Blame - lib/libmbedtls/mbedtls/library/ssl_tls.c - OP-TEE/optee_os

blob: 976a87c5145938963d978faf0270128ba77a43eb [file] [log] [blame]

Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1	/*
				2	* SSLv3/TLSv1 shared functions
				3	*
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
				5	* SPDX-License-Identifier: Apache-2.0
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	18	*/
				19	/*
				20	* The SSL 3.0 specification was drafted by Netscape in 1996,
				21	* and became an IETF standard in 1999.
				22	*
				23	* http://wp.netscape.com/eng/ssl3/
				24	* http://www.ietf.org/rfc/rfc2246.txt
				25	* http://www.ietf.org/rfc/rfc4346.txt
				26	*/
				27
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	28	#include "common.h"
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	29
				30	#if defined(MBEDTLS_SSL_TLS_C)
				31
				32	#if defined(MBEDTLS_PLATFORM_C)
				33	#include "mbedtls/platform.h"
				34	#else
				35	#include <stdlib.h>
				36	#define mbedtls_calloc calloc
				37	#define mbedtls_free free
				38	#endif
				39
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	40	#include "mbedtls/ssl.h"
				41	#include "mbedtls/ssl_internal.h"
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	42	#include "mbedtls/debug.h"
				43	#include "mbedtls/error.h"
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	44	#include "mbedtls/platform_util.h"
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	45	#include "mbedtls/version.h"
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	46
				47	#include <string.h>
				48
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	49	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				50	#include "mbedtls/psa_util.h"
				51	#include "psa/crypto.h"
				52	#endif
				53
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	54	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				55	#include "mbedtls/oid.h"
				56	#endif
				57
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	58	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	59
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	60	#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
				61	/* Top-level Connection ID API */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	62
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	63	int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
				64	size_t len,
				65	int ignore_other_cid )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	66	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	67	if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
				68	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	69
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	70	if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
				71	ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	72	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	73	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	74	}
				75
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	76	conf->ignore_unexpected_cid = ignore_other_cid;
				77	conf->cid_len = len;
				78	return( 0 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	79	}
				80
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	81	int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
				82	int enable,
				83	unsigned char const *own_cid,
				84	size_t own_cid_len )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	85	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	86	if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				87	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	88
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	89	ssl->negotiate_cid = enable;
				90	if( enable == MBEDTLS_SSL_CID_DISABLED )
				91	{
				92	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	93	return( 0 );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	94	}
				95	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
				96	MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	97
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	98	if( own_cid_len != ssl->conf->cid_len )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	99	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	100	MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
				101	(unsigned) own_cid_len,
				102	(unsigned) ssl->conf->cid_len ) );
				103	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	104	}
				105
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	106	memcpy( ssl->own_cid, own_cid, own_cid_len );
				107	/* Truncation is not an issue here because
				108	* MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
				109	ssl->own_cid_len = (uint8_t) own_cid_len;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	110
				111	return( 0 );
				112	}
				113
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	114	int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
				115	int *enabled,
				116	unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
				117	size_t *peer_cid_len )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	118	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	119	*enabled = MBEDTLS_SSL_CID_DISABLED;
				120
				121	if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM \|\|
				122	ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
				123	{
				124	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				125	}
				126
				127	/* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
				128	* were used, but client and server requested the empty CID.
				129	* This is indistinguishable from not using the CID extension
				130	* in the first place. */
				131	if( ssl->transform_in->in_cid_len == 0 &&
				132	ssl->transform_in->out_cid_len == 0 )
				133	{
				134	return( 0 );
				135	}
				136
				137	if( peer_cid_len != NULL )
				138	{
				139	*peer_cid_len = ssl->transform_in->out_cid_len;
				140	if( peer_cid != NULL )
				141	{
				142	memcpy( peer_cid, ssl->transform_in->out_cid,
				143	ssl->transform_in->out_cid_len );
				144	}
				145	}
				146
				147	*enabled = MBEDTLS_SSL_CID_ENABLED;
				148
				149	return( 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	150	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	151	#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
				152
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	153	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				154
				155	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
				156	/*
				157	* Convert max_fragment_length codes to length.
				158	* RFC 6066 says:
				159	* enum{
				160	* 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
				161	* } MaxFragmentLength;
				162	* and we add 0 -> extension unused
				163	*/
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	164	static unsigned int ssl_mfl_code_to_length( int mfl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	165	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	166	switch( mfl )
				167	{
				168	case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
				169	return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
				170	case MBEDTLS_SSL_MAX_FRAG_LEN_512:
				171	return 512;
				172	case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
				173	return 1024;
				174	case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
				175	return 2048;
				176	case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
				177	return 4096;
				178	default:
				179	return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
				180	}
				181	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	182	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
				183
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	184	int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
				185	const mbedtls_ssl_session *src )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	186	{
				187	mbedtls_ssl_session_free( dst );
				188	memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
				189
				190	#if defined(MBEDTLS_X509_CRT_PARSE_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	191
				192	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	193	if( src->peer_cert != NULL )
				194	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	195	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	196
				197	dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
				198	if( dst->peer_cert == NULL )
				199	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				200
				201	mbedtls_x509_crt_init( dst->peer_cert );
				202
				203	if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
				204	src->peer_cert->raw.len ) ) != 0 )
				205	{
				206	mbedtls_free( dst->peer_cert );
				207	dst->peer_cert = NULL;
				208	return( ret );
				209	}
				210	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	211	#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				212	if( src->peer_cert_digest != NULL )
				213	{
				214	dst->peer_cert_digest =
				215	mbedtls_calloc( 1, src->peer_cert_digest_len );
				216	if( dst->peer_cert_digest == NULL )
				217	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				218
				219	memcpy( dst->peer_cert_digest, src->peer_cert_digest,
				220	src->peer_cert_digest_len );
				221	dst->peer_cert_digest_type = src->peer_cert_digest_type;
				222	dst->peer_cert_digest_len = src->peer_cert_digest_len;
				223	}
				224	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				225
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	226	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				227
				228	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
				229	if( src->ticket != NULL )
				230	{
				231	dst->ticket = mbedtls_calloc( 1, src->ticket_len );
				232	if( dst->ticket == NULL )
				233	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				234
				235	memcpy( dst->ticket, src->ticket, src->ticket_len );
				236	}
				237	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
				238
				239	return( 0 );
				240	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	241
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	242	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				243	static int resize_buffer( unsigned char *buffer, size_t len_new, size_t len_old )
				244	{
				245	unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
				246	if( resized_buffer == NULL )
				247	return -1;
				248
				249	/* We want to copy len_new bytes when downsizing the buffer, and
				250	* len_old bytes when upsizing, so we choose the smaller of two sizes,
				251	* to fit one buffer into another. Size checks, ensuring that no data is
				252	* lost, are done outside of this function. */
				253	memcpy( resized_buffer, *buffer,
				254	( len_new < len_old ) ? len_new : len_old );
				255	mbedtls_platform_zeroize( buffer, len_old );
				256	mbedtls_free( *buffer );
				257
				258	*buffer = resized_buffer;
				259	*len_old = len_new;
				260
				261	return 0;
				262	}
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	263
				264	static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
				265	size_t in_buf_new_len,
				266	size_t out_buf_new_len )
				267	{
				268	int modified = 0;
				269	size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
				270	size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
				271	if( ssl->in_buf != NULL )
				272	{
				273	written_in = ssl->in_msg - ssl->in_buf;
				274	iv_offset_in = ssl->in_iv - ssl->in_buf;
				275	len_offset_in = ssl->in_len - ssl->in_buf;
				276	if( downsizing ?
				277	ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
				278	ssl->in_buf_len < in_buf_new_len )
				279	{
				280	if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
				281	{
				282	MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
				283	}
				284	else
				285	{
				286	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
				287	in_buf_new_len ) );
				288	modified = 1;
				289	}
				290	}
				291	}
				292
				293	if( ssl->out_buf != NULL )
				294	{
				295	written_out = ssl->out_msg - ssl->out_buf;
				296	iv_offset_out = ssl->out_iv - ssl->out_buf;
				297	len_offset_out = ssl->out_len - ssl->out_buf;
				298	if( downsizing ?
				299	ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
				300	ssl->out_buf_len < out_buf_new_len )
				301	{
				302	if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
				303	{
				304	MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
				305	}
				306	else
				307	{
				308	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
				309	out_buf_new_len ) );
				310	modified = 1;
				311	}
				312	}
				313	}
				314	if( modified )
				315	{
				316	/* Update pointers here to avoid doing it twice. */
				317	mbedtls_ssl_reset_in_out_pointers( ssl );
				318	/* Fields below might not be properly updated with record
				319	* splitting or with CID, so they are manually updated here. */
				320	ssl->out_msg = ssl->out_buf + written_out;
				321	ssl->out_len = ssl->out_buf + len_offset_out;
				322	ssl->out_iv = ssl->out_buf + iv_offset_out;
				323
				324	ssl->in_msg = ssl->in_buf + written_in;
				325	ssl->in_len = ssl->in_buf + len_offset_in;
				326	ssl->in_iv = ssl->in_buf + iv_offset_in;
				327	}
				328	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	329	#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	330
				331	/*
				332	* Key material generation
				333	*/
				334	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				335	static int ssl3_prf( const unsigned char *secret, size_t slen,
				336	const char *label,
				337	const unsigned char *random, size_t rlen,
				338	unsigned char *dstbuf, size_t dlen )
				339	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	340	int ret = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	341	size_t i;
				342	mbedtls_md5_context md5;
				343	mbedtls_sha1_context sha1;
				344	unsigned char padding[16];
				345	unsigned char sha1sum[20];
				346	((void)label);
				347
				348	mbedtls_md5_init( &md5 );
				349	mbedtls_sha1_init( &sha1 );
				350
				351	/*
				352	* SSLv3:
				353	* block =
				354	* MD5( secret + SHA1( 'A' + secret + random ) ) +
				355	* MD5( secret + SHA1( 'BB' + secret + random ) ) +
				356	* MD5( secret + SHA1( 'CCC' + secret + random ) ) +
				357	* ...
				358	*/
				359	for( i = 0; i < dlen / 16; i++ )
				360	{
				361	memset( padding, (unsigned char) ('A' + i), 1 + i );
				362
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	363	if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
				364	goto exit;
				365	if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
				366	goto exit;
				367	if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
				368	goto exit;
				369	if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
				370	goto exit;
				371	if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
				372	goto exit;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	373
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	374	if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
				375	goto exit;
				376	if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
				377	goto exit;
				378	if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
				379	goto exit;
				380	if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
				381	goto exit;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	382	}
				383
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	384	exit:
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	385	mbedtls_md5_free( &md5 );
				386	mbedtls_sha1_free( &sha1 );
				387
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	388	mbedtls_platform_zeroize( padding, sizeof( padding ) );
				389	mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	390
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	391	return( ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	392	}
				393	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				394
				395	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
				396	static int tls1_prf( const unsigned char *secret, size_t slen,
				397	const char *label,
				398	const unsigned char *random, size_t rlen,
				399	unsigned char *dstbuf, size_t dlen )
				400	{
				401	size_t nb, hs;
				402	size_t i, j, k;
				403	const unsigned char S1, S2;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	404	unsigned char *tmp;
				405	size_t tmp_len = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	406	unsigned char h_i[20];
				407	const mbedtls_md_info_t *md_info;
				408	mbedtls_md_context_t md_ctx;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	409	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	410
				411	mbedtls_md_init( &md_ctx );
				412
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	413	tmp_len = 20 + strlen( label ) + rlen;
				414	tmp = mbedtls_calloc( 1, tmp_len );
				415	if( tmp == NULL )
				416	{
				417	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
				418	goto exit;
				419	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	420
				421	hs = ( slen + 1 ) / 2;
				422	S1 = secret;
				423	S2 = secret + slen - hs;
				424
				425	nb = strlen( label );
				426	memcpy( tmp + 20, label, nb );
				427	memcpy( tmp + 20 + nb, random, rlen );
				428	nb += rlen;
				429
				430	/*
				431	* First compute P_md5(secret,label+random)[0..dlen]
				432	*/
				433	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	434	{
				435	ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
				436	goto exit;
				437	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	438
				439	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	440	{
				441	goto exit;
				442	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	443
				444	mbedtls_md_hmac_starts( &md_ctx, S1, hs );
				445	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
				446	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
				447
				448	for( i = 0; i < dlen; i += 16 )
				449	{
				450	mbedtls_md_hmac_reset ( &md_ctx );
				451	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
				452	mbedtls_md_hmac_finish( &md_ctx, h_i );
				453
				454	mbedtls_md_hmac_reset ( &md_ctx );
				455	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
				456	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
				457
				458	k = ( i + 16 > dlen ) ? dlen % 16 : 16;
				459
				460	for( j = 0; j < k; j++ )
				461	dstbuf[i + j] = h_i[j];
				462	}
				463
				464	mbedtls_md_free( &md_ctx );
				465
				466	/*
				467	* XOR out with P_sha1(secret,label+random)[0..dlen]
				468	*/
				469	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	470	{
				471	ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
				472	goto exit;
				473	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	474
				475	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	476	{
				477	goto exit;
				478	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	479
				480	mbedtls_md_hmac_starts( &md_ctx, S2, hs );
				481	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
				482	mbedtls_md_hmac_finish( &md_ctx, tmp );
				483
				484	for( i = 0; i < dlen; i += 20 )
				485	{
				486	mbedtls_md_hmac_reset ( &md_ctx );
				487	mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
				488	mbedtls_md_hmac_finish( &md_ctx, h_i );
				489
				490	mbedtls_md_hmac_reset ( &md_ctx );
				491	mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
				492	mbedtls_md_hmac_finish( &md_ctx, tmp );
				493
				494	k = ( i + 20 > dlen ) ? dlen % 20 : 20;
				495
				496	for( j = 0; j < k; j++ )
				497	dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
				498	}
				499
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	500	exit:
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	501	mbedtls_md_free( &md_ctx );
				502
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	503	mbedtls_platform_zeroize( tmp, tmp_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	504	mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	505
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	506	mbedtls_free( tmp );
				507	return( ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	508	}
				509	#endif /* MBEDTLS_SSL_PROTO_TLS1) \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
				510
				511	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	512	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				513
				514	static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	515	psa_key_id_t key,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	516	psa_algorithm_t alg,
				517	const unsigned char* seed, size_t seed_length,
				518	const unsigned char* label, size_t label_length,
				519	size_t capacity )
				520	{
				521	psa_status_t status;
				522
				523	status = psa_key_derivation_setup( derivation, alg );
				524	if( status != PSA_SUCCESS )
				525	return( status );
				526
				527	if( PSA_ALG_IS_TLS12_PRF( alg ) \|\| PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
				528	{
				529	status = psa_key_derivation_input_bytes( derivation,
				530	PSA_KEY_DERIVATION_INPUT_SEED,
				531	seed, seed_length );
				532	if( status != PSA_SUCCESS )
				533	return( status );
				534
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	535	if( mbedtls_svc_key_id_is_null( key ) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	536	{
				537	status = psa_key_derivation_input_bytes(
				538	derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
				539	NULL, 0 );
				540	}
				541	else
				542	{
				543	status = psa_key_derivation_input_key(
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	544	derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	545	}
				546	if( status != PSA_SUCCESS )
				547	return( status );
				548
				549	status = psa_key_derivation_input_bytes( derivation,
				550	PSA_KEY_DERIVATION_INPUT_LABEL,
				551	label, label_length );
				552	if( status != PSA_SUCCESS )
				553	return( status );
				554	}
				555	else
				556	{
				557	return( PSA_ERROR_NOT_SUPPORTED );
				558	}
				559
				560	status = psa_key_derivation_set_capacity( derivation, capacity );
				561	if( status != PSA_SUCCESS )
				562	return( status );
				563
				564	return( PSA_SUCCESS );
				565	}
				566
				567	static int tls_prf_generic( mbedtls_md_type_t md_type,
				568	const unsigned char *secret, size_t slen,
				569	const char *label,
				570	const unsigned char *random, size_t rlen,
				571	unsigned char *dstbuf, size_t dlen )
				572	{
				573	psa_status_t status;
				574	psa_algorithm_t alg;
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	575	psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	576	psa_key_derivation_operation_t derivation =
				577	PSA_KEY_DERIVATION_OPERATION_INIT;
				578
				579	if( md_type == MBEDTLS_MD_SHA384 )
				580	alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
				581	else
				582	alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
				583
				584	/* Normally a "secret" should be long enough to be impossible to
				585	* find by brute force, and in particular should not be empty. But
				586	* this PRF is also used to derive an IV, in particular in EAP-TLS,
				587	* and for this use case it makes sense to have a 0-length "secret".
				588	* Since the key API doesn't allow importing a key of length 0,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	589	* keep master_key=0, which setup_psa_key_derivation() understands
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	590	* to mean a 0-length "secret" input. */
				591	if( slen != 0 )
				592	{
				593	psa_key_attributes_t key_attributes = psa_key_attributes_init();
				594	psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
				595	psa_set_key_algorithm( &key_attributes, alg );
				596	psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
				597
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	598	status = psa_import_key( &key_attributes, secret, slen, &master_key );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	599	if( status != PSA_SUCCESS )
				600	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				601	}
				602
				603	status = setup_psa_key_derivation( &derivation,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	604	master_key, alg,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	605	random, rlen,
				606	(unsigned char const *) label,
				607	(size_t) strlen( label ),
				608	dlen );
				609	if( status != PSA_SUCCESS )
				610	{
				611	psa_key_derivation_abort( &derivation );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	612	psa_destroy_key( master_key );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	613	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				614	}
				615
				616	status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
				617	if( status != PSA_SUCCESS )
				618	{
				619	psa_key_derivation_abort( &derivation );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	620	psa_destroy_key( master_key );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	621	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				622	}
				623
				624	status = psa_key_derivation_abort( &derivation );
				625	if( status != PSA_SUCCESS )
				626	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	627	psa_destroy_key( master_key );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	628	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				629	}
				630
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	631	if( ! mbedtls_svc_key_id_is_null( master_key ) )
				632	status = psa_destroy_key( master_key );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	633	if( status != PSA_SUCCESS )
				634	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				635
				636	return( 0 );
				637	}
				638
				639	#else /* MBEDTLS_USE_PSA_CRYPTO */
				640
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	641	static int tls_prf_generic( mbedtls_md_type_t md_type,
				642	const unsigned char *secret, size_t slen,
				643	const char *label,
				644	const unsigned char *random, size_t rlen,
				645	unsigned char *dstbuf, size_t dlen )
				646	{
				647	size_t nb;
				648	size_t i, j, k, md_len;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	649	unsigned char *tmp;
				650	size_t tmp_len = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	651	unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
				652	const mbedtls_md_info_t *md_info;
				653	mbedtls_md_context_t md_ctx;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	654	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	655
				656	mbedtls_md_init( &md_ctx );
				657
				658	if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
				659	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				660
				661	md_len = mbedtls_md_get_size( md_info );
				662
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	663	tmp_len = md_len + strlen( label ) + rlen;
				664	tmp = mbedtls_calloc( 1, tmp_len );
				665	if( tmp == NULL )
				666	{
				667	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
				668	goto exit;
				669	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	670
				671	nb = strlen( label );
				672	memcpy( tmp + md_len, label, nb );
				673	memcpy( tmp + md_len + nb, random, rlen );
				674	nb += rlen;
				675
				676	/*
				677	* Compute P_<hash>(secret, label + random)[0..dlen]
				678	*/
				679	if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	680	goto exit;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	681
				682	mbedtls_md_hmac_starts( &md_ctx, secret, slen );
				683	mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
				684	mbedtls_md_hmac_finish( &md_ctx, tmp );
				685
				686	for( i = 0; i < dlen; i += md_len )
				687	{
				688	mbedtls_md_hmac_reset ( &md_ctx );
				689	mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
				690	mbedtls_md_hmac_finish( &md_ctx, h_i );
				691
				692	mbedtls_md_hmac_reset ( &md_ctx );
				693	mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
				694	mbedtls_md_hmac_finish( &md_ctx, tmp );
				695
				696	k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
				697
				698	for( j = 0; j < k; j++ )
				699	dstbuf[i + j] = h_i[j];
				700	}
				701
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	702	exit:
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	703	mbedtls_md_free( &md_ctx );
				704
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	705	mbedtls_platform_zeroize( tmp, tmp_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	706	mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	707
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	708	mbedtls_free( tmp );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	709
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	710	return( ret );
				711	}
				712	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	713	#if defined(MBEDTLS_SHA256_C)
				714	static int tls_prf_sha256( const unsigned char *secret, size_t slen,
				715	const char *label,
				716	const unsigned char *random, size_t rlen,
				717	unsigned char *dstbuf, size_t dlen )
				718	{
				719	return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
				720	label, random, rlen, dstbuf, dlen ) );
				721	}
				722	#endif /* MBEDTLS_SHA256_C */
				723
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	724	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	725	static int tls_prf_sha384( const unsigned char *secret, size_t slen,
				726	const char *label,
				727	const unsigned char *random, size_t rlen,
				728	unsigned char *dstbuf, size_t dlen )
				729	{
				730	return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
				731	label, random, rlen, dstbuf, dlen ) );
				732	}
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	733	#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	734	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				735
				736	static void ssl_update_checksum_start( mbedtls_ssl_context , const unsigned char , size_t );
				737
				738	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				739	defined(MBEDTLS_SSL_PROTO_TLS1_1)
				740	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context , const unsigned char , size_t );
				741	#endif
				742
				743	#if defined(MBEDTLS_SSL_PROTO_SSL3)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	744	static void ssl_calc_verify_ssl( const mbedtls_ssl_context , unsigned char , size_t * );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	745	static void ssl_calc_finished_ssl( mbedtls_ssl_context , unsigned char , int );
				746	#endif
				747
				748	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	749	static void ssl_calc_verify_tls( const mbedtls_ssl_context , unsigned char, size_t * );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	750	static void ssl_calc_finished_tls( mbedtls_ssl_context , unsigned char , int );
				751	#endif
				752
				753	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				754	#if defined(MBEDTLS_SHA256_C)
				755	static void ssl_update_checksum_sha256( mbedtls_ssl_context , const unsigned char , size_t );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	756	static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context ,unsigned char, size_t * );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	757	static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context ,unsigned char , int );
				758	#endif
				759
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	760	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	761	static void ssl_update_checksum_sha384( mbedtls_ssl_context , const unsigned char , size_t );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	762	static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context , unsigned char, size_t * );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	763	static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context , unsigned char , int );
				764	#endif
				765	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				766
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	767	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
				768	defined(MBEDTLS_USE_PSA_CRYPTO)
				769	static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
				770	{
				771	if( ssl->conf->f_psk != NULL )
				772	{
				773	/* If we've used a callback to select the PSK,
				774	* the static configuration is irrelevant. */
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	775	if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	776	return( 1 );
				777
				778	return( 0 );
				779	}
				780
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	781	if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	782	return( 1 );
				783
				784	return( 0 );
				785	}
				786	#endif /* MBEDTLS_USE_PSA_CRYPTO &&
				787	MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
				788
				789	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
				790	static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
				791	{
				792	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				793	if( tls_prf == ssl3_prf )
				794	{
				795	return( MBEDTLS_SSL_TLS_PRF_SSL3 );
				796	}
				797	else
				798	#endif
				799	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
				800	if( tls_prf == tls1_prf )
				801	{
				802	return( MBEDTLS_SSL_TLS_PRF_TLS1 );
				803	}
				804	else
				805	#endif
				806	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	807	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	808	if( tls_prf == tls_prf_sha384 )
				809	{
				810	return( MBEDTLS_SSL_TLS_PRF_SHA384 );
				811	}
				812	else
				813	#endif
				814	#if defined(MBEDTLS_SHA256_C)
				815	if( tls_prf == tls_prf_sha256 )
				816	{
				817	return( MBEDTLS_SSL_TLS_PRF_SHA256 );
				818	}
				819	else
				820	#endif
				821	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				822	return( MBEDTLS_SSL_TLS_PRF_NONE );
				823	}
				824	#endif /* MBEDTLS_SSL_EXPORT_KEYS */
				825
				826	int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
				827	const unsigned char *secret, size_t slen,
				828	const char *label,
				829	const unsigned char *random, size_t rlen,
				830	unsigned char *dstbuf, size_t dlen )
				831	{
				832	mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
				833
				834	switch( prf )
				835	{
				836	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				837	case MBEDTLS_SSL_TLS_PRF_SSL3:
				838	tls_prf = ssl3_prf;
				839	break;
				840	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				841	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
				842	case MBEDTLS_SSL_TLS_PRF_TLS1:
				843	tls_prf = tls1_prf;
				844	break;
				845	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
				846
				847	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	848	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	849	case MBEDTLS_SSL_TLS_PRF_SHA384:
				850	tls_prf = tls_prf_sha384;
				851	break;
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	852	#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	853	#if defined(MBEDTLS_SHA256_C)
				854	case MBEDTLS_SSL_TLS_PRF_SHA256:
				855	tls_prf = tls_prf_sha256;
				856	break;
				857	#endif /* MBEDTLS_SHA256_C */
				858	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				859	default:
				860	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
				861	}
				862
				863	return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
				864	}
				865
				866	/* Type for the TLS PRF */
				867	typedef int ssl_tls_prf_t(const unsigned char , size_t, const char ,
				868	const unsigned char *, size_t,
				869	unsigned char *, size_t);
				870
				871	/*
				872	* Populate a transform structure with session keys and all the other
				873	* necessary information.
