_DTLS */
5050
5051 return( 0 );
5052}
5053
5054int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
5055{
5056 return( mbedtls_ssl_send_alert_message( ssl,
5057 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5058 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
5059}
5060
5061int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
5062 unsigned char level,
5063 unsigned char message )
5064{
5065 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5066
5067 if( ssl == NULL || ssl->conf == NULL )
5068 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5069
5070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
5071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
5072
5073 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5074 ssl->out_msglen = 2;
5075 ssl->out_msg[0] = level;
5076 ssl->out_msg[1] = message;
5077
5078 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5079 {
5080 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5081 return( ret );
5082 }
5083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
5084
5085 return( 0 );
5086}
5087
5088int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
5089{
5090 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5091
5092 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
5093
5094 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
5095 ssl->out_msglen = 1;
5096 ssl->out_msg[0] = 1;
5097
5098 ssl->state++;
5099
5100 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
5101 {
5102 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
5103 return( ret );
5104 }
5105
5106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
5107
5108 return( 0 );
5109}
5110
5111int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
5112{
5113 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5114
5115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
5116
5117 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5118 {
5119 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5120 return( ret );
5121 }
5122
5123 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
5124 {
5125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
5126 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5127 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5128 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5129 }
5130
5131 /* CCS records are only accepted if they have length 1 and content '1',
5132 * so we don't need to check this here. */
5133
5134 /*
5135 * Switch to our negotiated transform and session parameters for inbound
5136 * data.
5137 */
5138 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
5139 ssl->transform_in = ssl->transform_negotiate;
5140 ssl->session_in = ssl->session_negotiate;
5141
5142#if defined(MBEDTLS_SSL_PROTO_DTLS)
5143 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5144 {
5145#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5146 mbedtls_ssl_dtls_replay_reset( ssl );
5147#endif
5148
5149 /* Increment epoch */
5150 if( ++ssl->in_epoch == 0 )
5151 {
5152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
5153 /* This is highly unlikely to happen for legitimate reasons, so
5154 treat it as an attack and don't send an alert. */
5155 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
5156 }
5157 }
5158 else
5159#endif /* MBEDTLS_SSL_PROTO_DTLS */
5160 memset( ssl->in_ctr, 0, 8 );
5161
5162 mbedtls_ssl_update_in_pointers( ssl );
5163
5164#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
5165 if( mbedtls_ssl_hw_record_activate != NULL )
5166 {
5167 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
5168 {
5169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
5170 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5171 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
5172 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
5173 }
5174 }
5175#endif
5176
5177 ssl->state++;
5178
5179 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
5180
5181 return( 0 );
5182}
5183
5184/* Once ssl->out_hdr as the address of the beginning of the
5185 * next outgoing record is set, deduce the other pointers.
5186 *
5187 * Note: For TLS, we save the implicit record sequence number
5188 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
5189 * and the caller has to make sure there's space for this.
5190 */
5191
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]5192static size_t ssl_transform_get_explicit_iv_len(
5193 mbedtls_ssl_transform const *transform )
5194{
5195 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
5196 return( 0 );
5197
5198 return( transform->ivlen - transform->fixed_ivlen );
5199}
5200
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]5201void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
5202 mbedtls_ssl_transform *transform )
5203{
5204#if defined(MBEDTLS_SSL_PROTO_DTLS)
5205 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5206 {
5207 ssl->out_ctr = ssl->out_hdr + 3;
5208#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5209 ssl->out_cid = ssl->out_ctr + 8;
5210 ssl->out_len = ssl->out_cid;
5211 if( transform != NULL )
5212 ssl->out_len += transform->out_cid_len;
5213#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5214 ssl->out_len = ssl->out_ctr + 8;
5215#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5216 ssl->out_iv = ssl->out_len + 2;
5217 }
5218 else
5219#endif
5220 {
5221 ssl->out_ctr = ssl->out_hdr - 8;
5222 ssl->out_len = ssl->out_hdr + 3;
5223#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5224 ssl->out_cid = ssl->out_len;
5225#endif
5226 ssl->out_iv = ssl->out_hdr + 5;
5227 }
5228
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]5229 ssl->out_msg = ssl->out_iv;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]5230 /* Adjust out_msg to make space for explicit IV, if used. */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]5231 if( transform != NULL )
5232 ssl->out_msg += ssl_transform_get_explicit_iv_len( transform );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]5233}
5234
5235/* Once ssl->in_hdr as the address of the beginning of the
5236 * next incoming record is set, deduce the other pointers.
