TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 11fa71b9ddb429088f325cfda430183003ccd1db / . / lib / libmbedtls / mbedtls / library / ssl_msg.c
blob: 976fc7b00b0bd106816529d498221f00bdef9fec [file] [log] [blame]
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]1/*
2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
4 *
5 * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 *
20 * This file is part of mbed TLS (https://tls.mbed.org)
21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
31#if !defined(MBEDTLS_CONFIG_FILE)
32#include "mbedtls/config.h"
33#else
34#include MBEDTLS_CONFIG_FILE
35#endif
36
37#if defined(MBEDTLS_SSL_TLS_C)
38
39#if defined(MBEDTLS_PLATFORM_C)
40#include "mbedtls/platform.h"
41#else
42#include <stdlib.h>
43#define mbedtls_calloc calloc
44#define mbedtls_free free
45#endif
46
47#include "mbedtls/ssl.h"
48#include "mbedtls/ssl_internal.h"
49#include "mbedtls/debug.h"
50#include "mbedtls/error.h"
51#include "mbedtls/platform_util.h"
52#include "mbedtls/version.h"
53
54#include <string.h>
55
56#if defined(MBEDTLS_USE_PSA_CRYPTO)
57#include "mbedtls/psa_util.h"
58#include "psa/crypto.h"
59#endif
60
61#if defined(MBEDTLS_X509_CRT_PARSE_C)
62#include "mbedtls/oid.h"
63#endif
64
65static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
66
67/*
68 * Start a timer.
69 * Passing millisecs = 0 cancels a running timer.
70 */
71void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
72{
73 if( ssl->f_set_timer == NULL )
74 return;
75
76 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
77 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
78}
79
80/*
81 * Return -1 is timer is expired, 0 if it isn't.
82 */
83int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
84{
85 if( ssl->f_get_timer == NULL )
86 return( 0 );
87
88 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
89 {
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
91 return( -1 );
92 }
93
94 return( 0 );
95}
96
97#if defined(MBEDTLS_SSL_RECORD_CHECKING)
98static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
99 unsigned char *buf,
100 size_t len,
101 mbedtls_record *rec );
102
103int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
104 unsigned char *buf,
105 size_t buflen )
106{
107 int ret = 0;
108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
109 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
110
111 /* We don't support record checking in TLS because
112 * (a) there doesn't seem to be a usecase for it, and
113 * (b) In SSLv3 and TLS 1.0, CBC record decryption has state
114 * and we'd need to backup the transform here.
115 */
116 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
117 {
118 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
119 goto exit;
120 }
121#if defined(MBEDTLS_SSL_PROTO_DTLS)
122 else
123 {
124 mbedtls_record rec;
125
126 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
127 if( ret != 0 )
128 {
129 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
130 goto exit;
131 }
132
133 if( ssl->transform_in != NULL )
134 {
135 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
136 if( ret != 0 )
137 {
138 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
139 goto exit;
140 }
141 }
142 }
143#endif /* MBEDTLS_SSL_PROTO_DTLS */
144
145exit:
146 /* On success, we have decrypted the buffer in-place, so make
147 * sure we don't leak any plaintext data. */
148 mbedtls_platform_zeroize( buf, buflen );
149
150 /* For the purpose of this API, treat messages with unexpected CID
151 * as well as such from future epochs as unexpected. */
152 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
153 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
154 {
155 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
156 }
157
158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
159 return( ret );
160}
161#endif /* MBEDTLS_SSL_RECORD_CHECKING */
162
163#define SSL_DONT_FORCE_FLUSH 0
164#define SSL_FORCE_FLUSH 1
165
166#if defined(MBEDTLS_SSL_PROTO_DTLS)
167
168/* Forward declarations for functions related to message buffering. */
169static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
170 uint8_t slot );
171static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
172static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
173static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
174static int ssl_buffer_message( mbedtls_ssl_context *ssl );
175static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
176 mbedtls_record const *rec );
177static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
178
179static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
180{
181 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
182#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
183 size_t out_buf_len = ssl->out_buf_len;
184#else
185 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
186#endif
187
188 if( mtu != 0 && mtu < out_buf_len )
189 return( mtu );
190
191 return( out_buf_len );
192}
193
194static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
195{
196 size_t const bytes_written = ssl->out_left;
197 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
198
199 /* Double-check that the write-index hasn't gone
200 * past what we can transmit in a single datagram. */
201 if( bytes_written > mtu )
202 {
203 /* Should never happen... */
204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
205 }
206
207 return( (int) ( mtu - bytes_written ) );
208}
209
210static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
211{
212 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
213 size_t remaining, expansion;
214 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
215
216#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
217 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
218
219 if( max_len > mfl )
220 max_len = mfl;
221
222 /* By the standard (RFC 6066 Sect. 4), the MFL extension
223 * only limits the maximum record payload size, so in theory
224 * we would be allowed to pack multiple records of payload size
225 * MFL into a single datagram. However, this would mean that there's
226 * no way to explicitly communicate MTU restrictions to the peer.
227 *
228 * The following reduction of max_len makes sure that we never
229 * write datagrams larger than MFL + Record Expansion Overhead.
230 */
231 if( max_len <= ssl->out_left )
232 return( 0 );
233
234 max_len -= ssl->out_left;
235#endif
236
237 ret = ssl_get_remaining_space_in_datagram( ssl );
238 if( ret < 0 )
239 return( ret );
240 remaining = (size_t) ret;
241
242 ret = mbedtls_ssl_get_record_expansion( ssl );
243 if( ret < 0 )
244 return( ret );
245 expansion = (size_t) ret;
246
247 if( remaining <= expansion )
248 return( 0 );
249
250 remaining -= expansion;
251 if( remaining >= max_len )
252 remaining = max_len;
253
254 return( (int) remaining );
255}
256
257/*
258 * Double the retransmit timeout value, within the allowed range,
259 * returning -1 if the maximum value has already been reached.
260 */
261static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
262{
263 uint32_t new_timeout;
264
265 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
266 return( -1 );
267
268 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
269 * in the following way: after the initial transmission and a first
270 * retransmission, back off to a temporary estimated MTU of 508 bytes.
271 * This value is guaranteed to be deliverable (if not guaranteed to be
272 * delivered) of any compliant IPv4 (and IPv6) network, and should work
273 * on most non-IP stacks too. */
274 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
275 {
276 ssl->handshake->mtu = 508;
277 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
278 }
279
280 new_timeout = 2 * ssl->handshake->retransmit_timeout;
281
282 /* Avoid arithmetic overflow and range overflow */
283 if( new_timeout < ssl->handshake->retransmit_timeout ||
284 new_timeout > ssl->conf->hs_timeout_max )
285 {
286 new_timeout = ssl->conf->hs_timeout_max;
287 }
288
289 ssl->handshake->retransmit_timeout = new_timeout;
290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
291 ssl->handshake->retransmit_timeout ) );
292
293 return( 0 );
294}
295
296static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
297{
298 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
299 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
300 ssl->handshake->retransmit_timeout ) );
301}
302#endif /* MBEDTLS_SSL_PROTO_DTLS */
303
304#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
305int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
306 const unsigned char *key_enc, const unsigned char *key_dec,
307 size_t keylen,
308 const unsigned char *iv_enc, const unsigned char *iv_dec,
309 size_t ivlen,
310 const unsigned char *mac_enc, const unsigned char *mac_dec,
311 size_t maclen ) = NULL;
312int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
313int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
314int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
315int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
316int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
317#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
318
319/* The function below is only used in the Lucky 13 counter-measure in
320 * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
321#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
322 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
323 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
324 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
325/* This function makes sure every byte in the memory region is accessed
326 * (in ascending addresses order) */
327static void ssl_read_memory( unsigned char *p, size_t len )
328{
329 unsigned char acc = 0;
330 volatile unsigned char force;
331
332 for( ; len != 0; p++, len-- )
333 acc ^= *p;
334
335 force = acc;
336 (void) force;
337}
338#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
339
340/*
341 * Encryption/decryption functions
342 */
343
344#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
345/* This functions transforms a DTLS plaintext fragment and a record content
346 * type into an instance of the DTLSInnerPlaintext structure:
347 *
348 * struct {
349 * opaque content[DTLSPlaintext.length];
350 * ContentType real_type;
351 * uint8 zeros[length_of_padding];
352 * } DTLSInnerPlaintext;
353 *
354 * Input:
355 * - `content`: The beginning of the buffer holding the
356 * plaintext to be wrapped.
357 * - `*content_size`: The length of the plaintext in Bytes.
358 * - `max_len`: The number of Bytes available starting from
359 * `content`. This must be `>= *content_size`.
360 * - `rec_type`: The desired record content type.
361 *
362 * Output:
363 * - `content`: The beginning of the resulting DTLSInnerPlaintext structure.
364 * - `*content_size`: The length of the resulting DTLSInnerPlaintext structure.
365 *
366 * Returns:
367 * - `0` on success.
368 * - A negative error code if `max_len` didn't offer enough space
369 * for the expansion.
370 */
371static int ssl_cid_build_inner_plaintext( unsigned char *content,
372 size_t *content_size,
373 size_t remaining,
374 uint8_t rec_type )
375{
376 size_t len = *content_size;
377 size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
378 ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
379 MBEDTLS_SSL_CID_PADDING_GRANULARITY;
380
381 /* Write real content type */
382 if( remaining == 0 )
383 return( -1 );
384 content[ len ] = rec_type;
385 len++;
386 remaining--;
387
388 if( remaining < pad )
389 return( -1 );
390 memset( content + len, 0, pad );
391 len += pad;
392 remaining -= pad;
393
394 *content_size = len;
395 return( 0 );
396}
397
398/* This function parses a DTLSInnerPlaintext structure.