				874	*
				875	* Parameters:
				876	* - [in/out]: transform: structure to populate
				877	* [in] must be just initialised with mbedtls_ssl_transform_init()
				878	* [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
				879	* - [in] ciphersuite
				880	* - [in] master
				881	* - [in] encrypt_then_mac
				882	* - [in] trunc_hmac
				883	* - [in] compression
				884	* - [in] tls_prf: pointer to PRF to use for key derivation
				885	* - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
				886	* - [in] minor_ver: SSL/TLS minor version
				887	* - [in] endpoint: client or server
				888	* - [in] ssl: optionally used for:
				889	* - MBEDTLS_SSL_HW_RECORD_ACCEL: whole context (non-const)
				890	* - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
				891	* - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
				892	*/
				893	static int ssl_populate_transform( mbedtls_ssl_transform *transform,
				894	int ciphersuite,
				895	const unsigned char master[48],
				896	#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
				897	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				898	int encrypt_then_mac,
				899	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
				900	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				901	int trunc_hmac,
				902	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
				903	#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
				904	#if defined(MBEDTLS_ZLIB_SUPPORT)
				905	int compression,
				906	#endif
				907	ssl_tls_prf_t tls_prf,
				908	const unsigned char randbytes[64],
				909	int minor_ver,
				910	unsigned endpoint,
				911	#if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
				912	const
				913	#endif
				914	mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	915	{
				916	int ret = 0;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	917	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				918	int psa_fallthrough;
				919	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	920	unsigned char keyblk[256];
				921	unsigned char *key1;
				922	unsigned char *key2;
				923	unsigned char *mac_enc;
				924	unsigned char *mac_dec;
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	925	size_t mac_key_len = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	926	size_t iv_copy_len;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	927	unsigned keylen;
				928	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	929	const mbedtls_cipher_info_t *cipher_info;
				930	const mbedtls_md_info_t *md_info;
				931
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	932	#if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL) && \
				933	!defined(MBEDTLS_SSL_EXPORT_KEYS) && \
				934	!defined(MBEDTLS_DEBUG_C)
				935	ssl = NULL; /* make sure we don't use it except for those cases */
				936	(void) ssl;
				937	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	938
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	939	/*
				940	* Some data just needs copying into the structure
				941	*/
				942	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
				943	defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
				944	transform->encrypt_then_mac = encrypt_then_mac;
				945	#endif
				946	transform->minor_ver = minor_ver;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	947
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	948	#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
				949	memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
				950	#endif
				951
				952	/*
				953	* Get various info structures
				954	*/
				955	ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
				956	if( ciphersuite_info == NULL )
				957	{
				958	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
				959	ciphersuite ) );
				960	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				961	}
				962
				963	cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	964	if( cipher_info == NULL )
				965	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	966	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	967	ciphersuite_info->cipher ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	968	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				969	}
				970
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	971	md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	972	if( md_info == NULL )
				973	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	974	MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
				975	(unsigned) ciphersuite_info->mac ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	976	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				977	}
				978
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	979	#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
				980	/* Copy own and peer's CID if the use of the CID
				981	* extension has been negotiated. */
				982	if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	983	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	984	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
				985
				986	transform->in_cid_len = ssl->own_cid_len;
				987	memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
				988	MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
				989	transform->in_cid_len );
				990
				991	transform->out_cid_len = ssl->handshake->peer_cid_len;
				992	memcpy( transform->out_cid, ssl->handshake->peer_cid,
				993	ssl->handshake->peer_cid_len );
				994	MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
				995	transform->out_cid_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	996	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	997	#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	998
				999	/*
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1000	* Compute key block using the PRF
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1001	*/
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1002	ret = tls_prf( master, 48, "key expansion", randbytes, 64, keyblk, 256 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1003	if( ret != 0 )
				1004	{
				1005	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
				1006	return( ret );
				1007	}
				1008
				1009	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1010	mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
				1011	MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", master, 48 );
				1012	MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", randbytes, 64 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1013	MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
				1014
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1015	/*
				1016	* Determine the appropriate key, IV and MAC length.
				1017	*/
				1018
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1019	keylen = cipher_info->key_bitlen / 8;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1020
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1021	#if defined(MBEDTLS_GCM_C) \|\| \
				1022	defined(MBEDTLS_CCM_C) \|\| \
				1023	defined(MBEDTLS_CHACHAPOLY_C)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1024	if( cipher_info->mode == MBEDTLS_MODE_GCM \|\|
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1025	cipher_info->mode == MBEDTLS_MODE_CCM \|\|
				1026	cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1027	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1028	size_t explicit_ivlen;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1029
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1030	transform->maclen = 0;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1031	mac_key_len = 0;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1032	transform->taglen =
				1033	ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1034
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1035	/* All modes haves 96-bit IVs, but the length of the static parts vary
				1036	* with mode and version:
				1037	* - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
				1038	* (to be concatenated with a dynamically chosen IV of 8 Bytes)
				1039	* - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
				1040	* a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
				1041	* sequence number).
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1042	*/
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1043	transform->ivlen = 12;
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1044	#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
				1045	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
				1046	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1047	transform->fixed_ivlen = 12;
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1048	}
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1049	else
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1050	#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
				1051	{
				1052	if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
				1053	transform->fixed_ivlen = 12;
				1054	else
				1055	transform->fixed_ivlen = 4;
				1056	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1057
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1058	/* Minimum length of encrypted record */
				1059	explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1060	transform->minlen = explicit_ivlen + transform->taglen;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1061	}
				1062	else
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1063	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C \|\| MBEDTLS_CHACHAPOLY_C */
				1064	#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
				1065	if( cipher_info->mode == MBEDTLS_MODE_STREAM \|\|
				1066	cipher_info->mode == MBEDTLS_MODE_CBC )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1067	{
				1068	/* Initialize HMAC contexts */
				1069	if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 \|\|
				1070	( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
				1071	{
				1072	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1073	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1074	}
				1075
				1076	/* Get MAC length */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1077	mac_key_len = mbedtls_md_get_size( md_info );
				1078	transform->maclen = mac_key_len;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1079
				1080	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				1081	/*
				1082	* If HMAC is to be truncated, we shall keep the leftmost bytes,
				1083	* (rfc 6066 page 13 or rfc 2104 section 4),
				1084	* so we only need to adjust the length here.
				1085	*/
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1086	if( trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1087	{
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1088	transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1089
				1090	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
				1091	/* Fall back to old, non-compliant version of the truncated
				1092	* HMAC implementation which also truncates the key
				1093	* (Mbed TLS versions from 1.3 to 2.6.0) */
				1094	mac_key_len = transform->maclen;
				1095	#endif
				1096	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1097	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
				1098
				1099	/* IV length */
				1100	transform->ivlen = cipher_info->iv_size;
				1101
				1102	/* Minimum length */
				1103	if( cipher_info->mode == MBEDTLS_MODE_STREAM )
				1104	transform->minlen = transform->maclen;
				1105	else
				1106	{
				1107	/*
				1108	* GenericBlockCipher:
				1109	* 1. if EtM is in use: one block plus MAC
				1110	* otherwise: * first multiple of blocklen greater than maclen
				1111	* 2. IV except for SSL3 and TLS 1.0
				1112	*/
				1113	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1114	if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1115	{
				1116	transform->minlen = transform->maclen
				1117	+ cipher_info->block_size;
				1118	}
				1119	else
				1120	#endif
				1121	{
				1122	transform->minlen = transform->maclen
				1123	+ cipher_info->block_size
				1124	- transform->maclen % cipher_info->block_size;
				1125	}
				1126
				1127	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1128	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
				1129	minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1130	; /* No need to adjust minlen */
				1131	else
				1132	#endif
				1133	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1134	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 \|\|
				1135	minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1136	{
				1137	transform->minlen += transform->ivlen;
				1138	}
				1139	else
				1140	#endif
				1141	{
				1142	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1143	ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
				1144	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1145	}
				1146	}
				1147	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1148	else
				1149	#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
				1150	{
				1151	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
				1152	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				1153	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1154
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1155	MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
				1156	(unsigned) keylen,
				1157	(unsigned) transform->minlen,
				1158	(unsigned) transform->ivlen,
				1159	(unsigned) transform->maclen ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1160
				1161	/*
				1162	* Finally setup the cipher contexts, IVs and MAC secrets.
				1163	*/
				1164	#if defined(MBEDTLS_SSL_CLI_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1165	if( endpoint == MBEDTLS_SSL_IS_CLIENT )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1166	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1167	key1 = keyblk + mac_key_len * 2;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1168	key2 = keyblk + mac_key_len * 2 + keylen;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1169
				1170	mac_enc = keyblk;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1171	mac_dec = keyblk + mac_key_len;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1172
				1173	/*
				1174	* This is not used in TLS v1.1.
				1175	*/
				1176	iv_copy_len = ( transform->fixed_ivlen ) ?
				1177	transform->fixed_ivlen : transform->ivlen;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1178	memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
				1179	memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1180	iv_copy_len );
				1181	}
				1182	else
				1183	#endif /* MBEDTLS_SSL_CLI_C */
				1184	#if defined(MBEDTLS_SSL_SRV_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1185	if( endpoint == MBEDTLS_SSL_IS_SERVER )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1186	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1187	key1 = keyblk + mac_key_len * 2 + keylen;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1188	key2 = keyblk + mac_key_len * 2;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1189
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1190	mac_enc = keyblk + mac_key_len;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1191	mac_dec = keyblk;
				1192
				1193	/*
				1194	* This is not used in TLS v1.1.
				1195	*/
				1196	iv_copy_len = ( transform->fixed_ivlen ) ?
				1197	transform->fixed_ivlen : transform->ivlen;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1198	memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
				1199	memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1200	iv_copy_len );
				1201	}
				1202	else
				1203	#endif /* MBEDTLS_SSL_SRV_C */
				1204	{
				1205	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1206	ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
				1207	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1208	}
				1209
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1210	#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1211	#if defined(MBEDTLS_SSL_PROTO_SSL3)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1212	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1213	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1214	if( mac_key_len > sizeof( transform->mac_enc ) )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1215	{
				1216	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1217	ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
				1218	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1219	}
				1220
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1221	memcpy( transform->mac_enc, mac_enc, mac_key_len );
				1222	memcpy( transform->mac_dec, mac_dec, mac_key_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1223	}
				1224	else
				1225	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				1226	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
				1227	defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1228	if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1229	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1230	/* For HMAC-based ciphersuites, initialize the HMAC transforms.
				1231	For AEAD-based ciphersuites, there is nothing to do here. */
				1232	if( mac_key_len != 0 )
				1233	{
				1234	mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
				1235	mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
				1236	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1237	}
				1238	else
				1239	#endif
				1240	{
				1241	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1242	ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
				1243	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1244	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1245	#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1246
				1247	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
				1248	if( mbedtls_ssl_hw_record_init != NULL )
				1249	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1250	ret = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1251
				1252	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
				1253
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1254	if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1255	transform->iv_enc, transform->iv_dec,
				1256	iv_copy_len,
				1257	mac_enc, mac_dec,
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1258	mac_key_len ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1259	{
				1260	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1261	ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
				1262	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1263	}
				1264	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1265	#else
				1266	((void) mac_dec);
				1267	((void) mac_enc);
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1268	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
				1269
				1270	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
				1271	if( ssl->conf->f_export_keys != NULL )
				1272	{
				1273	ssl->conf->f_export_keys( ssl->conf->p_export_keys,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1274	master, keyblk,
				1275	mac_key_len, keylen,
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1276	iv_copy_len );
				1277	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1278
				1279	if( ssl->conf->f_export_keys_ext != NULL )
				1280	{
				1281	ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys,
				1282	master, keyblk,
				1283	mac_key_len, keylen,
				1284	iv_copy_len,
				1285	randbytes + 32,
				1286	randbytes,
				1287	tls_prf_get_type( tls_prf ) );
				1288	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1289	#endif
				1290
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1291	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				1292
				1293	/* Only use PSA-based ciphers for TLS-1.2.
				1294	* That's relevant at least for TLS-1.0, where
				1295	* we assume that mbedtls_cipher_crypt() updates
				1296	* the structure field for the IV, which the PSA-based
				1297	* implementation currently doesn't. */
				1298	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				1299	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
				1300	{
				1301	ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
				1302	cipher_info, transform->taglen );
				1303	if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
				1304	{
				1305	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
				1306	goto end;
				1307	}
				1308
				1309	if( ret == 0 )
				1310	{
				1311	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
				1312	psa_fallthrough = 0;
				1313	}
				1314	else
				1315	{
				1316	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
				1317	psa_fallthrough = 1;
				1318	}
				1319	}
				1320	else
				1321	psa_fallthrough = 1;
				1322	#else
				1323	psa_fallthrough = 1;
				1324	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				1325
				1326	if( psa_fallthrough == 1 )
				1327	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1328	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
				1329	cipher_info ) ) != 0 )
				1330	{
				1331	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1332	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1333	}
				1334
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1335	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				1336	/* Only use PSA-based ciphers for TLS-1.2.
				1337	* That's relevant at least for TLS-1.0, where
				1338	* we assume that mbedtls_cipher_crypt() updates
				1339	* the structure field for the IV, which the PSA-based
				1340	* implementation currently doesn't. */
				1341	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				1342	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
				1343	{
				1344	ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
				1345	cipher_info, transform->taglen );
				1346	if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
				1347	{
				1348	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
				1349	goto end;
				1350	}
				1351
				1352	if( ret == 0 )
				1353	{
				1354	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
				1355	psa_fallthrough = 0;
				1356	}
				1357	else
				1358	{
				1359	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
				1360	psa_fallthrough = 1;
				1361	}
				1362	}
				1363	else
				1364	psa_fallthrough = 1;
				1365	#else
				1366	psa_fallthrough = 1;
				1367	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				1368
				1369	if( psa_fallthrough == 1 )
				1370	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1371	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
				1372	cipher_info ) ) != 0 )
				1373	{
				1374	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1375	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1376	}
				1377
				1378	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
				1379	cipher_info->key_bitlen,
				1380	MBEDTLS_ENCRYPT ) ) != 0 )
				1381	{
				1382	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1383	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1384	}
				1385
				1386	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
				1387	cipher_info->key_bitlen,
				1388	MBEDTLS_DECRYPT ) ) != 0 )
				1389	{
				1390	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1391	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1392	}
				1393
				1394	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				1395	if( cipher_info->mode == MBEDTLS_MODE_CBC )
				1396	{
				1397	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
				1398	MBEDTLS_PADDING_NONE ) ) != 0 )
				1399	{
				1400	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1401	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1402	}
				1403
				1404	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
				1405	MBEDTLS_PADDING_NONE ) ) != 0 )
				1406	{
				1407	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1408	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1409	}
				1410	}
				1411	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				1412
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1413
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1414	/* Initialize Zlib contexts */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1415	#if defined(MBEDTLS_ZLIB_SUPPORT)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1416	if( compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1417	{
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1418	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
				1419
				1420	memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
				1421	memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
				1422
				1423	if( deflateInit( &transform->ctx_deflate,
				1424	Z_DEFAULT_COMPRESSION ) != Z_OK \|\|
				1425	inflateInit( &transform->ctx_inflate ) != Z_OK )
				1426	{
				1427	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1428	ret = MBEDTLS_ERR_SSL_COMPRESSION_FAILED;
				1429	goto end;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1430	}
				1431	}
				1432	#endif /* MBEDTLS_ZLIB_SUPPORT */
				1433
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1434	end:
				1435	mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
				1436	return( ret );
				1437	}
				1438
				1439	/*
				1440	* Set appropriate PRF function and other SSL / TLS 1.0/1.1 / TLS1.2 functions
				1441	*
				1442	* Inputs:
				1443	* - SSL/TLS minor version
				1444	* - hash associated with the ciphersuite (only used by TLS 1.2)
				1445	*
				1446	* Outputs:
				1447	* - the tls_prf, calc_verify and calc_finished members of handshake structure
				1448	*/
				1449	static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
				1450	int minor_ver,
				1451	mbedtls_md_type_t hash )
				1452	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1453	#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) \|\| \
				1454	!( defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1455	(void) hash;
				1456	#endif
				1457
				1458	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				1459	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
				1460	{
				1461	handshake->tls_prf = ssl3_prf;
				1462	handshake->calc_verify = ssl_calc_verify_ssl;
				1463	handshake->calc_finished = ssl_calc_finished_ssl;
				1464	}
				1465	else
				1466	#endif
				1467	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
				1468	if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
				1469	{
				1470	handshake->tls_prf = tls1_prf;
				1471	handshake->calc_verify = ssl_calc_verify_tls;
				1472	handshake->calc_finished = ssl_calc_finished_tls;
				1473	}
				1474	else
				1475	#endif
				1476	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1477	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1478	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
				1479	hash == MBEDTLS_MD_SHA384 )
				1480	{
				1481	handshake->tls_prf = tls_prf_sha384;
				1482	handshake->calc_verify = ssl_calc_verify_tls_sha384;
				1483	handshake->calc_finished = ssl_calc_finished_tls_sha384;
				1484	}
				1485	else
				1486	#endif
				1487	#if defined(MBEDTLS_SHA256_C)
				1488	if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
				1489	{
				1490	handshake->tls_prf = tls_prf_sha256;
				1491	handshake->calc_verify = ssl_calc_verify_tls_sha256;
				1492	handshake->calc_finished = ssl_calc_finished_tls_sha256;
				1493	}
				1494	else
				1495	#endif
				1496	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				1497	{
				1498	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				1499	}
				1500
				1501	return( 0 );
				1502	}
				1503
				1504	/*
				1505	* Compute master secret if needed
				1506	*
				1507	* Parameters:
				1508	* [in/out] handshake
				1509	* [in] resume, premaster, extended_ms, calc_verify, tls_prf
				1510	* (PSA-PSK) ciphersuite_info, psk_opaque
				1511	* [out] premaster (cleared)
				1512	* [out] master
				1513	* [in] ssl: optionally used for debugging, EMS and PSA-PSK
				1514	* debug: conf->f_dbg, conf->p_dbg
				1515	* EMS: passed to calc_verify (debug + (SSL3) session_negotiate)
				1516	* PSA-PSA: minor_ver, conf
				1517	*/
				1518	static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
				1519	unsigned char *master,
				1520	const mbedtls_ssl_context *ssl )
				1521	{
				1522	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1523
				1524	/* cf. RFC 5246, Section 8.1:
				1525	* "The master secret is always exactly 48 bytes in length." */
				1526	size_t const master_secret_len = 48;
				1527
				1528	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
				1529	unsigned char session_hash[48];
				1530	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
				1531
				1532	/* The label for the KDF used for key expansion.
				1533	* This is either "master secret" or "extended master secret"
				1534	* depending on whether the Extended Master Secret extension
				1535	* is used. */
				1536	char const *lbl = "master secret";
				1537
				1538	/* The salt for the KDF used for key expansion.
				1539	* - If the Extended Master Secret extension is not used,
				1540	* this is ClientHello.Random + ServerHello.Random
				1541	* (see Sect. 8.1 in RFC 5246).
				1542	* - If the Extended Master Secret extension is used,
				1543	* this is the transcript of the handshake so far.
				1544	* (see Sect. 4 in RFC 7627). */
				1545	unsigned char const *salt = handshake->randbytes;
				1546	size_t salt_len = 64;
				1547
				1548	#if !defined(MBEDTLS_DEBUG_C) && \
				1549	!defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
				1550	!(defined(MBEDTLS_USE_PSA_CRYPTO) && \
				1551	defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
				1552	ssl = NULL; /* make sure we don't use it except for those cases */
				1553	(void) ssl;
				1554	#endif
				1555
				1556	if( handshake->resume != 0 )
				1557	{
				1558	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
				1559	return( 0 );
				1560	}
				1561
				1562	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
				1563	if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
				1564	{
				1565	lbl = "extended master secret";
				1566	salt = session_hash;
				1567	handshake->calc_verify( ssl, session_hash, &salt_len );
				1568
				1569	MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
				1570	session_hash, salt_len );
				1571	}
				1572	#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
				1573
				1574	#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
				1575	defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
				1576	if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
				1577	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
				1578	ssl_use_opaque_psk( ssl ) == 1 )
				1579	{
				1580	/* Perform PSK-to-MS expansion in a single step. */
				1581	psa_status_t status;
				1582	psa_algorithm_t alg;
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1583	psa_key_id_t psk;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1584	psa_key_derivation_operation_t derivation =
				1585	PSA_KEY_DERIVATION_OPERATION_INIT;
				1586	mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
				1587
				1588	MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
				1589
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1590	psk = mbedtls_ssl_get_opaque_psk( ssl );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1591
				1592	if( hash_alg == MBEDTLS_MD_SHA384 )
				1593	alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
				1594	else
				1595	alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
				1596
				1597	status = setup_psa_key_derivation( &derivation, psk, alg,
				1598	salt, salt_len,
				1599	(unsigned char const *) lbl,
				1600	(size_t) strlen( lbl ),
				1601	master_secret_len );
				1602	if( status != PSA_SUCCESS )
				1603	{
				1604	psa_key_derivation_abort( &derivation );
				1605	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				1606	}
				1607
				1608	status = psa_key_derivation_output_bytes( &derivation,
				1609	master,
				1610	master_secret_len );
				1611	if( status != PSA_SUCCESS )
				1612	{
				1613	psa_key_derivation_abort( &derivation );
				1614	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				1615	}
				1616
				1617	status = psa_key_derivation_abort( &derivation );
				1618	if( status != PSA_SUCCESS )
				1619	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				1620	}
				1621	else
				1622	#endif
				1623	{
				1624	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
				1625	lbl, salt, salt_len,
				1626	master,
				1627	master_secret_len );
				1628	if( ret != 0 )
				1629	{
				1630	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
				1631	return( ret );
				1632	}
				1633
				1634	MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
				1635	handshake->premaster,
				1636	handshake->pmslen );
				1637
				1638	mbedtls_platform_zeroize( handshake->premaster,
				1639	sizeof(handshake->premaster) );
				1640	}
				1641
				1642	return( 0 );
				1643	}
				1644
				1645	int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
				1646	{
				1647	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1648	const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
				1649	ssl->handshake->ciphersuite_info;
				1650
				1651	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
				1652
				1653	/* Set PRF, calc_verify and calc_finished function pointers */
				1654	ret = ssl_set_handshake_prfs( ssl->handshake,
				1655	ssl->minor_ver,
				1656	ciphersuite_info->mac );
				1657	if( ret != 0 )
				1658	{
				1659	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
				1660	return( ret );
				1661	}
				1662
				1663	/* Compute master secret if needed */
				1664	ret = ssl_compute_master( ssl->handshake,
				1665	ssl->session_negotiate->master,
				1666	ssl );
				1667	if( ret != 0 )
				1668	{
				1669	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );
				1670	return( ret );
				1671	}
				1672
				1673	/* Swap the client and server random values:
				1674	* - MS derivation wanted client+server (RFC 5246 8.1)
				1675	* - key derivation wants server+client (RFC 5246 6.3) */
				1676	{
				1677	unsigned char tmp[64];
				1678	memcpy( tmp, ssl->handshake->randbytes, 64 );
				1679	memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
				1680	memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
				1681	mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
				1682	}
				1683
				1684	/* Populate transform structure */
				1685	ret = ssl_populate_transform( ssl->transform_negotiate,
				1686	ssl->session_negotiate->ciphersuite,
				1687	ssl->session_negotiate->master,
				1688	#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
				1689	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				1690	ssl->session_negotiate->encrypt_then_mac,
				1691	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
				1692	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				1693	ssl->session_negotiate->trunc_hmac,
				1694	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
				1695	#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
				1696	#if defined(MBEDTLS_ZLIB_SUPPORT)
				1697	ssl->session_negotiate->compression,
				1698	#endif
				1699	ssl->handshake->tls_prf,
				1700	ssl->handshake->randbytes,
				1701	ssl->minor_ver,
				1702	ssl->conf->endpoint,
				1703	ssl );
				1704	if( ret != 0 )
				1705	{
				1706	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
				1707	return( ret );
				1708	}
				1709
				1710	/* We no longer need Server/ClientHello.random values */
				1711	mbedtls_platform_zeroize( ssl->handshake->randbytes,
				1712	sizeof( ssl->handshake->randbytes ) );
				1713
				1714	/* Allocate compression buffer */
				1715	#if defined(MBEDTLS_ZLIB_SUPPORT)
				1716	if( ssl->session_negotiate->compression == MBEDTLS_SSL_COMPRESS_DEFLATE &&
				1717	ssl->compress_buf == NULL )
				1718	{
				1719	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
				1720	ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
				1721	if( ssl->compress_buf == NULL )
				1722	{
				1723	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
				1724	MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
				1725	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				1726	}
				1727	}
				1728	#endif
				1729
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1730	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
				1731
				1732	return( 0 );
				1733	}
				1734
				1735	#if defined(MBEDTLS_SSL_PROTO_SSL3)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1736	void ssl_calc_verify_ssl( const mbedtls_ssl_context *ssl,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1737	unsigned char *hash,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1738	size_t *hlen )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1739	{
				1740	mbedtls_md5_context md5;
				1741	mbedtls_sha1_context sha1;
				1742	unsigned char pad_1[48];
				1743	unsigned char pad_2[48];
				1744
				1745	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
				1746
				1747	mbedtls_md5_init( &md5 );
				1748	mbedtls_sha1_init( &sha1 );
				1749
				1750	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
				1751	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
				1752
				1753	memset( pad_1, 0x36, 48 );
				1754	memset( pad_2, 0x5C, 48 );
				1755
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1756	mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
				1757	mbedtls_md5_update_ret( &md5, pad_1, 48 );
				1758	mbedtls_md5_finish_ret( &md5, hash );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1759
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1760	mbedtls_md5_starts_ret( &md5 );
				1761	mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
				1762	mbedtls_md5_update_ret( &md5, pad_2, 48 );
				1763	mbedtls_md5_update_ret( &md5, hash, 16 );
				1764	mbedtls_md5_finish_ret( &md5, hash );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1765
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1766	mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
				1767	mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
				1768	mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1769
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1770	mbedtls_sha1_starts_ret( &sha1 );
				1771	mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
				1772	mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
				1773	mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
				1774	mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1775
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1776	*hlen = 36;
				1777
				1778	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1779	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
				1780
				1781	mbedtls_md5_free( &md5 );
				1782	mbedtls_sha1_free( &sha1 );
				1783
				1784	return;
				1785	}
				1786	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				1787
				1788	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1789	void ssl_calc_verify_tls( const mbedtls_ssl_context *ssl,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1790	unsigned char *hash,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1791	size_t *hlen )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1792	{
				1793	mbedtls_md5_context md5;
				1794	mbedtls_sha1_context sha1;
				1795
				1796	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
				1797
				1798	mbedtls_md5_init( &md5 );
				1799	mbedtls_sha1_init( &sha1 );
				1800
				1801	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
				1802	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
				1803
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1804	mbedtls_md5_finish_ret( &md5, hash );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1805	mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1806
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1807	*hlen = 36;
				1808
				1809	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1810	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
				1811
				1812	mbedtls_md5_free( &md5 );
				1813	mbedtls_sha1_free( &sha1 );
				1814
				1815	return;
				1816	}
				1817	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
				1818
				1819	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				1820	#if defined(MBEDTLS_SHA256_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1821	void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1822	unsigned char *hash,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1823	size_t *hlen )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1824	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1825	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				1826	size_t hash_size;
				1827	psa_status_t status;
				1828	psa_hash_operation_t sha256_psa = psa_hash_operation_init();
				1829
				1830	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
				1831	status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
				1832	if( status != PSA_SUCCESS )
				1833	{
				1834	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
				1835	return;
				1836	}
				1837
				1838	status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
				1839	if( status != PSA_SUCCESS )
				1840	{
				1841	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
				1842	return;
				1843	}
				1844
				1845	*hlen = 32;
				1846	MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
				1847	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
				1848	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1849	mbedtls_sha256_context sha256;
				1850
				1851	mbedtls_sha256_init( &sha256 );
				1852
				1853	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
				1854
				1855	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1856	mbedtls_sha256_finish_ret( &sha256, hash );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1857
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1858	*hlen = 32;
				1859
				1860	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1861	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
				1862
				1863	mbedtls_sha256_free( &sha256 );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1864	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1865	return;
				1866	}
				1867	#endif /* MBEDTLS_SHA256_C */
				1868
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1869	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1870	void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1871	unsigned char *hash,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1872	size_t *hlen )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1873	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1874	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				1875	size_t hash_size;
				1876	psa_status_t status;
				1877	psa_hash_operation_t sha384_psa = psa_hash_operation_init();
				1878
				1879	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
				1880	status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
				1881	if( status != PSA_SUCCESS )
				1882	{
				1883	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
				1884	return;
				1885	}
				1886
				1887	status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
				1888	if( status != PSA_SUCCESS )
				1889	{
				1890	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
				1891	return;
				1892	}
				1893
				1894	*hlen = 48;
				1895	MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
				1896	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
				1897	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1898	mbedtls_sha512_context sha512;
				1899
				1900	mbedtls_sha512_init( &sha512 );
				1901
				1902	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
				1903
				1904	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1905	mbedtls_sha512_finish_ret( &sha512, hash );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1906
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1907	*hlen = 48;
				1908
				1909	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1910	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
				1911
				1912	mbedtls_sha512_free( &sha512 );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1913	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1914	return;
				1915	}
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1916	#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1917	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				1918
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1919	#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1920	int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
				1921	{
				1922	unsigned char *p = ssl->handshake->premaster;
				1923	unsigned char *end = p + sizeof( ssl->handshake->premaster );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1924	const unsigned char *psk = NULL;
				1925	size_t psk_len = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1926
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1927	if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
				1928	== MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1929	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	1930	/*
				1931	* This should never happen because the existence of a PSK is always
				1932	* checked before calling this function
				1933	*/
				1934	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
				1935	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1936	}
				1937
				1938	/*
				1939	* PMS = struct {
				1940	* opaque other_secret<0..2^16-1>;
				1941	* opaque psk<0..2^16-1>;
				1942	* };
				1943	* with "other_secret" depending on the particular key exchange
				1944	*/
				1945	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
				1946	if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
				1947	{
				1948	if( end - p < 2 )
				1949	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				1950
				1951	*(p++) = (unsigned char)( psk_len >> 8 );
				1952	*(p++) = (unsigned char)( psk_len );
				1953
				1954	if( end < p \|\| (size_t)( end - p ) < psk_len )
				1955	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				1956
				1957	memset( p, 0, psk_len );
				1958	p += psk_len;
				1959	}
				1960	else
				1961	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
				1962	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
				1963	if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
				1964	{
				1965	/*
				1966	* other_secret already set by the ClientKeyExchange message,
				1967	* and is 48 bytes long
				1968	*/
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	1969	if( end - p < 2 )
				1970	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				1971
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1972	*p++ = 0;
				1973	*p++ = 48;
				1974	p += 48;
				1975	}
				1976	else
				1977	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
				1978	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
				1979	if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
				1980	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	1981	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	1982	size_t len;
				1983
				1984	/* Write length only when we know the actual value */
				1985	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
				1986	p + 2, end - ( p + 2 ), &len,
				1987	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
				1988	{
				1989	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
				1990	return( ret );
				1991	}
				1992	*(p++) = (unsigned char)( len >> 8 );
				1993	*(p++) = (unsigned char)( len );
				1994	p += len;
				1995
				1996	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
				1997	}
				1998	else
				1999	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
				2000	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
				2001	if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
				2002	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2003	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2004	size_t zlen;
				2005
				2006	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
				2007	p + 2, end - ( p + 2 ),
				2008	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
				2009	{
				2010	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
				2011	return( ret );
				2012	}
				2013
				2014	*(p++) = (unsigned char)( zlen >> 8 );
				2015	*(p++) = (unsigned char)( zlen );
				2016	p += zlen;
				2017
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2018	MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
				2019	MBEDTLS_DEBUG_ECDH_Z );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2020	}
				2021	else
				2022	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
				2023	{
				2024	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
				2025	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				2026	}
				2027
				2028	/* opaque psk<0..2^16-1>; */
				2029	if( end - p < 2 )
				2030	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				2031
				2032	*(p++) = (unsigned char)( psk_len >> 8 );
				2033	*(p++) = (unsigned char)( psk_len );
				2034
				2035	if( end < p \|\| (size_t)( end - p ) < psk_len )
				2036	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				2037
				2038	memcpy( p, psk, psk_len );
				2039	p += psk_len;
				2040
				2041	ssl->handshake->pmslen = p - ssl->handshake->premaster;
				2042
				2043	return( 0 );
				2044	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2045	#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2046
				2047	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
				2048	static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
				2049
				2050	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2051	int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2052	{
				2053	/* If renegotiation is not enforced, retransmit until we would reach max
				2054	* timeout if we were using the usual handshake doubling scheme */
				2055	if( ssl->conf->renego_max_records < 0 )
				2056	{
				2057	uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
				2058	unsigned char doublings = 1;
				2059
				2060	while( ratio != 0 )
				2061	{
				2062	++doublings;
				2063	ratio >>= 1;
				2064	}
				2065
				2066	if( ++ssl->renego_records_seen > doublings )
				2067	{
				2068	MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
				2069	return( 0 );
				2070	}
				2071	}
				2072
				2073	return( ssl_write_hello_request( ssl ) );
				2074	}
				2075	#endif
				2076	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
				2077
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2078	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				2079	static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2080	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2081	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				2082	if( session->peer_cert != NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2083	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2084	mbedtls_x509_crt_free( session->peer_cert );
				2085	mbedtls_free( session->peer_cert );
				2086	session->peer_cert = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2087	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2088	#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				2089	if( session->peer_cert_digest != NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2090	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2091	/* Zeroization is not necessary. */
				2092	mbedtls_free( session->peer_cert_digest );
				2093	session->peer_cert_digest = NULL;
				2094	session->peer_cert_digest_type = MBEDTLS_MD_NONE;
				2095	session->peer_cert_digest_len = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2096	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2097	#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2098	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2099	#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2100
				2101	/*
				2102	* Handshake functions
				2103	*/
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2104	#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2105	/* No certificate support -> dummy functions */
				2106	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
				2107	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2108	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
				2109	ssl->handshake->ciphersuite_info;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2110
				2111	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
				2112
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2113	if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2114	{
				2115	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
				2116	ssl->state++;
				2117	return( 0 );
				2118	}
				2119
				2120	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
				2121	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				2122	}
				2123
				2124	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
				2125	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2126	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
				2127	ssl->handshake->ciphersuite_info;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2128
				2129	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
				2130
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2131	if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2132	{
				2133	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
				2134	ssl->state++;
				2135	return( 0 );
				2136	}
				2137
				2138	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
				2139	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				2140	}
				2141
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2142	#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2143	/* Some certificate support -> implement write and parse */
				2144
				2145	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
				2146	{
				2147	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
				2148	size_t i, n;
				2149	const mbedtls_x509_crt *crt;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2150	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
				2151	ssl->handshake->ciphersuite_info;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2152
				2153	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
				2154
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2155	if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2156	{
				2157	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
				2158	ssl->state++;
				2159	return( 0 );
				2160	}
				2161
				2162	#if defined(MBEDTLS_SSL_CLI_C)
				2163	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
				2164	{
				2165	if( ssl->client_auth == 0 )
				2166	{
				2167	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
				2168	ssl->state++;
				2169	return( 0 );
				2170	}
				2171
				2172	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				2173	/*
				2174	* If using SSLv3 and got no cert, send an Alert message
				2175	* (otherwise an empty Certificate message will be sent).