5237 *
5238 * Note: For TLS, we save the implicit record sequence number
5239 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
5240 * and the caller has to make sure there's space for this.
5241 */
5242
5243void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
5244{
5245 /* This function sets the pointers to match the case
5246 * of unprotected TLS/DTLS records, with both ssl->in_iv
5247 * and ssl->in_msg pointing to the beginning of the record
5248 * content.
5249 *
5250 * When decrypting a protected record, ssl->in_msg
5251 * will be shifted to point to the beginning of the
5252 * record plaintext.
5253 */
5254
5255#if defined(MBEDTLS_SSL_PROTO_DTLS)
5256 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5257 {
5258 /* This sets the header pointers to match records
5259 * without CID. When we receive a record containing
5260 * a CID, the fields are shifted accordingly in
5261 * ssl_parse_record_header(). */
5262 ssl->in_ctr = ssl->in_hdr + 3;
5263#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5264 ssl->in_cid = ssl->in_ctr + 8;
5265 ssl->in_len = ssl->in_cid; /* Default: no CID */
5266#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5267 ssl->in_len = ssl->in_ctr + 8;
5268#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5269 ssl->in_iv = ssl->in_len + 2;
5270 }
5271 else
5272#endif
5273 {
5274 ssl->in_ctr = ssl->in_hdr - 8;
5275 ssl->in_len = ssl->in_hdr + 3;
5276#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5277 ssl->in_cid = ssl->in_len;
5278#endif
5279 ssl->in_iv = ssl->in_hdr + 5;
5280 }
5281
5282 /* This will be adjusted at record decryption time. */
5283 ssl->in_msg = ssl->in_iv;
5284}
5285
5286/*
5287 * Setup an SSL context
5288 */
5289
5290void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
5291{
5292 /* Set the incoming and outgoing record pointers. */
5293#if defined(MBEDTLS_SSL_PROTO_DTLS)
5294 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5295 {
5296 ssl->out_hdr = ssl->out_buf;
5297 ssl->in_hdr = ssl->in_buf;
5298 }
5299 else
5300#endif /* MBEDTLS_SSL_PROTO_DTLS */
5301 {
5302 ssl->out_hdr = ssl->out_buf + 8;
5303 ssl->in_hdr = ssl->in_buf + 8;
5304 }
5305
5306 /* Derive other internal pointers. */
5307 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
5308 mbedtls_ssl_update_in_pointers ( ssl );
5309}
5310
5311/*
5312 * SSL get accessors
5313 */
5314size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
5315{
5316 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
5317}
5318
5319int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
5320{
5321 /*
5322 * Case A: We're currently holding back
5323 * a message for further processing.
5324 */
5325
5326 if( ssl->keep_current_message == 1 )
5327 {
5328 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
5329 return( 1 );
5330 }
5331
5332 /*
5333 * Case B: Further records are pending in the current datagram.
5334 */
5335
5336#if defined(MBEDTLS_SSL_PROTO_DTLS)
5337 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5338 ssl->in_left > ssl->next_record_offset )
5339 {
5340 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
5341 return( 1 );
5342 }
5343#endif /* MBEDTLS_SSL_PROTO_DTLS */
5344
5345 /*
5346 * Case C: A handshake message is being processed.
5347 */
5348
5349 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
5350 {
5351 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
5352 return( 1 );
5353 }
5354
5355 /*
5356 * Case D: An application data message is being processed
5357 */
5358 if( ssl->in_offt != NULL )
5359 {
5360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
5361 return( 1 );
5362 }
5363
5364 /*
5365 * In all other cases, the rest of the message can be dropped.
5366 * As in ssl_get_next_record, this needs to be adapted if
5367 * we implement support for multiple alerts in single records.