399 * See ssl_cid_build_inner_plaintext() for details. */
400static int ssl_cid_parse_inner_plaintext( unsigned char const *content,
401 size_t *content_size,
402 uint8_t *rec_type )
403{
404 size_t remaining = *content_size;
405
406 /* Determine length of padding by skipping zeroes from the back. */
407 do
408 {
409 if( remaining == 0 )
410 return( -1 );
411 remaining--;
412 } while( content[ remaining ] == 0 );
413
414 *content_size = remaining;
415 *rec_type = content[ remaining ];
416
417 return( 0 );
418}
419#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
420
421/* `add_data` must have size 13 Bytes if the CID extension is disabled,
422 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
423static void ssl_extract_add_data_from_record( unsigned char* add_data,
424 size_t *add_data_len,
425 mbedtls_record *rec )
426{
427 /* Quoting RFC 5246 (TLS 1.2):
428 *
429 * additional_data = seq_num + TLSCompressed.type +
430 * TLSCompressed.version + TLSCompressed.length;
431 *
432 * For the CID extension, this is extended as follows
433 * (quoting draft-ietf-tls-dtls-connection-id-05,
434 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
435 *
436 * additional_data = seq_num + DTLSPlaintext.type +
437 * DTLSPlaintext.version +
438 * cid +
439 * cid_length +
440 * length_of_DTLSInnerPlaintext;
441 */
442
443 memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );
444 add_data[8] = rec->type;
445 memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );
446
447#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
448 if( rec->cid_len != 0 )
449 {
450 memcpy( add_data + 11, rec->cid, rec->cid_len );
451 add_data[11 + rec->cid_len + 0] = rec->cid_len;
452 add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
453 add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
454 *add_data_len = 13 + 1 + rec->cid_len;
455 }
456 else
457#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
458 {
459 add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
460 add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
461 *add_data_len = 13;
462 }
463}
464
465#if defined(MBEDTLS_SSL_PROTO_SSL3)
466
467#define SSL3_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
468
469/*
470 * SSLv3.0 MAC functions
471 */
472static void ssl_mac( mbedtls_md_context_t *md_ctx,
473 const unsigned char *secret,
474 const unsigned char *buf, size_t len,
475 const unsigned char *ctr, int type,
476 unsigned char out[SSL3_MAC_MAX_BYTES] )
477{
478 unsigned char header[11];
479 unsigned char padding[48];
480 int padlen;
481 int md_size = mbedtls_md_get_size( md_ctx->md_info );
482 int md_type = mbedtls_md_get_type( md_ctx->md_info );
483
484 /* Only MD5 and SHA-1 supported */
485 if( md_type == MBEDTLS_MD_MD5 )
486 padlen = 48;
487 else
488 padlen = 40;
489
490 memcpy( header, ctr, 8 );
491 header[ 8] = (unsigned char) type;
492 header[ 9] = (unsigned char)( len >> 8 );
493 header[10] = (unsigned char)( len );
494
495 memset( padding, 0x36, padlen );
496 mbedtls_md_starts( md_ctx );
497 mbedtls_md_update( md_ctx, secret, md_size );
498 mbedtls_md_update( md_ctx, padding, padlen );
499 mbedtls_md_update( md_ctx, header, 11 );
500 mbedtls_md_update( md_ctx, buf, len );
501 mbedtls_md_finish( md_ctx, out );
502
503 memset( padding, 0x5C, padlen );
504 mbedtls_md_starts( md_ctx );
505 mbedtls_md_update( md_ctx, secret, md_size );
506 mbedtls_md_update( md_ctx, padding, padlen );
507 mbedtls_md_update( md_ctx, out, md_size );
508 mbedtls_md_finish( md_ctx, out );
509}
510#endif /* MBEDTLS_SSL_PROTO_SSL3 */
511
512int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
513 mbedtls_ssl_transform *transform,
514 mbedtls_record *rec,
515 int (*f_rng)(void *, unsigned char *, size_t),
516 void *p_rng )
517{
518 mbedtls_cipher_mode_t mode;
519 int auth_done = 0;
520 unsigned char * data;
521 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
522 size_t add_data_len;
523 size_t post_avail;
524
525 /* The SSL context is only used for debugging purposes! */
526#if !defined(MBEDTLS_DEBUG_C)
527 ssl = NULL; /* make sure we don't use it except for debug */
528 ((void) ssl);
529#endif
530
531 /* The PRNG is used for dynamic IV generation that's used
532 * for CBC transformations in TLS 1.1 and TLS 1.2. */
533#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
534 ( defined(MBEDTLS_AES_C) || \
535 defined(MBEDTLS_ARIA_C) || \
536 defined(MBEDTLS_CAMELLIA_C) ) && \
537 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
538 ((void) f_rng);
539 ((void) p_rng);
540#endif
541
542 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
543
544 if( transform == NULL )
545 {
546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
547 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
548 }
549 if( rec == NULL
550 || rec->buf == NULL
551 || rec->buf_len < rec->data_offset
552 || rec->buf_len - rec->data_offset < rec->data_len
553#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
554 || rec->cid_len != 0
555#endif
556 )
557 {
558 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
559 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
560 }
561
562 data = rec->buf + rec->data_offset;
563 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
564 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
565 data, rec->data_len );
566
567 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
568
569 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
570 {
571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
572 (unsigned) rec->data_len,
573 MBEDTLS_SSL_OUT_CONTENT_LEN ) );
574 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
575 }
576
577#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
578 /*
579 * Add CID information
580 */
581 rec->cid_len = transform->out_cid_len;
582 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
583 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
584
585 if( rec->cid_len != 0 )
586 {
587 /*
588 * Wrap plaintext into DTLSInnerPlaintext structure.
589 * See ssl_cid_build_inner_plaintext() for more information.
590 *
591 * Note that this changes `rec->data_len`, and hence
592 * `post_avail` needs to be recalculated afterwards.
593 */
594 if( ssl_cid_build_inner_plaintext( data,
595 &rec->data_len,
596 post_avail,
597 rec->type ) != 0 )
598 {
599 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
600 }
601
602 rec->type = MBEDTLS_SSL_MSG_CID;
603 }
604#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
605
606 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
607
608 /*
609 * Add MAC before if needed
610 */
611#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
612 if( mode == MBEDTLS_MODE_STREAM ||
613 ( mode == MBEDTLS_MODE_CBC
614#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
615 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
616#endif
617 ) )
618 {
619 if( post_avail < transform->maclen )
620 {
621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
622 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
623 }
624
625#if defined(MBEDTLS_SSL_PROTO_SSL3)
626 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
627 {
628 unsigned char mac[SSL3_MAC_MAX_BYTES];
629 ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
630 data, rec->data_len, rec->ctr, rec->type, mac );
631 memcpy( data + rec->data_len, mac, transform->maclen );
632 }
633 else
634#endif
635#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
636 defined(MBEDTLS_SSL_PROTO_TLS1_2)
637 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
638 {
639 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
640
641 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
642
643 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
644 add_data_len );
645 mbedtls_md_hmac_update( &transform->md_ctx_enc,
646 data, rec->data_len );
647 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
648 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
649
650 memcpy( data + rec->data_len, mac, transform->maclen );
651 }
652 else
653#endif
654 {
655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
656 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
657 }
658
659 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
660 transform->maclen );
661
662 rec->data_len += transform->maclen;
663 post_avail -= transform->maclen;
664 auth_done++;
665 }
666#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
667
668 /*
669 * Encrypt
670 */
671#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
672 if( mode == MBEDTLS_MODE_STREAM )
673 {
674 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
675 size_t olen;
676 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
677 "including %d bytes of padding",
678 rec->data_len, 0 ) );
679
680 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
681 transform->iv_enc, transform->ivlen,
682 data, rec->data_len,
683 data, &olen ) ) != 0 )
684 {
685 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
686 return( ret );
687 }
688
689 if( rec->data_len != olen )
690 {
691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
692 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
693 }
694 }
695 else
696#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
697
698#if defined(MBEDTLS_GCM_C) || \
699 defined(MBEDTLS_CCM_C) || \
700 defined(MBEDTLS_CHACHAPOLY_C)
701 if( mode == MBEDTLS_MODE_GCM ||
702 mode == MBEDTLS_MODE_CCM ||
703 mode == MBEDTLS_MODE_CHACHAPOLY )
704 {
705 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
706 unsigned char iv[12];
707 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
708
709 /* Check that there's space for both the authentication tag
710 * and the explicit IV before and after the record content. */
711 if( post_avail < transform->taglen ||
712 rec->data_offset < explicit_iv_len )
713 {
714 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
715 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
716 }
717
718 /*
719 * Generate IV
720 */
721 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
722 {
723 /* GCM and CCM: fixed || explicit (=seqnum) */
724 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
725 memcpy( iv + transform->fixed_ivlen, rec->ctr,
726 explicit_iv_len );
727 /* Prefix record content with explicit IV. */
728 memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
729 }
730 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
731 {
732 /* ChachaPoly: fixed XOR sequence number */
733 unsigned char i;
734
735 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
736
737 for( i = 0; i < 8; i++ )
738 iv[i+4] ^= rec->ctr[i];
739 }
740 else
741 {
742 /* Reminder if we ever add an AEAD mode with a different size */
743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
744 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
745 }
746
747 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
748
749 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
750 iv, transform->ivlen );
751 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
752 data - explicit_iv_len, explicit_iv_len );
753 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
754 add_data, add_data_len );
755 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
756 "including 0 bytes of padding",
757 rec->data_len ) );
758
759 /*
760 * Encrypt and authenticate
761 */
762
763 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
764 iv, transform->ivlen,
765 add_data, add_data_len, /* add data */
766 data, rec->data_len, /* source */
767 data, &rec->data_len, /* destination */
768 data + rec->data_len, transform->taglen ) ) != 0 )
769 {
770 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
771 return( ret );
772 }
773
774 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
775 data + rec->data_len, transform->taglen );
776
777 rec->data_len += transform->taglen + explicit_iv_len;
778 rec->data_offset -= explicit_iv_len;
779 post_avail -= transform->taglen;
780 auth_done++;
781 }
782 else
783#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
784#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
785 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
786 if( mode == MBEDTLS_MODE_CBC )
787 {
788 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
789 size_t padlen, i;
790 size_t olen;
791
792 /* Currently we're always using minimal padding
793 * (up to 255 bytes would be allowed). */
794 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
795 if( padlen == transform->ivlen )
796 padlen = 0;
797
798 /* Check there's enough space in the buffer for the padding. */
799 if( post_avail < padlen + 1 )
800 {
801 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
802 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
803 }
804
805 for( i = 0; i <= padlen; i++ )
806 data[rec->data_len + i] = (unsigned char) padlen;
807
808 rec->data_len += padlen + 1;
809 post_avail -= padlen + 1;
810
811#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
812 /*
813 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
814 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
815 */
816 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
817 {
818 if( f_rng == NULL )
819 {
820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
821 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
822 }
823
824 if( rec->data_offset < transform->ivlen )
825 {
826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
827 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
828 }
829
830 /*
831 * Generate IV
832 */
833 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
834 if( ret != 0 )
835 return( ret );
836
837 memcpy( data - transform->ivlen, transform->iv_enc,
838 transform->ivlen );
839
840 }
841#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
842
843 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
844 "including %d bytes of IV and %d bytes of padding",
845 rec->data_len, transform->ivlen,
846 padlen + 1 ) );
847
848 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
849 transform->iv_enc,
850 transform->ivlen,
851 data, rec->data_len,
852 data, &olen ) ) != 0 )
853 {
854 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
855 return( ret );
856 }
857
858 if( rec->data_len != olen )
859 {
860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
861 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
862 }
863
864#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
865 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
866 {
867 /*
868 * Save IV in SSL3 and TLS1
869 */
870 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
871 transform->ivlen );
872 }
873 else
874#endif
875 {
876 data -= transform->ivlen;
877 rec->data_offset -= transform->ivlen;
878 rec->data_len += transform->ivlen;
879 }
880
881#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
882 if( auth_done == 0 )
883 {
884 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
885
886 /*
887 * MAC(MAC_write_key, seq_num +
888 * TLSCipherText.type +
889 * TLSCipherText.version +
890 * length_of( (IV +) ENC(...) ) +
891 * IV + // except for TLS 1.0
892 * ENC(content + padding + padding_length));
893 */
894
895 if( post_avail < transform->maclen)
896 {
897 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
898 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
899 }
900
901 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
902
903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
904 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
905 add_data_len );
906
907 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
908 add_data_len );
909 mbedtls_md_hmac_update( &transform->md_ctx_enc,
910 data, rec->data_len );
911 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
912 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
913
914 memcpy( data + rec->data_len, mac, transform->maclen );
915
916 rec->data_len += transform->maclen;
917 post_avail -= transform->maclen;
918 auth_done++;
919 }
920#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
921 }
922 else
923#endif /* MBEDTLS_CIPHER_MODE_CBC &&
924 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
925 {
926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
927 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
928 }
929
930 /* Make extra sure authentication was performed, exactly once */
931 if( auth_done != 1 )
932 {
933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
934 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
935 }
936
937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
938
939 return( 0 );
940}
941
942int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
943 mbedtls_ssl_transform *transform,
944 mbedtls_record *rec )
945{
946 size_t olen;
947 mbedtls_cipher_mode_t mode;
948 int ret, auth_done = 0;
949#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
950 size_t padlen = 0, correct = 1;
951#endif
952 unsigned char* data;
953 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
954 size_t add_data_len;
955
956#if !defined(MBEDTLS_DEBUG_C)
957 ssl = NULL; /* make sure we don't use it except for debug */
958 ((void) ssl);
959#endif
960
961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
962 if( rec == NULL ||
963 rec->buf == NULL ||
964 rec->buf_len < rec->data_offset ||
965 rec->buf_len - rec->data_offset < rec->data_len )
966 {
967 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
968 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
969 }
970
971 data = rec->buf + rec->data_offset;
972 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
973
974#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
975 /*
976 * Match record's CID with incoming CID.