				2176	*/
				2177	if( mbedtls_ssl_own_cert( ssl ) == NULL &&
				2178	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
				2179	{
				2180	ssl->out_msglen = 2;
				2181	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
				2182	ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
				2183	ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
				2184
				2185	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
				2186	goto write_msg;
				2187	}
				2188	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				2189	}
				2190	#endif /* MBEDTLS_SSL_CLI_C */
				2191	#if defined(MBEDTLS_SSL_SRV_C)
				2192	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				2193	{
				2194	if( mbedtls_ssl_own_cert( ssl ) == NULL )
				2195	{
				2196	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
				2197	return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
				2198	}
				2199	}
				2200	#endif
				2201
				2202	MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
				2203
				2204	/*
				2205	* 0 . 0 handshake type
				2206	* 1 . 3 handshake length
				2207	* 4 . 6 length of all certs
				2208	* 7 . 9 length of cert. 1
				2209	* 10 . n-1 peer certificate
				2210	* n . n+2 length of cert. 2
				2211	* n+3 . ... upper level cert, etc.
				2212	*/
				2213	i = 7;
				2214	crt = mbedtls_ssl_own_cert( ssl );
				2215
				2216	while( crt != NULL )
				2217	{
				2218	n = crt->raw.len;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2219	if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2220	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	2221	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
				2222	" > %" MBEDTLS_PRINTF_SIZET,
				2223	i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2224	return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
				2225	}
				2226
				2227	ssl->out_msg[i ] = (unsigned char)( n >> 16 );
				2228	ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
				2229	ssl->out_msg[i + 2] = (unsigned char)( n );
				2230
				2231	i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
				2232	i += n; crt = crt->next;
				2233	}
				2234
				2235	ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
				2236	ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
				2237	ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
				2238
				2239	ssl->out_msglen = i;
				2240	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
				2241	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
				2242
				2243	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
				2244	write_msg:
				2245	#endif
				2246
				2247	ssl->state++;
				2248
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2249	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2250	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2251	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2252	return( ret );
				2253	}
				2254
				2255	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
				2256
				2257	return( ret );
				2258	}
				2259
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2260	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
				2261
				2262	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				2263	static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
				2264	unsigned char *crt_buf,
				2265	size_t crt_buf_len )
				2266	{
				2267	mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
				2268
				2269	if( peer_crt == NULL )
				2270	return( -1 );
				2271
				2272	if( peer_crt->raw.len != crt_buf_len )
				2273	return( -1 );
				2274
				2275	return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
				2276	}
				2277	#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				2278	static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
				2279	unsigned char *crt_buf,
				2280	size_t crt_buf_len )
				2281	{
				2282	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				2283	unsigned char const * const peer_cert_digest =
				2284	ssl->session->peer_cert_digest;
				2285	mbedtls_md_type_t const peer_cert_digest_type =
				2286	ssl->session->peer_cert_digest_type;
				2287	mbedtls_md_info_t const * const digest_info =
				2288	mbedtls_md_info_from_type( peer_cert_digest_type );
				2289	unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
				2290	size_t digest_len;
				2291
				2292	if( peer_cert_digest == NULL \|\| digest_info == NULL )
				2293	return( -1 );
				2294
				2295	digest_len = mbedtls_md_get_size( digest_info );
				2296	if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
				2297	return( -1 );
				2298
				2299	ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
				2300	if( ret != 0 )
				2301	return( -1 );
				2302
				2303	return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
				2304	}
				2305	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				2306	#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
				2307
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2308	/*
				2309	* Once the certificate message is read, parse it into a cert chain and
				2310	* perform basic checks, but leave actual verification to the caller
				2311	*/
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2312	static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
				2313	mbedtls_x509_crt *chain )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2314	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2315	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				2316	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
				2317	int crt_cnt=0;
				2318	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2319	size_t i, n;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2320	uint8_t alert;
				2321
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2322	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
				2323	{
				2324	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
				2325	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2326	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
				2327	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
				2328	}
				2329
				2330	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE \|\|
				2331	ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
				2332	{
				2333	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
				2334	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2335	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
				2336	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
				2337	}
				2338
				2339	i = mbedtls_ssl_hs_hdr_len( ssl );
				2340
				2341	/*
				2342	* Same message structure as in mbedtls_ssl_write_certificate()
				2343	*/
				2344	n = ( ssl->in_msg[i+1] << 8 ) \| ssl->in_msg[i+2];
				2345
				2346	if( ssl->in_msg[i] != 0 \|\|
				2347	ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
				2348	{
				2349	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
				2350	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2351	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
				2352	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
				2353	}
				2354
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2355	/* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2356	i += 3;
				2357
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2358	/* Iterate through and parse the CRTs in the provided chain. */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2359	while( i < ssl->in_hslen )
				2360	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2361	/* Check that there's room for the next CRT's length fields. */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2362	if ( i + 3 > ssl->in_hslen ) {
				2363	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2364	mbedtls_ssl_send_alert_message( ssl,
				2365	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2366	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2367	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
				2368	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2369	/* In theory, the CRT can be up to 2**24 Bytes, but we don't support
				2370	* anything beyond 2*16 ~ 64K. /
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2371	if( ssl->in_msg[i] != 0 )
				2372	{
				2373	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2374	mbedtls_ssl_send_alert_message( ssl,
				2375	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2376	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2377	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
				2378	}
				2379
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2380	/* Read length of the next CRT in the chain. */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2381	n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
				2382	\| (unsigned int) ssl->in_msg[i + 2];
				2383	i += 3;
				2384
				2385	if( n < 128 \|\| i + n > ssl->in_hslen )
				2386	{
				2387	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2388	mbedtls_ssl_send_alert_message( ssl,
				2389	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2390	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2391	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
				2392	}
				2393
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2394	/* Check if we're handling the first CRT in the chain. */
				2395	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
				2396	if( crt_cnt++ == 0 &&
				2397	ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
				2398	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
				2399	{
				2400	/* During client-side renegotiation, check that the server's
				2401	* end-CRTs hasn't changed compared to the initial handshake,
				2402	* mitigating the triple handshake attack. On success, reuse
				2403	* the original end-CRT instead of parsing it again. */
				2404	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
				2405	if( ssl_check_peer_crt_unchanged( ssl,
				2406	&ssl->in_msg[i],
				2407	n ) != 0 )
				2408	{
				2409	MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
				2410	mbedtls_ssl_send_alert_message( ssl,
				2411	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2412	MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
				2413	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
				2414	}
				2415
				2416	/* Now we can safely free the original chain. */
				2417	ssl_clear_peer_cert( ssl->session );
				2418	}
				2419	#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
				2420
				2421	/* Parse the next certificate in the chain. */
				2422	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				2423	ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
				2424	#else
				2425	/* If we don't need to store the CRT chain permanently, parse
				2426	* it in-place from the input buffer instead of making a copy. */
				2427	ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
				2428	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2429	switch( ret )
				2430	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2431	case 0: /ok/
				2432	case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
				2433	/* Ignore certificate with an unknown algorithm: maybe a
				2434	prior certificate was already trusted. */
				2435	break;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2436
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2437	case MBEDTLS_ERR_X509_ALLOC_FAILED:
				2438	alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
				2439	goto crt_parse_der_failed;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2440
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2441	case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
				2442	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
				2443	goto crt_parse_der_failed;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2444
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2445	default:
				2446	alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
				2447	crt_parse_der_failed:
				2448	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
				2449	MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
				2450	return( ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2451	}
				2452
				2453	i += n;
				2454	}
				2455
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2456	MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2457	return( 0 );
				2458	}
				2459
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2460	#if defined(MBEDTLS_SSL_SRV_C)
				2461	static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2462	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2463	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
				2464	return( -1 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2465
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2466	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				2467	/*
				2468	* Check if the client sent an empty certificate
				2469	*/
				2470	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2471	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2472	if( ssl->in_msglen == 2 &&
				2473	ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
				2474	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
				2475	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2476	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2477	MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
				2478	return( 0 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2479	}
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2480
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2481	return( -1 );
				2482	}
				2483	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				2484
				2485	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
				2486	defined(MBEDTLS_SSL_PROTO_TLS1_2)
				2487	if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
				2488	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
				2489	ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
				2490	memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
				2491	{
				2492	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
				2493	return( 0 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2494	}
				2495
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2496	return( -1 );
				2497	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
				2498	MBEDTLS_SSL_PROTO_TLS1_2 */
				2499	}
				2500	#endif /* MBEDTLS_SSL_SRV_C */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2501
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2502	/* Check if a certificate message is expected.
				2503	* Return either
				2504	* - SSL_CERTIFICATE_EXPECTED, or
				2505	* - SSL_CERTIFICATE_SKIP
				2506	* indicating whether a Certificate message is expected or not.
				2507	*/
				2508	#define SSL_CERTIFICATE_EXPECTED 0
				2509	#define SSL_CERTIFICATE_SKIP 1
				2510	static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
				2511	int authmode )
				2512	{
				2513	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
				2514	ssl->handshake->ciphersuite_info;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2515
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2516	if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
				2517	return( SSL_CERTIFICATE_SKIP );
				2518
				2519	#if defined(MBEDTLS_SSL_SRV_C)
				2520	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				2521	{
				2522	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
				2523	return( SSL_CERTIFICATE_SKIP );
				2524
				2525	if( authmode == MBEDTLS_SSL_VERIFY_NONE )
				2526	{
				2527	ssl->session_negotiate->verify_result =
				2528	MBEDTLS_X509_BADCERT_SKIP_VERIFY;
				2529	return( SSL_CERTIFICATE_SKIP );
				2530	}
				2531	}
				2532	#else
				2533	((void) authmode);
				2534	#endif /* MBEDTLS_SSL_SRV_C */
				2535
				2536	return( SSL_CERTIFICATE_EXPECTED );
				2537	}
				2538
				2539	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
				2540	int authmode,
				2541	mbedtls_x509_crt *chain,
				2542	void *rs_ctx )
				2543	{
				2544	int ret = 0;
				2545	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
				2546	ssl->handshake->ciphersuite_info;
				2547	int have_ca_chain = 0;
				2548
				2549	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t );
				2550	void *p_vrfy;
				2551
				2552	if( authmode == MBEDTLS_SSL_VERIFY_NONE )
				2553	return( 0 );
				2554
				2555	if( ssl->f_vrfy != NULL )
				2556	{
				2557	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
				2558	f_vrfy = ssl->f_vrfy;
				2559	p_vrfy = ssl->p_vrfy;
				2560	}
				2561	else
				2562	{
				2563	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
				2564	f_vrfy = ssl->conf->f_vrfy;
				2565	p_vrfy = ssl->conf->p_vrfy;
				2566	}
				2567
				2568	/*
				2569	* Main check: verify certificate
				2570	*/
				2571	#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
				2572	if( ssl->conf->f_ca_cb != NULL )
				2573	{
				2574	((void) rs_ctx);
				2575	have_ca_chain = 1;
				2576
				2577	MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
				2578	ret = mbedtls_x509_crt_verify_with_ca_cb(
				2579	chain,
				2580	ssl->conf->f_ca_cb,
				2581	ssl->conf->p_ca_cb,
				2582	ssl->conf->cert_profile,
				2583	ssl->hostname,
				2584	&ssl->session_negotiate->verify_result,
				2585	f_vrfy, p_vrfy );
				2586	}
				2587	else
				2588	#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2589	{
				2590	mbedtls_x509_crt *ca_chain;
				2591	mbedtls_x509_crl *ca_crl;
				2592
				2593	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
				2594	if( ssl->handshake->sni_ca_chain != NULL )
				2595	{
				2596	ca_chain = ssl->handshake->sni_ca_chain;
				2597	ca_crl = ssl->handshake->sni_ca_crl;
				2598	}
				2599	else
				2600	#endif
				2601	{
				2602	ca_chain = ssl->conf->ca_chain;
				2603	ca_crl = ssl->conf->ca_crl;
				2604	}
				2605
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2606	if( ca_chain != NULL )
				2607	have_ca_chain = 1;
				2608
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2609	ret = mbedtls_x509_crt_verify_restartable(
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2610	chain,
				2611	ca_chain, ca_crl,
				2612	ssl->conf->cert_profile,
				2613	ssl->hostname,
				2614	&ssl->session_negotiate->verify_result,
				2615	f_vrfy, p_vrfy, rs_ctx );
				2616	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2617
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2618	if( ret != 0 )
				2619	{
				2620	MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
				2621	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2622
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2623	#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
				2624	if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
				2625	return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2626	#endif
				2627
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2628	/*
				2629	* Secondary checks: always done, but change 'ret' only if it was 0
				2630	*/
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2631
				2632	#if defined(MBEDTLS_ECP_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2633	{
				2634	const mbedtls_pk_context *pk = &chain->pk;
				2635
				2636	/* If certificate uses an EC key, make sure the curve is OK */
				2637	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
				2638	mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2639	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2640	ssl->session_negotiate->verify_result \|= MBEDTLS_X509_BADCERT_BAD_KEY;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2641
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2642	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2643	if( ret == 0 )
				2644	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
				2645	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2646	}
				2647	#endif /* MBEDTLS_ECP_C */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2648
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2649	if( mbedtls_ssl_check_cert_usage( chain,
				2650	ciphersuite_info,
				2651	! ssl->conf->endpoint,
				2652	&ssl->session_negotiate->verify_result ) != 0 )
				2653	{
				2654	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
				2655	if( ret == 0 )
				2656	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2657	}
				2658
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2659	/* mbedtls_x509_crt_verify_with_profile is supposed to report a
				2660	* verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
				2661	* with details encoded in the verification flags. All other kinds
				2662	* of error codes, including those from the user provided f_vrfy
				2663	* functions, are treated as fatal and lead to a failure of
				2664	* ssl_parse_certificate even if verification was optional. */
				2665	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
				2666	( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED \|\|
				2667	ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
				2668	{
				2669	ret = 0;
				2670	}
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2671
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2672	if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
				2673	{
				2674	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
				2675	ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
				2676	}
				2677
				2678	if( ret != 0 )
				2679	{
				2680	uint8_t alert;
				2681
				2682	/* The certificate may have been rejected for several reasons.