5368 */
5369
5370 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5371 return( 0 );
5372}
5373
5374
5375int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
5376{
5377 size_t transform_expansion = 0;
5378 const mbedtls_ssl_transform *transform = ssl->transform_out;
5379 unsigned block_size;
5380
5381 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5382
5383 if( transform == NULL )
5384 return( (int) out_hdr_len );
5385
5386#if defined(MBEDTLS_ZLIB_SUPPORT)
5387 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
5388 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
5389#endif
5390
5391 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
5392 {
5393 case MBEDTLS_MODE_GCM:
5394 case MBEDTLS_MODE_CCM:
5395 case MBEDTLS_MODE_CHACHAPOLY:
5396 case MBEDTLS_MODE_STREAM:
5397 transform_expansion = transform->minlen;
5398 break;
5399
5400 case MBEDTLS_MODE_CBC:
5401
5402 block_size = mbedtls_cipher_get_block_size(
5403 &transform->cipher_ctx_enc );
5404
5405 /* Expansion due to the addition of the MAC. */
5406 transform_expansion += transform->maclen;
5407
5408 /* Expansion due to the addition of CBC padding;
5409 * Theoretically up to 256 bytes, but we never use
5410 * more than the block size of the underlying cipher. */
5411 transform_expansion += block_size;
5412
5413 /* For TLS 1.1 or higher, an explicit IV is added
5414 * after the record header. */
5415#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
5416 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
5417 transform_expansion += block_size;
5418#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
5419
5420 break;
5421
5422 default:
5423 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5424 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5425 }
5426
5427#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5428 if( transform->out_cid_len != 0 )
5429 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
5430#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5431
5432 return( (int)( out_hdr_len + transform_expansion ) );
5433}
5434
5435#if defined(MBEDTLS_SSL_RENEGOTIATION)
5436/*
5437 * Check record counters and renegotiate if they're above the limit.
5438 */
5439static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
5440{
5441 size_t ep_len = mbedtls_ssl_ep_len( ssl );
5442 int in_ctr_cmp;
5443 int out_ctr_cmp;
5444
5445 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5446 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
5447 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
5448 {
5449 return( 0 );
5450 }
5451
5452 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5453 ssl->conf->renego_period + ep_len, 8 - ep_len );
5454 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
5455 ssl->conf->renego_period + ep_len, 8 - ep_len );
5456
5457 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
5458 {
5459 return( 0 );
5460 }
5461
5462 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
5463 return( mbedtls_ssl_renegotiate( ssl ) );
5464}
5465#endif /* MBEDTLS_SSL_RENEGOTIATION */
5466
5467/*
5468 * Receive application data decrypted from the SSL layer
5469 */
5470int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
5471{
5472 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5473 size_t n;
5474
5475 if( ssl == NULL || ssl->conf == NULL )
5476 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5477
5478 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
5479
5480#if defined(MBEDTLS_SSL_PROTO_DTLS)
5481 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5482 {
5483 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5484 return( ret );
5485
5486 if( ssl->handshake != NULL &&
5487 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
5488 {
5489 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
5490 return( ret );
5491 }
5492 }
5493#endif
5494
5495 /*
5496 * Check if renegotiation is necessary and/or handshake is
5497 * in process. If yes, perform/continue, and fall through
5498 * if an unexpected packet is received while the client
5499 * is waiting for the ServerHello.
5500 *
5501 * (There is no equivalent to the last condition on
5502 * the server-side as it is not treated as within
5503 * a handshake while waiting for the ClientHello
5504 * after a renegotiation request.)
5505 */
5506
5507#if defined(MBEDTLS_SSL_RENEGOTIATION)
5508 ret = ssl_check_ctr_renegotiate( ssl );
5509 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5510 ret != 0 )
5511 {
5512 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5513 return( ret );
5514 }
5515#endif
5516
5517 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5518 {
5519 ret = mbedtls_ssl_handshake( ssl );
5520 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5521 ret != 0 )
5522 {
5523 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5524 return( ret );
5525 }
5526 }
5527
5528 /* Loop as long as no application data record is available */
5529 while( ssl->in_offt == NULL )
5530 {
5531 /* Start timer if not already running */
5532 if( ssl->f_get_timer != NULL &&
5533 ssl->f_get_timer( ssl->p_timer ) == -1 )
5534 {
5535 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
5536 }
5537
5538 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5539 {
5540 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5541 return( 0 );
5542
5543 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5544 return( ret );
5545 }
5546
5547 if( ssl->in_msglen == 0 &&
5548 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
5549 {
5550 /*
5551 * OpenSSL sends empty messages to randomize the IV
5552 */
5553 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5554 {
5555 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5556 return( 0 );
5557
5558 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5559 return( ret );
5560 }
5561 }
5562
5563 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
5564 {
5565 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
5566
5567 /*
5568 * - For client-side, expect SERVER_HELLO_REQUEST.