977 */
978 if( rec->cid_len != transform->in_cid_len ||
979 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
980 {
981 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
982 }
983#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
984
985#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
986 if( mode == MBEDTLS_MODE_STREAM )
987 {
988 padlen = 0;
989 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
990 transform->iv_dec,
991 transform->ivlen,
992 data, rec->data_len,
993 data, &olen ) ) != 0 )
994 {
995 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
996 return( ret );
997 }
998
999 if( rec->data_len != olen )
1000 {
1001 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1002 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1003 }
1004 }
1005 else
1006#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
1007#if defined(MBEDTLS_GCM_C) || \
1008 defined(MBEDTLS_CCM_C) || \
1009 defined(MBEDTLS_CHACHAPOLY_C)
1010 if( mode == MBEDTLS_MODE_GCM ||
1011 mode == MBEDTLS_MODE_CCM ||
1012 mode == MBEDTLS_MODE_CHACHAPOLY )
1013 {
1014 unsigned char iv[12];
1015 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
1016
1017 /*
1018 * Prepare IV from explicit and implicit data.
1019 */
1020
1021 /* Check that there's enough space for the explicit IV
1022 * (at the beginning of the record) and the MAC (at the
1023 * end of the record). */
1024 if( rec->data_len < explicit_iv_len + transform->taglen )
1025 {
1026 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1027 "+ taglen (%d)", rec->data_len,
1028 explicit_iv_len, transform->taglen ) );
1029 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1030 }
1031
1032#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
1033 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1034 {
1035 /* GCM and CCM: fixed || explicit */
1036
1037 /* Fixed */
1038 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1039 /* Explicit */
1040 memcpy( iv + transform->fixed_ivlen, data, 8 );
1041 }
1042 else
1043#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1044#if defined(MBEDTLS_CHACHAPOLY_C)
1045 if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
1046 {
1047 /* ChachaPoly: fixed XOR sequence number */
1048 unsigned char i;
1049
1050 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1051
1052 for( i = 0; i < 8; i++ )
1053 iv[i+4] ^= rec->ctr[i];
1054 }
1055 else
1056#endif /* MBEDTLS_CHACHAPOLY_C */
1057 {
1058 /* Reminder if we ever add an AEAD mode with a different size */
1059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1060 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1061 }
1062
1063 /* Group changes to data, data_len, and add_data, because
1064 * add_data depends on data_len. */
1065 data += explicit_iv_len;
1066 rec->data_offset += explicit_iv_len;
1067 rec->data_len -= explicit_iv_len + transform->taglen;
1068
1069 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
1070 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1071 add_data, add_data_len );
1072
1073 /* Because of the check above, we know that there are
1074 * explicit_iv_len Bytes preceeding data, and taglen
1075 * bytes following data + data_len. This justifies
1076 * the debug message and the invocation of
1077 * mbedtls_cipher_auth_decrypt() below. */
1078
1079 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
1080 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
1081 transform->taglen );
1082
1083 /*
1084 * Decrypt and authenticate
1085 */
1086 if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
1087 iv, transform->ivlen,
1088 add_data, add_data_len,
1089 data, rec->data_len,
1090 data, &olen,
1091 data + rec->data_len,
1092 transform->taglen ) ) != 0 )
1093 {
1094 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
1095
1096 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1097 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1098
1099 return( ret );
1100 }
1101 auth_done++;
1102
1103 /* Double-check that AEAD decryption doesn't change content length. */
1104 if( olen != rec->data_len )
1105 {
1106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1107 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1108 }
1109 }
1110 else
1111#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1112#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
1113 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
1114 if( mode == MBEDTLS_MODE_CBC )
1115 {
1116 size_t minlen = 0;
1117
1118 /*
1119 * Check immediate ciphertext sanity
1120 */
1121#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1122 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1123 {
1124 /* The ciphertext is prefixed with the CBC IV. */
1125 minlen += transform->ivlen;
1126 }
1127#endif
1128
1129 /* Size considerations:
1130 *
1131 * - The CBC cipher text must not be empty and hence
1132 * at least of size transform->ivlen.
1133 *
1134 * Together with the potential IV-prefix, this explains
1135 * the first of the two checks below.
1136 *
1137 * - The record must contain a MAC, either in plain or
1138 * encrypted, depending on whether Encrypt-then-MAC
1139 * is used or not.
1140 * - If it is, the message contains the IV-prefix,
1141 * the CBC ciphertext, and the MAC.
1142 * - If it is not, the padded plaintext, and hence
1143 * the CBC ciphertext, has at least length maclen + 1
1144 * because there is at least the padding length byte.
1145 *
1146 * As the CBC ciphertext is not empty, both cases give the
1147 * lower bound minlen + maclen + 1 on the record size, which
1148 * we test for in the second check below.
1149 */
1150 if( rec->data_len < minlen + transform->ivlen ||
1151 rec->data_len < minlen + transform->maclen + 1 )
1152 {
1153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1154 "+ 1 ) ( + expl IV )", rec->data_len,
1155 transform->ivlen,
1156 transform->maclen ) );
1157 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1158 }
1159
1160 /*
1161 * Authenticate before decrypt if enabled
1162 */
1163#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1164 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
1165 {
1166 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
1167
1168 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1169
1170 /* Update data_len in tandem with add_data.
1171 *
1172 * The subtraction is safe because of the previous check
1173 * data_len >= minlen + maclen + 1.
1174 *
1175 * Afterwards, we know that data + data_len is followed by at
1176 * least maclen Bytes, which justifies the call to
1177 * mbedtls_ssl_safer_memcmp() below.
1178 *
1179 * Further, we still know that data_len > minlen */
1180 rec->data_len -= transform->maclen;
1181 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
1182
1183 /* Calculate expected MAC. */
1184 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1185 add_data_len );
1186 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1187 add_data_len );
1188 mbedtls_md_hmac_update( &transform->md_ctx_dec,
1189 data, rec->data_len );
1190 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1191 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
1192
1193 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1194 transform->maclen );
1195 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
1196 transform->maclen );
1197
1198 /* Compare expected MAC with MAC at the end of the record. */
1199 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1200 transform->maclen ) != 0 )
1201 {
1202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1203 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1204 }
1205 auth_done++;
1206 }
1207#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1208
1209 /*
1210 * Check length sanity
1211 */
1212
1213 /* We know from above that data_len > minlen >= 0,
1214 * so the following check in particular implies that
1215 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
1216 if( rec->data_len % transform->ivlen != 0 )
1217 {
1218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1219 rec->data_len, transform->ivlen ) );
1220 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1221 }
1222
1223#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1224 /*
1225 * Initialize for prepended IV for block cipher in TLS v1.1 and up
1226 */
1227 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1228 {
1229 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
1230 memcpy( transform->iv_dec, data, transform->ivlen );
1231
1232 data += transform->ivlen;
1233 rec->data_offset += transform->ivlen;
1234 rec->data_len -= transform->ivlen;
1235 }
1236#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
1237
1238 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1239
1240 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1241 transform->iv_dec, transform->ivlen,
1242 data, rec->data_len, data, &olen ) ) != 0 )
1243 {
1244 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1245 return( ret );
1246 }
1247
1248 /* Double-check that length hasn't changed during decryption. */
1249 if( rec->data_len != olen )
1250 {
1251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1252 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1253 }
1254
1255#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1256 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
1257 {
1258 /*
1259 * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
1260 * records is equivalent to CBC decryption of the concatenation
1261 * of the records; in other words, IVs are maintained across
1262 * record decryptions.
1263 */
1264 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
1265 transform->ivlen );
1266 }
1267#endif
1268
1269 /* Safe since data_len >= minlen + maclen + 1, so after having
1270 * subtracted at most minlen and maclen up to this point,
1271 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1272 * >= ivlen ). */
1273 padlen = data[rec->data_len - 1];
1274
1275 if( auth_done == 1 )
1276 {
1277 correct *= ( rec->data_len >= padlen + 1 );
1278 padlen *= ( rec->data_len >= padlen + 1 );
1279 }
1280 else
1281 {
1282#if defined(MBEDTLS_SSL_DEBUG_ALL)
1283 if( rec->data_len < transform->maclen + padlen + 1 )
1284 {
1285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1286 rec->data_len,
1287 transform->maclen,
1288 padlen + 1 ) );
1289 }
1290#endif
1291
1292 correct *= ( rec->data_len >= transform->maclen + padlen + 1 );
1293 padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );
1294 }
1295
1296 padlen++;
1297
1298 /* Regardless of the validity of the padding,
1299 * we have data_len >= padlen here. */
1300
1301#if defined(MBEDTLS_SSL_PROTO_SSL3)
1302 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1303 {
1304 if( padlen > transform->ivlen )
1305 {
1306#if defined(MBEDTLS_SSL_DEBUG_ALL)
1307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1308 "should be no more than %d",
1309 padlen, transform->ivlen ) );
1310#endif
1311 correct = 0;
1312 }
1313 }
1314 else
1315#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1316#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1317 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1318 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
1319 {
1320 /* The padding check involves a series of up to 256
1321 * consecutive memory reads at the end of the record
1322 * plaintext buffer. In order to hide the length and
1323 * validity of the padding, always perform exactly
1324 * `min(256,plaintext_len)` reads (but take into account
1325 * only the last `padlen` bytes for the padding check). */
1326 size_t pad_count = 0;
1327 size_t real_count = 0;
1328 volatile unsigned char* const check = data;
1329
1330 /* Index of first padding byte; it has been ensured above
1331 * that the subtraction is safe. */
1332 size_t const padding_idx = rec->data_len - padlen;
1333 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1334 size_t const start_idx = rec->data_len - num_checks;
1335 size_t idx;
1336
1337 for( idx = start_idx; idx < rec->data_len; idx++ )
1338 {
1339 real_count |= ( idx >= padding_idx );
1340 pad_count += real_count * ( check[idx] == padlen - 1 );
1341 }
1342 correct &= ( pad_count == padlen );
1343
1344#if defined(MBEDTLS_SSL_DEBUG_ALL)
1345 if( padlen > 0 && correct == 0 )
1346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1347#endif
1348 padlen &= correct * 0x1FF;
1349 }
1350 else
1351#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1352 MBEDTLS_SSL_PROTO_TLS1_2 */
1353 {
1354 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1355 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1356 }
1357
1358 /* If the padding was found to be invalid, padlen == 0
1359 * and the subtraction is safe. If the padding was found valid,
1360 * padlen hasn't been changed and the previous assertion
1361 * data_len >= padlen still holds. */
1362 rec->data_len -= padlen;
1363 }
1364 else
1365#endif /* MBEDTLS_CIPHER_MODE_CBC &&
1366 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
1367 {
1368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1369 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1370 }
1371
1372#if defined(MBEDTLS_SSL_DEBUG_ALL)
1373 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1374 data, rec->data_len );
1375#endif
1376
1377 /*
1378 * Authenticate if not done yet.