				2683	Pick one and send the corresponding alert. Which alert to send
				2684	may be a subject of debate in some cases. */
				2685	if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
				2686	alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
				2687	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
				2688	alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
				2689	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
				2690	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
				2691	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
				2692	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
				2693	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
				2694	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
				2695	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
				2696	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
				2697	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
				2698	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
				2699	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
				2700	alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
				2701	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
				2702	alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
				2703	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
				2704	alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
				2705	else
				2706	alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
				2707	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2708	alert );
				2709	}
				2710
				2711	#if defined(MBEDTLS_DEBUG_C)
				2712	if( ssl->session_negotiate->verify_result != 0 )
				2713	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	2714	MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
				2715	(unsigned int) ssl->session_negotiate->verify_result ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2716	}
				2717	else
				2718	{
				2719	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
				2720	}
				2721	#endif /* MBEDTLS_DEBUG_C */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2722
				2723	return( ret );
				2724	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2725
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2726	#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				2727	static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
				2728	unsigned char *start, size_t len )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2729	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2730	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				2731	/* Remember digest of the peer's end-CRT. */
				2732	ssl->session_negotiate->peer_cert_digest =
				2733	mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
				2734	if( ssl->session_negotiate->peer_cert_digest == NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2735	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2736	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
				2737	MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
				2738	mbedtls_ssl_send_alert_message( ssl,
				2739	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2740	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
				2741
				2742	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2743	}
				2744
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2745	ret = mbedtls_md( mbedtls_md_info_from_type(
				2746	MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
				2747	start, len,
				2748	ssl->session_negotiate->peer_cert_digest );
				2749
				2750	ssl->session_negotiate->peer_cert_digest_type =
				2751	MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
				2752	ssl->session_negotiate->peer_cert_digest_len =
				2753	MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
				2754
				2755	return( ret );
				2756	}
				2757
				2758	static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
				2759	unsigned char *start, size_t len )
				2760	{
				2761	unsigned char *end = start + len;
				2762	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				2763
				2764	/* Make a copy of the peer's raw public key. */
				2765	mbedtls_pk_init( &ssl->handshake->peer_pubkey );
				2766	ret = mbedtls_pk_parse_subpubkey( &start, end,
				2767	&ssl->handshake->peer_pubkey );
				2768	if( ret != 0 )
				2769	{
				2770	/* We should have parsed the public key before. */
				2771	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
				2772	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2773
				2774	return( 0 );
				2775	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2776	#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2777
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2778	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2779	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2780	int ret = 0;
				2781	int crt_expected;
				2782	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
				2783	const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
				2784	? ssl->handshake->sni_authmode
				2785	: ssl->conf->authmode;
				2786	#else
				2787	const int authmode = ssl->conf->authmode;
				2788	#endif
				2789	void *rs_ctx = NULL;
				2790	mbedtls_x509_crt *chain = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2791
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2792	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
				2793
				2794	crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
				2795	if( crt_expected == SSL_CERTIFICATE_SKIP )
				2796	{
				2797	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
				2798	goto exit;
				2799	}
				2800
				2801	#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
				2802	if( ssl->handshake->ecrs_enabled &&
				2803	ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
				2804	{
				2805	chain = ssl->handshake->ecrs_peer_cert;
				2806	ssl->handshake->ecrs_peer_cert = NULL;
				2807	goto crt_verify;
				2808	}
				2809	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2810
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2811	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2812	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2813	/* mbedtls_ssl_read_record may have sent an alert already. We
				2814	let it decide whether to alert. */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2815	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2816	goto exit;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2817	}
				2818
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2819	#if defined(MBEDTLS_SSL_SRV_C)
				2820	if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2821	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2822	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
				2823
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	2824	if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2825	ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
				2826
				2827	goto exit;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2828	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2829	#endif /* MBEDTLS_SSL_SRV_C */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2830
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2831	/* Clear existing peer CRT structure in case we tried to
				2832	* reuse a session but it failed, and allocate a new one. */
				2833	ssl_clear_peer_cert( ssl->session_negotiate );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2834
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2835	chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
				2836	if( chain == NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2837	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	2838	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2839	sizeof( mbedtls_x509_crt ) ) );
				2840	mbedtls_ssl_send_alert_message( ssl,
				2841	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				2842	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
				2843
				2844	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
				2845	goto exit;
				2846	}
				2847	mbedtls_x509_crt_init( chain );
				2848
				2849	ret = ssl_parse_certificate_chain( ssl, chain );
				2850	if( ret != 0 )
				2851	goto exit;
				2852
				2853	#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
				2854	if( ssl->handshake->ecrs_enabled)
				2855	ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
				2856
				2857	crt_verify:
				2858	if( ssl->handshake->ecrs_enabled)
				2859	rs_ctx = &ssl->handshake->ecrs_ctx;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2860	#endif
				2861
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2862	ret = ssl_parse_certificate_verify( ssl, authmode,
				2863	chain, rs_ctx );
				2864	if( ret != 0 )
				2865	goto exit;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2866
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2867	#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2868	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2869	unsigned char crt_start, pk_start;
				2870	size_t crt_len, pk_len;
				2871
				2872	/* We parse the CRT chain without copying, so
				2873	* these pointers point into the input buffer,
				2874	* and are hence still valid after freeing the
				2875	* CRT chain. */
				2876
				2877	crt_start = chain->raw.p;
				2878	crt_len = chain->raw.len;
				2879
				2880	pk_start = chain->pk_raw.p;
				2881	pk_len = chain->pk_raw.len;
				2882
				2883	/* Free the CRT structures before computing
				2884	* digest and copying the peer's public key. */
				2885	mbedtls_x509_crt_free( chain );
				2886	mbedtls_free( chain );
				2887	chain = NULL;
				2888
				2889	ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
				2890	if( ret != 0 )
				2891	goto exit;
				2892
				2893	ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
				2894	if( ret != 0 )
				2895	goto exit;
				2896	}
				2897	#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				2898	/* Pass ownership to session structure. */
				2899	ssl->session_negotiate->peer_cert = chain;
				2900	chain = NULL;
				2901	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				2902
				2903	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
				2904
				2905	exit:
				2906
				2907	if( ret == 0 )
				2908	ssl->state++;
				2909
				2910	#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
				2911	if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
				2912	{
				2913	ssl->handshake->ecrs_peer_cert = chain;
				2914	chain = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2915	}
				2916	#endif
				2917
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2918	if( chain != NULL )
				2919	{
				2920	mbedtls_x509_crt_free( chain );
				2921	mbedtls_free( chain );
				2922	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2923
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2924	return( ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2925	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2926	#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2927
				2928	void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
				2929	const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
				2930	{
				2931	((void) ciphersuite_info);
				2932
				2933	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				2934	defined(MBEDTLS_SSL_PROTO_TLS1_1)
				2935	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
				2936	ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
				2937	else
				2938	#endif
				2939	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	2940	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2941	if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
				2942	ssl->handshake->update_checksum = ssl_update_checksum_sha384;
				2943	else
				2944	#endif
				2945	#if defined(MBEDTLS_SHA256_C)
				2946	if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
				2947	ssl->handshake->update_checksum = ssl_update_checksum_sha256;
				2948	else
				2949	#endif
				2950	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				2951	{
				2952	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
				2953	return;
				2954	}
				2955	}
				2956
				2957	void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
				2958	{
				2959	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				2960	defined(MBEDTLS_SSL_PROTO_TLS1_1)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2961	mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
				2962	mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2963	#endif
				2964	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				2965	#if defined(MBEDTLS_SHA256_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2966	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				2967	psa_hash_abort( &ssl->handshake->fin_sha256_psa );
				2968	psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
				2969	#else
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2970	mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2971	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2972	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	2973	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2974	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				2975	psa_hash_abort( &ssl->handshake->fin_sha384_psa );
				2976	psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
				2977	#else
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2978	mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2979	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2980	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2981	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				2982	}
				2983
				2984	static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
				2985	const unsigned char *buf, size_t len )
				2986	{
				2987	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				2988	defined(MBEDTLS_SSL_PROTO_TLS1_1)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2989	mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
				2990	mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2991	#endif
				2992	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				2993	#if defined(MBEDTLS_SHA256_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2994	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				2995	psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
				2996	#else
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	2997	mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	2998	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	2999	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3000	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3001	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3002	psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
				3003	#else
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3004	mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3005	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3006	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3007	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				3008	}
				3009
				3010	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				3011	defined(MBEDTLS_SSL_PROTO_TLS1_1)
				3012	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
				3013	const unsigned char *buf, size_t len )
				3014	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3015	mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
				3016	mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3017	}
				3018	#endif
				3019
				3020	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				3021	#if defined(MBEDTLS_SHA256_C)
				3022	static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
				3023	const unsigned char *buf, size_t len )
				3024	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3025	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3026	psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
				3027	#else
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3028	mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3029	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3030	}
				3031	#endif
				3032
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3033	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3034	static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
				3035	const unsigned char *buf, size_t len )
				3036	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3037	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3038	psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
				3039	#else
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3040	mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3041	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3042	}
				3043	#endif
				3044	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				3045
				3046	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				3047	static void ssl_calc_finished_ssl(
				3048	mbedtls_ssl_context ssl, unsigned char buf, int from )
				3049	{
				3050	const char *sender;
				3051	mbedtls_md5_context md5;
				3052	mbedtls_sha1_context sha1;
				3053
				3054	unsigned char padbuf[48];
				3055	unsigned char md5sum[16];
				3056	unsigned char sha1sum[20];
				3057
				3058	mbedtls_ssl_session *session = ssl->session_negotiate;
				3059	if( !session )
				3060	session = ssl->session;
				3061
				3062	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
				3063
				3064	mbedtls_md5_init( &md5 );
				3065	mbedtls_sha1_init( &sha1 );
				3066
				3067	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
				3068	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
				3069
				3070	/*
				3071	* SSLv3:
				3072	* hash =
				3073	* MD5( master + pad2 +
				3074	* MD5( handshake + sender + master + pad1 ) )
				3075	* + SHA1( master + pad2 +
				3076	* SHA1( handshake + sender + master + pad1 ) )
				3077	*/
				3078
				3079	#if !defined(MBEDTLS_MD5_ALT)
				3080	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
				3081	md5.state, sizeof( md5.state ) );
				3082	#endif
				3083
				3084	#if !defined(MBEDTLS_SHA1_ALT)
				3085	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
				3086	sha1.state, sizeof( sha1.state ) );
				3087	#endif
				3088
				3089	sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
				3090	: "SRVR";
				3091
				3092	memset( padbuf, 0x36, 48 );
				3093
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3094	mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
				3095	mbedtls_md5_update_ret( &md5, session->master, 48 );
				3096	mbedtls_md5_update_ret( &md5, padbuf, 48 );
				3097	mbedtls_md5_finish_ret( &md5, md5sum );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3098
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3099	mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
				3100	mbedtls_sha1_update_ret( &sha1, session->master, 48 );
				3101	mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
				3102	mbedtls_sha1_finish_ret( &sha1, sha1sum );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3103
				3104	memset( padbuf, 0x5C, 48 );
				3105
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3106	mbedtls_md5_starts_ret( &md5 );
				3107	mbedtls_md5_update_ret( &md5, session->master, 48 );
				3108	mbedtls_md5_update_ret( &md5, padbuf, 48 );
				3109	mbedtls_md5_update_ret( &md5, md5sum, 16 );
				3110	mbedtls_md5_finish_ret( &md5, buf );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3111
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3112	mbedtls_sha1_starts_ret( &sha1 );
				3113	mbedtls_sha1_update_ret( &sha1, session->master, 48 );
				3114	mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
				3115	mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
				3116	mbedtls_sha1_finish_ret( &sha1, buf + 16 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3117
				3118	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
				3119
				3120	mbedtls_md5_free( &md5 );
				3121	mbedtls_sha1_free( &sha1 );
				3122
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3123	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
				3124	mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
				3125	mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3126
				3127	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
				3128	}
				3129	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
				3130
				3131	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
				3132	static void ssl_calc_finished_tls(
				3133	mbedtls_ssl_context ssl, unsigned char buf, int from )
				3134	{
				3135	int len = 12;
				3136	const char *sender;
				3137	mbedtls_md5_context md5;
				3138	mbedtls_sha1_context sha1;
				3139	unsigned char padbuf[36];
				3140
				3141	mbedtls_ssl_session *session = ssl->session_negotiate;
				3142	if( !session )
				3143	session = ssl->session;
				3144
				3145	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
				3146
				3147	mbedtls_md5_init( &md5 );
				3148	mbedtls_sha1_init( &sha1 );
				3149
				3150	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
				3151	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
				3152
				3153	/*
				3154	* TLSv1:
				3155	* hash = PRF( master, finished_label,
				3156	* MD5( handshake ) + SHA1( handshake ) )[0..11]
				3157	*/
				3158
				3159	#if !defined(MBEDTLS_MD5_ALT)
				3160	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
				3161	md5.state, sizeof( md5.state ) );
				3162	#endif
				3163
				3164	#if !defined(MBEDTLS_SHA1_ALT)
				3165	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
				3166	sha1.state, sizeof( sha1.state ) );
				3167	#endif
				3168
				3169	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
				3170	? "client finished"
				3171	: "server finished";
				3172
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3173	mbedtls_md5_finish_ret( &md5, padbuf );
				3174	mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3175
				3176	ssl->handshake->tls_prf( session->master, 48, sender,
				3177	padbuf, 36, buf, len );
				3178
				3179	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
				3180
				3181	mbedtls_md5_free( &md5 );
				3182	mbedtls_sha1_free( &sha1 );
				3183
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3184	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3185
				3186	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
				3187	}
				3188	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
				3189
				3190	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				3191	#if defined(MBEDTLS_SHA256_C)
				3192	static void ssl_calc_finished_tls_sha256(
				3193	mbedtls_ssl_context ssl, unsigned char buf, int from )
				3194	{
				3195	int len = 12;
				3196	const char *sender;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3197	unsigned char padbuf[32];
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3198	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3199	size_t hash_size;
				3200	psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
				3201	psa_status_t status;
				3202	#else
				3203	mbedtls_sha256_context sha256;
				3204	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3205
				3206	mbedtls_ssl_session *session = ssl->session_negotiate;
				3207	if( !session )
				3208	session = ssl->session;
				3209
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3210	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
				3211	? "client finished"
				3212	: "server finished";
				3213
				3214	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3215	sha256_psa = psa_hash_operation_init();
				3216
				3217	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
				3218
				3219	status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
				3220	if( status != PSA_SUCCESS )
				3221	{
				3222	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
				3223	return;
				3224	}
				3225
				3226	status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
				3227	if( status != PSA_SUCCESS )
				3228	{
				3229	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
				3230	return;
				3231	}
				3232	MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
				3233	#else
				3234
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3235	mbedtls_sha256_init( &sha256 );
				3236
				3237	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
				3238
				3239	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
				3240
				3241	/*
				3242	* TLSv1.2:
				3243	* hash = PRF( master, finished_label,
				3244	* Hash( handshake ) )[0.11]
				3245	*/
				3246
				3247	#if !defined(MBEDTLS_SHA256_ALT)
				3248	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
				3249	sha256.state, sizeof( sha256.state ) );
				3250	#endif
				3251
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3252	mbedtls_sha256_finish_ret( &sha256, padbuf );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3253	mbedtls_sha256_free( &sha256 );
				3254	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3255
				3256	ssl->handshake->tls_prf( session->master, 48, sender,
				3257	padbuf, 32, buf, len );
				3258
				3259	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
				3260
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3261	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3262
				3263	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
				3264	}
				3265	#endif /* MBEDTLS_SHA256_C */
				3266
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3267	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
				3268
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3269	static void ssl_calc_finished_tls_sha384(
				3270	mbedtls_ssl_context ssl, unsigned char buf, int from )
				3271	{
				3272	int len = 12;
				3273	const char *sender;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3274	unsigned char padbuf[48];
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3275	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3276	size_t hash_size;
				3277	psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
				3278	psa_status_t status;
				3279	#else
				3280	mbedtls_sha512_context sha512;
				3281	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3282
				3283	mbedtls_ssl_session *session = ssl->session_negotiate;
				3284	if( !session )
				3285	session = ssl->session;
				3286
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3287	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
				3288	? "client finished"
				3289	: "server finished";
				3290
				3291	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3292	sha384_psa = psa_hash_operation_init();
				3293
				3294	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
				3295
				3296	status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
				3297	if( status != PSA_SUCCESS )
				3298	{
				3299	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
				3300	return;
				3301	}
				3302
				3303	status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
				3304	if( status != PSA_SUCCESS )
				3305	{
				3306	MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
				3307	return;
				3308	}
				3309	MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
				3310	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3311	mbedtls_sha512_init( &sha512 );
				3312
				3313	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
				3314
				3315	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
				3316
				3317	/*
				3318	* TLSv1.2:
				3319	* hash = PRF( master, finished_label,
				3320	* Hash( handshake ) )[0.11]
				3321	*/
				3322
				3323	#if !defined(MBEDTLS_SHA512_ALT)
				3324	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
				3325	sha512.state, sizeof( sha512.state ) );
				3326	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3327	/* mbedtls_sha512_finish_ret's output parameter is declared as a
				3328	* 64-byte buffer, but sice we're using SHA-384, we know that the
				3329	* output fits in 48 bytes. This is correct C, but GCC 11.1 warns
				3330	* about it.
				3331	*/
				3332	#if defined(__GNUC__) && __GNUC__ >= 11
				3333	#pragma GCC diagnostic push
				3334	#pragma GCC diagnostic ignored "-Wstringop-overflow"
				3335	#endif
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3336	mbedtls_sha512_finish_ret( &sha512, padbuf );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3337	#if defined(__GNUC__) && __GNUC__ >= 11
				3338	#pragma GCC diagnostic pop
				3339	#endif
				3340
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3341	mbedtls_sha512_free( &sha512 );
				3342	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3343
				3344	ssl->handshake->tls_prf( session->master, 48, sender,
				3345	padbuf, 48, buf, len );
				3346
				3347	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
				3348
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3349	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3350
				3351	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
				3352	}
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3353	#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3354	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				3355
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3356	void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3357	{
				3358	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
				3359
				3360	/*
				3361	* Free our handshake params
				3362	*/
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3363	mbedtls_ssl_handshake_free( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3364	mbedtls_free( ssl->handshake );
				3365	ssl->handshake = NULL;
				3366
				3367	/*
				3368	* Free the previous transform and swith in the current one
				3369	*/
				3370	if( ssl->transform )
				3371	{
				3372	mbedtls_ssl_transform_free( ssl->transform );
				3373	mbedtls_free( ssl->transform );
				3374	}
				3375	ssl->transform = ssl->transform_negotiate;
				3376	ssl->transform_negotiate = NULL;
				3377
				3378	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
				3379	}
				3380
				3381	void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
				3382	{
				3383	int resume = ssl->handshake->resume;
				3384
				3385	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
				3386
				3387	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				3388	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
				3389	{
				3390	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
				3391	ssl->renego_records_seen = 0;
				3392	}
				3393	#endif
				3394
				3395	/*
				3396	* Free the previous session and switch in the current one
				3397	*/
				3398	if( ssl->session )
				3399	{
				3400	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				3401	/* RFC 7366 3.1: keep the EtM state */
				3402	ssl->session_negotiate->encrypt_then_mac =
				3403	ssl->session->encrypt_then_mac;
				3404	#endif
				3405
				3406	mbedtls_ssl_session_free( ssl->session );
				3407	mbedtls_free( ssl->session );
				3408	}
				3409	ssl->session = ssl->session_negotiate;
				3410	ssl->session_negotiate = NULL;
				3411
				3412	/*
				3413	* Add cache entry
				3414	*/
				3415	if( ssl->conf->f_set_cache != NULL &&
				3416	ssl->session->id_len != 0 &&
				3417	resume == 0 )
				3418	{
				3419	if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
				3420	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
				3421	}
				3422
				3423	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3424	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
				3425	ssl->handshake->flight != NULL )
				3426	{
				3427	/* Cancel handshake timer */
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3428	mbedtls_ssl_set_timer( ssl, 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3429
				3430	/* Keep last flight around in case we need to resend it:
				3431	* we need the handshake and transform structures for that */
				3432	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
				3433	}
				3434	else
				3435	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3436	mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3437
				3438	ssl->state++;
				3439
				3440	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
				3441	}
				3442
				3443	int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
				3444	{
				3445	int ret, hash_len;
				3446
				3447	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
				3448
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3449	mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3450
				3451	ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
				3452
				3453	/*
				3454	* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
				3455	* may define some other value. Currently (early 2016), no defined
				3456	* ciphersuite does this (and this is unlikely to change as activity has
				3457	* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
				3458	*/
				3459	hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
				3460
				3461	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				3462	ssl->verify_data_len = hash_len;
				3463	memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
				3464	#endif
				3465
				3466	ssl->out_msglen = 4 + hash_len;
				3467	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
				3468	ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
				3469
				3470	/*
				3471	* In case of session resuming, invert the client and server
				3472	* ChangeCipherSpec messages order.
				3473	*/
				3474	if( ssl->handshake->resume != 0 )
				3475	{
				3476	#if defined(MBEDTLS_SSL_CLI_C)
				3477	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
				3478	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
				3479	#endif
				3480	#if defined(MBEDTLS_SSL_SRV_C)
				3481	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				3482	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
				3483	#endif
				3484	}
				3485	else
				3486	ssl->state++;
				3487
				3488	/*
				3489	* Switch to our negotiated transform and session parameters for outbound
				3490	* data.
				3491	*/
				3492	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
				3493
				3494	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3495	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				3496	{
				3497	unsigned char i;
				3498
				3499	/* Remember current epoch settings for resending */
				3500	ssl->handshake->alt_transform_out = ssl->transform_out;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3501	memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3502
				3503	/* Set sequence_number to zero */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3504	memset( ssl->cur_out_ctr + 2, 0, 6 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3505
				3506	/* Increment epoch */
				3507	for( i = 2; i > 0; i-- )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3508	if( ++ssl->cur_out_ctr[i - 1] != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3509	break;
				3510
				3511	/* The loop goes to its end iff the counter is wrapping */
				3512	if( i == 0 )
				3513	{
				3514	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
				3515	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
				3516	}
				3517	}
				3518	else
				3519	#endif /* MBEDTLS_SSL_PROTO_DTLS */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3520	memset( ssl->cur_out_ctr, 0, 8 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3521
				3522	ssl->transform_out = ssl->transform_negotiate;
				3523	ssl->session_out = ssl->session_negotiate;
				3524
				3525	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
				3526	if( mbedtls_ssl_hw_record_activate != NULL )
				3527	{
				3528	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
				3529	{
				3530	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
				3531	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				3532	}
				3533	}
				3534	#endif
				3535
				3536	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3537	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				3538	mbedtls_ssl_send_flight_completed( ssl );
				3539	#endif
				3540
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3541	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3542	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3543	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3544	return( ret );
				3545	}
				3546
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3547	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3548	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
				3549	( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
				3550	{
				3551	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
				3552	return( ret );
				3553	}
				3554	#endif
				3555
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3556	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
				3557
				3558	return( 0 );
				3559	}
				3560
				3561	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				3562	#define SSL_MAX_HASH_LEN 36
				3563	#else
				3564	#define SSL_MAX_HASH_LEN 12
				3565	#endif
				3566
				3567	int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
				3568	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3569	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3570	unsigned int hash_len;
				3571	unsigned char buf[SSL_MAX_HASH_LEN];
				3572
				3573	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
				3574
				3575	ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
				3576
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3577	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3578	{
				3579	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
				3580	return( ret );
				3581	}
				3582
				3583	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
				3584	{
				3585	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
				3586	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				3587	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
				3588	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
				3589	}
				3590
				3591	/* There is currently no ciphersuite using another length with TLS 1.2 */
				3592	#if defined(MBEDTLS_SSL_PROTO_SSL3)
				3593	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
				3594	hash_len = 36;
				3595	else
				3596	#endif
				3597	hash_len = 12;
				3598
				3599	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED \|\|
				3600	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
				3601	{
				3602	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
				3603	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				3604	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
				3605	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
				3606	}
				3607
				3608	if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
				3609	buf, hash_len ) != 0 )
				3610	{
				3611	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
				3612	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3613	MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3614	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
				3615	}
				3616
				3617	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				3618	ssl->verify_data_len = hash_len;
				3619	memcpy( ssl->peer_verify_data, buf, hash_len );
				3620	#endif
				3621
				3622	if( ssl->handshake->resume != 0 )
				3623	{
				3624	#if defined(MBEDTLS_SSL_CLI_C)
				3625	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
				3626	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
				3627	#endif
				3628	#if defined(MBEDTLS_SSL_SRV_C)
				3629	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				3630	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
				3631	#endif
				3632	}
				3633	else
				3634	ssl->state++;
				3635
				3636	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3637	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				3638	mbedtls_ssl_recv_flight_completed( ssl );
				3639	#endif
				3640
				3641	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
				3642
				3643	return( 0 );
				3644	}
				3645
				3646	static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
				3647	{
				3648	memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
				3649
				3650	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				3651	defined(MBEDTLS_SSL_PROTO_TLS1_1)
				3652	mbedtls_md5_init( &handshake->fin_md5 );
				3653	mbedtls_sha1_init( &handshake->fin_sha1 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3654	mbedtls_md5_starts_ret( &handshake->fin_md5 );
				3655	mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3656	#endif
				3657	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				3658	#if defined(MBEDTLS_SHA256_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3659	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3660	handshake->fin_sha256_psa = psa_hash_operation_init();
				3661	psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
				3662	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3663	mbedtls_sha256_init( &handshake->fin_sha256 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3664	mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3665	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3666	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3667	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3668	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				3669	handshake->fin_sha384_psa = psa_hash_operation_init();
				3670	psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
				3671	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3672	mbedtls_sha512_init( &handshake->fin_sha512 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3673	mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3674	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3675	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3676	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				3677
				3678	handshake->update_checksum = ssl_update_checksum_start;
				3679
				3680	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3681	defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3682	mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
				3683	#endif
				3684
				3685	#if defined(MBEDTLS_DHM_C)
				3686	mbedtls_dhm_init( &handshake->dhm_ctx );
				3687	#endif
				3688	#if defined(MBEDTLS_ECDH_C)
				3689	mbedtls_ecdh_init( &handshake->ecdh_ctx );
				3690	#endif
				3691	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
				3692	mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
				3693	#if defined(MBEDTLS_SSL_CLI_C)
				3694	handshake->ecjpake_cache = NULL;
				3695	handshake->ecjpake_cache_len = 0;
				3696	#endif
				3697	#endif
				3698
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3699	#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3700	mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
				3701	#endif
				3702
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3703	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
				3704	handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
				3705	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3706
				3707	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
				3708	!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				3709	mbedtls_pk_init( &handshake->peer_pubkey );
				3710	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3711	}
				3712
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3713	void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3714	{
				3715	memset( transform, 0, sizeof(mbedtls_ssl_transform) );
				3716
				3717	mbedtls_cipher_init( &transform->cipher_ctx_enc );
				3718	mbedtls_cipher_init( &transform->cipher_ctx_dec );
				3719
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3720	#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3721	mbedtls_md_init( &transform->md_ctx_enc );
				3722	mbedtls_md_init( &transform->md_ctx_dec );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3723	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3724	}
				3725
				3726	void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
				3727	{
				3728	memset( session, 0, sizeof(mbedtls_ssl_session) );
				3729	}
				3730
				3731	static int ssl_handshake_init( mbedtls_ssl_context *ssl )
				3732	{
				3733	/* Clear old handshake information if present */
				3734	if( ssl->transform_negotiate )
				3735	mbedtls_ssl_transform_free( ssl->transform_negotiate );
				3736	if( ssl->session_negotiate )
				3737	mbedtls_ssl_session_free( ssl->session_negotiate );
				3738	if( ssl->handshake )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3739	mbedtls_ssl_handshake_free( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3740
				3741	/*
				3742	* Either the pointers are now NULL or cleared properly and can be freed.
				3743	* Now allocate missing structures.
				3744	*/
				3745	if( ssl->transform_negotiate == NULL )
				3746	{
				3747	ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
				3748	}
				3749
				3750	if( ssl->session_negotiate == NULL )
				3751	{
				3752	ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
				3753	}
				3754
				3755	if( ssl->handshake == NULL )
				3756	{
				3757	ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
				3758	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3759	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				3760	/* If the buffers are too small - reallocate */
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3761
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3762	handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
				3763	MBEDTLS_SSL_OUT_BUFFER_LEN );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3764	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3765
				3766	/* All pointers should exist and can be directly freed without issue */
				3767	if( ssl->handshake == NULL \|\|
				3768	ssl->transform_negotiate == NULL \|\|
				3769	ssl->session_negotiate == NULL )
				3770	{
				3771	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
				3772
				3773	mbedtls_free( ssl->handshake );
				3774	mbedtls_free( ssl->transform_negotiate );
				3775	mbedtls_free( ssl->session_negotiate );
				3776
				3777	ssl->handshake = NULL;
				3778	ssl->transform_negotiate = NULL;
				3779	ssl->session_negotiate = NULL;
				3780
				3781	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				3782	}
				3783
				3784	/* Initialize structures */
				3785	mbedtls_ssl_session_init( ssl->session_negotiate );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3786	mbedtls_ssl_transform_init( ssl->transform_negotiate );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3787	ssl_handshake_params_init( ssl->handshake );
				3788
				3789	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3790	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				3791	{
				3792	ssl->handshake->alt_transform_out = ssl->transform_out;
				3793
				3794	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
				3795	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
				3796	else
				3797	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
				3798
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3799	mbedtls_ssl_set_timer( ssl, 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3800	}
				3801	#endif
				3802
				3803	return( 0 );
				3804	}
				3805
				3806	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
				3807	/* Dummy cookie callbacks for defaults */
				3808	static int ssl_cookie_write_dummy( void *ctx,
				3809	unsigned char *p, unsigned char end,
				3810	const unsigned char *cli_id, size_t cli_id_len )
				3811	{
				3812	((void) ctx);
				3813	((void) p);
				3814	((void) end);
				3815	((void) cli_id);
				3816	((void) cli_id_len);
				3817
				3818	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
				3819	}
				3820
				3821	static int ssl_cookie_check_dummy( void *ctx,
				3822	const unsigned char *cookie, size_t cookie_len,
				3823	const unsigned char *cli_id, size_t cli_id_len )
				3824	{
				3825	((void) ctx);
				3826	((void) cookie);
				3827	((void) cookie_len);
				3828	((void) cli_id);
				3829	((void) cli_id_len);
				3830
				3831	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
				3832	}
				3833	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
				3834
				3835	/*
				3836	* Initialize an SSL context
				3837	*/
				3838	void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
				3839	{
				3840	memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
				3841	}
				3842
				3843	/*
				3844	* Setup an SSL context
				3845	*/
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3846
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3847	int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
				3848	const mbedtls_ssl_config *conf )
				3849	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3850	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				3851	size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
				3852	size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3853
				3854	ssl->conf = conf;
				3855
				3856	/*
				3857	* Prepare base structures
				3858	*/
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3859
				3860	/* Set to NULL in case of an error condition */
				3861	ssl->out_buf = NULL;
				3862
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3863	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				3864	ssl->in_buf_len = in_buf_len;
				3865	#endif
				3866	ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3867	if( ssl->in_buf == NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3868	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3869	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3870	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
				3871	goto error;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3872	}
				3873
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3874	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				3875	ssl->out_buf_len = out_buf_len;
				3876	#endif
				3877	ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3878	if( ssl->out_buf == NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3879	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3880	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3881	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
				3882	goto error;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3883	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3884
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3885	mbedtls_ssl_reset_in_out_pointers( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3886
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	3887	#if defined(MBEDTLS_SSL_DTLS_SRTP)
				3888	memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
				3889	#endif
				3890
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3891	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3892	goto error;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3893
				3894	return( 0 );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3895
				3896	error:
				3897	mbedtls_free( ssl->in_buf );
				3898	mbedtls_free( ssl->out_buf );
				3899
				3900	ssl->conf = NULL;
				3901
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3902	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				3903	ssl->in_buf_len = 0;
				3904	ssl->out_buf_len = 0;
				3905	#endif
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3906	ssl->in_buf = NULL;
				3907	ssl->out_buf = NULL;
				3908
				3909	ssl->in_hdr = NULL;
				3910	ssl->in_ctr = NULL;
				3911	ssl->in_len = NULL;
				3912	ssl->in_iv = NULL;
				3913	ssl->in_msg = NULL;
				3914
				3915	ssl->out_hdr = NULL;
				3916	ssl->out_ctr = NULL;
				3917	ssl->out_len = NULL;
				3918	ssl->out_iv = NULL;
				3919	ssl->out_msg = NULL;
				3920
				3921	return( ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3922	}
				3923
				3924	/*
				3925	* Reset an initialized and used SSL context for re-use while retaining
				3926	* all application-set variables, function pointers and data.
				3927	*
				3928	* If partial is non-zero, keep data in the input buffer and client ID.
				3929	* (Use when a DTLS client reconnects from the same port.)