5569 * - For server-side, expect CLIENT_HELLO.
5570 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5571 */
5572
5573#if defined(MBEDTLS_SSL_CLI_C)
5574 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5575 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
5576 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
5577 {
5578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
5579
5580 /* With DTLS, drop the packet (probably from last handshake) */
5581#if defined(MBEDTLS_SSL_PROTO_DTLS)
5582 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5583 {
5584 continue;
5585 }
5586#endif
5587 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5588 }
5589#endif /* MBEDTLS_SSL_CLI_C */
5590
5591#if defined(MBEDTLS_SSL_SRV_C)
5592 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5593 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
5594 {
5595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
5596
5597 /* With DTLS, drop the packet (probably from last handshake) */
5598#if defined(MBEDTLS_SSL_PROTO_DTLS)
5599 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5600 {
5601 continue;
5602 }
5603#endif
5604 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5605 }
5606#endif /* MBEDTLS_SSL_SRV_C */
5607
5608#if defined(MBEDTLS_SSL_RENEGOTIATION)
5609 /* Determine whether renegotiation attempt should be accepted */
5610 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5611 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5612 ssl->conf->allow_legacy_renegotiation ==
5613 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5614 {
5615 /*
5616 * Accept renegotiation request
5617 */
5618
5619 /* DTLS clients need to know renego is server-initiated */
5620#if defined(MBEDTLS_SSL_PROTO_DTLS)
5621 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5622 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5623 {
5624 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5625 }
5626#endif
5627 ret = mbedtls_ssl_start_renegotiation( ssl );
5628 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5629 ret != 0 )
5630 {
5631 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5632 ret );
5633 return( ret );
5634 }
5635 }
5636 else
5637#endif /* MBEDTLS_SSL_RENEGOTIATION */
5638 {
5639 /*
5640 * Refuse renegotiation
5641 */
5642
5643 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
5644
5645#if defined(MBEDTLS_SSL_PROTO_SSL3)
5646 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5647 {
5648 /* SSLv3 does not have a "no_renegotiation" warning, so
5649 we send a fatal alert and abort the connection. */
5650 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5651 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5652 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5653 }
5654 else
5655#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5656#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5657 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5658 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
5659 {
5660 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5661 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5662 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
5663 {
5664 return( ret );
5665 }
5666 }
5667 else
5668#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
5669 MBEDTLS_SSL_PROTO_TLS1_2 */
5670 {
5671 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5672 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5673 }
5674 }
5675
5676 /* At this point, we don't know whether the renegotiation has been
5677 * completed or not. The cases to consider are the following:
5678 * 1) The renegotiation is complete. In this case, no new record
5679 * has been read yet.
5680 * 2) The renegotiation is incomplete because the client received
5681 * an application data record while awaiting the ServerHello.
5682 * 3) The renegotiation is incomplete because the client received
5683 * a non-handshake, non-application data message while awaiting
5684 * the ServerHello.
5685 * In each of these case, looping will be the proper action:
5686 * - For 1), the next iteration will read a new record and check
5687 * if it's application data.
5688 * - For 2), the loop condition isn't satisfied as application data
5689 * is present, hence continue is the same as break
5690 * - For 3), the loop condition is satisfied and read_record
5691 * will re-deliver the message that was held back by the client
5692 * when expecting the ServerHello.