1379 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
1380 */
1381#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
1382 if( auth_done == 0 )
1383 {
1384 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
1385
1386 /* If the initial value of padlen was such that
1387 * data_len < maclen + padlen + 1, then padlen
1388 * got reset to 1, and the initial check
1389 * data_len >= minlen + maclen + 1
1390 * guarantees that at this point we still
1391 * have at least data_len >= maclen.
1392 *
1393 * If the initial value of padlen was such that
1394 * data_len >= maclen + padlen + 1, then we have
1395 * subtracted either padlen + 1 (if the padding was correct)
1396 * or 0 (if the padding was incorrect) since then,
1397 * hence data_len >= maclen in any case.
1398 */
1399 rec->data_len -= transform->maclen;
1400 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
1401
1402#if defined(MBEDTLS_SSL_PROTO_SSL3)
1403 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1404 {
1405 ssl_mac( &transform->md_ctx_dec,
1406 transform->mac_dec,
1407 data, rec->data_len,
1408 rec->ctr, rec->type,
1409 mac_expect );
1410 }
1411 else
1412#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1413#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1414 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1415 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
1416 {
1417 /*
1418 * Process MAC and always update for padlen afterwards to make
1419 * total time independent of padlen.
1420 *
1421 * Known timing attacks:
1422 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1423 *
1424 * To compensate for different timings for the MAC calculation
1425 * depending on how much padding was removed (which is determined
1426 * by padlen), process extra_run more blocks through the hash
1427 * function.
1428 *
1429 * The formula in the paper is
1430 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
1431 * where L1 is the size of the header plus the decrypted message
1432 * plus CBC padding and L2 is the size of the header plus the
1433 * decrypted message. This is for an underlying hash function
1434 * with 64-byte blocks.
1435 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
1436 * correctly. We round down instead of up, so -56 is the correct
1437 * value for our calculations instead of -55.
1438 *
1439 * Repeat the formula rather than defining a block_size variable.
1440 * This avoids requiring division by a variable at runtime
1441 * (which would be marginally less efficient and would require
1442 * linking an extra division function in some builds).
1443 */
1444 size_t j, extra_run = 0;
1445 unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
1446
1447 /*
1448 * The next two sizes are the minimum and maximum values of
1449 * in_msglen over all padlen values.
1450 *
1451 * They're independent of padlen, since we previously did
1452 * data_len -= padlen.
1453 *
1454 * Note that max_len + maclen is never more than the buffer
1455 * length, as we previously did in_msglen -= maclen too.
1456 */
1457 const size_t max_len = rec->data_len + padlen;
1458 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1459
1460 memset( tmp, 0, sizeof( tmp ) );
1461
1462 switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
1463 {
1464#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
1465 defined(MBEDTLS_SHA256_C)
1466 case MBEDTLS_MD_MD5:
1467 case MBEDTLS_MD_SHA1:
1468 case MBEDTLS_MD_SHA256:
1469 /* 8 bytes of message size, 64-byte compression blocks */
1470 extra_run =
1471 ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
1472 ( add_data_len + rec->data_len + 8 ) / 64;
1473 break;
1474#endif
1475#if defined(MBEDTLS_SHA512_C)
1476 case MBEDTLS_MD_SHA384:
1477 /* 16 bytes of message size, 128-byte compression blocks */
1478 extra_run =
1479 ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
1480 ( add_data_len + rec->data_len + 16 ) / 128;
1481 break;
1482#endif
1483 default:
1484 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1485 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1486 }
1487
1488 extra_run &= correct * 0xFF;
1489
1490 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1491 add_data_len );
1492 mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
1493 rec->data_len );
1494 /* Make sure we access everything even when padlen > 0. This
1495 * makes the synchronisation requirements for just-in-time
1496 * Prime+Probe attacks much tighter and hopefully impractical. */
1497 ssl_read_memory( data + rec->data_len, padlen );
1498 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1499
1500 /* Call mbedtls_md_process at least once due to cache attacks
1501 * that observe whether md_process() was called of not */
1502 for( j = 0; j < extra_run + 1; j++ )
1503 mbedtls_md_process( &transform->md_ctx_dec, tmp );
1504
1505 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
1506
1507 /* Make sure we access all the memory that could contain the MAC,
1508 * before we check it in the next code block. This makes the
1509 * synchronisation requirements for just-in-time Prime+Probe
1510 * attacks much tighter and hopefully impractical. */
1511 ssl_read_memory( data + min_len,
1512 max_len - min_len + transform->maclen );
1513 }
1514 else
1515#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1516 MBEDTLS_SSL_PROTO_TLS1_2 */
1517 {
1518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1519 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1520 }
1521
1522#if defined(MBEDTLS_SSL_DEBUG_ALL)
1523 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
1524 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
1525#endif
1526
1527 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1528 transform->maclen ) != 0 )
1529 {
1530#if defined(MBEDTLS_SSL_DEBUG_ALL)
1531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1532#endif
1533 correct = 0;
1534 }
1535 auth_done++;
1536 }
1537
1538 /*
1539 * Finally check the correct flag
1540 */
1541 if( correct == 0 )
1542 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1543#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
1544
1545 /* Make extra sure authentication was performed, exactly once */
1546 if( auth_done != 1 )
1547 {
1548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1549 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1550 }
1551
1552#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1553 if( rec->cid_len != 0 )
1554 {
1555 ret = ssl_cid_parse_inner_plaintext( data, &rec->data_len,
1556 &rec->type );
1557 if( ret != 0 )
1558 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1559 }
1560#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1561
1562 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1563
1564 return( 0 );
1565}
1566
1567#undef MAC_NONE
1568#undef MAC_PLAINTEXT
1569#undef MAC_CIPHERTEXT
1570
1571#if defined(MBEDTLS_ZLIB_SUPPORT)
1572/*
1573 * Compression/decompression functions
1574 */
1575static int ssl_compress_buf( mbedtls_ssl_context *ssl )
1576{
1577 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1578 unsigned char *msg_post = ssl->out_msg;
1579 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
1580 size_t len_pre = ssl->out_msglen;
1581 unsigned char *msg_pre = ssl->compress_buf;
1582#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1583 size_t out_buf_len = ssl->out_buf_len;
1584#else
1585 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1586#endif
1587
1588 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1589
1590 if( len_pre == 0 )
1591 return( 0 );
1592
1593 memcpy( msg_pre, ssl->out_msg, len_pre );
1594
1595 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1596 ssl->out_msglen ) );
1597
1598 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
1599 ssl->out_msg, ssl->out_msglen );
1600
1601 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1602 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1603 ssl->transform_out->ctx_deflate.next_out = msg_post;
1604 ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
1605
1606 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1607 if( ret != Z_OK )
1608 {
1609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1610 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
1611 }
1612
1613 ssl->out_msglen = out_buf_len -
1614 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
1615
1616 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1617 ssl->out_msglen ) );
1618
1619 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
1620 ssl->out_msg, ssl->out_msglen );
1621
1622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1623
1624 return( 0 );
1625}
1626
1627static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
1628{
1629 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1630 unsigned char *msg_post = ssl->in_msg;
1631 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
1632 size_t len_pre = ssl->in_msglen;
1633 unsigned char *msg_pre = ssl->compress_buf;
1634#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1635 size_t in_buf_len = ssl->in_buf_len;
1636#else
1637 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1638#endif
1639
1640 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1641
1642 if( len_pre == 0 )
1643 return( 0 );
1644
1645 memcpy( msg_pre, ssl->in_msg, len_pre );
1646
1647 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1648 ssl->in_msglen ) );
1649
1650 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
1651 ssl->in_msg, ssl->in_msglen );
1652
1653 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1654 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1655 ssl->transform_in->ctx_inflate.next_out = msg_post;
1656 ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
1657
1658 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1659 if( ret != Z_OK )
1660 {
1661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1662 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
1663 }
1664
1665 ssl->in_msglen = in_buf_len -
1666 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
1667
1668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1669 ssl->in_msglen ) );
1670
1671 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
1672 ssl->in_msg, ssl->in_msglen );
1673
1674 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1675
1676 return( 0 );
1677}
1678#endif /* MBEDTLS_ZLIB_SUPPORT */
1679
1680/*
1681 * Fill the input message buffer by appending data to it.
1682 * The amount of data already fetched is in ssl->in_left.
1683 *
1684 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1685 * available (from this read and/or a previous one). Otherwise, an error code
1686 * is returned (possibly EOF or WANT_READ).
1687 *
1688 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1689 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1690 * since we always read a whole datagram at once.
1691 *
1692 * For DTLS, it is up to the caller to set ssl->next_record_offset when
1693 * they're done reading a record.
1694 */
1695int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
1696{
1697 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1698 size_t len;
1699#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1700 size_t in_buf_len = ssl->in_buf_len;
1701#else
1702 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1703#endif
1704
1705 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1706
1707 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1708 {
1709 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
1710 "or mbedtls_ssl_set_bio()" ) );
1711 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1712 }
1713
1714 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
1715 {
1716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1717 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1718 }
1719
1720#if defined(MBEDTLS_SSL_PROTO_DTLS)
1721 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1722 {
1723 uint32_t timeout;
1724
1725 /* Just to be sure */
1726 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
1727 {
1728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
1729 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
1730 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1731 }
1732
1733 /*
1734 * The point is, we need to always read a full datagram at once, so we
1735 * sometimes read more then requested, and handle the additional data.
1736 * It could be the rest of the current record (while fetching the
1737 * header) and/or some other records in the same datagram.
1738 */
1739
1740 /*
1741 * Move to the next record in the already read datagram if applicable
1742 */
1743 if( ssl->next_record_offset != 0 )
1744 {
1745 if( ssl->in_left < ssl->next_record_offset )
1746 {
1747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1748 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1749 }
1750
1751 ssl->in_left -= ssl->next_record_offset;
1752
1753 if( ssl->in_left != 0 )
1754 {
1755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
1756 ssl->next_record_offset ) );
1757 memmove( ssl->in_hdr,
1758 ssl->in_hdr + ssl->next_record_offset,
1759 ssl->in_left );
1760 }
1761
1762 ssl->next_record_offset = 0;
1763 }
1764
1765 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1766 ssl->in_left, nb_want ) );
1767
1768 /*
1769 * Done if we already have enough data.