				3930	*/
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3931	int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3932	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3933	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				3934	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				3935	size_t in_buf_len = ssl->in_buf_len;
				3936	size_t out_buf_len = ssl->out_buf_len;
				3937	#else
				3938	size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
				3939	size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
				3940	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3941
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3942	#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) \|\| \
				3943	!defined(MBEDTLS_SSL_SRV_C)
				3944	((void) partial);
				3945	#endif
				3946
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3947	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
				3948
				3949	/* Cancel any possibly running timer */
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3950	mbedtls_ssl_set_timer( ssl, 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3951
				3952	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				3953	ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
				3954	ssl->renego_records_seen = 0;
				3955
				3956	ssl->verify_data_len = 0;
				3957	memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
				3958	memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
				3959	#endif
				3960	ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
				3961
				3962	ssl->in_offt = NULL;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3963	mbedtls_ssl_reset_in_out_pointers( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3964
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3965	ssl->in_msgtype = 0;
				3966	ssl->in_msglen = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3967	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				3968	ssl->next_record_offset = 0;
				3969	ssl->in_epoch = 0;
				3970	#endif
				3971	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3972	mbedtls_ssl_dtls_replay_reset( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3973	#endif
				3974
				3975	ssl->in_hslen = 0;
				3976	ssl->nb_zero = 0;
				3977
				3978	ssl->keep_current_message = 0;
				3979
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3980	ssl->out_msgtype = 0;
				3981	ssl->out_msglen = 0;
				3982	ssl->out_left = 0;
				3983	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
				3984	if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
				3985	ssl->split_done = 0;
				3986	#endif
				3987
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3988	memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
				3989
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3990	ssl->transform_in = NULL;
				3991	ssl->transform_out = NULL;
				3992
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3993	ssl->session_in = NULL;
				3994	ssl->session_out = NULL;
				3995
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	3996	memset( ssl->out_buf, 0, out_buf_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	3997
				3998	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	3999	if( partial == 0 )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4000	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
				4001	{
				4002	ssl->in_left = 0;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4003	memset( ssl->in_buf, 0, in_buf_len );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4004	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4005
				4006	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
				4007	if( mbedtls_ssl_hw_record_reset != NULL )
				4008	{
				4009	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
				4010	if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
				4011	{
				4012	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
				4013	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
				4014	}
				4015	}
				4016	#endif
				4017
				4018	if( ssl->transform )
				4019	{
				4020	mbedtls_ssl_transform_free( ssl->transform );
				4021	mbedtls_free( ssl->transform );
				4022	ssl->transform = NULL;
				4023	}
				4024
				4025	if( ssl->session )
				4026	{
				4027	mbedtls_ssl_session_free( ssl->session );
				4028	mbedtls_free( ssl->session );
				4029	ssl->session = NULL;
				4030	}
				4031
				4032	#if defined(MBEDTLS_SSL_ALPN)
				4033	ssl->alpn_chosen = NULL;
				4034	#endif
				4035
				4036	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4037	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4038	if( partial == 0 )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4039	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4040	{
				4041	mbedtls_free( ssl->cli_id );
				4042	ssl->cli_id = NULL;
				4043	ssl->cli_id_len = 0;
				4044	}
				4045	#endif
				4046
				4047	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
				4048	return( ret );
				4049
				4050	return( 0 );
				4051	}
				4052
				4053	/*
				4054	* Reset an initialized and used SSL context for re-use while retaining
				4055	* all application-set variables, function pointers and data.
				4056	*/
				4057	int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
				4058	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4059	return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4060	}
				4061
				4062	/*
				4063	* SSL set accessors
				4064	*/
				4065	void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
				4066	{
				4067	conf->endpoint = endpoint;
				4068	}
				4069
				4070	void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
				4071	{
				4072	conf->transport = transport;
				4073	}
				4074
				4075	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
				4076	void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
				4077	{
				4078	conf->anti_replay = mode;
				4079	}
				4080	#endif
				4081
				4082	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
				4083	void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
				4084	{
				4085	conf->badmac_limit = limit;
				4086	}
				4087	#endif
				4088
				4089	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4090
				4091	void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
				4092	unsigned allow_packing )
				4093	{
				4094	ssl->disable_datagram_packing = !allow_packing;
				4095	}
				4096
				4097	void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
				4098	uint32_t min, uint32_t max )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4099	{
				4100	conf->hs_timeout_min = min;
				4101	conf->hs_timeout_max = max;
				4102	}
				4103	#endif
				4104
				4105	void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
				4106	{
				4107	conf->authmode = authmode;
				4108	}
				4109
				4110	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				4111	void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
				4112	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
				4113	void *p_vrfy )
				4114	{
				4115	conf->f_vrfy = f_vrfy;
				4116	conf->p_vrfy = p_vrfy;
				4117	}
				4118	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				4119
				4120	void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
				4121	int (f_rng)(void , unsigned char *, size_t),
				4122	void *p_rng )
				4123	{
				4124	conf->f_rng = f_rng;
				4125	conf->p_rng = p_rng;
				4126	}
				4127
				4128	void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
				4129	void (f_dbg)(void , int, const char , int, const char ),
				4130	void *p_dbg )
				4131	{
				4132	conf->f_dbg = f_dbg;
				4133	conf->p_dbg = p_dbg;
				4134	}
				4135
				4136	void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
				4137	void *p_bio,
				4138	mbedtls_ssl_send_t *f_send,
				4139	mbedtls_ssl_recv_t *f_recv,
				4140	mbedtls_ssl_recv_timeout_t *f_recv_timeout )
				4141	{
				4142	ssl->p_bio = p_bio;
				4143	ssl->f_send = f_send;
				4144	ssl->f_recv = f_recv;
				4145	ssl->f_recv_timeout = f_recv_timeout;
				4146	}
				4147
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4148	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				4149	void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
				4150	{
				4151	ssl->mtu = mtu;
				4152	}
				4153	#endif
				4154
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4155	void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
				4156	{
				4157	conf->read_timeout = timeout;
				4158	}
				4159
				4160	void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
				4161	void *p_timer,
				4162	mbedtls_ssl_set_timer_t *f_set_timer,
				4163	mbedtls_ssl_get_timer_t *f_get_timer )
				4164	{
				4165	ssl->p_timer = p_timer;
				4166	ssl->f_set_timer = f_set_timer;
				4167	ssl->f_get_timer = f_get_timer;
				4168
				4169	/* Make sure we start with no timer running */
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4170	mbedtls_ssl_set_timer( ssl, 0 );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4171	}
				4172
				4173	#if defined(MBEDTLS_SSL_SRV_C)
				4174	void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
				4175	void *p_cache,
				4176	int (f_get_cache)(void , mbedtls_ssl_session *),
				4177	int (f_set_cache)(void , const mbedtls_ssl_session *) )
				4178	{
				4179	conf->p_cache = p_cache;
				4180	conf->f_get_cache = f_get_cache;
				4181	conf->f_set_cache = f_set_cache;
				4182	}
				4183	#endif /* MBEDTLS_SSL_SRV_C */
				4184
				4185	#if defined(MBEDTLS_SSL_CLI_C)
				4186	int mbedtls_ssl_set_session( mbedtls_ssl_context ssl, const mbedtls_ssl_session session )
				4187	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4188	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4189
				4190	if( ssl == NULL \|\|
				4191	session == NULL \|\|
				4192	ssl->session_negotiate == NULL \|\|
				4193	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
				4194	{
				4195	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4196	}
				4197
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4198	if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
				4199	session ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4200	return( ret );
				4201
				4202	ssl->handshake->resume = 1;
				4203
				4204	return( 0 );
				4205	}
				4206	#endif /* MBEDTLS_SSL_CLI_C */
				4207
				4208	void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
				4209	const int *ciphersuites )
				4210	{
				4211	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
				4212	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
				4213	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
				4214	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
				4215	}
				4216
				4217	void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
				4218	const int *ciphersuites,
				4219	int major, int minor )
				4220	{
				4221	if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
				4222	return;
				4223
				4224	if( minor < MBEDTLS_SSL_MINOR_VERSION_0 \|\| minor > MBEDTLS_SSL_MINOR_VERSION_3 )
				4225	return;
				4226
				4227	conf->ciphersuite_list[minor] = ciphersuites;
				4228	}
				4229
				4230	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				4231	void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
				4232	const mbedtls_x509_crt_profile *profile )
				4233	{
				4234	conf->cert_profile = profile;
				4235	}
				4236
				4237	/* Append a new keycert entry to a (possibly empty) list */
				4238	static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
				4239	mbedtls_x509_crt *cert,
				4240	mbedtls_pk_context *key )
				4241	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4242	mbedtls_ssl_key_cert *new_cert;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4243
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4244	new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
				4245	if( new_cert == NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4246	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				4247
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4248	new_cert->cert = cert;
				4249	new_cert->key = key;
				4250	new_cert->next = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4251
				4252	/* Update head is the list was null, else add to the end */
				4253	if( *head == NULL )
				4254	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4255	*head = new_cert;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4256	}
				4257	else
				4258	{
				4259	mbedtls_ssl_key_cert cur = head;
				4260	while( cur->next != NULL )
				4261	cur = cur->next;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4262	cur->next = new_cert;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4263	}
				4264
				4265	return( 0 );
				4266	}
				4267
				4268	int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
				4269	mbedtls_x509_crt *own_cert,
				4270	mbedtls_pk_context *pk_key )
				4271	{
				4272	return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
				4273	}
				4274
				4275	void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
				4276	mbedtls_x509_crt *ca_chain,
				4277	mbedtls_x509_crl *ca_crl )
				4278	{
				4279	conf->ca_chain = ca_chain;
				4280	conf->ca_crl = ca_crl;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4281
				4282	#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
				4283	/* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
				4284	* cannot be used together. */
				4285	conf->f_ca_cb = NULL;
				4286	conf->p_ca_cb = NULL;
				4287	#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4288	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4289
				4290	#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
				4291	void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
				4292	mbedtls_x509_crt_ca_cb_t f_ca_cb,
				4293	void *p_ca_cb )
				4294	{
				4295	conf->f_ca_cb = f_ca_cb;
				4296	conf->p_ca_cb = p_ca_cb;
				4297
				4298	/* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
				4299	* cannot be used together. */
				4300	conf->ca_chain = NULL;
				4301	conf->ca_crl = NULL;
				4302	}
				4303	#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4304	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				4305
				4306	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
				4307	int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
				4308	mbedtls_x509_crt *own_cert,
				4309	mbedtls_pk_context *pk_key )
				4310	{
				4311	return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
				4312	own_cert, pk_key ) );
				4313	}
				4314
				4315	void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
				4316	mbedtls_x509_crt *ca_chain,
				4317	mbedtls_x509_crl *ca_crl )
				4318	{
				4319	ssl->handshake->sni_ca_chain = ca_chain;
				4320	ssl->handshake->sni_ca_crl = ca_crl;
				4321	}
				4322
				4323	void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
				4324	int authmode )
				4325	{
				4326	ssl->handshake->sni_authmode = authmode;
				4327	}
				4328	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
				4329
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4330	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				4331	void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
				4332	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
				4333	void *p_vrfy )
				4334	{
				4335	ssl->f_vrfy = f_vrfy;
				4336	ssl->p_vrfy = p_vrfy;
				4337	}
				4338	#endif
				4339
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4340	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
				4341	/*
				4342	* Set EC J-PAKE password for current handshake
				4343	*/
				4344	int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
				4345	const unsigned char *pw,
				4346	size_t pw_len )
				4347	{
				4348	mbedtls_ecjpake_role role;
				4349
				4350	if( ssl->handshake == NULL \|\| ssl->conf == NULL )
				4351	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4352
				4353	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				4354	role = MBEDTLS_ECJPAKE_SERVER;
				4355	else
				4356	role = MBEDTLS_ECJPAKE_CLIENT;
				4357
				4358	return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
				4359	role,
				4360	MBEDTLS_MD_SHA256,
				4361	MBEDTLS_ECP_DP_SECP256R1,
				4362	pw, pw_len ) );
				4363	}
				4364	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
				4365
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4366	#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
				4367
				4368	static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4369	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4370	/* Remove reference to existing PSK, if any. */
				4371	#if defined(MBEDTLS_USE_PSA_CRYPTO)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4372	if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4373	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4374	/* The maintenance of the PSK key slot is the
				4375	* user's responsibility. */
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4376	conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4377	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4378	/* This and the following branch should never
				4379	* be taken simultaenously as we maintain the
				4380	* invariant that raw and opaque PSKs are never
				4381	* configured simultaneously. As a safeguard,
				4382	* though, `else` is omitted here. */
				4383	#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4384	if( conf->psk != NULL )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4385	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4386	mbedtls_platform_zeroize( conf->psk, conf->psk_len );
				4387
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4388	mbedtls_free( conf->psk );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4389	conf->psk = NULL;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4390	conf->psk_len = 0;
				4391	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4392
				4393	/* Remove reference to PSK identity, if any. */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4394	if( conf->psk_identity != NULL )
				4395	{
				4396	mbedtls_free( conf->psk_identity );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4397	conf->psk_identity = NULL;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4398	conf->psk_identity_len = 0;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4399	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4400	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4401
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4402	/* This function assumes that PSK identity in the SSL config is unset.
				4403	* It checks that the provided identity is well-formed and attempts
				4404	* to make a copy of it in the SSL config.
				4405	* On failure, the PSK identity in the config remains unset. */
				4406	static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
				4407	unsigned char const *psk_identity,
				4408	size_t psk_identity_len )
				4409	{
				4410	/* Identity len will be encoded on two bytes */
				4411	if( psk_identity == NULL \|\|
				4412	( psk_identity_len >> 16 ) != 0 \|\|
				4413	psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4414	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4415	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4416	}
				4417
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4418	conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
				4419	if( conf->psk_identity == NULL )
				4420	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4421
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4422	conf->psk_identity_len = psk_identity_len;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4423	memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
				4424
				4425	return( 0 );
				4426	}
				4427
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4428	int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
				4429	const unsigned char *psk, size_t psk_len,
				4430	const unsigned char *psk_identity, size_t psk_identity_len )
				4431	{
				4432	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				4433	/* Remove opaque/raw PSK + PSK Identity */
				4434	ssl_conf_remove_psk( conf );
				4435
				4436	/* Check and set raw PSK */
				4437	if( psk == NULL )
				4438	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4439	if( psk_len == 0 )
				4440	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4441	if( psk_len > MBEDTLS_PSK_MAX_LEN )
				4442	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4443
				4444	if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
				4445	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				4446	conf->psk_len = psk_len;
				4447	memcpy( conf->psk, psk, conf->psk_len );
				4448
				4449	/* Check and set PSK Identity */
				4450	ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
				4451	if( ret != 0 )
				4452	ssl_conf_remove_psk( conf );
				4453
				4454	return( ret );
				4455	}
				4456
				4457	static void ssl_remove_psk( mbedtls_ssl_context *ssl )
				4458	{
				4459	#if defined(MBEDTLS_USE_PSA_CRYPTO)
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4460	if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4461	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4462	ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4463	}
				4464	else
				4465	#endif /* MBEDTLS_USE_PSA_CRYPTO */
				4466	if( ssl->handshake->psk != NULL )
				4467	{
				4468	mbedtls_platform_zeroize( ssl->handshake->psk,
				4469	ssl->handshake->psk_len );
				4470	mbedtls_free( ssl->handshake->psk );
				4471	ssl->handshake->psk_len = 0;
				4472	}
				4473	}
				4474
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4475	int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
				4476	const unsigned char *psk, size_t psk_len )
				4477	{
				4478	if( psk == NULL \|\| ssl->handshake == NULL )
				4479	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4480
				4481	if( psk_len > MBEDTLS_PSK_MAX_LEN )
				4482	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4483
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4484	ssl_remove_psk( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4485
				4486	if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
				4487	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				4488
				4489	ssl->handshake->psk_len = psk_len;
				4490	memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
				4491
				4492	return( 0 );
				4493	}
				4494
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4495	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				4496	int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4497	psa_key_id_t psk,
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4498	const unsigned char *psk_identity,
				4499	size_t psk_identity_len )
				4500	{
				4501	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				4502	/* Clear opaque/raw PSK + PSK Identity, if present. */
				4503	ssl_conf_remove_psk( conf );
				4504
				4505	/* Check and set opaque PSK */
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4506	if( mbedtls_svc_key_id_is_null( psk ) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4507	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4508	conf->psk_opaque = psk;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4509
				4510	/* Check and set PSK Identity */
				4511	ret = ssl_conf_set_psk_identity( conf, psk_identity,
				4512	psk_identity_len );
				4513	if( ret != 0 )
				4514	ssl_conf_remove_psk( conf );
				4515
				4516	return( ret );
				4517	}
				4518
				4519	int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4520	psa_key_id_t psk )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4521	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4522	if( ( mbedtls_svc_key_id_is_null( psk ) ) \|\|
				4523	( ssl->handshake == NULL ) )
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4524	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4525
				4526	ssl_remove_psk( ssl );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4527	ssl->handshake->psk_opaque = psk;
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4528	return( 0 );
				4529	}
				4530	#endif /* MBEDTLS_USE_PSA_CRYPTO */
				4531
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4532	void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
				4533	int (f_psk)(void , mbedtls_ssl_context , const unsigned char ,
				4534	size_t),
				4535	void *p_psk )
				4536	{
				4537	conf->f_psk = f_psk;
				4538	conf->p_psk = p_psk;
				4539	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4540	#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4541
				4542	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4543
				4544	#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4545	int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config conf, const char dhm_P, const char *dhm_G )
				4546	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4547	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4548
				4549	if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 \|\|
				4550	( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
				4551	{
				4552	mbedtls_mpi_free( &conf->dhm_P );
				4553	mbedtls_mpi_free( &conf->dhm_G );
				4554	return( ret );
				4555	}
				4556
				4557	return( 0 );
				4558	}
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4559	#endif /* MBEDTLS_DEPRECATED_REMOVED */
				4560
				4561	int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
				4562	const unsigned char *dhm_P, size_t P_len,
				4563	const unsigned char *dhm_G, size_t G_len )
				4564	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4565	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4566
				4567	if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 \|\|
				4568	( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
				4569	{
				4570	mbedtls_mpi_free( &conf->dhm_P );
				4571	mbedtls_mpi_free( &conf->dhm_G );
				4572	return( ret );
				4573	}
				4574
				4575	return( 0 );
				4576	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4577
				4578	int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config conf, mbedtls_dhm_context dhm_ctx )
				4579	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4580	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4581
				4582	if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 \|\|
				4583	( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
				4584	{
				4585	mbedtls_mpi_free( &conf->dhm_P );
				4586	mbedtls_mpi_free( &conf->dhm_G );
				4587	return( ret );
				4588	}
				4589
				4590	return( 0 );
				4591	}
				4592	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
				4593
				4594	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
				4595	/*
				4596	* Set the minimum length for Diffie-Hellman parameters
				4597	*/
				4598	void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
				4599	unsigned int bitlen )
				4600	{
				4601	conf->dhm_min_bitlen = bitlen;
				4602	}
				4603	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
				4604
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4605	#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4606	/*
				4607	* Set allowed/preferred hashes for handshake signatures
				4608	*/
				4609	void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
				4610	const int *hashes )
				4611	{
				4612	conf->sig_hashes = hashes;
				4613	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4614	#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4615
				4616	#if defined(MBEDTLS_ECP_C)
				4617	/*
				4618	* Set the allowed elliptic curves
				4619	*/
				4620	void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
				4621	const mbedtls_ecp_group_id *curve_list )
				4622	{
				4623	conf->curve_list = curve_list;
				4624	}
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4625	#endif /* MBEDTLS_ECP_C */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4626
				4627	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				4628	int mbedtls_ssl_set_hostname( mbedtls_ssl_context ssl, const char hostname )
				4629	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4630	/* Initialize to suppress unnecessary compiler warning */
				4631	size_t hostname_len = 0;
				4632
				4633	/* Check if new hostname is valid before
				4634	* making any change to current one */
				4635	if( hostname != NULL )
				4636	{
				4637	hostname_len = strlen( hostname );
				4638
				4639	if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
				4640	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4641	}
				4642
				4643	/* Now it's clear that we will overwrite the old hostname,
				4644	* so we can free it safely */
				4645
				4646	if( ssl->hostname != NULL )
				4647	{
				4648	mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
				4649	mbedtls_free( ssl->hostname );
				4650	}
				4651
				4652	/* Passing NULL as hostname shall clear the old one */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4653
				4654	if( hostname == NULL )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4655	{
				4656	ssl->hostname = NULL;
				4657	}
				4658	else
				4659	{
				4660	ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
				4661	if( ssl->hostname == NULL )
				4662	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4663
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4664	memcpy( ssl->hostname, hostname, hostname_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4665
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4666	ssl->hostname[hostname_len] = '\0';
				4667	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4668
				4669	return( 0 );
				4670	}
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4671	#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4672
				4673	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
				4674	void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
				4675	int (f_sni)(void , mbedtls_ssl_context *,
				4676	const unsigned char *, size_t),
				4677	void *p_sni )
				4678	{
				4679	conf->f_sni = f_sni;
				4680	conf->p_sni = p_sni;
				4681	}
				4682	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
				4683
				4684	#if defined(MBEDTLS_SSL_ALPN)
				4685	int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config conf, const char *protos )
				4686	{
				4687	size_t cur_len, tot_len;
				4688	const char **p;
				4689
				4690	/*
				4691	* RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
				4692	* MUST NOT be truncated."
				4693	* We check lengths now rather than later.
				4694	*/
				4695	tot_len = 0;
				4696	for( p = protos; *p != NULL; p++ )
				4697	{
				4698	cur_len = strlen( *p );
				4699	tot_len += cur_len;
				4700
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4701	if( ( cur_len == 0 ) \|\|
				4702	( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) \|\|
				4703	( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4704	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4705	}
				4706
				4707	conf->alpn_list = protos;
				4708
				4709	return( 0 );
				4710	}
				4711
				4712	const char mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context ssl )
				4713	{
				4714	return( ssl->alpn_chosen );
				4715	}
				4716	#endif /* MBEDTLS_SSL_ALPN */
				4717
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	4718	#if defined(MBEDTLS_SSL_DTLS_SRTP)
				4719	void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
				4720	int support_mki_value )
				4721	{
				4722	conf->dtls_srtp_mki_support = support_mki_value;
				4723	}
				4724
				4725	int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
				4726	unsigned char *mki_value,
				4727	uint16_t mki_len )
				4728	{
				4729	if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
				4730	{
				4731	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4732	}
				4733
				4734	if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
				4735	{
				4736	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
				4737	}
				4738
				4739	memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
				4740	ssl->dtls_srtp_info.mki_len = mki_len;
				4741	return( 0 );
				4742	}
				4743
				4744	int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
				4745	const mbedtls_ssl_srtp_profile *profiles )
				4746	{
				4747	const mbedtls_ssl_srtp_profile *p;
				4748	size_t list_size = 0;
				4749
				4750	/* check the profiles list: all entry must be valid,
				4751	* its size cannot be more than the total number of supported profiles, currently 4 */
				4752	for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
				4753	list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
				4754	p++ )
				4755	{
				4756	if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
				4757	{
				4758	list_size++;
				4759	}
				4760	else
				4761	{
				4762	/* unsupported value, stop parsing and set the size to an error value */
				4763	list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
				4764	}
				4765	}
				4766
				4767	if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
				4768	{
				4769	conf->dtls_srtp_profile_list = NULL;
				4770	conf->dtls_srtp_profile_list_len = 0;
				4771	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4772	}
				4773
				4774	conf->dtls_srtp_profile_list = profiles;
				4775	conf->dtls_srtp_profile_list_len = list_size;
				4776
				4777	return( 0 );
				4778	}
				4779
				4780	void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
				4781	mbedtls_dtls_srtp_info *dtls_srtp_info )
				4782	{
				4783	dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
				4784	/* do not copy the mki value if there is no chosen profile */
				4785	if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
				4786	{
				4787	dtls_srtp_info->mki_len = 0;
				4788	}
				4789	else
				4790	{
				4791	dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
				4792	memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
				4793	ssl->dtls_srtp_info.mki_len );
				4794	}
				4795	}
				4796	#endif /* MBEDTLS_SSL_DTLS_SRTP */
				4797
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4798	void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
				4799	{
				4800	conf->max_major_ver = major;
				4801	conf->max_minor_ver = minor;
				4802	}
				4803
				4804	void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
				4805	{
				4806	conf->min_major_ver = major;
				4807	conf->min_minor_ver = minor;
				4808	}
				4809
				4810	#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
				4811	void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
				4812	{
				4813	conf->fallback = fallback;
				4814	}
				4815	#endif
				4816
				4817	#if defined(MBEDTLS_SSL_SRV_C)
				4818	void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
				4819	char cert_req_ca_list )
				4820	{
				4821	conf->cert_req_ca_list = cert_req_ca_list;
				4822	}
				4823	#endif
				4824
				4825	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				4826	void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
				4827	{
				4828	conf->encrypt_then_mac = etm;
				4829	}
				4830	#endif
				4831
				4832	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
				4833	void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
				4834	{
				4835	conf->extended_ms = ems;
				4836	}
				4837	#endif
				4838
				4839	#if defined(MBEDTLS_ARC4_C)
				4840	void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
				4841	{
				4842	conf->arc4_disabled = arc4;
				4843	}
				4844	#endif
				4845
				4846	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
				4847	int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
				4848	{
				4849	if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID \|\|
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4850	ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4851	{
				4852	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				4853	}
				4854
				4855	conf->mfl_code = mfl_code;
				4856
				4857	return( 0 );
				4858	}
				4859	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
				4860
				4861	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				4862	void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
				4863	{
				4864	conf->trunc_hmac = truncate;
				4865	}
				4866	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
				4867
				4868	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
				4869	void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
				4870	{
				4871	conf->cbc_record_splitting = split;
				4872	}
				4873	#endif
				4874
				4875	void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
				4876	{
				4877	conf->allow_legacy_renegotiation = allow_legacy;
				4878	}
				4879
				4880	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				4881	void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
				4882	{
				4883	conf->disable_renegotiation = renegotiation;
				4884	}
				4885
				4886	void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
				4887	{
				4888	conf->renego_max_records = max_records;
				4889	}
				4890
				4891	void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
				4892	const unsigned char period[8] )
				4893	{
				4894	memcpy( conf->renego_period, period, 8 );
				4895	}
				4896	#endif /* MBEDTLS_SSL_RENEGOTIATION */
				4897
				4898	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
				4899	#if defined(MBEDTLS_SSL_CLI_C)
				4900	void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
				4901	{
				4902	conf->session_tickets = use_tickets;
				4903	}
				4904	#endif
				4905
				4906	#if defined(MBEDTLS_SSL_SRV_C)
				4907	void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
				4908	mbedtls_ssl_ticket_write_t *f_ticket_write,
				4909	mbedtls_ssl_ticket_parse_t *f_ticket_parse,
				4910	void *p_ticket )
				4911	{
				4912	conf->f_ticket_write = f_ticket_write;
				4913	conf->f_ticket_parse = f_ticket_parse;
				4914	conf->p_ticket = p_ticket;
				4915	}
				4916	#endif
				4917	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
				4918
				4919	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
				4920	void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
				4921	mbedtls_ssl_export_keys_t *f_export_keys,
				4922	void *p_export_keys )
				4923	{
				4924	conf->f_export_keys = f_export_keys;
				4925	conf->p_export_keys = p_export_keys;
				4926	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	4927
				4928	void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
				4929	mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
				4930	void *p_export_keys )
				4931	{
				4932	conf->f_export_keys_ext = f_export_keys_ext;
				4933	conf->p_export_keys = p_export_keys;
				4934	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4935	#endif
				4936
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	4937	#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
				4938	void mbedtls_ssl_conf_async_private_cb(
				4939	mbedtls_ssl_config *conf,
				4940	mbedtls_ssl_async_sign_t *f_async_sign,
				4941	mbedtls_ssl_async_decrypt_t *f_async_decrypt,
				4942	mbedtls_ssl_async_resume_t *f_async_resume,
				4943	mbedtls_ssl_async_cancel_t *f_async_cancel,
				4944	void *async_config_data )
				4945	{
				4946	conf->f_async_sign_start = f_async_sign;
				4947	conf->f_async_decrypt_start = f_async_decrypt;
				4948	conf->f_async_resume = f_async_resume;
				4949	conf->f_async_cancel = f_async_cancel;
				4950	conf->p_async_config_data = async_config_data;
				4951	}
				4952
				4953	void mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config conf )
				4954	{
				4955	return( conf->p_async_config_data );
				4956	}
				4957
				4958	void mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context ssl )
				4959	{
				4960	if( ssl->handshake == NULL )
				4961	return( NULL );
				4962	else
				4963	return( ssl->handshake->user_async_ctx );
				4964	}
				4965
				4966	void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
				4967	void *ctx )
				4968	{
				4969	if( ssl->handshake != NULL )
				4970	ssl->handshake->user_async_ctx = ctx;
				4971	}
				4972	#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
				4973
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4974	/*
				4975	* SSL get accessors
				4976	*/
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	4977	uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
				4978	{
				4979	if( ssl->session != NULL )
				4980	return( ssl->session->verify_result );
				4981
				4982	if( ssl->session_negotiate != NULL )
				4983	return( ssl->session_negotiate->verify_result );
				4984
				4985	return( 0xFFFFFFFF );
				4986	}
				4987
				4988	const char mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context ssl )
				4989	{
				4990	if( ssl == NULL \|\| ssl->session == NULL )
				4991	return( NULL );
				4992
				4993	return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
				4994	}
				4995
				4996	const char mbedtls_ssl_get_version( const mbedtls_ssl_context ssl )
				4997	{
				4998	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				4999	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				5000	{
				5001	switch( ssl->minor_ver )
				5002	{
				5003	case MBEDTLS_SSL_MINOR_VERSION_2:
				5004	return( "DTLSv1.0" );
				5005
				5006	case MBEDTLS_SSL_MINOR_VERSION_3:
				5007	return( "DTLSv1.2" );
				5008
				5009	default:
				5010	return( "unknown (DTLS)" );
				5011	}
				5012	}
				5013	#endif
				5014
				5015	switch( ssl->minor_ver )
				5016	{
				5017	case MBEDTLS_SSL_MINOR_VERSION_0:
				5018	return( "SSLv3.0" );
				5019
				5020	case MBEDTLS_SSL_MINOR_VERSION_1:
				5021	return( "TLSv1.0" );
				5022
				5023	case MBEDTLS_SSL_MINOR_VERSION_2:
				5024	return( "TLSv1.1" );
				5025
				5026	case MBEDTLS_SSL_MINOR_VERSION_3:
				5027	return( "TLSv1.2" );
				5028
				5029	default:
				5030	return( "unknown" );
				5031	}
				5032	}
				5033
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5034	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
				5035	size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5036	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5037	size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
				5038	size_t read_mfl;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5039
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5040	/* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
				5041	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
				5042	ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5043	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5044	return ssl_mfl_code_to_length( ssl->conf->mfl_code );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5045	}
				5046
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5047	/* Check if a smaller max length was negotiated */
				5048	if( ssl->session_out != NULL )
				5049	{
				5050	read_mfl = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
				5051	if( read_mfl < max_len )
				5052	{
				5053	max_len = read_mfl;
				5054	}
				5055	}
				5056
				5057	// During a handshake, use the value being negotiated
				5058	if( ssl->session_negotiate != NULL )
				5059	{
				5060	read_mfl = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
				5061	if( read_mfl < max_len )
				5062	{
				5063	max_len = read_mfl;
				5064	}
				5065	}
				5066
				5067	return( max_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5068	}
				5069
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5070	size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5071	{
				5072	size_t max_len;
				5073
				5074	/*
				5075	* Assume mfl_code is correct since it was checked when set
				5076	*/
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5077	max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5078
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5079	/* Check if a smaller max length was negotiated */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5080	if( ssl->session_out != NULL &&
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5081	ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5082	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5083	max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5084	}
				5085
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5086	/* During a handshake, use the value being negotiated */
				5087	if( ssl->session_negotiate != NULL &&
				5088	ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
				5089	{
				5090	max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
				5091	}
				5092
				5093	return( max_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5094	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5095
				5096	#if !defined(MBEDTLS_DEPRECATED_REMOVED)
				5097	size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
				5098	{
				5099	return mbedtls_ssl_get_output_max_frag_len( ssl );
				5100	}
				5101	#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5102	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
				5103
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5104	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5105	size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5106	{
				5107	/* Return unlimited mtu for client hello messages to avoid fragmentation. */
				5108	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
				5109	( ssl->state == MBEDTLS_SSL_CLIENT_HELLO \|\|
				5110	ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
				5111	return ( 0 );
				5112
				5113	if( ssl->handshake == NULL \|\| ssl->handshake->mtu == 0 )
				5114	return( ssl->mtu );
				5115
				5116	if( ssl->mtu == 0 )
				5117	return( ssl->handshake->mtu );
				5118
				5119	return( ssl->mtu < ssl->handshake->mtu ?