5693 */
5694 continue;
5695 }
5696#if defined(MBEDTLS_SSL_RENEGOTIATION)
5697 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5698 {
5699 if( ssl->conf->renego_max_records >= 0 )
5700 {
5701 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
5702 {
5703 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
5704 "but not honored by client" ) );
5705 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5706 }
5707 }
5708 }
5709#endif /* MBEDTLS_SSL_RENEGOTIATION */
5710
5711 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5712 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
5713 {
5714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
5715 return( MBEDTLS_ERR_SSL_WANT_READ );
5716 }
5717
5718 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
5719 {
5720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5721 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5722 }
5723
5724 ssl->in_offt = ssl->in_msg;
5725
5726 /* We're going to return something now, cancel timer,
5727 * except if handshake (renegotiation) is in progress */
5728 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5729 mbedtls_ssl_set_timer( ssl, 0 );
5730
5731#if defined(MBEDTLS_SSL_PROTO_DTLS)
5732 /* If we requested renego but received AppData, resend HelloRequest.
5733 * Do it now, after setting in_offt, to avoid taking this branch
5734 * again if ssl_write_hello_request() returns WANT_WRITE */
5735#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
5736 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5737 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5738 {
5739 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
5740 {
5741 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5742 ret );
5743 return( ret );
5744 }
5745 }
5746#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
5747#endif /* MBEDTLS_SSL_PROTO_DTLS */
5748 }
5749
5750 n = ( len < ssl->in_msglen )
5751 ? len : ssl->in_msglen;
5752
5753 memcpy( buf, ssl->in_offt, n );
5754 ssl->in_msglen -= n;
5755
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]5756 /* Zeroising the plaintext buffer to erase unused application data
5757 from the memory. */
5758 mbedtls_platform_zeroize( ssl->in_offt, n );
5759
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]5760 if( ssl->in_msglen == 0 )
5761 {
5762 /* all bytes consumed */
5763 ssl->in_offt = NULL;
5764 ssl->keep_current_message = 0;
5765 }
5766 else
5767 {
5768 /* more data available */
5769 ssl->in_offt += n;
5770 }
5771
5772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
5773
5774 return( (int) n );
5775}
5776
5777/*
5778 * Send application data to be encrypted by the SSL layer, taking care of max
5779 * fragment length and buffer size.
5780 *
5781 * According to RFC 5246 Section 6.2.1:
5782 *
5783 * Zero-length fragments of Application data MAY be sent as they are
5784 * potentially useful as a traffic analysis countermeasure.
5785 *
5786 * Therefore, it is possible that the input message length is 0 and the
5787 * corresponding return code is 0 on success.
5788 */
5789static int ssl_write_real( mbedtls_ssl_context *ssl,
5790 const unsigned char *buf, size_t len )
5791{
5792 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5793 const size_t max_len = (size_t) ret;
5794
5795 if( ret < 0 )
5796 {
5797 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5798 return( ret );
5799 }
5800
5801 if( len > max_len )
5802 {
5803#if defined(MBEDTLS_SSL_PROTO_DTLS)
5804 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5805 {
5806 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]5807 "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
5808 " > %" MBEDTLS_PRINTF_SIZET,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]5809 len, max_len ) );
5810 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5811 }
5812 else
5813#endif
5814 len = max_len;
5815 }
5816
5817 if( ssl->out_left != 0 )
5818 {
5819 /*
5820 * The user has previously tried to send the data and
5821 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5822 * written. In this case, we expect the high-level write function
5823 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5824 */
5825 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5826 {
5827 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
5828 return( ret );
5829 }
5830 }
5831 else
5832 {
5833 /*
5834 * The user is trying to send a message the first time, so we need to
5835 * copy the data into the internal buffers and setup the data structure
5836 * to keep track of partial writes
5837 */
5838 ssl->out_msglen = len;
5839 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
5840 memcpy( ssl->out_msg, buf, len );
5841
5842 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5843 {
5844 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5845 return( ret );
5846 }
5847 }
5848
5849 return( (int) len );
5850}
5851
5852/*
5853 * Write application data, doing 1/n-1 splitting if necessary.
5854 *
5855 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
5856 * then the caller will call us again with the same arguments, so
5857 * remember whether we already did the split or not.