1770 */
1771 if( nb_want <= ssl->in_left)
1772 {
1773 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1774 return( 0 );
1775 }
1776
1777 /*
1778 * A record can't be split across datagrams. If we need to read but
1779 * are not at the beginning of a new record, the caller did something
1780 * wrong.
1781 */
1782 if( ssl->in_left != 0 )
1783 {
1784 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1785 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1786 }
1787
1788 /*
1789 * Don't even try to read if time's out already.
1790 * This avoids by-passing the timer when repeatedly receiving messages
1791 * that will end up being dropped.
1792 */
1793 if( mbedtls_ssl_check_timer( ssl ) != 0 )
1794 {
1795 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
1796 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1797 }
1798 else
1799 {
1800 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
1801
1802 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
1803 timeout = ssl->handshake->retransmit_timeout;
1804 else
1805 timeout = ssl->conf->read_timeout;
1806
1807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
1808
1809 if( ssl->f_recv_timeout != NULL )
1810 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
1811 timeout );
1812 else
1813 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
1814
1815 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
1816
1817 if( ret == 0 )
1818 return( MBEDTLS_ERR_SSL_CONN_EOF );
1819 }
1820
1821 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
1822 {
1823 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
1824 mbedtls_ssl_set_timer( ssl, 0 );
1825
1826 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
1827 {
1828 if( ssl_double_retransmit_timeout( ssl ) != 0 )
1829 {
1830 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
1831 return( MBEDTLS_ERR_SSL_TIMEOUT );
1832 }
1833
1834 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
1835 {
1836 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
1837 return( ret );
1838 }
1839
1840 return( MBEDTLS_ERR_SSL_WANT_READ );
1841 }
1842#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
1843 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
1844 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
1845 {
1846 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
1847 {
1848 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
1849 ret );
1850 return( ret );
1851 }
1852
1853 return( MBEDTLS_ERR_SSL_WANT_READ );
1854 }
1855#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
1856 }
1857
1858 if( ret < 0 )
1859 return( ret );
1860
1861 ssl->in_left = ret;
1862 }
1863 else
1864#endif
1865 {
1866 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1867 ssl->in_left, nb_want ) );
1868
1869 while( ssl->in_left < nb_want )
1870 {
1871 len = nb_want - ssl->in_left;
1872
1873 if( mbedtls_ssl_check_timer( ssl ) != 0 )
1874 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1875 else
1876 {
1877 if( ssl->f_recv_timeout != NULL )
1878 {
1879 ret = ssl->f_recv_timeout( ssl->p_bio,
1880 ssl->in_hdr + ssl->in_left, len,
1881 ssl->conf->read_timeout );
1882 }
1883 else
1884 {
1885 ret = ssl->f_recv( ssl->p_bio,
1886 ssl->in_hdr + ssl->in_left, len );
1887 }
1888 }
1889
1890 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1891 ssl->in_left, nb_want ) );
1892 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
1893
1894 if( ret == 0 )
1895 return( MBEDTLS_ERR_SSL_CONN_EOF );
1896
1897 if( ret < 0 )
1898 return( ret );
1899
1900 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
1901 {
1902 MBEDTLS_SSL_DEBUG_MSG( 1,
1903 ( "f_recv returned %d bytes but only %lu were requested",
1904 ret, (unsigned long)len ) );
1905 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1906 }
1907
1908 ssl->in_left += ret;
1909 }
1910 }
1911
1912 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1913
1914 return( 0 );
1915}
1916
1917/*
1918 * Flush any data not yet written
1919 */
1920int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
1921{
1922 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1923 unsigned char *buf;
1924
1925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1926
1927 if( ssl->f_send == NULL )
1928 {
1929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
1930 "or mbedtls_ssl_set_bio()" ) );
1931 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1932 }
1933
1934 /* Avoid incrementing counter if data is flushed */
1935 if( ssl->out_left == 0 )
1936 {
1937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1938 return( 0 );
1939 }
1940
1941 while( ssl->out_left > 0 )
1942 {
1943 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1944 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
1945
1946 buf = ssl->out_hdr - ssl->out_left;
1947 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
1948
1949 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1950
1951 if( ret <= 0 )
1952 return( ret );
1953
1954 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
1955 {
1956 MBEDTLS_SSL_DEBUG_MSG( 1,
1957 ( "f_send returned %d bytes but only %lu bytes were sent",
1958 ret, (unsigned long)ssl->out_left ) );
1959 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1960 }
1961
1962 ssl->out_left -= ret;
1963 }
1964
1965#if defined(MBEDTLS_SSL_PROTO_DTLS)
1966 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1967 {
1968 ssl->out_hdr = ssl->out_buf;
1969 }
1970 else
1971#endif
1972 {
1973 ssl->out_hdr = ssl->out_buf + 8;
1974 }
1975 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
1976
1977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1978
1979 return( 0 );
1980}
1981
1982/*
1983 * Functions to handle the DTLS retransmission state machine
1984 */
1985#if defined(MBEDTLS_SSL_PROTO_DTLS)
1986/*
1987 * Append current handshake message to current outgoing flight
1988 */
1989static int ssl_flight_append( mbedtls_ssl_context *ssl )
1990{
1991 mbedtls_ssl_flight_item *msg;
1992 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
1993 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
1994 ssl->out_msg, ssl->out_msglen );
1995
1996 /* Allocate space for current message */
1997 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
1998 {
1999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
2000 sizeof( mbedtls_ssl_flight_item ) ) );
2001 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2002 }
2003
2004 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
2005 {
2006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
2007 mbedtls_free( msg );
2008 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2009 }
2010
2011 /* Copy current handshake message with headers */
2012 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2013 msg->len = ssl->out_msglen;
2014 msg->type = ssl->out_msgtype;
2015 msg->next = NULL;
2016
2017 /* Append to the current flight */
2018 if( ssl->handshake->flight == NULL )
2019 ssl->handshake->flight = msg;
2020 else
2021 {
2022 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
2023 while( cur->next != NULL )
2024 cur = cur->next;
2025 cur->next = msg;
2026 }
2027
2028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
2029 return( 0 );
2030}
2031
2032/*
2033 * Free the current flight of handshake messages
2034 */
2035void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
2036{
2037 mbedtls_ssl_flight_item *cur = flight;
2038 mbedtls_ssl_flight_item *next;
2039
2040 while( cur != NULL )
2041 {
2042 next = cur->next;
2043
2044 mbedtls_free( cur->p );
2045 mbedtls_free( cur );
2046
2047 cur = next;
2048 }
2049}
2050
2051/*
2052 * Swap transform_out and out_ctr with the alternative ones
2053 */
2054static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
2055{
2056 mbedtls_ssl_transform *tmp_transform;
2057 unsigned char tmp_out_ctr[8];
2058
2059 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2060 {
2061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2062 return( 0 );
2063 }
2064
2065 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2066
2067 /* Swap transforms */
2068 tmp_transform = ssl->transform_out;
2069 ssl->transform_out = ssl->handshake->alt_transform_out;
2070 ssl->handshake->alt_transform_out = tmp_transform;
2071
2072 /* Swap epoch + sequence_number */
2073 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
2074 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
2075 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
2076
2077 /* Adjust to the newly activated transform */
2078 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2079
2080#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2081 if( mbedtls_ssl_hw_record_activate != NULL )
2082 {
2083 int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND );
2084 if( ret != 0 )
2085 {
2086 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
2087 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2088 }
2089 }
2090#endif
2091
2092 return( 0 );
2093}
2094
2095/*
2096 * Retransmit the current flight of messages.
2097 */
2098int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2099{
2100 int ret = 0;
2101
2102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2103
2104 ret = mbedtls_ssl_flight_transmit( ssl );
2105
2106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2107
2108 return( ret );
2109}
2110
2111/*
2112 * Transmit or retransmit the current flight of messages.
2113 *
2114 * Need to remember the current message in case flush_output returns
2115 * WANT_WRITE, causing us to exit this function and come back later.
2116 * This function must be called until state is no longer SENDING.
2117 */
2118int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
2119{
2120 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
2122
2123 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
2124 {
2125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
2126
2127 ssl->handshake->cur_msg = ssl->handshake->flight;
2128 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
2129 ret = ssl_swap_epochs( ssl );
2130 if( ret != 0 )
2131 return( ret );
2132
2133 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
2134 }
2135
2136 while( ssl->handshake->cur_msg != NULL )
2137 {
2138 size_t max_frag_len;
2139 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
2140
2141 int const is_finished =
2142 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2143 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2144
2145 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2146 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2147
2148 /* Swap epochs before sending Finished: we can't do it after
2149 * sending ChangeCipherSpec, in case write returns WANT_READ.
2150 * Must be done before copying, may change out_msg pointer */
2151 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
2152 {
2153 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
2154 ret = ssl_swap_epochs( ssl );
2155 if( ret != 0 )
2156 return( ret );
2157 }
2158
2159 ret = ssl_get_remaining_payload_in_datagram( ssl );
2160 if( ret < 0 )
2161 return( ret );
2162 max_frag_len = (size_t) ret;
2163
2164 /* CCS is copied as is, while HS messages may need fragmentation */
2165 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2166 {
2167 if( max_frag_len == 0 )
2168 {
2169 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2170 return( ret );
2171
2172 continue;
2173 }
2174
2175 memcpy( ssl->out_msg, cur->p, cur->len );
2176 ssl->out_msglen = cur->len;
2177 ssl->out_msgtype = cur->type;
2178
2179 /* Update position inside current message */
2180 ssl->handshake->cur_msg_p += cur->len;
2181 }
2182 else
2183 {
2184 const unsigned char * const p = ssl->handshake->cur_msg_p;
2185 const size_t hs_len = cur->len - 12;
2186 const size_t frag_off = p - ( cur->p + 12 );
2187 const size_t rem_len = hs_len - frag_off;
2188 size_t cur_hs_frag_len, max_hs_frag_len;
2189
2190 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
2191 {
2192 if( is_finished )
2193 {
2194 ret = ssl_swap_epochs( ssl );
2195 if( ret != 0 )
2196 return( ret );
2197 }
2198
2199 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2200 return( ret );
2201
2202 continue;
2203 }
2204 max_hs_frag_len = max_frag_len - 12;
2205
2206 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2207 max_hs_frag_len : rem_len;
2208
2209 if( frag_off == 0 && cur_hs_frag_len != hs_len )
2210 {
2211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
2212 (unsigned) cur_hs_frag_len,
2213 (unsigned) max_hs_frag_len ) );
2214 }
2215
2216 /* Messages are stored with handshake headers as if not fragmented,
2217 * copy beginning of headers then fill fragmentation fields.
2218 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2219 memcpy( ssl->out_msg, cur->p, 6 );
2220
2221 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
2222 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
2223 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
2224
2225 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
2226 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
2227 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
2228
2229 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2230
2231 /* Copy the handshake message content and set records fields */
2232 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2233 ssl->out_msglen = cur_hs_frag_len + 12;
2234 ssl->out_msgtype = cur->type;
2235
2236 /* Update position inside current message */
2237 ssl->handshake->cur_msg_p += cur_hs_frag_len;
2238 }
2239
2240 /* If done with the current message move to the next one if any */
2241 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2242 {
2243 if( cur->next != NULL )
2244 {
2245 ssl->handshake->cur_msg = cur->next;
2246 ssl->handshake->cur_msg_p = cur->next->p + 12;
2247 }
2248 else
2249 {
2250 ssl->handshake->cur_msg = NULL;
2251 ssl->handshake->cur_msg_p = NULL;
2252 }
2253 }
2254
2255 /* Actually send the message out */
2256 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
2257 {
2258 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2259 return( ret );
2260 }
2261 }
2262
2263 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2264 return( ret );
2265
2266 /* Update state and set timer */
2267 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2268 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2269 else
2270 {
2271 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2272 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2273 }
2274
2275 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
2276
2277 return( 0 );
2278}
2279
2280/*
2281 * To be called when the last message of an incoming flight is received.