				5120	ssl->mtu : ssl->handshake->mtu );
				5121	}
				5122	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				5123
				5124	int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
				5125	{
				5126	size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
				5127
				5128	#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
				5129	!defined(MBEDTLS_SSL_PROTO_DTLS)
				5130	(void) ssl;
				5131	#endif
				5132
				5133	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5134	const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5135
				5136	if( max_len > mfl )
				5137	max_len = mfl;
				5138	#endif
				5139
				5140	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5141	if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5142	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5143	const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5144	const int ret = mbedtls_ssl_get_record_expansion( ssl );
				5145	const size_t overhead = (size_t) ret;
				5146
				5147	if( ret < 0 )
				5148	return( ret );
				5149
				5150	if( mtu <= overhead )
				5151	{
				5152	MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
				5153	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
				5154	}
				5155
				5156	if( max_len > mtu - overhead )
				5157	max_len = mtu - overhead;
				5158	}
				5159	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				5160
				5161	#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
				5162	!defined(MBEDTLS_SSL_PROTO_DTLS)
				5163	((void) ssl);
				5164	#endif
				5165
				5166	return( (int) max_len );
				5167	}
				5168
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5169	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5170	const mbedtls_x509_crt mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context ssl )
				5171	{
				5172	if( ssl == NULL \|\| ssl->session == NULL )
				5173	return( NULL );
				5174
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5175	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5176	return( ssl->session->peer_cert );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5177	#else
				5178	return( NULL );
				5179	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5180	}
				5181	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5182
				5183	#if defined(MBEDTLS_SSL_CLI_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5184	int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
				5185	mbedtls_ssl_session *dst )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5186	{
				5187	if( ssl == NULL \|\|
				5188	dst == NULL \|\|
				5189	ssl->session == NULL \|\|
				5190	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
				5191	{
				5192	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5193	}
				5194
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5195	return( mbedtls_ssl_session_copy( dst, ssl->session ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5196	}
				5197	#endif /* MBEDTLS_SSL_CLI_C */
				5198
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5199	const mbedtls_ssl_session mbedtls_ssl_get_session_pointer( const mbedtls_ssl_context ssl )
				5200	{
				5201	if( ssl == NULL )
				5202	return( NULL );
				5203
				5204	return( ssl->session );
				5205	}
				5206
				5207	/*
				5208	* Define ticket header determining Mbed TLS version
				5209	* and structure of the ticket.
				5210	*/
				5211
				5212	/*
				5213	* Define bitflag determining compile-time settings influencing
				5214	* structure of serialized SSL sessions.
				5215	*/
				5216
				5217	#if defined(MBEDTLS_HAVE_TIME)
				5218	#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
				5219	#else
				5220	#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
				5221	#endif /* MBEDTLS_HAVE_TIME */
				5222
				5223	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5224	#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
				5225	#else
				5226	#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
				5227	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5228
				5229	#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
				5230	#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
				5231	#else
				5232	#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
				5233	#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
				5234
				5235	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
				5236	#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
				5237	#else
				5238	#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
				5239	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
				5240
				5241	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				5242	#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 1
				5243	#else
				5244	#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 0
				5245	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
				5246
				5247	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				5248	#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
				5249	#else
				5250	#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
				5251	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
				5252
				5253	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
				5254	#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
				5255	#else
				5256	#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
				5257	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
				5258
				5259	#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
				5260	#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
				5261	#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
				5262	#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
				5263	#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 4
				5264	#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 5
				5265	#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 6
				5266
				5267	#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
				5268	( (uint16_t) ( \
				5269	( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) \| \
				5270	( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) \| \
				5271	( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) \| \
				5272	( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) \| \
				5273	( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC << SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT ) \| \
				5274	( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) \| \
				5275	( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) )
				5276
				5277	static unsigned char ssl_serialized_session_header[] = {
				5278	MBEDTLS_VERSION_MAJOR,
				5279	MBEDTLS_VERSION_MINOR,
				5280	MBEDTLS_VERSION_PATCH,
				5281	( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
				5282	( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
				5283	};
				5284
				5285	/*
				5286	* Serialize a session in the following format:
				5287	* (in the presentation language of TLS, RFC 8446 section 3)
				5288	*
				5289	* opaque mbedtls_version[3]; // major, minor, patch
				5290	* opaque session_format[2]; // version-specific 16-bit field determining
				5291	* // the format of the remaining
				5292	* // serialized data.
				5293	*
				5294	* Note: When updating the format, remember to keep
				5295	* these version+format bytes.
				5296	*
				5297	* // In this version, `session_format` determines
				5298	* // the setting of those compile-time
				5299	* // configuration options which influence
				5300	* // the structure of mbedtls_ssl_session.
				5301	* uint64 start_time;
				5302	* uint8 ciphersuite[2]; // defined by the standard
				5303	* uint8 compression; // 0 or 1
				5304	* uint8 session_id_len; // at most 32
				5305	* opaque session_id[32];
				5306	* opaque master[48]; // fixed length in the standard
				5307	* uint32 verify_result;
				5308	* opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
				5309	* opaque ticket<0..2^24-1>; // length 0 means no ticket
				5310	* uint32 ticket_lifetime;
				5311	* uint8 mfl_code; // up to 255 according to standard
				5312	* uint8 trunc_hmac; // 0 or 1
				5313	* uint8 encrypt_then_mac; // 0 or 1
				5314	*
				5315	* The order is the same as in the definition of the structure, except
				5316	* verify_result is put before peer_cert so that all mandatory fields come
				5317	* together in one block.
				5318	*/
				5319	static int ssl_session_save( const mbedtls_ssl_session *session,
				5320	unsigned char omit_header,
				5321	unsigned char *buf,
				5322	size_t buf_len,
				5323	size_t *olen )
				5324	{
				5325	unsigned char *p = buf;
				5326	size_t used = 0;
				5327	#if defined(MBEDTLS_HAVE_TIME)
				5328	uint64_t start;
				5329	#endif
				5330	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5331	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				5332	size_t cert_len;
				5333	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5334	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5335
				5336
				5337	if( !omit_header )
				5338	{
				5339	/*
				5340	* Add version identifier
				5341	*/
				5342
				5343	used += sizeof( ssl_serialized_session_header );
				5344
				5345	if( used <= buf_len )
				5346	{
				5347	memcpy( p, ssl_serialized_session_header,
				5348	sizeof( ssl_serialized_session_header ) );
				5349	p += sizeof( ssl_serialized_session_header );
				5350	}
				5351	}
				5352
				5353	/*
				5354	* Time
				5355	*/
				5356	#if defined(MBEDTLS_HAVE_TIME)
				5357	used += 8;
				5358
				5359	if( used <= buf_len )
				5360	{
				5361	start = (uint64_t) session->start;
				5362
				5363	*p++ = (unsigned char)( ( start >> 56 ) & 0xFF );
				5364	*p++ = (unsigned char)( ( start >> 48 ) & 0xFF );
				5365	*p++ = (unsigned char)( ( start >> 40 ) & 0xFF );
				5366	*p++ = (unsigned char)( ( start >> 32 ) & 0xFF );
				5367	*p++ = (unsigned char)( ( start >> 24 ) & 0xFF );
				5368	*p++ = (unsigned char)( ( start >> 16 ) & 0xFF );
				5369	*p++ = (unsigned char)( ( start >> 8 ) & 0xFF );
				5370	*p++ = (unsigned char)( ( start ) & 0xFF );
				5371	}
				5372	#endif /* MBEDTLS_HAVE_TIME */
				5373
				5374	/*
				5375	* Basic mandatory fields
				5376	*/
				5377	used += 2 /* ciphersuite */
				5378	+ 1 /* compression */
				5379	+ 1 /* id_len */
				5380	+ sizeof( session->id )
				5381	+ sizeof( session->master )
				5382	+ 4; /* verify_result */
				5383
				5384	if( used <= buf_len )
				5385	{
				5386	*p++ = (unsigned char)( ( session->ciphersuite >> 8 ) & 0xFF );
				5387	*p++ = (unsigned char)( ( session->ciphersuite ) & 0xFF );
				5388
				5389	*p++ = (unsigned char)( session->compression & 0xFF );
				5390
				5391	*p++ = (unsigned char)( session->id_len & 0xFF );
				5392	memcpy( p, session->id, 32 );
				5393	p += 32;
				5394
				5395	memcpy( p, session->master, 48 );
				5396	p += 48;
				5397
				5398	*p++ = (unsigned char)( ( session->verify_result >> 24 ) & 0xFF );
				5399	*p++ = (unsigned char)( ( session->verify_result >> 16 ) & 0xFF );
				5400	*p++ = (unsigned char)( ( session->verify_result >> 8 ) & 0xFF );
				5401	*p++ = (unsigned char)( ( session->verify_result ) & 0xFF );
				5402	}
				5403
				5404	/*
				5405	* Peer's end-entity certificate
				5406	*/
				5407	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5408	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				5409	if( session->peer_cert == NULL )
				5410	cert_len = 0;
				5411	else
				5412	cert_len = session->peer_cert->raw.len;
				5413
				5414	used += 3 + cert_len;
				5415
				5416	if( used <= buf_len )
				5417	{
				5418	*p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
				5419	*p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
				5420	*p++ = (unsigned char)( ( cert_len ) & 0xFF );
				5421
				5422	if( session->peer_cert != NULL )
				5423	{
				5424	memcpy( p, session->peer_cert->raw.p, cert_len );
				5425	p += cert_len;
				5426	}
				5427	}
				5428	#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5429	if( session->peer_cert_digest != NULL )
				5430	{
				5431	used += 1 /* type / + 1 / length */ + session->peer_cert_digest_len;
				5432	if( used <= buf_len )
				5433	{
				5434	*p++ = (unsigned char) session->peer_cert_digest_type;
				5435	*p++ = (unsigned char) session->peer_cert_digest_len;
				5436	memcpy( p, session->peer_cert_digest,
				5437	session->peer_cert_digest_len );
				5438	p += session->peer_cert_digest_len;
				5439	}
				5440	}
				5441	else
				5442	{
				5443	used += 2;
				5444	if( used <= buf_len )
				5445	{
				5446	*p++ = (unsigned char) MBEDTLS_MD_NONE;
				5447	*p++ = 0;
				5448	}
				5449	}
				5450	#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5451	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5452
				5453	/*
				5454	* Session ticket if any, plus associated data
				5455	*/
				5456	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
				5457	used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
				5458
				5459	if( used <= buf_len )
				5460	{
				5461	*p++ = (unsigned char)( ( session->ticket_len >> 16 ) & 0xFF );
				5462	*p++ = (unsigned char)( ( session->ticket_len >> 8 ) & 0xFF );
				5463	*p++ = (unsigned char)( ( session->ticket_len ) & 0xFF );
				5464
				5465	if( session->ticket != NULL )
				5466	{
				5467	memcpy( p, session->ticket, session->ticket_len );
				5468	p += session->ticket_len;
				5469	}
				5470
				5471	*p++ = (unsigned char)( ( session->ticket_lifetime >> 24 ) & 0xFF );
				5472	*p++ = (unsigned char)( ( session->ticket_lifetime >> 16 ) & 0xFF );
				5473	*p++ = (unsigned char)( ( session->ticket_lifetime >> 8 ) & 0xFF );
				5474	*p++ = (unsigned char)( ( session->ticket_lifetime ) & 0xFF );
				5475	}
				5476	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
				5477
				5478	/*
				5479	* Misc extension-related info
				5480	*/
				5481	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
				5482	used += 1;
				5483
				5484	if( used <= buf_len )
				5485	*p++ = session->mfl_code;
				5486	#endif
				5487
				5488	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				5489	used += 1;
				5490
				5491	if( used <= buf_len )
				5492	*p++ = (unsigned char)( ( session->trunc_hmac ) & 0xFF );
				5493	#endif
				5494
				5495	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				5496	used += 1;
				5497
				5498	if( used <= buf_len )
				5499	*p++ = (unsigned char)( ( session->encrypt_then_mac ) & 0xFF );
				5500	#endif
				5501
				5502	/* Done */
				5503	*olen = used;
				5504
				5505	if( used > buf_len )
				5506	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
				5507
				5508	return( 0 );
				5509	}
				5510
				5511	/*
				5512	* Public wrapper for ssl_session_save()
				5513	*/
				5514	int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
				5515	unsigned char *buf,
				5516	size_t buf_len,
				5517	size_t *olen )
				5518	{
				5519	return( ssl_session_save( session, 0, buf, buf_len, olen ) );
				5520	}
				5521
				5522	/*
				5523	* Deserialize session, see mbedtls_ssl_session_save() for format.
				5524	*
				5525	* This internal version is wrapped by a public function that cleans up in
				5526	* case of error, and has an extra option omit_header.
				5527	*/
				5528	static int ssl_session_load( mbedtls_ssl_session *session,
				5529	unsigned char omit_header,
				5530	const unsigned char *buf,
				5531	size_t len )
				5532	{
				5533	const unsigned char *p = buf;
				5534	const unsigned char * const end = buf + len;
				5535	#if defined(MBEDTLS_HAVE_TIME)
				5536	uint64_t start;
				5537	#endif
				5538	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5539	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				5540	size_t cert_len;
				5541	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5542	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5543
				5544	if( !omit_header )
				5545	{
				5546	/*
				5547	* Check version identifier
				5548	*/
				5549
				5550	if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
				5551	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5552
				5553	if( memcmp( p, ssl_serialized_session_header,
				5554	sizeof( ssl_serialized_session_header ) ) != 0 )
				5555	{
				5556	return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
				5557	}
				5558	p += sizeof( ssl_serialized_session_header );
				5559	}
				5560
				5561	/*
				5562	* Time
				5563	*/
				5564	#if defined(MBEDTLS_HAVE_TIME)
				5565	if( 8 > (size_t)( end - p ) )
				5566	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5567
				5568	start = ( (uint64_t) p[0] << 56 ) \|
				5569	( (uint64_t) p[1] << 48 ) \|
				5570	( (uint64_t) p[2] << 40 ) \|
				5571	( (uint64_t) p[3] << 32 ) \|
				5572	( (uint64_t) p[4] << 24 ) \|
				5573	( (uint64_t) p[5] << 16 ) \|
				5574	( (uint64_t) p[6] << 8 ) \|
				5575	( (uint64_t) p[7] );
				5576	p += 8;
				5577
				5578	session->start = (time_t) start;
				5579	#endif /* MBEDTLS_HAVE_TIME */
				5580
				5581	/*
				5582	* Basic mandatory fields
				5583	*/
				5584	if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
				5585	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5586
				5587	session->ciphersuite = ( p[0] << 8 ) \| p[1];
				5588	p += 2;
				5589
				5590	session->compression = *p++;
				5591
				5592	session->id_len = *p++;
				5593	memcpy( session->id, p, 32 );
				5594	p += 32;
				5595
				5596	memcpy( session->master, p, 48 );
				5597	p += 48;
				5598
				5599	session->verify_result = ( (uint32_t) p[0] << 24 ) \|
				5600	( (uint32_t) p[1] << 16 ) \|
				5601	( (uint32_t) p[2] << 8 ) \|
				5602	( (uint32_t) p[3] );
				5603	p += 4;
				5604
				5605	/* Immediately clear invalid pointer values that have been read, in case
				5606	* we exit early before we replaced them with valid ones. */
				5607	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5608	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				5609	session->peer_cert = NULL;
				5610	#else
				5611	session->peer_cert_digest = NULL;
				5612	#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5613	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5614	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
				5615	session->ticket = NULL;
				5616	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
				5617
				5618	/*
				5619	* Peer certificate
				5620	*/
				5621	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5622	#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				5623	/* Deserialize CRT from the end of the ticket. */
				5624	if( 3 > (size_t)( end - p ) )
				5625	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5626
				5627	cert_len = ( p[0] << 16 ) \| ( p[1] << 8 ) \| p[2];
				5628	p += 3;
				5629
				5630	if( cert_len != 0 )
				5631	{
				5632	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				5633
				5634	if( cert_len > (size_t)( end - p ) )
				5635	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5636
				5637	session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
				5638
				5639	if( session->peer_cert == NULL )
				5640	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				5641
				5642	mbedtls_x509_crt_init( session->peer_cert );
				5643
				5644	if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
				5645	p, cert_len ) ) != 0 )
				5646	{
				5647	mbedtls_x509_crt_free( session->peer_cert );
				5648	mbedtls_free( session->peer_cert );
				5649	session->peer_cert = NULL;
				5650	return( ret );
				5651	}
				5652
				5653	p += cert_len;
				5654	}
				5655	#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5656	/* Deserialize CRT digest from the end of the ticket. */
				5657	if( 2 > (size_t)( end - p ) )
				5658	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5659
				5660	session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
				5661	session->peer_cert_digest_len = (size_t) *p++;
				5662
				5663	if( session->peer_cert_digest_len != 0 )
				5664	{
				5665	const mbedtls_md_info_t *md_info =
				5666	mbedtls_md_info_from_type( session->peer_cert_digest_type );
				5667	if( md_info == NULL )
				5668	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5669	if( session->peer_cert_digest_len != mbedtls_md_get_size( md_info ) )
				5670	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5671
				5672	if( session->peer_cert_digest_len > (size_t)( end - p ) )
				5673	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5674
				5675	session->peer_cert_digest =
				5676	mbedtls_calloc( 1, session->peer_cert_digest_len );
				5677	if( session->peer_cert_digest == NULL )
				5678	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				5679
				5680	memcpy( session->peer_cert_digest, p,
				5681	session->peer_cert_digest_len );
				5682	p += session->peer_cert_digest_len;
				5683	}
				5684	#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				5685	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5686
				5687	/*
				5688	* Session ticket and associated data
				5689	*/
				5690	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
				5691	if( 3 > (size_t)( end - p ) )
				5692	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5693
				5694	session->ticket_len = ( p[0] << 16 ) \| ( p[1] << 8 ) \| p[2];
				5695	p += 3;
				5696
				5697	if( session->ticket_len != 0 )
				5698	{
				5699	if( session->ticket_len > (size_t)( end - p ) )
				5700	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5701
				5702	session->ticket = mbedtls_calloc( 1, session->ticket_len );
				5703	if( session->ticket == NULL )
				5704	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
				5705
				5706	memcpy( session->ticket, p, session->ticket_len );
				5707	p += session->ticket_len;
				5708	}
				5709
				5710	if( 4 > (size_t)( end - p ) )
				5711	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5712
				5713	session->ticket_lifetime = ( (uint32_t) p[0] << 24 ) \|
				5714	( (uint32_t) p[1] << 16 ) \|
				5715	( (uint32_t) p[2] << 8 ) \|
				5716	( (uint32_t) p[3] );
				5717	p += 4;
				5718	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
				5719
				5720	/*
				5721	* Misc extension-related info
				5722	*/
				5723	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
				5724	if( 1 > (size_t)( end - p ) )
				5725	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5726
				5727	session->mfl_code = *p++;
				5728	#endif
				5729
				5730	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				5731	if( 1 > (size_t)( end - p ) )
				5732	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5733
				5734	session->trunc_hmac = *p++;
				5735	#endif
				5736
				5737	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				5738	if( 1 > (size_t)( end - p ) )
				5739	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5740
				5741	session->encrypt_then_mac = *p++;
				5742	#endif
				5743
				5744	/* Done, should have consumed entire buffer */
				5745	if( p != end )
				5746	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5747
				5748	return( 0 );
				5749	}
				5750
				5751	/*
				5752	* Deserialize session: public wrapper for error cleaning
				5753	*/
				5754	int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
				5755	const unsigned char *buf,
				5756	size_t len )
				5757	{
				5758	int ret = ssl_session_load( session, 0, buf, len );
				5759
				5760	if( ret != 0 )
				5761	mbedtls_ssl_session_free( session );
				5762
				5763	return( ret );
				5764	}
				5765
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5766	/*
				5767	* Perform a single step of the SSL handshake
				5768	*/
				5769	int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
				5770	{
				5771	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
				5772
				5773	if( ssl == NULL \|\| ssl->conf == NULL )
				5774	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5775
				5776	#if defined(MBEDTLS_SSL_CLI_C)
				5777	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
				5778	ret = mbedtls_ssl_handshake_client_step( ssl );
				5779	#endif
				5780	#if defined(MBEDTLS_SSL_SRV_C)
				5781	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				5782	ret = mbedtls_ssl_handshake_server_step( ssl );
				5783	#endif
				5784
				5785	return( ret );
				5786	}
				5787
				5788	/*
				5789	* Perform the SSL handshake
				5790	*/
				5791	int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
				5792	{
				5793	int ret = 0;
				5794
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	5795	/* Sanity checks */
				5796
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5797	if( ssl == NULL \|\| ssl->conf == NULL )
				5798	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5799
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	5800	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				5801	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
				5802	( ssl->f_set_timer == NULL \|\| ssl->f_get_timer == NULL ) )
				5803	{
				5804	MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
				5805	"mbedtls_ssl_set_timer_cb() for DTLS" ) );
				5806	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5807	}
				5808	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				5809
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5810	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
				5811
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	5812	/* Main handshake loop */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5813	while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
				5814	{
				5815	ret = mbedtls_ssl_handshake_step( ssl );
				5816
				5817	if( ret != 0 )
				5818	break;
				5819	}
				5820
				5821	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
				5822
				5823	return( ret );
				5824	}
				5825
				5826	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				5827	#if defined(MBEDTLS_SSL_SRV_C)
				5828	/*
				5829	* Write HelloRequest to request renegotiation on server
				5830	*/
				5831	static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
				5832	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5833	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5834
				5835	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
				5836
				5837	ssl->out_msglen = 4;
				5838	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
				5839	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
				5840
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5841	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5842	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5843	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5844	return( ret );
				5845	}
				5846
				5847	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
				5848
				5849	return( 0 );
				5850	}
				5851	#endif /* MBEDTLS_SSL_SRV_C */
				5852
				5853	/*
				5854	* Actually renegotiate current connection, triggered by either:
				5855	* - any side: calling mbedtls_ssl_renegotiate(),
				5856	* - client: receiving a HelloRequest during mbedtls_ssl_read(),
				5857	* - server: receiving any handshake message on server during mbedtls_ssl_read() after
				5858	* the initial handshake is completed.