5858 */
5859#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
5860static int ssl_write_split( mbedtls_ssl_context *ssl,
5861 const unsigned char *buf, size_t len )
5862{
5863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5864
5865 if( ssl->conf->cbc_record_splitting ==
5866 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
5867 len <= 1 ||
5868 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
5869 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
5870 != MBEDTLS_MODE_CBC )
5871 {
5872 return( ssl_write_real( ssl, buf, len ) );
5873 }
5874
5875 if( ssl->split_done == 0 )
5876 {
5877 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
5878 return( ret );
5879 ssl->split_done = 1;
5880 }
5881
5882 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
5883 return( ret );
5884 ssl->split_done = 0;
5885
5886 return( ret + 1 );
5887}
5888#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
5889
5890/*
5891 * Write application data (public-facing wrapper)
5892 */
5893int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
5894{
5895 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5896
5897 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
5898
5899 if( ssl == NULL || ssl->conf == NULL )
5900 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5901
5902#if defined(MBEDTLS_SSL_RENEGOTIATION)
5903 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5904 {
5905 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5906 return( ret );
5907 }
5908#endif
5909
5910 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5911 {
5912 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
5913 {
5914 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5915 return( ret );
5916 }
5917 }
5918
5919#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
5920 ret = ssl_write_split( ssl, buf, len );
5921#else
5922 ret = ssl_write_real( ssl, buf, len );
5923#endif
5924
5925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
5926
5927 return( ret );
5928}
5929
5930/*
5931 * Notify the peer that the connection is being closed
5932 */
5933int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
5934{
5935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5936
5937 if( ssl == NULL || ssl->conf == NULL )
5938 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5939
5940 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
5941
5942 if( ssl->out_left != 0 )
5943 return( mbedtls_ssl_flush_output( ssl ) );
5944
5945 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5946 {
5947 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5948 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5949 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
5950 {
5951 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
5952 return( ret );
5953 }
5954 }
5955
5956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
5957
5958 return( 0 );
5959}
5960
5961void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
5962{
5963 if( transform == NULL )
5964 return;
5965
5966#if defined(MBEDTLS_ZLIB_SUPPORT)
5967 deflateEnd( &transform->ctx_deflate );
5968 inflateEnd( &transform->ctx_inflate );
5969#endif
5970
5971 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5972 mbedtls_cipher_free( &transform->cipher_ctx_dec );
5973
5974#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
5975 mbedtls_md_free( &transform->md_ctx_enc );
5976 mbedtls_md_free( &transform->md_ctx_dec );
5977#endif
5978
5979 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
5980}
5981
5982#if defined(MBEDTLS_SSL_PROTO_DTLS)
5983
5984void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
5985{
5986 unsigned offset;
5987 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5988
5989 if( hs == NULL )
5990 return;
5991
5992 ssl_free_buffered_record( ssl );
5993
5994 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
5995 ssl_buffering_free_slot( ssl, offset );
5996}
5997
5998static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5999 uint8_t slot )
6000{
6001 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
6002 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
6003
6004 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
6005 return;
6006
6007 if( hs_buf->is_valid == 1 )
6008 {
6009 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
6010 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
6011 mbedtls_free( hs_buf->data );
6012 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
6013 }
6014}
6015
6016#endif /* MBEDTLS_SSL_PROTO_DTLS */
6017
6018/*
6019 * Convert version numbers to/from wire format
6020 * and, for DTLS, to/from TLS equivalent.
6021 *
6022 * For TLS this is the identity.
6023 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
6024 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
6025 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
6026 */
6027void mbedtls_ssl_write_version( int major, int minor, int transport,
6028 unsigned char ver[2] )
6029{
6030#if defined(MBEDTLS_SSL_PROTO_DTLS)
6031 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6032 {
6033 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
6034 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
6035
6036 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
6037 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
6038 }
6039 else
6040#else
6041 ((void) transport);
6042#endif
6043 {
6044 ver[0] = (unsigned char) major;
6045 ver[1] = (unsigned char) minor;
6046 }
6047}
6048
6049void mbedtls_ssl_read_version( int *major, int *minor, int transport,
6050 const unsigned char ver[2] )
6051{
6052#if defined(MBEDTLS_SSL_PROTO_DTLS)
6053 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6054 {
6055 *major = 255 - ver[0] + 2;
6056 *minor = 255 - ver[1] + 1;
6057
6058 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
6059 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
6060 }
6061 else
6062#else
6063 ((void) transport);
6064#endif
6065 {
6066 *major = ver[0];
6067 *minor = ver[1];
6068 }
6069}
6070
6071#endif /* MBEDTLS_SSL_TLS_C */