2282 */
2283void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
2284{
2285 /* We won't need to resend that one any more */
2286 mbedtls_ssl_flight_free( ssl->handshake->flight );
2287 ssl->handshake->flight = NULL;
2288 ssl->handshake->cur_msg = NULL;
2289
2290 /* The next incoming flight will start with this msg_seq */
2291 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2292
2293 /* We don't want to remember CCS's across flight boundaries. */
2294 ssl->handshake->buffering.seen_ccs = 0;
2295
2296 /* Clear future message buffering structure. */
2297 mbedtls_ssl_buffering_free( ssl );
2298
2299 /* Cancel timer */
2300 mbedtls_ssl_set_timer( ssl, 0 );
2301
2302 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2303 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2304 {
2305 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2306 }
2307 else
2308 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
2309}
2310
2311/*
2312 * To be called when the last message of an outgoing flight is send.
2313 */
2314void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
2315{
2316 ssl_reset_retransmit_timeout( ssl );
2317 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2318
2319 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2320 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2321 {
2322 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2323 }
2324 else
2325 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2326}
2327#endif /* MBEDTLS_SSL_PROTO_DTLS */
2328
2329/*
2330 * Handshake layer functions
2331 */
2332
2333/*
2334 * Write (DTLS: or queue) current handshake (including CCS) message.
2335 *
2336 * - fill in handshake headers
2337 * - update handshake checksum
2338 * - DTLS: save message for resending
2339 * - then pass to the record layer
2340 *
2341 * DTLS: except for HelloRequest, messages are only queued, and will only be
2342 * actually sent when calling flight_transmit() or resend().
2343 *
2344 * Inputs:
2345 * - ssl->out_msglen: 4 + actual handshake message len
2346 * (4 is the size of handshake headers for TLS)
2347 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2348 * - ssl->out_msg + 4: the handshake message body
2349 *
2350 * Outputs, ie state before passing to flight_append() or write_record():
2351 * - ssl->out_msglen: the length of the record contents
2352 * (including handshake headers but excluding record headers)
2353 * - ssl->out_msg: the record contents (handshake headers + content)
2354 */
2355int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
2356{
2357 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2358 const size_t hs_len = ssl->out_msglen - 4;
2359 const unsigned char hs_type = ssl->out_msg[0];
2360
2361 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2362
2363 /*
2364 * Sanity checks
2365 */
2366 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
2367 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2368 {
2369 /* In SSLv3, the client might send a NoCertificate alert. */
2370#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
2371 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
2372 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
2373 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
2374#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
2375 {
2376 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2377 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2378 }
2379 }
2380
2381 /* Whenever we send anything different from a
2382 * HelloRequest we should be in a handshake - double check. */
2383 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2384 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
2385 ssl->handshake == NULL )
2386 {
2387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2388 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2389 }
2390
2391#if defined(MBEDTLS_SSL_PROTO_DTLS)
2392 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2393 ssl->handshake != NULL &&
2394 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
2395 {
2396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2397 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2398 }
2399#endif
2400
2401 /* Double-check that we did not exceed the bounds
2402 * of the outgoing record buffer.
2403 * This should never fail as the various message
2404 * writing functions must obey the bounds of the
2405 * outgoing record buffer, but better be safe.
2406 *
2407 * Note: We deliberately do not check for the MTU or MFL here.
2408 */
2409 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2410 {
2411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
2412 "size %u, maximum %u",
2413 (unsigned) ssl->out_msglen,
2414 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
2415 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2416 }
2417
2418 /*
2419 * Fill handshake headers
2420 */
2421 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
2422 {
2423 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
2424 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
2425 ssl->out_msg[3] = (unsigned char)( hs_len );
2426
2427 /*
2428 * DTLS has additional fields in the Handshake layer,
2429 * between the length field and the actual payload:
2430 * uint16 message_seq;
2431 * uint24 fragment_offset;
2432 * uint24 fragment_length;
2433 */
2434#if defined(MBEDTLS_SSL_PROTO_DTLS)
2435 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2436 {
2437 /* Make room for the additional DTLS fields */
2438 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
2439 {
2440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
2441 "size %u, maximum %u",
2442 (unsigned) ( hs_len ),
2443 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
2444 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2445 }
2446
2447 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
2448 ssl->out_msglen += 8;
2449
2450 /* Write message_seq and update it, except for HelloRequest */
2451 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2452 {
2453 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
2454 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
2455 ++( ssl->handshake->out_msg_seq );
2456 }
2457 else
2458 {
2459 ssl->out_msg[4] = 0;
2460 ssl->out_msg[5] = 0;
2461 }
2462
2463 /* Handshake hashes are computed without fragmentation,
2464 * so set frag_offset = 0 and frag_len = hs_len for now */
2465 memset( ssl->out_msg + 6, 0x00, 3 );
2466 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
2467 }
2468#endif /* MBEDTLS_SSL_PROTO_DTLS */
2469
2470 /* Update running hashes of handshake messages seen */
2471 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2472 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2473 }
2474
2475 /* Either send now, or just save to be sent (and resent) later */
2476#if defined(MBEDTLS_SSL_PROTO_DTLS)
2477 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2478 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2479 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
2480 {
2481 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2482 {
2483 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
2484 return( ret );
2485 }
2486 }
2487 else
2488#endif
2489 {
2490 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
2491 {
2492 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2493 return( ret );
2494 }
2495 }
2496
2497 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2498
2499 return( 0 );
2500}
2501
2502/*
2503 * Record layer functions
2504 */
2505
2506/*
2507 * Write current record.
2508 *
2509 * Uses:
2510 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2511 * - ssl->out_msglen: length of the record content (excl headers)
2512 * - ssl->out_msg: record content
2513 */
2514int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
2515{
2516 int ret, done = 0;
2517 size_t len = ssl->out_msglen;
2518 uint8_t flush = force_flush;
2519
2520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2521
2522#if defined(MBEDTLS_ZLIB_SUPPORT)
2523 if( ssl->transform_out != NULL &&
2524 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
2525 {
2526 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2527 {
2528 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
2529 return( ret );
2530 }
2531
2532 len = ssl->out_msglen;
2533 }
2534#endif /*MBEDTLS_ZLIB_SUPPORT */
2535
2536#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2537 if( mbedtls_ssl_hw_record_write != NULL )
2538 {
2539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
2540
2541 ret = mbedtls_ssl_hw_record_write( ssl );
2542 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2543 {
2544 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
2545 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2546 }
2547
2548 if( ret == 0 )
2549 done = 1;
2550 }
2551#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
2552 if( !done )
2553 {
2554 unsigned i;
2555 size_t protected_record_size;
2556#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2557 size_t out_buf_len = ssl->out_buf_len;
2558#else
2559 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2560#endif
2561 /* Skip writing the record content type to after the encryption,
2562 * as it may change when using the CID extension. */
2563
2564 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2565 ssl->conf->transport, ssl->out_hdr + 1 );
2566
2567 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
2568 ssl->out_len[0] = (unsigned char)( len >> 8 );
2569 ssl->out_len[1] = (unsigned char)( len );
2570
2571 if( ssl->transform_out != NULL )
2572 {
2573 mbedtls_record rec;
2574
2575 rec.buf = ssl->out_iv;
2576 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
2577 rec.data_len = ssl->out_msglen;
2578 rec.data_offset = ssl->out_msg - rec.buf;
2579
2580 memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
2581 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2582 ssl->conf->transport, rec.ver );
2583 rec.type = ssl->out_msgtype;
2584
2585#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2586 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
2587 rec.cid_len = 0;
2588#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2589
2590 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
2591 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2592 {
2593 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2594 return( ret );
2595 }
2596
2597 if( rec.data_offset != 0 )
2598 {
2599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2600 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2601 }
2602
2603 /* Update the record content type and CID. */
2604 ssl->out_msgtype = rec.type;
2605#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
2606 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
2607#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2608 ssl->out_msglen = len = rec.data_len;
2609 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
2610 ssl->out_len[1] = (unsigned char)( rec.data_len );
2611 }
2612
2613 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
2614
2615#if defined(MBEDTLS_SSL_PROTO_DTLS)
2616 /* In case of DTLS, double-check that we don't exceed
2617 * the remaining space in the datagram. */
2618 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2619 {
2620 ret = ssl_get_remaining_space_in_datagram( ssl );
2621 if( ret < 0 )
2622 return( ret );
2623
2624 if( protected_record_size > (size_t) ret )
2625 {
2626 /* Should never happen */
2627 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2628 }
2629 }
2630#endif /* MBEDTLS_SSL_PROTO_DTLS */
2631
2632 /* Now write the potentially updated record content type. */
2633 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2634
2635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2636 "version = [%d:%d], msglen = %d",
2637 ssl->out_hdr[0], ssl->out_hdr[1],
2638 ssl->out_hdr[2], len ) );
2639
2640 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
2641 ssl->out_hdr, protected_record_size );
2642
2643 ssl->out_left += protected_record_size;
2644 ssl->out_hdr += protected_record_size;
2645 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2646
2647 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
2648 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2649 break;
2650
2651 /* The loop goes to its end iff the counter is wrapping */
2652 if( i == mbedtls_ssl_ep_len( ssl ) )
2653 {
2654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2655 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2656 }
2657 }
2658
2659#if defined(MBEDTLS_SSL_PROTO_DTLS)
2660 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2661 flush == SSL_DONT_FORCE_FLUSH )
2662 {
2663 size_t remaining;
2664 ret = ssl_get_remaining_payload_in_datagram( ssl );
2665 if( ret < 0 )
2666 {
2667 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2668 ret );
2669 return( ret );
2670 }
2671
2672 remaining = (size_t) ret;
2673 if( remaining == 0 )
2674 {
2675 flush = SSL_FORCE_FLUSH;
2676 }
2677 else
2678 {
2679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
2680 }
2681 }
2682#endif /* MBEDTLS_SSL_PROTO_DTLS */
2683
2684 if( ( flush == SSL_FORCE_FLUSH ) &&
2685 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2686 {