				5859	* If the handshake doesn't complete due to waiting for I/O, it will continue
				5860	* during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
				5861	*/
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5862	int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5863	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5864	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5865
				5866	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
				5867
				5868	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
				5869	return( ret );
				5870
				5871	/* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
				5872	* the ServerHello will have message_seq = 1" */
				5873	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				5874	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
				5875	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
				5876	{
				5877	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				5878	ssl->handshake->out_msg_seq = 1;
				5879	else
				5880	ssl->handshake->in_msg_seq = 1;
				5881	}
				5882	#endif
				5883
				5884	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
				5885	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
				5886
				5887	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
				5888	{
				5889	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
				5890	return( ret );
				5891	}
				5892
				5893	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
				5894
				5895	return( 0 );
				5896	}
				5897
				5898	/*
				5899	* Renegotiate current connection on client,
				5900	* or request renegotiation on server
				5901	*/
				5902	int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
				5903	{
				5904	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
				5905
				5906	if( ssl == NULL \|\| ssl->conf == NULL )
				5907	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5908
				5909	#if defined(MBEDTLS_SSL_SRV_C)
				5910	/* On server, just send the request */
				5911	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
				5912	{
				5913	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
				5914	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5915
				5916	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
				5917
				5918	/* Did we already try/start sending HelloRequest? */
				5919	if( ssl->out_left != 0 )
				5920	return( mbedtls_ssl_flush_output( ssl ) );
				5921
				5922	return( ssl_write_hello_request( ssl ) );
				5923	}
				5924	#endif /* MBEDTLS_SSL_SRV_C */
				5925
				5926	#if defined(MBEDTLS_SSL_CLI_C)
				5927	/*
				5928	* On client, either start the renegotiation process or,
				5929	* if already in progress, continue the handshake
				5930	*/
				5931	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
				5932	{
				5933	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
				5934	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				5935
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5936	if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5937	{
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5938	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", ret );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5939	return( ret );
				5940	}
				5941	}
				5942	else
				5943	{
				5944	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
				5945	{
				5946	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
				5947	return( ret );
				5948	}
				5949	}
				5950	#endif /* MBEDTLS_SSL_CLI_C */
				5951
				5952	return( ret );
				5953	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5954	#endif /* MBEDTLS_SSL_RENEGOTIATION */
				5955
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5956	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				5957	static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
				5958	{
				5959	mbedtls_ssl_key_cert cur = key_cert, next;
				5960
				5961	while( cur != NULL )
				5962	{
				5963	next = cur->next;
				5964	mbedtls_free( cur );
				5965	cur = next;
				5966	}
				5967	}
				5968	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				5969
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5970	void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
				5971	{
				5972	mbedtls_ssl_handshake_params *handshake = ssl->handshake;
				5973
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5974	if( handshake == NULL )
				5975	return;
				5976
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	5977	#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
				5978	if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
				5979	{
				5980	ssl->conf->f_async_cancel( ssl );
				5981	handshake->async_in_progress = 0;
				5982	}
				5983	#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
				5984
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5985	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				5986	defined(MBEDTLS_SSL_PROTO_TLS1_1)
				5987	mbedtls_md5_free( &handshake->fin_md5 );
				5988	mbedtls_sha1_free( &handshake->fin_sha1 );
				5989	#endif
				5990	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				5991	#if defined(MBEDTLS_SHA256_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5992	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				5993	psa_hash_abort( &handshake->fin_sha256_psa );
				5994	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	5995	mbedtls_sha256_free( &handshake->fin_sha256 );
				5996	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5997	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	5998	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	5999	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				6000	psa_hash_abort( &handshake->fin_sha384_psa );
				6001	#else
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6002	mbedtls_sha512_free( &handshake->fin_sha512 );
				6003	#endif
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6004	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6005	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				6006
				6007	#if defined(MBEDTLS_DHM_C)
				6008	mbedtls_dhm_free( &handshake->dhm_ctx );
				6009	#endif
				6010	#if defined(MBEDTLS_ECDH_C)
				6011	mbedtls_ecdh_free( &handshake->ecdh_ctx );
				6012	#endif
				6013	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
				6014	mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
				6015	#if defined(MBEDTLS_SSL_CLI_C)
				6016	mbedtls_free( handshake->ecjpake_cache );
				6017	handshake->ecjpake_cache = NULL;
				6018	handshake->ecjpake_cache_len = 0;
				6019	#endif
				6020	#endif
				6021
				6022	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
				6023	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
				6024	/* explicit void pointer cast for buggy MS compiler */
				6025	mbedtls_free( (void *) handshake->curves );
				6026	#endif
				6027
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6028	#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6029	if( handshake->psk != NULL )
				6030	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6031	mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6032	mbedtls_free( handshake->psk );
				6033	}
				6034	#endif
				6035
				6036	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
				6037	defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
				6038	/*
				6039	* Free only the linked list wrapper, not the keys themselves
				6040	* since the belong to the SNI callback
				6041	*/
				6042	if( handshake->sni_key_cert != NULL )
				6043	{
				6044	mbedtls_ssl_key_cert cur = handshake->sni_key_cert, next;
				6045
				6046	while( cur != NULL )
				6047	{
				6048	next = cur->next;
				6049	mbedtls_free( cur );
				6050	cur = next;
				6051	}
				6052	}
				6053	#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
				6054
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6055	#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6056	mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6057	if( handshake->ecrs_peer_cert != NULL )
				6058	{
				6059	mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
				6060	mbedtls_free( handshake->ecrs_peer_cert );
				6061	}
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6062	#endif
				6063
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6064	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
				6065	!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
				6066	mbedtls_pk_free( &handshake->peer_pubkey );
				6067	#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
				6068
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6069	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6070	mbedtls_free( handshake->verify_cookie );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6071	mbedtls_ssl_flight_free( handshake->flight );
				6072	mbedtls_ssl_buffering_free( ssl );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6073	#endif
				6074
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6075	#if defined(MBEDTLS_ECDH_C) && \
				6076	defined(MBEDTLS_USE_PSA_CRYPTO)
				6077	psa_destroy_key( handshake->ecdh_psa_privkey );
				6078	#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
				6079
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6080	mbedtls_platform_zeroize( handshake,
				6081	sizeof( mbedtls_ssl_handshake_params ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6082
				6083	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				6084	/* If the buffers are too big - reallocate. Because of the way Mbed TLS
				6085	* processes datagrams and the fact that a datagram is allowed to have
				6086	* several records in it, it is possible that the I/O buffers are not
				6087	* empty at this stage */
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	6088	handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
				6089	mbedtls_ssl_get_output_buflen( ssl ) );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6090	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6091	}
				6092
				6093	void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
				6094	{
				6095	if( session == NULL )
				6096	return;
				6097
				6098	#if defined(MBEDTLS_X509_CRT_PARSE_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6099	ssl_clear_peer_cert( session );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6100	#endif
				6101
				6102	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
				6103	mbedtls_free( session->ticket );
				6104	#endif
				6105
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6106	mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6107	}
				6108
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6109	#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
				6110
				6111	#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
				6112	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
				6113	#else
				6114	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
				6115	#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
				6116
				6117	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
				6118	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
				6119	#else
				6120	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 0u
				6121	#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
				6122
				6123	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
				6124	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
				6125	#else
				6126	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
				6127	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
				6128
				6129	#if defined(MBEDTLS_SSL_ALPN)
				6130	#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
				6131	#else
				6132	#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
				6133	#endif /* MBEDTLS_SSL_ALPN */
				6134
				6135	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
				6136	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
				6137	#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
				6138	#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
				6139
				6140	#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
				6141	( (uint32_t) ( \
				6142	( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT ) \| \
				6143	( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT ) \| \
				6144	( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT ) \| \
				6145	( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT ) \| \
				6146	0u ) )
				6147
				6148	static unsigned char ssl_serialized_context_header[] = {
				6149	MBEDTLS_VERSION_MAJOR,
				6150	MBEDTLS_VERSION_MINOR,
				6151	MBEDTLS_VERSION_PATCH,
				6152	( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
				6153	( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
				6154	( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 16 ) & 0xFF,
				6155	( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 8 ) & 0xFF,
				6156	( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 0 ) & 0xFF,
				6157	};
				6158
				6159	/*
				6160	* Serialize a full SSL context
				6161	*
				6162	* The format of the serialized data is:
				6163	* (in the presentation language of TLS, RFC 8446 section 3)
				6164	*
				6165	* // header
				6166	* opaque mbedtls_version[3]; // major, minor, patch
				6167	* opaque context_format[5]; // version-specific field determining
				6168	* // the format of the remaining
				6169	* // serialized data.
				6170	* Note: When updating the format, remember to keep these
				6171	* version+format bytes. (We may make their size part of the API.)
				6172	*
				6173	* // session sub-structure
				6174	* opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
				6175	* // transform sub-structure
				6176	* uint8 random[64]; // ServerHello.random+ClientHello.random
				6177	* uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
				6178	* uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
				6179	* // fields from ssl_context
				6180	* uint32 badmac_seen; // DTLS: number of records with failing MAC
				6181	* uint64 in_window_top; // DTLS: last validated record seq_num
				6182	* uint64 in_window; // DTLS: bitmask for replay protection
				6183	* uint8 disable_datagram_packing; // DTLS: only one record per datagram
				6184	* uint64 cur_out_ctr; // Record layer: outgoing sequence number
				6185	* uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
				6186	* uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
				6187	*
				6188	* Note that many fields of the ssl_context or sub-structures are not
				6189	* serialized, as they fall in one of the following categories:
				6190	*
				6191	* 1. forced value (eg in_left must be 0)
				6192	* 2. pointer to dynamically-allocated memory (eg session, transform)
				6193	* 3. value can be re-derived from other data (eg session keys from MS)
				6194	* 4. value was temporary (eg content of input buffer)
				6195	* 5. value will be provided by the user again (eg I/O callbacks and context)
				6196	*/
				6197	int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
				6198	unsigned char *buf,
				6199	size_t buf_len,
				6200	size_t *olen )
				6201	{
				6202	unsigned char *p = buf;
				6203	size_t used = 0;
				6204	size_t session_len;
				6205	int ret = 0;
				6206
				6207	/*
				6208	* Enforce usage restrictions, see "return BAD_INPUT_DATA" in
				6209	* this function's documentation.
				6210	*
				6211	* These are due to assumptions/limitations in the implementation. Some of
				6212	* them are likely to stay (no handshake in progress) some might go away
				6213	* (only DTLS) but are currently used to simplify the implementation.
				6214	*/
				6215	/* The initial handshake must be over */
				6216	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
				6217	{
				6218	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) );
				6219	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6220	}
				6221	if( ssl->handshake != NULL )
				6222	{
				6223	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Handshake isn't completed" ) );
				6224	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6225	}
				6226	/* Double-check that sub-structures are indeed ready */
				6227	if( ssl->transform == NULL \|\| ssl->session == NULL )
				6228	{
				6229	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Serialised structures aren't ready" ) );
				6230	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6231	}
				6232	/* There must be no pending incoming or outgoing data */
				6233	if( mbedtls_ssl_check_pending( ssl ) != 0 )
				6234	{
				6235	MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending incoming data" ) );
				6236	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6237	}
				6238	if( ssl->out_left != 0 )
				6239	{
				6240	MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
				6241	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6242	}
				6243	/* Protocol must be DLTS, not TLS */
				6244	if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				6245	{
				6246	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
				6247	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6248	}
				6249	/* Version must be 1.2 */
				6250	if( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 )
				6251	{
				6252	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
				6253	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6254	}
				6255	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
				6256	{
				6257	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
				6258	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6259	}
				6260	/* We must be using an AEAD ciphersuite */
				6261	if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
				6262	{
				6263	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
				6264	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6265	}
				6266	/* Renegotiation must not be enabled */
				6267	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				6268	if( ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED )
				6269	{
				6270	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Renegotiation must not be enabled" ) );
				6271	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6272	}
				6273	#endif
				6274
				6275	/*
				6276	* Version and format identifier
				6277	*/
				6278	used += sizeof( ssl_serialized_context_header );
				6279
				6280	if( used <= buf_len )
				6281	{
				6282	memcpy( p, ssl_serialized_context_header,
				6283	sizeof( ssl_serialized_context_header ) );
				6284	p += sizeof( ssl_serialized_context_header );
				6285	}
				6286
				6287	/*
				6288	* Session (length + data)
				6289	*/
				6290	ret = ssl_session_save( ssl->session, 1, NULL, 0, &session_len );
				6291	if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
				6292	return( ret );
				6293
				6294	used += 4 + session_len;
				6295	if( used <= buf_len )
				6296	{
				6297	*p++ = (unsigned char)( ( session_len >> 24 ) & 0xFF );
				6298	*p++ = (unsigned char)( ( session_len >> 16 ) & 0xFF );
				6299	*p++ = (unsigned char)( ( session_len >> 8 ) & 0xFF );
				6300	*p++ = (unsigned char)( ( session_len ) & 0xFF );
				6301
				6302	ret = ssl_session_save( ssl->session, 1,
				6303	p, session_len, &session_len );
				6304	if( ret != 0 )
				6305	return( ret );
				6306
				6307	p += session_len;
				6308	}
				6309
				6310	/*
				6311	* Transform
				6312	*/
				6313	used += sizeof( ssl->transform->randbytes );
				6314	if( used <= buf_len )
				6315	{
				6316	memcpy( p, ssl->transform->randbytes,
				6317	sizeof( ssl->transform->randbytes ) );
				6318	p += sizeof( ssl->transform->randbytes );
				6319	}
				6320
				6321	#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
				6322	used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
				6323	if( used <= buf_len )
				6324	{
				6325	*p++ = ssl->transform->in_cid_len;
				6326	memcpy( p, ssl->transform->in_cid, ssl->transform->in_cid_len );
				6327	p += ssl->transform->in_cid_len;
				6328
				6329	*p++ = ssl->transform->out_cid_len;
				6330	memcpy( p, ssl->transform->out_cid, ssl->transform->out_cid_len );
				6331	p += ssl->transform->out_cid_len;
				6332	}
				6333	#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
				6334
				6335	/*
				6336	* Saved fields from top-level ssl_context structure
				6337	*/
				6338	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
				6339	used += 4;
				6340	if( used <= buf_len )
				6341	{
				6342	*p++ = (unsigned char)( ( ssl->badmac_seen >> 24 ) & 0xFF );
				6343	*p++ = (unsigned char)( ( ssl->badmac_seen >> 16 ) & 0xFF );
				6344	*p++ = (unsigned char)( ( ssl->badmac_seen >> 8 ) & 0xFF );
				6345	*p++ = (unsigned char)( ( ssl->badmac_seen ) & 0xFF );
				6346	}
				6347	#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
				6348
				6349	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
				6350	used += 16;
				6351	if( used <= buf_len )
				6352	{
				6353	*p++ = (unsigned char)( ( ssl->in_window_top >> 56 ) & 0xFF );
				6354	*p++ = (unsigned char)( ( ssl->in_window_top >> 48 ) & 0xFF );
				6355	*p++ = (unsigned char)( ( ssl->in_window_top >> 40 ) & 0xFF );
				6356	*p++ = (unsigned char)( ( ssl->in_window_top >> 32 ) & 0xFF );
				6357	*p++ = (unsigned char)( ( ssl->in_window_top >> 24 ) & 0xFF );
				6358	*p++ = (unsigned char)( ( ssl->in_window_top >> 16 ) & 0xFF );
				6359	*p++ = (unsigned char)( ( ssl->in_window_top >> 8 ) & 0xFF );
				6360	*p++ = (unsigned char)( ( ssl->in_window_top ) & 0xFF );
				6361
				6362	*p++ = (unsigned char)( ( ssl->in_window >> 56 ) & 0xFF );
				6363	*p++ = (unsigned char)( ( ssl->in_window >> 48 ) & 0xFF );
				6364	*p++ = (unsigned char)( ( ssl->in_window >> 40 ) & 0xFF );
				6365	*p++ = (unsigned char)( ( ssl->in_window >> 32 ) & 0xFF );
				6366	*p++ = (unsigned char)( ( ssl->in_window >> 24 ) & 0xFF );
				6367	*p++ = (unsigned char)( ( ssl->in_window >> 16 ) & 0xFF );
				6368	*p++ = (unsigned char)( ( ssl->in_window >> 8 ) & 0xFF );
				6369	*p++ = (unsigned char)( ( ssl->in_window ) & 0xFF );
				6370	}
				6371	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
				6372
				6373	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6374	used += 1;
				6375	if( used <= buf_len )
				6376	{
				6377	*p++ = ssl->disable_datagram_packing;
				6378	}
				6379	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				6380
				6381	used += 8;
				6382	if( used <= buf_len )
				6383	{
				6384	memcpy( p, ssl->cur_out_ctr, 8 );
				6385	p += 8;
				6386	}
				6387
				6388	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6389	used += 2;
				6390	if( used <= buf_len )
				6391	{
				6392	*p++ = (unsigned char)( ( ssl->mtu >> 8 ) & 0xFF );
				6393	*p++ = (unsigned char)( ( ssl->mtu ) & 0xFF );
				6394	}
				6395	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				6396
				6397	#if defined(MBEDTLS_SSL_ALPN)
				6398	{
				6399	const uint8_t alpn_len = ssl->alpn_chosen
				6400	? (uint8_t) strlen( ssl->alpn_chosen )
				6401	: 0;
				6402
				6403	used += 1 + alpn_len;
				6404	if( used <= buf_len )
				6405	{
				6406	*p++ = alpn_len;
				6407
				6408	if( ssl->alpn_chosen != NULL )
				6409	{
				6410	memcpy( p, ssl->alpn_chosen, alpn_len );
				6411	p += alpn_len;
				6412	}
				6413	}
				6414	}
				6415	#endif /* MBEDTLS_SSL_ALPN */
				6416
				6417	/*
				6418	* Done
				6419	*/
				6420	*olen = used;
				6421
				6422	if( used > buf_len )
				6423	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
				6424
				6425	MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
				6426
				6427	return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
				6428	}
				6429
				6430	/*
				6431	* Helper to get TLS 1.2 PRF from ciphersuite
				6432	* (Duplicates bits of logic from ssl_set_handshake_prfs().)
				6433	*/
				6434	typedef int (tls_prf_fn)( const unsigned char secret, size_t slen,
				6435	const char *label,
				6436	const unsigned char *random, size_t rlen,
				6437	unsigned char *dstbuf, size_t dlen );
				6438	static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
				6439	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	6440	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6441	const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
				6442	mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
				6443
				6444	if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
				6445	return( tls_prf_sha384 );
				6446	#else
				6447	(void) ciphersuite_id;
				6448	#endif
				6449	return( tls_prf_sha256 );
				6450	}
				6451
				6452	/*
				6453	* Deserialize context, see mbedtls_ssl_context_save() for format.
				6454	*
				6455	* This internal version is wrapped by a public function that cleans up in
				6456	* case of error.
				6457	*/
				6458	static int ssl_context_load( mbedtls_ssl_context *ssl,
				6459	const unsigned char *buf,
				6460	size_t len )
				6461	{
				6462	const unsigned char *p = buf;
				6463	const unsigned char * const end = buf + len;
				6464	size_t session_len;
				6465	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				6466
				6467	/*
				6468	* The context should have been freshly setup or reset.
				6469	* Give the user an error in case of obvious misuse.
				6470	* (Checking session is useful because it won't be NULL if we're
				6471	* renegotiating, or if the user mistakenly loaded a session first.)
				6472	*/
				6473	if( ssl->state != MBEDTLS_SSL_HELLO_REQUEST \|\|
				6474	ssl->session != NULL )
				6475	{
				6476	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6477	}
				6478
				6479	/*
				6480	* We can't check that the config matches the initial one, but we can at
				6481	* least check it matches the requirements for serializing.
				6482	*/
				6483	if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM \|\|
				6484	ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 \|\|
				6485	ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 \|\|
				6486	ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 \|\|
				6487	ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 \|\|
				6488	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				6489	ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED \|\|
				6490	#endif
				6491	0 )
				6492	{
				6493	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6494	}
				6495
				6496	MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
				6497
				6498	/*
				6499	* Check version identifier
				6500	*/
				6501	if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
				6502	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6503
				6504	if( memcmp( p, ssl_serialized_context_header,
				6505	sizeof( ssl_serialized_context_header ) ) != 0 )
				6506	{
				6507	return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
				6508	}
				6509	p += sizeof( ssl_serialized_context_header );
				6510
				6511	/*
				6512	* Session
				6513	*/
				6514	if( (size_t)( end - p ) < 4 )
				6515	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6516
				6517	session_len = ( (size_t) p[0] << 24 ) \|
				6518	( (size_t) p[1] << 16 ) \|
				6519	( (size_t) p[2] << 8 ) \|
				6520	( (size_t) p[3] );
				6521	p += 4;
				6522
				6523	/* This has been allocated by ssl_handshake_init(), called by
				6524	* by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
				6525	ssl->session = ssl->session_negotiate;
				6526	ssl->session_in = ssl->session;
				6527	ssl->session_out = ssl->session;
				6528	ssl->session_negotiate = NULL;
				6529
				6530	if( (size_t)( end - p ) < session_len )
				6531	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6532
				6533	ret = ssl_session_load( ssl->session, 1, p, session_len );
				6534	if( ret != 0 )
				6535	{
				6536	mbedtls_ssl_session_free( ssl->session );
				6537	return( ret );
				6538	}
				6539
				6540	p += session_len;
				6541
				6542	/*
				6543	* Transform
				6544	*/
				6545
				6546	/* This has been allocated by ssl_handshake_init(), called by
				6547	* by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
				6548	ssl->transform = ssl->transform_negotiate;
				6549	ssl->transform_in = ssl->transform;
				6550	ssl->transform_out = ssl->transform;
				6551	ssl->transform_negotiate = NULL;
				6552
				6553	/* Read random bytes and populate structure */
				6554	if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
				6555	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6556
				6557	ret = ssl_populate_transform( ssl->transform,
				6558	ssl->session->ciphersuite,
				6559	ssl->session->master,
				6560	#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
				6561	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				6562	ssl->session->encrypt_then_mac,
				6563	#endif
				6564	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				6565	ssl->session->trunc_hmac,
				6566	#endif
				6567	#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
				6568	#if defined(MBEDTLS_ZLIB_SUPPORT)
				6569	ssl->session->compression,
				6570	#endif
				6571	ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
				6572	p, /* currently pointing to randbytes */
				6573	MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
				6574	ssl->conf->endpoint,
				6575	ssl );
				6576	if( ret != 0 )
				6577	return( ret );
				6578
				6579	p += sizeof( ssl->transform->randbytes );
				6580
				6581	#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
				6582	/* Read connection IDs and store them */
				6583	if( (size_t)( end - p ) < 1 )
				6584	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6585
				6586	ssl->transform->in_cid_len = *p++;
				6587
				6588	if( (size_t)( end - p ) < ssl->transform->in_cid_len + 1u )
				6589	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6590
				6591	memcpy( ssl->transform->in_cid, p, ssl->transform->in_cid_len );
				6592	p += ssl->transform->in_cid_len;
				6593
				6594	ssl->transform->out_cid_len = *p++;
				6595
				6596	if( (size_t)( end - p ) < ssl->transform->out_cid_len )
				6597	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6598
				6599	memcpy( ssl->transform->out_cid, p, ssl->transform->out_cid_len );
				6600	p += ssl->transform->out_cid_len;
				6601	#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
				6602
				6603	/*
				6604	* Saved fields from top-level ssl_context structure
				6605	*/
				6606	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
				6607	if( (size_t)( end - p ) < 4 )
				6608	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6609
				6610	ssl->badmac_seen = ( (uint32_t) p[0] << 24 ) \|
				6611	( (uint32_t) p[1] << 16 ) \|
				6612	( (uint32_t) p[2] << 8 ) \|
				6613	( (uint32_t) p[3] );
				6614	p += 4;
				6615	#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
				6616
				6617	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
				6618	if( (size_t)( end - p ) < 16 )
				6619	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6620
				6621	ssl->in_window_top = ( (uint64_t) p[0] << 56 ) \|
				6622	( (uint64_t) p[1] << 48 ) \|
				6623	( (uint64_t) p[2] << 40 ) \|
				6624	( (uint64_t) p[3] << 32 ) \|
				6625	( (uint64_t) p[4] << 24 ) \|
				6626	( (uint64_t) p[5] << 16 ) \|
				6627	( (uint64_t) p[6] << 8 ) \|
				6628	( (uint64_t) p[7] );
				6629	p += 8;
				6630
				6631	ssl->in_window = ( (uint64_t) p[0] << 56 ) \|
				6632	( (uint64_t) p[1] << 48 ) \|
				6633	( (uint64_t) p[2] << 40 ) \|
				6634	( (uint64_t) p[3] << 32 ) \|
				6635	( (uint64_t) p[4] << 24 ) \|
				6636	( (uint64_t) p[5] << 16 ) \|
				6637	( (uint64_t) p[6] << 8 ) \|
				6638	( (uint64_t) p[7] );
				6639	p += 8;
				6640	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
				6641
				6642	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6643	if( (size_t)( end - p ) < 1 )
				6644	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6645
				6646	ssl->disable_datagram_packing = *p++;
				6647	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				6648
				6649	if( (size_t)( end - p ) < 8 )
				6650	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6651
				6652	memcpy( ssl->cur_out_ctr, p, 8 );
				6653	p += 8;
				6654
				6655	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6656	if( (size_t)( end - p ) < 2 )
				6657	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6658
				6659	ssl->mtu = ( p[0] << 8 ) \| p[1];
				6660	p += 2;
				6661	#endif /* MBEDTLS_SSL_PROTO_DTLS */
				6662
				6663	#if defined(MBEDTLS_SSL_ALPN)
				6664	{
				6665	uint8_t alpn_len;
				6666	const char **cur;
				6667
				6668	if( (size_t)( end - p ) < 1 )
				6669	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6670
				6671	alpn_len = *p++;
				6672
				6673	if( alpn_len != 0 && ssl->conf->alpn_list != NULL )
				6674	{
				6675	/* alpn_chosen should point to an item in the configured list */
				6676	for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
				6677	{
				6678	if( strlen( *cur ) == alpn_len &&
				6679	memcmp( p, cur, alpn_len ) == 0 )
				6680	{
				6681	ssl->alpn_chosen = *cur;
				6682	break;
				6683	}
				6684	}
				6685	}
				6686
				6687	/* can only happen on conf mismatch */
				6688	if( alpn_len != 0 && ssl->alpn_chosen == NULL )
				6689	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6690
				6691	p += alpn_len;
				6692	}
				6693	#endif /* MBEDTLS_SSL_ALPN */
				6694
				6695	/*
				6696	* Forced fields from top-level ssl_context structure
				6697	*
				6698	* Most of them already set to the correct value by mbedtls_ssl_init() and
				6699	* mbedtls_ssl_reset(), so we only need to set the remaining ones.
				6700	*/
				6701	ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
				6702
				6703	ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
				6704	ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
				6705
				6706	/* Adjust pointers for header fields of outgoing records to
				6707	* the given transform, accounting for explicit IV and CID. */
				6708	mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
				6709
				6710	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6711	ssl->in_epoch = 1;
				6712	#endif
				6713
				6714	/* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
				6715	* which we don't want - otherwise we'd end up freeing the wrong transform
				6716	* by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
				6717	* inappropriately. */
				6718	if( ssl->handshake != NULL )
				6719	{
				6720	mbedtls_ssl_handshake_free( ssl );
				6721	mbedtls_free( ssl->handshake );
				6722	ssl->handshake = NULL;
				6723	}
				6724
				6725	/*
				6726	* Done - should have consumed entire buffer
				6727	*/
				6728	if( p != end )
				6729	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
				6730
				6731	return( 0 );
				6732	}
				6733
				6734	/*
				6735	* Deserialize context: public wrapper for error cleaning
				6736	*/
				6737	int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
				6738	const unsigned char *buf,
				6739	size_t len )
				6740	{
				6741	int ret = ssl_context_load( context, buf, len );
				6742
				6743	if( ret != 0 )
				6744	mbedtls_ssl_free( context );
				6745
				6746	return( ret );
				6747	}
				6748	#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
				6749
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6750	/*
				6751	* Free an SSL context
				6752	*/
				6753	void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
				6754	{
				6755	if( ssl == NULL )
				6756	return;
				6757
				6758	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
				6759
				6760	if( ssl->out_buf != NULL )
				6761	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	6762	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				6763	size_t out_buf_len = ssl->out_buf_len;
				6764	#else
				6765	size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
				6766	#endif
				6767
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6768	mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6769	mbedtls_free( ssl->out_buf );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6770	ssl->out_buf = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6771	}
				6772
				6773	if( ssl->in_buf != NULL )
				6774	{
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	6775	#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
				6776	size_t in_buf_len = ssl->in_buf_len;
				6777	#else
				6778	size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
				6779	#endif
				6780
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6781	mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6782	mbedtls_free( ssl->in_buf );
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6783	ssl->in_buf = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6784	}
				6785
				6786	#if defined(MBEDTLS_ZLIB_SUPPORT)
				6787	if( ssl->compress_buf != NULL )
				6788	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6789	mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6790	mbedtls_free( ssl->compress_buf );
				6791	}
				6792	#endif
				6793
				6794	if( ssl->transform )
				6795	{
				6796	mbedtls_ssl_transform_free( ssl->transform );
				6797	mbedtls_free( ssl->transform );
				6798	}
				6799
				6800	if( ssl->handshake )
				6801	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6802	mbedtls_ssl_handshake_free( ssl );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6803	mbedtls_ssl_transform_free( ssl->transform_negotiate );
				6804	mbedtls_ssl_session_free( ssl->session_negotiate );
				6805
				6806	mbedtls_free( ssl->handshake );
				6807	mbedtls_free( ssl->transform_negotiate );
				6808	mbedtls_free( ssl->session_negotiate );
				6809	}
				6810
				6811	if( ssl->session )
				6812	{
				6813	mbedtls_ssl_session_free( ssl->session );
				6814	mbedtls_free( ssl->session );
				6815	}
				6816
				6817	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				6818	if( ssl->hostname != NULL )
				6819	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6820	mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6821	mbedtls_free( ssl->hostname );
				6822	}
				6823	#endif
				6824
				6825	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
				6826	if( mbedtls_ssl_hw_record_finish != NULL )
				6827	{
				6828	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
				6829	mbedtls_ssl_hw_record_finish( ssl );
				6830	}
				6831	#endif
				6832
				6833	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
				6834	mbedtls_free( ssl->cli_id );
				6835	#endif
				6836
				6837	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
				6838
				6839	/* Actually clear after last debug message */
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6840	mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6841	}
				6842
				6843	/*
				6844	* Initialze mbedtls_ssl_config
				6845	*/
				6846	void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
				6847	{
				6848	memset( conf, 0, sizeof( mbedtls_ssl_config ) );
				6849	}
				6850
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6851	#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6852	static int ssl_preset_default_hashes[] = {
				6853	#if defined(MBEDTLS_SHA512_C)
				6854	MBEDTLS_MD_SHA512,
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	6855	#endif
				6856	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6857	MBEDTLS_MD_SHA384,
				6858	#endif
				6859	#if defined(MBEDTLS_SHA256_C)
				6860	MBEDTLS_MD_SHA256,
				6861	MBEDTLS_MD_SHA224,
				6862	#endif
				6863	#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
				6864	MBEDTLS_MD_SHA1,
				6865	#endif
				6866	MBEDTLS_MD_NONE
				6867	};
				6868	#endif
				6869
				6870	static int ssl_preset_suiteb_ciphersuites[] = {
				6871	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				6872	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				6873	0
				6874	};
				6875
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6876	#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6877	static int ssl_preset_suiteb_hashes[] = {
				6878	MBEDTLS_MD_SHA256,
				6879	MBEDTLS_MD_SHA384,
				6880	MBEDTLS_MD_NONE
				6881	};
				6882	#endif
				6883
				6884	#if defined(MBEDTLS_ECP_C)
				6885	static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
Jerome Forissier	5b25c76	2020-04-07 11:18:49 +0200	[diff] [blame]	6886	#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6887	MBEDTLS_ECP_DP_SECP256R1,
Jerome Forissier	5b25c76	2020-04-07 11:18:49 +0200	[diff] [blame]	6888	#endif
				6889	#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6890	MBEDTLS_ECP_DP_SECP384R1,
Jerome Forissier	5b25c76	2020-04-07 11:18:49 +0200	[diff] [blame]	6891	#endif
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6892	MBEDTLS_ECP_DP_NONE
				6893	};
				6894	#endif
				6895
				6896	/*
				6897	* Load default in mbedtls_ssl_config
				6898	*/
				6899	int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
				6900	int endpoint, int transport, int preset )
				6901	{
				6902	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	6903	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6904	#endif
				6905
				6906	/* Use the functions here so that they are covered in tests,
				6907	* but otherwise access member directly for efficiency */
				6908	mbedtls_ssl_conf_endpoint( conf, endpoint );
				6909	mbedtls_ssl_conf_transport( conf, transport );
				6910
				6911	/*
				6912	* Things that are common to all presets
				6913	*/
				6914	#if defined(MBEDTLS_SSL_CLI_C)
				6915	if( endpoint == MBEDTLS_SSL_IS_CLIENT )
				6916	{
				6917	conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
				6918	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
				6919	conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
				6920	#endif
				6921	}
				6922	#endif
				6923
				6924	#if defined(MBEDTLS_ARC4_C)
				6925	conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
				6926	#endif
				6927
				6928	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				6929	conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
				6930	#endif
				6931
				6932	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
				6933	conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
				6934	#endif
				6935
				6936	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
				6937	conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
				6938	#endif
				6939
				6940	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
				6941	conf->f_cookie_write = ssl_cookie_write_dummy;
				6942	conf->f_cookie_check = ssl_cookie_check_dummy;
				6943	#endif
				6944
				6945	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
				6946	conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
				6947	#endif
				6948
				6949	#if defined(MBEDTLS_SSL_SRV_C)
				6950	conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
				6951	#endif
				6952
				6953	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				6954	conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
				6955	conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
				6956	#endif
				6957
				6958	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				6959	conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
				6960	memset( conf->renego_period, 0x00, 2 );
				6961	memset( conf->renego_period + 2, 0xFF, 6 );
				6962	#endif
				6963
				6964	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
				6965	if( endpoint == MBEDTLS_SSL_IS_SERVER )
				6966	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	6967	const unsigned char dhm_p[] =
				6968	MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
				6969	const unsigned char dhm_g[] =
				6970	MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
				6971
				6972	if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
				6973	dhm_p, sizeof( dhm_p ),
				6974	dhm_g, sizeof( dhm_g ) ) ) != 0 )
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	6975	{
				6976	return( ret );
				6977	}
				6978	}
				6979	#endif
				6980
				6981	/*
				6982	* Preset-specific defaults
				6983	*/
				6984	switch( preset )
				6985	{
				6986	/*
				6987	* NSA Suite B
				6988	*/
				6989	case MBEDTLS_SSL_PRESET_SUITEB:
				6990	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
				6991	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
				6992	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
				6993	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
				6994
				6995	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
				6996	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
				6997	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
				6998	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
				6999	ssl_preset_suiteb_ciphersuites;
				7000
				7001	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				7002	conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
				7003	#endif
				7004
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7005	#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7006	conf->sig_hashes = ssl_preset_suiteb_hashes;
				7007	#endif
				7008
				7009	#if defined(MBEDTLS_ECP_C)
				7010	conf->curve_list = ssl_preset_suiteb_curves;
				7011	#endif
				7012	break;
				7013
				7014	/*
				7015	* Default
				7016	*/
				7017	default:
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7018	conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
				7019	MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
				7020	MBEDTLS_SSL_MIN_MAJOR_VERSION :
				7021	MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
				7022	conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
				7023	MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
				7024	MBEDTLS_SSL_MIN_MINOR_VERSION :
				7025	MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7026	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
				7027	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
				7028
				7029	#if defined(MBEDTLS_SSL_PROTO_DTLS)
				7030	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
				7031	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
				7032	#endif
				7033
				7034	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
				7035	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
				7036	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
				7037	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
				7038	mbedtls_ssl_list_ciphersuites();
				7039
				7040	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				7041	conf->cert_profile = &mbedtls_x509_crt_profile_default;
				7042	#endif
				7043
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7044	#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7045	conf->sig_hashes = ssl_preset_default_hashes;
				7046	#endif
				7047
				7048	#if defined(MBEDTLS_ECP_C)
				7049	conf->curve_list = mbedtls_ecp_grp_id_list();
				7050	#endif
				7051
				7052	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
				7053	conf->dhm_min_bitlen = 1024;
				7054	#endif
				7055	}
				7056
				7057	return( 0 );
				7058	}
				7059
				7060	/*
				7061	* Free mbedtls_ssl_config
				7062	*/
				7063	void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
				7064	{
				7065	#if defined(MBEDTLS_DHM_C)
				7066	mbedtls_mpi_free( &conf->dhm_P );
				7067	mbedtls_mpi_free( &conf->dhm_G );
				7068	#endif
				7069
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7070	#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7071	if( conf->psk != NULL )
				7072	{
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7073	mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7074	mbedtls_free( conf->psk );
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7075	conf->psk = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7076	conf->psk_len = 0;
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7077	}
				7078
				7079	if( conf->psk_identity != NULL )
				7080	{
				7081	mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
				7082	mbedtls_free( conf->psk_identity );
				7083	conf->psk_identity = NULL;
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7084	conf->psk_identity_len = 0;
				7085	}
				7086	#endif
				7087
				7088	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				7089	ssl_key_cert_free( conf->key_cert );
				7090	#endif
				7091
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7092	mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7093	}
				7094
				7095	#if defined(MBEDTLS_PK_C) && \
				7096	( defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C) )
				7097	/*
				7098	* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
				7099	*/
				7100	unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
				7101	{
				7102	#if defined(MBEDTLS_RSA_C)
				7103	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
				7104	return( MBEDTLS_SSL_SIG_RSA );
				7105	#endif
				7106	#if defined(MBEDTLS_ECDSA_C)
				7107	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
				7108	return( MBEDTLS_SSL_SIG_ECDSA );
				7109	#endif
				7110	return( MBEDTLS_SSL_SIG_ANON );
				7111	}
				7112
				7113	unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
				7114	{
				7115	switch( type ) {
				7116	case MBEDTLS_PK_RSA:
				7117	return( MBEDTLS_SSL_SIG_RSA );
				7118	case MBEDTLS_PK_ECDSA:
				7119	case MBEDTLS_PK_ECKEY:
				7120	return( MBEDTLS_SSL_SIG_ECDSA );
				7121	default:
				7122	return( MBEDTLS_SSL_SIG_ANON );
				7123	}
				7124	}
				7125
				7126	mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
				7127	{
				7128	switch( sig )
				7129	{
				7130	#if defined(MBEDTLS_RSA_C)
				7131	case MBEDTLS_SSL_SIG_RSA:
				7132	return( MBEDTLS_PK_RSA );
				7133	#endif
				7134	#if defined(MBEDTLS_ECDSA_C)
				7135	case MBEDTLS_SSL_SIG_ECDSA:
				7136	return( MBEDTLS_PK_ECDSA );
				7137	#endif
				7138	default:
				7139	return( MBEDTLS_PK_NONE );
				7140	}
				7141	}
				7142	#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C \|\| MBEDTLS_ECDSA_C ) */
				7143
				7144	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7145	defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7146
				7147	/* Find an entry in a signature-hash set matching a given hash algorithm. */
				7148	mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
				7149	mbedtls_pk_type_t sig_alg )
				7150	{
				7151	switch( sig_alg )
				7152	{
				7153	case MBEDTLS_PK_RSA:
				7154	return( set->rsa );
				7155	case MBEDTLS_PK_ECDSA:
				7156	return( set->ecdsa );
				7157	default:
				7158	return( MBEDTLS_MD_NONE );
				7159	}
				7160	}
				7161
				7162	/* Add a signature-hash-pair to a signature-hash set */
				7163	void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
				7164	mbedtls_pk_type_t sig_alg,
				7165	mbedtls_md_type_t md_alg )
				7166	{
				7167	switch( sig_alg )
				7168	{
				7169	case MBEDTLS_PK_RSA:
				7170	if( set->rsa == MBEDTLS_MD_NONE )
				7171	set->rsa = md_alg;
				7172	break;
				7173
				7174	case MBEDTLS_PK_ECDSA:
				7175	if( set->ecdsa == MBEDTLS_MD_NONE )
				7176	set->ecdsa = md_alg;
				7177	break;
				7178
				7179	default:
				7180	break;
				7181	}
				7182	}
				7183
				7184	/* Allow exactly one hash algorithm for each signature. */
				7185	void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
				7186	mbedtls_md_type_t md_alg )
				7187	{
				7188	set->rsa = md_alg;
				7189	set->ecdsa = md_alg;
				7190	}
				7191
				7192	#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7193	MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7194
				7195	/*
				7196	* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
				7197	*/
				7198	mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
				7199	{
				7200	switch( hash )
				7201	{
				7202	#if defined(MBEDTLS_MD5_C)
				7203	case MBEDTLS_SSL_HASH_MD5:
				7204	return( MBEDTLS_MD_MD5 );
				7205	#endif
				7206	#if defined(MBEDTLS_SHA1_C)
				7207	case MBEDTLS_SSL_HASH_SHA1:
				7208	return( MBEDTLS_MD_SHA1 );
				7209	#endif
				7210	#if defined(MBEDTLS_SHA256_C)
				7211	case MBEDTLS_SSL_HASH_SHA224:
				7212	return( MBEDTLS_MD_SHA224 );
				7213	case MBEDTLS_SSL_HASH_SHA256:
				7214	return( MBEDTLS_MD_SHA256 );
				7215	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	7216	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7217	case MBEDTLS_SSL_HASH_SHA384:
				7218	return( MBEDTLS_MD_SHA384 );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	7219	#endif
				7220	#if defined(MBEDTLS_SHA512_C)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7221	case MBEDTLS_SSL_HASH_SHA512:
				7222	return( MBEDTLS_MD_SHA512 );
				7223	#endif
				7224	default:
				7225	return( MBEDTLS_MD_NONE );
				7226	}
				7227	}
				7228
				7229	/*
				7230	* Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
				7231	*/
				7232	unsigned char mbedtls_ssl_hash_from_md_alg( int md )
				7233	{
				7234	switch( md )
				7235	{
				7236	#if defined(MBEDTLS_MD5_C)
				7237	case MBEDTLS_MD_MD5:
				7238	return( MBEDTLS_SSL_HASH_MD5 );
				7239	#endif
				7240	#if defined(MBEDTLS_SHA1_C)
				7241	case MBEDTLS_MD_SHA1:
				7242	return( MBEDTLS_SSL_HASH_SHA1 );
				7243	#endif
				7244	#if defined(MBEDTLS_SHA256_C)
				7245	case MBEDTLS_MD_SHA224:
				7246	return( MBEDTLS_SSL_HASH_SHA224 );
				7247	case MBEDTLS_MD_SHA256:
				7248	return( MBEDTLS_SSL_HASH_SHA256 );
				7249	#endif
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	7250	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7251	case MBEDTLS_MD_SHA384:
				7252	return( MBEDTLS_SSL_HASH_SHA384 );
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	7253	#endif
				7254	#if defined(MBEDTLS_SHA512_C)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7255	case MBEDTLS_MD_SHA512:
				7256	return( MBEDTLS_SSL_HASH_SHA512 );
				7257	#endif
				7258	default:
				7259	return( MBEDTLS_SSL_HASH_NONE );
				7260	}
				7261	}
				7262
				7263	#if defined(MBEDTLS_ECP_C)
				7264	/*
				7265	* Check if a curve proposed by the peer is in our list.
				7266	* Return 0 if we're willing to use it, -1 otherwise.
				7267	*/
				7268	int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
				7269	{
				7270	const mbedtls_ecp_group_id *gid;
				7271
				7272	if( ssl->conf->curve_list == NULL )
				7273	return( -1 );
				7274
				7275	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
				7276	if( *gid == grp_id )
				7277	return( 0 );
				7278
				7279	return( -1 );
				7280	}
				7281	#endif /* MBEDTLS_ECP_C */
				7282
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7283	#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7284	/*
				7285	* Check if a hash proposed by the peer is in our list.
				7286	* Return 0 if we're willing to use it, -1 otherwise.
				7287	*/
				7288	int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
				7289	mbedtls_md_type_t md )
				7290	{
				7291	const int *cur;
				7292
				7293	if( ssl->conf->sig_hashes == NULL )
				7294	return( -1 );
				7295
				7296	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
				7297	if( *cur == (int) md )
				7298	return( 0 );
				7299
				7300	return( -1 );
				7301	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7302	#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7303
				7304	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				7305	int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
				7306	const mbedtls_ssl_ciphersuite_t *ciphersuite,
				7307	int cert_endpoint,
				7308	uint32_t *flags )
				7309	{
				7310	int ret = 0;
				7311	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
				7312	int usage = 0;
				7313	#endif
				7314	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
				7315	const char *ext_oid;
				7316	size_t ext_len;
				7317	#endif
				7318
				7319	#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
				7320	!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
				7321	((void) cert);
				7322	((void) cert_endpoint);
				7323	((void) flags);
				7324	#endif
				7325
				7326	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
				7327	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
				7328	{
				7329	/* Server part of the key exchange */
				7330	switch( ciphersuite->key_exchange )
				7331	{
				7332	case MBEDTLS_KEY_EXCHANGE_RSA:
				7333	case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
				7334	usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
				7335	break;
				7336
				7337	case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
				7338	case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
				7339	case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
				7340	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
				7341	break;
				7342
				7343	case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
				7344	case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
				7345	usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
				7346	break;
				7347
				7348	/* Don't use default: we want warnings when adding new values */
				7349	case MBEDTLS_KEY_EXCHANGE_NONE:
				7350	case MBEDTLS_KEY_EXCHANGE_PSK:
				7351	case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
				7352	case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
				7353	case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
				7354	usage = 0;
				7355	}
				7356	}
				7357	else
				7358	{
				7359	/* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
				7360	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
				7361	}
				7362
				7363	if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
				7364	{
				7365	*flags \|= MBEDTLS_X509_BADCERT_KEY_USAGE;
				7366	ret = -1;
				7367	}
				7368	#else
				7369	((void) ciphersuite);
				7370	#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
				7371
				7372	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
				7373	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
				7374	{
				7375	ext_oid = MBEDTLS_OID_SERVER_AUTH;
				7376	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
				7377	}
				7378	else
				7379	{
				7380	ext_oid = MBEDTLS_OID_CLIENT_AUTH;
				7381	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
				7382	}
				7383
				7384	if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
				7385	{
				7386	*flags \|= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
				7387	ret = -1;
				7388	}
				7389	#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
				7390
				7391	return( ret );
				7392	}
				7393	#endif /* MBEDTLS_X509_CRT_PARSE_C */
				7394
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7395	int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
				7396	{
				7397	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
				7398	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
				7399	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
				7400
				7401	switch( md )
				7402	{
				7403	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
				7404	#if defined(MBEDTLS_MD5_C)
				7405	case MBEDTLS_SSL_HASH_MD5:
				7406	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
				7407	#endif
				7408	#if defined(MBEDTLS_SHA1_C)
				7409	case MBEDTLS_SSL_HASH_SHA1:
				7410	ssl->handshake->calc_verify = ssl_calc_verify_tls;
				7411	break;
				7412	#endif
				7413	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
Jerome Forissier	7901324	2021-07-28 10:24:04 +0200	[diff] [blame]	7414	#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7415	case MBEDTLS_SSL_HASH_SHA384:
				7416	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
				7417	break;
				7418	#endif
				7419	#if defined(MBEDTLS_SHA256_C)
				7420	case MBEDTLS_SSL_HASH_SHA256:
				7421	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
				7422	break;
				7423	#endif
				7424	default:
				7425	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
				7426	}
				7427
				7428	return 0;
				7429	#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
				7430	(void) ssl;
				7431	(void) md;
				7432
				7433	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
				7434	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
				7435	}
				7436
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7437	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
				7438	defined(MBEDTLS_SSL_PROTO_TLS1_1)
				7439	int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
				7440	unsigned char *output,
				7441	unsigned char *data, size_t data_len )
				7442	{
				7443	int ret = 0;
				7444	mbedtls_md5_context mbedtls_md5;
				7445	mbedtls_sha1_context mbedtls_sha1;
				7446
				7447	mbedtls_md5_init( &mbedtls_md5 );
				7448	mbedtls_sha1_init( &mbedtls_sha1 );
				7449
				7450	/*
				7451	* digitally-signed struct {
				7452	* opaque md5_hash[16];
				7453	* opaque sha_hash[20];
				7454	* };
				7455	*
				7456	* md5_hash
				7457	* MD5(ClientHello.random + ServerHello.random
				7458	* + ServerParams);
				7459	* sha_hash
				7460	* SHA(ClientHello.random + ServerHello.random
				7461	* + ServerParams);
				7462	*/
				7463	if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
				7464	{
				7465	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
				7466	goto exit;
				7467	}
				7468	if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
				7469	ssl->handshake->randbytes, 64 ) ) != 0 )
				7470	{
				7471	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
				7472	goto exit;
				7473	}
				7474	if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
				7475	{
				7476	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
				7477	goto exit;
				7478	}
				7479	if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
				7480	{
				7481	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
				7482	goto exit;
				7483	}
				7484
				7485	if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
				7486	{
				7487	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
				7488	goto exit;
				7489	}
				7490	if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
				7491	ssl->handshake->randbytes, 64 ) ) != 0 )
				7492	{
				7493	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
				7494	goto exit;
				7495	}
				7496	if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
				7497	data_len ) ) != 0 )
				7498	{
				7499	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
				7500	goto exit;
				7501	}
				7502	if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
				7503	output + 16 ) ) != 0 )
				7504	{
				7505	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
				7506	goto exit;
				7507	}
				7508
				7509	exit:
				7510	mbedtls_md5_free( &mbedtls_md5 );
				7511	mbedtls_sha1_free( &mbedtls_sha1 );
				7512
				7513	if( ret != 0 )
				7514	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				7515	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
				7516
				7517	return( ret );
				7518
				7519	}
				7520	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
				7521	MBEDTLS_SSL_PROTO_TLS1_1 */
				7522
				7523	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
				7524	defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7525
				7526	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				7527	int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
				7528	unsigned char hash, size_t hashlen,
				7529	unsigned char *data, size_t data_len,
				7530	mbedtls_md_type_t md_alg )
				7531	{
				7532	psa_status_t status;
				7533	psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
				7534	psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
				7535
				7536	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
				7537
				7538	if( ( status = psa_hash_setup( &hash_operation,
				7539	hash_alg ) ) != PSA_SUCCESS )
				7540	{
				7541	MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
				7542	goto exit;
				7543	}
				7544
				7545	if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
				7546	64 ) ) != PSA_SUCCESS )
				7547	{
				7548	MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
				7549	goto exit;
				7550	}
				7551
				7552	if( ( status = psa_hash_update( &hash_operation,
				7553	data, data_len ) ) != PSA_SUCCESS )
				7554	{
				7555	MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
				7556	goto exit;
				7557	}
				7558
				7559	if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
				7560	hashlen ) ) != PSA_SUCCESS )
				7561	{
				7562	MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
				7563	goto exit;
				7564	}
				7565
				7566	exit:
				7567	if( status != PSA_SUCCESS )
				7568	{
				7569	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				7570	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
				7571	switch( status )
				7572	{
				7573	case PSA_ERROR_NOT_SUPPORTED:
				7574	return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
				7575	case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
				7576	case PSA_ERROR_BUFFER_TOO_SMALL:
				7577	return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
				7578	case PSA_ERROR_INSUFFICIENT_MEMORY:
				7579	return( MBEDTLS_ERR_MD_ALLOC_FAILED );
				7580	default:
				7581	return( MBEDTLS_ERR_MD_HW_ACCEL_FAILED );
				7582	}
				7583	}
				7584	return( 0 );
				7585	}
				7586
				7587	#else
				7588
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7589	int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
				7590	unsigned char hash, size_t hashlen,
				7591	unsigned char *data, size_t data_len,
				7592	mbedtls_md_type_t md_alg )
				7593	{
				7594	int ret = 0;
				7595	mbedtls_md_context_t ctx;
				7596	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
				7597	*hashlen = mbedtls_md_get_size( md_info );
				7598
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7599	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
				7600
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7601	mbedtls_md_init( &ctx );
				7602
				7603	/*
				7604	* digitally-signed struct {
				7605	* opaque client_random[32];
				7606	* opaque server_random[32];
				7607	* ServerDHParams params;
				7608	* };
				7609	*/
				7610	if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
				7611	{
				7612	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
				7613	goto exit;
				7614	}
				7615	if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
				7616	{
				7617	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
				7618	goto exit;
				7619	}
				7620	if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
				7621	{
				7622	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
				7623	goto exit;
				7624	}
				7625	if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
				7626	{
				7627	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
				7628	goto exit;
				7629	}
				7630	if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
				7631	{
				7632	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
				7633	goto exit;
				7634	}
				7635
				7636	exit:
				7637	mbedtls_md_free( &ctx );
				7638
				7639	if( ret != 0 )
				7640	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
				7641	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
				7642
				7643	return( ret );
				7644	}
Jerome Forissier	11fa71b	2020-04-20 17:17:56 +0200	[diff] [blame]	7645	#endif /* MBEDTLS_USE_PSA_CRYPTO */
				7646
Jens Wiklander	3d3b059	2019-03-20 15:30:29 +0100	[diff] [blame]	7647	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
				7648	MBEDTLS_SSL_PROTO_TLS1_2 */
				7649
Jens Wiklander	817466c	2018-05-22 13:49:31 +0200	[diff] [blame]	7650	#endif /* MBEDTLS_SSL_TLS_C */