2687 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
2688 return( ret );
2689 }
2690
2691 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2692
2693 return( 0 );
2694}
2695
2696#if defined(MBEDTLS_SSL_PROTO_DTLS)
2697
2698static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2699{
2700 if( ssl->in_msglen < ssl->in_hslen ||
2701 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
2702 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2703 {
2704 return( 1 );
2705 }
2706 return( 0 );
2707}
2708
2709static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
2710{
2711 return( ( ssl->in_msg[9] << 16 ) |
2712 ( ssl->in_msg[10] << 8 ) |
2713 ssl->in_msg[11] );
2714}
2715
2716static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
2717{
2718 return( ( ssl->in_msg[6] << 16 ) |
2719 ( ssl->in_msg[7] << 8 ) |
2720 ssl->in_msg[8] );
2721}
2722
2723static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
2724{
2725 uint32_t msg_len, frag_off, frag_len;
2726
2727 msg_len = ssl_get_hs_total_len( ssl );
2728 frag_off = ssl_get_hs_frag_off( ssl );
2729 frag_len = ssl_get_hs_frag_len( ssl );
2730
2731 if( frag_off > msg_len )
2732 return( -1 );
2733
2734 if( frag_len > msg_len - frag_off )
2735 return( -1 );
2736
2737 if( frag_len + 12 > ssl->in_msglen )
2738 return( -1 );
2739
2740 return( 0 );
2741}
2742
2743/*
2744 * Mark bits in bitmask (used for DTLS HS reassembly)
2745 */
2746static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2747{
2748 unsigned int start_bits, end_bits;
2749
2750 start_bits = 8 - ( offset % 8 );
2751 if( start_bits != 8 )
2752 {
2753 size_t first_byte_idx = offset / 8;
2754
2755 /* Special case */
2756 if( len <= start_bits )
2757 {
2758 for( ; len != 0; len-- )
2759 mask[first_byte_idx] |= 1 << ( start_bits - len );
2760
2761 /* Avoid potential issues with offset or len becoming invalid */
2762 return;
2763 }
2764
2765 offset += start_bits; /* Now offset % 8 == 0 */
2766 len -= start_bits;
2767
2768 for( ; start_bits != 0; start_bits-- )
2769 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
2770 }
2771
2772 end_bits = len % 8;
2773 if( end_bits != 0 )
2774 {
2775 size_t last_byte_idx = ( offset + len ) / 8;
2776
2777 len -= end_bits; /* Now len % 8 == 0 */
2778
2779 for( ; end_bits != 0; end_bits-- )
2780 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
2781 }
2782
2783 memset( mask + offset / 8, 0xFF, len / 8 );
2784}
2785
2786/*
2787 * Check that bitmask is full
2788 */
2789static int ssl_bitmask_check( unsigned char *mask, size_t len )
2790{
2791 size_t i;
2792
2793 for( i = 0; i < len / 8; i++ )
2794 if( mask[i] != 0xFF )
2795 return( -1 );
2796
2797 for( i = 0; i < len % 8; i++ )
2798 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2799 return( -1 );
2800
2801 return( 0 );
2802}
2803
2804/* msg_len does not include the handshake header */
2805static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
2806 unsigned add_bitmap )
2807{
2808 size_t alloc_len;
2809
2810 alloc_len = 12; /* Handshake header */
2811 alloc_len += msg_len; /* Content buffer */
2812
2813 if( add_bitmap )
2814 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
2815
2816 return( alloc_len );
2817}
2818
2819#endif /* MBEDTLS_SSL_PROTO_DTLS */
2820
2821static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
2822{
2823 return( ( ssl->in_msg[1] << 16 ) |
2824 ( ssl->in_msg[2] << 8 ) |
2825 ssl->in_msg[3] );
2826}
2827
2828int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
2829{
2830 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
2831 {
2832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
2833 ssl->in_msglen ) );
2834 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2835 }
2836
2837 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
2838
2839 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2840 " %d, type = %d, hslen = %d",
2841 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2842
2843#if defined(MBEDTLS_SSL_PROTO_DTLS)
2844 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2845 {
2846 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2847 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
2848
2849 if( ssl_check_hs_header( ssl ) != 0 )
2850 {
2851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
2852 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2853 }
2854
2855 if( ssl->handshake != NULL &&
2856 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
2857 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
2858 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
2859 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
2860 {
2861 if( recv_msg_seq > ssl->handshake->in_msg_seq )
2862 {
2863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
2864 recv_msg_seq,
2865 ssl->handshake->in_msg_seq ) );
2866 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2867 }
2868
2869 /* Retransmit only on last message from previous flight, to avoid
2870 * too many retransmissions.
2871 * Besides, No sane server ever retransmits HelloVerifyRequest */
2872 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
2873 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
2874 {
2875 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
2876 "message_seq = %d, start_of_flight = %d",
2877 recv_msg_seq,
2878 ssl->handshake->in_flight_start_seq ) );
2879
2880 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2881 {
2882 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
2883 return( ret );
2884 }
2885 }
2886 else
2887 {
2888 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
2889 "message_seq = %d, expected = %d",
2890 recv_msg_seq,
2891 ssl->handshake->in_msg_seq ) );
2892 }
2893
2894 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
2895 }
2896 /* Wait until message completion to increment in_msg_seq */
2897
2898 /* Message reassembly is handled alongside buffering of future
2899 * messages; the commonality is that both handshake fragments and
2900 * future messages cannot be forwarded immediately to the
2901 * handshake logic layer. */
2902 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
2903 {
2904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
2905 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2906 }
2907 }
2908 else
2909#endif /* MBEDTLS_SSL_PROTO_DTLS */
2910 /* With TLS we don't handle fragmentation (for now) */
2911 if( ssl->in_msglen < ssl->in_hslen )
2912 {
2913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
2914 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2915 }
2916
2917 return( 0 );
2918}
2919
2920void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
2921{
2922 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
2923
2924 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
2925 {
2926 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2927 }
2928
2929 /* Handshake message is complete, increment counter */
2930#if defined(MBEDTLS_SSL_PROTO_DTLS)
2931 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2932 ssl->handshake != NULL )
2933 {
2934 unsigned offset;
2935 mbedtls_ssl_hs_buffer *hs_buf;
2936
2937 /* Increment handshake sequence number */
2938 hs->in_msg_seq++;
2939
2940 /*
2941 * Clear up handshake buffering and reassembly structure.
2942 */
2943
2944 /* Free first entry */
2945 ssl_buffering_free_slot( ssl, 0 );
2946
2947 /* Shift all other entries */
2948 for( offset = 0, hs_buf = &hs->buffering.hs[0];
2949 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
2950 offset++, hs_buf++ )
2951 {
2952 *hs_buf = *(hs_buf + 1);
2953 }
2954
2955 /* Create a fresh last entry */
2956 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
2957 }
2958#endif
2959}
2960
2961/*
2962 * DTLS anti-replay: RFC 6347 4.1.2.6
2963 *
2964 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
2965 * Bit n is set iff record number in_window_top - n has been seen.
2966 *
2967 * Usually, in_window_top is the last record number seen and the lsb of
2968 * in_window is set. The only exception is the initial state (record number 0
2969 * not seen yet).
2970 */
2971#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2972void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
2973{
2974 ssl->in_window_top = 0;
2975 ssl->in_window = 0;
2976}
2977
2978static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
2979{
2980 return( ( (uint64_t) buf[0] << 40 ) |
2981 ( (uint64_t) buf[1] << 32 ) |
2982 ( (uint64_t) buf[2] << 24 ) |
2983 ( (uint64_t) buf[3] << 16 ) |
2984 ( (uint64_t) buf[4] << 8 ) |
2985 ( (uint64_t) buf[5] ) );
2986}
2987
2988static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
2989{
2990 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2991 unsigned char *original_in_ctr;
2992
2993 // save original in_ctr
2994 original_in_ctr = ssl->in_ctr;
2995
2996 // use counter from record
2997 ssl->in_ctr = record_in_ctr;
2998
2999 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3000
3001 // restore the counter
3002 ssl->in_ctr = original_in_ctr;
3003
3004 return ret;
3005}
3006
3007/*
3008 * Return 0 if sequence number is acceptable, -1 otherwise
3009 */
3010int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
3011{
3012 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3013 uint64_t bit;
3014
3015 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3016 return( 0 );
3017
3018 if( rec_seqnum > ssl->in_window_top )
3019 return( 0 );
3020
3021 bit = ssl->in_window_top - rec_seqnum;
3022
3023 if( bit >= 64 )
3024 return( -1 );
3025
3026 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3027 return( -1 );
3028
3029 return( 0 );
3030}
3031
3032/*
3033 * Update replay window on new validated record
3034 */
3035void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
3036{
3037 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3038
3039 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3040 return;
3041
3042 if( rec_seqnum > ssl->in_window_top )
3043 {
3044 /* Update window_top and the contents of the window */
3045 uint64_t shift = rec_seqnum - ssl->in_window_top;
3046
3047 if( shift >= 64 )
3048 ssl->in_window = 1;
3049 else
3050 {
3051 ssl->in_window <<= shift;
3052 ssl->in_window |= 1;
3053 }
3054
3055 ssl->in_window_top = rec_seqnum;
3056 }
3057 else
3058 {
3059 /* Mark that number as seen in the current window */
3060 uint64_t bit = ssl->in_window_top - rec_seqnum;
3061
3062 if( bit < 64 ) /* Always true, but be extra sure */
3063 ssl->in_window |= (uint64_t) 1 << bit;
3064 }
3065}
3066#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3067
3068#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3069/*
3070 * Without any SSL context, check if a datagram looks like a ClientHello with
3071 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
3072 * Both input and output include full DTLS headers.
3073 *
3074 * - if cookie is valid, return 0
3075 * - if ClientHello looks superficially valid but cookie is not,
3076 * fill obuf and set olen, then
3077 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3078 * - otherwise return a specific error code
3079 */
3080static int ssl_check_dtls_clihlo_cookie(
3081 mbedtls_ssl_cookie_write_t *f_cookie_write,
3082 mbedtls_ssl_cookie_check_t *f_cookie_check,
3083 void *p_cookie,
3084 const unsigned char *cli_id, size_t cli_id_len,
3085 const unsigned char *in, size_t in_len,
3086 unsigned char *obuf, size_t buf_len, size_t *olen )
3087{
3088 size_t sid_len, cookie_len;
3089 unsigned char *p;
3090
3091 /*
3092 * Structure of ClientHello with record and handshake headers,
3093 * and expected values. We don't need to check a lot, more checks will be
3094 * done when actually parsing the ClientHello - skipping those checks
3095 * avoids code duplication and does not make cookie forging any easier.
3096 *
3097 * 0-0 ContentType type; copied, must be handshake
3098 * 1-2 ProtocolVersion version; copied
3099 * 3-4 uint16 epoch; copied, must be 0
3100 * 5-10 uint48 sequence_number; copied
3101 * 11-12 uint16 length; (ignored)
3102 *
3103 * 13-13 HandshakeType msg_type; (ignored)
3104 * 14-16 uint24 length; (ignored)
3105 * 17-18 uint16 message_seq; copied
3106 * 19-21 uint24 fragment_offset; copied, must be 0
3107 * 22-24 uint24 fragment_length; (ignored)
3108 *
3109 * 25-26 ProtocolVersion client_version; (ignored)
3110 * 27-58 Random random; (ignored)
3111 * 59-xx SessionID session_id; 1 byte len + sid_len content
3112 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3113 * ...
3114 *
3115 * Minimum length is 61 bytes.
3116 */
3117 if( in_len < 61 ||
3118 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3119 in[3] != 0 || in[4] != 0 ||
3120 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3121 {
3122 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3123 }
3124
3125 sid_len = in[59];
3126 if( sid_len > in_len - 61 )
3127 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3128
3129 cookie_len = in[60 + sid_len];
3130 if( cookie_len > in_len - 60 )
3131 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3132
3133 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3134 cli_id, cli_id_len ) == 0 )
3135 {
3136 /* Valid cookie */
3137 return( 0 );
3138 }
3139
3140 /*
3141 * If we get here, we've got an invalid cookie, let's prepare HVR.
3142 *
3143 * 0-0 ContentType type; copied
3144 * 1-2 ProtocolVersion version; copied
3145 * 3-4 uint16 epoch; copied
3146 * 5-10 uint48 sequence_number; copied
3147 * 11-12 uint16 length; olen - 13
3148 *
3149 * 13-13 HandshakeType msg_type; hello_verify_request
3150 * 14-16 uint24 length; olen - 25
3151 * 17-18 uint16 message_seq; copied
3152 * 19-21 uint24 fragment_offset; copied
3153 * 22-24 uint24 fragment_length; olen - 25
3154 *
3155 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3156 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3157 *
3158 * Minimum length is 28.
3159 */
3160 if( buf_len < 28 )
3161 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3162
3163 /* Copy most fields and adapt others */
3164 memcpy( obuf, in, 25 );
3165 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3166 obuf[25] = 0xfe;
3167 obuf[26] = 0xff;
3168
3169 /* Generate and write actual cookie */
3170 p = obuf + 28;
3171 if( f_cookie_write( p_cookie,
3172 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3173 {
3174 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3175 }
3176
3177 *olen = p - obuf;
3178
3179 /* Go back and fill length fields */
3180 obuf[27] = (unsigned char)( *olen - 28 );
3181
3182 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
3183 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
3184 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
3185
3186 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
3187 obuf[12] = (unsigned char)( ( *olen - 13 ) );
3188
3189 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3190}
3191
3192/*
3193 * Handle possible client reconnect with the same UDP quadruplet
3194 * (RFC 6347 Section 4.2.8).
3195 *
3196 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3197 * that looks like a ClientHello.
3198 *
3199 * - if the input looks like a ClientHello without cookies,
3200 * send back HelloVerifyRequest, then return 0
3201 * - if the input looks like a ClientHello with a valid cookie,
3202 * reset the session of the current context, and
3203 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
3204 * - if anything goes wrong, return a specific error code
3205 *
3206 * This function is called (through ssl_check_client_reconnect()) when an
3207 * unexpected record is found in ssl_get_next_record(), which will discard the
3208 * record if we return 0, and bubble up the return value otherwise (this
3209 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3210 * errors, and is the right thing to do in both cases).
3211 */
3212static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3213{
3214 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3215 size_t len;
3216
3217 if( ssl->conf->f_cookie_write == NULL ||
3218 ssl->conf->f_cookie_check == NULL )
3219 {
3220 /* If we can't use cookies to verify reachability of the peer,
3221 * drop the record. */
3222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3223 "can't check reconnect validity" ) );
3224 return( 0 );
3225 }
3226
3227 ret = ssl_check_dtls_clihlo_cookie(
3228 ssl->conf->f_cookie_write,
3229 ssl->conf->f_cookie_check,
3230 ssl->conf->p_cookie,
3231 ssl->cli_id, ssl->cli_id_len,
3232 ssl->in_buf, ssl->in_left,
3233 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
3234
3235 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3236
3237 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
3238 {
3239 int send_ret;
3240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3241 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3242 ssl->out_buf, len );
3243 /* Don't check write errors as we can't do anything here.
3244 * If the error is permanent we'll catch it later,
3245 * if it's not, then hopefully it'll work next time. */
3246 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3247 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3248 (void) send_ret;
3249
3250 return( 0 );
3251 }
3252
3253 if( ret == 0 )
3254 {
3255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
3256 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
3257 {
3258 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3259 return( ret );
3260 }
3261
3262 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
3263 }
3264
3265 return( ret );
3266}
3267#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3268
3269static int ssl_check_record_type( uint8_t record_type )
3270{
3271 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3272 record_type != MBEDTLS_SSL_MSG_ALERT &&
3273 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3274 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3275 {
3276 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3277 }
3278
3279 return( 0 );
3280}
3281
3282/*
3283 * ContentType type;
3284 * ProtocolVersion version;
3285 * uint16 epoch; // DTLS only
3286 * uint48 sequence_number; // DTLS only
3287 * uint16 length;
3288 *
3289 * Return 0 if header looks sane (and, for DTLS, the record is expected)
3290 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
3291 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3292 *
3293 * With DTLS, mbedtls_ssl_read_record() will:
3294 * 1. proceed with the record if this function returns 0
3295 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3296 * 3. return CLIENT_RECONNECT if this function return that value
3297 * 4. drop the whole datagram if this function returns anything else.
3298 * Point 2 is needed when the peer is resending, and we have already received
3299 * the first record from a datagram but are still waiting for the others.
3300 */
3301static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
3302 unsigned char *buf,
3303 size_t len,
3304 mbedtls_record *rec )
3305{
3306 int major_ver, minor_ver;
3307
3308 size_t const rec_hdr_type_offset = 0;
3309 size_t const rec_hdr_type_len = 1;
3310
3311 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3312 rec_hdr_type_len;
3313 size_t const rec_hdr_version_len = 2;
3314
3315 size_t const rec_hdr_ctr_len = 8;
3316#if defined(MBEDTLS_SSL_PROTO_DTLS)
3317 uint32_t rec_epoch;
3318 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3319 rec_hdr_version_len;
3320
3321#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3322 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3323 rec_hdr_ctr_len;
3324 size_t rec_hdr_cid_len = 0;
3325#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3326#endif /* MBEDTLS_SSL_PROTO_DTLS */
3327
3328 size_t rec_hdr_len_offset; /* To be determined */
3329 size_t const rec_hdr_len_len = 2;
3330
3331 /*
3332 * Check minimum lengths for record header.
3333 */
3334
3335#if defined(MBEDTLS_SSL_PROTO_DTLS)
3336 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3337 {
3338 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3339 }
3340 else
3341#endif /* MBEDTLS_SSL_PROTO_DTLS */
3342 {
3343 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3344 }
3345
3346 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3347 {
3348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3349 (unsigned) len,
3350 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3351 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3352 }
3353
3354 /*
3355 * Parse and validate record content type
3356 */
3357
3358 rec->type = buf[ rec_hdr_type_offset ];
3359
3360 /* Check record content type */
3361#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3362 rec->cid_len = 0;
3363
3364 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3365 ssl->conf->cid_len != 0 &&
3366 rec->type == MBEDTLS_SSL_MSG_CID )
3367 {
3368 /* Shift pointers to account for record header including CID
3369 * struct {
3370 * ContentType special_type = tls12_cid;
3371 * ProtocolVersion version;
3372 * uint16 epoch;
3373 * uint48 sequence_number;
3374 * opaque cid[cid_length]; // Additional field compared to
3375 * // default DTLS record format
3376 * uint16 length;
3377 * opaque enc_content[DTLSCiphertext.length];
3378 * } DTLSCiphertext;
3379 */
3380
3381 /* So far, we only support static CID lengths
3382 * fixed in the configuration. */
3383 rec_hdr_cid_len = ssl->conf->cid_len;
3384 rec_hdr_len_offset += rec_hdr_cid_len;
3385
3386 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3387 {
3388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3389 (unsigned) len,
3390 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
3391 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3392 }
3393
3394 /* configured CID len is guaranteed at most 255, see
3395 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3396 rec->cid_len = (uint8_t) rec_hdr_cid_len;
3397 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
3398 }
3399 else
3400#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3401 {
3402 if( ssl_check_record_type( rec->type ) )
3403 {
3404 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3405 (unsigned) rec->type ) );
3406 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3407 }
3408 }
3409
3410 /*
3411 * Parse and validate record version
3412 */
3413
3414 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3415 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
3416 mbedtls_ssl_read_version( &major_ver, &minor_ver,
3417 ssl->conf->transport,
3418 &rec->ver[0] );
3419
3420 if( major_ver != ssl->major_ver )
3421 {
3422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3423 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3424 }
3425
3426 if( minor_ver > ssl->conf->max_minor_ver )
3427 {
3428 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3429 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3430 }
3431
3432 /*
3433 * Parse/Copy record sequence number.
3434 */
3435
3436#if defined(MBEDTLS_SSL_PROTO_DTLS)
3437 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3438 {
3439 /* Copy explicit record sequence number from input buffer. */
3440 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3441 rec_hdr_ctr_len );
3442 }
3443 else
3444#endif /* MBEDTLS_SSL_PROTO_DTLS */
3445 {
3446 /* Copy implicit record sequence number from SSL context structure. */
3447 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3448 }
3449
3450 /*
3451 * Parse record length.
3452 */
3453
3454 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
3455 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3456 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
3457 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
3458
3459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
3460 "version = [%d:%d], msglen = %d",
3461 rec->type,
3462 major_ver, minor_ver, rec->data_len ) );
3463
3464 rec->buf = buf;
3465 rec->buf_len = rec->data_offset + rec->data_len;
3466
3467 if( rec->data_len == 0 )
3468 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3469
3470 /*
3471 * DTLS-related tests.
3472 * Check epoch before checking length constraint because
3473 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3474 * message gets duplicated before the corresponding Finished message,
3475 * the second ChangeCipherSpec should be discarded because it belongs
3476 * to an old epoch, but not because its length is shorter than
3477 * the minimum record length for packets using the new record transform.
3478 * Note that these two kinds of failures are handled differently,
3479 * as an unexpected record is silently skipped but an invalid
3480 * record leads to the entire datagram being dropped.
3481 */
3482#if defined(MBEDTLS_SSL_PROTO_DTLS)
3483 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3484 {
3485 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
3486
3487 /* Check that the datagram is large enough to contain a record
3488 * of the advertised length. */
3489 if( len < rec->data_offset + rec->data_len )
3490 {
3491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3492 (unsigned) len,
3493 (unsigned)( rec->data_offset + rec->data_len ) ) );
3494 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3495 }
3496
3497 /* Records from other, non-matching epochs are silently discarded.
3498 * (The case of same-port Client reconnects must be considered in
3499 * the caller). */
3500 if( rec_epoch != ssl->in_epoch )
3501 {
3502 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3503 "expected %d, received %d",
3504 ssl->in_epoch, rec_epoch ) );
3505
3506 /* Records from the next epoch are considered for buffering
3507 * (concretely: early Finished messages). */
3508 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
3509 {
3510 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3511 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3512 }
3513
3514 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3515 }
3516#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3517 /* For records from the correct epoch, check whether their
3518 * sequence number has been seen before. */
3519 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3520 &rec->ctr[0] ) != 0 )
3521 {
3522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3523 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3524 }
3525#endif
3526 }
3527#endif /* MBEDTLS_SSL_PROTO_DTLS */
3528
3529 return( 0 );
3530}
3531
3532
3533#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3534static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3535{
3536 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3537
3538 /*
3539 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3540 * access the first byte of record content (handshake type), as we
3541 * have an active transform (possibly iv_len != 0), so use the
3542 * fact that the record header len is 13 instead.
3543 */
3544 if( rec_epoch == 0 &&
3545 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3546 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3547 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3548 ssl->in_left > 13 &&
3549 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3550 {
3551 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3552 "from the same port" ) );
3553 return( ssl_handle_possible_reconnect( ssl ) );
3554 }
3555
3556 return( 0 );
3557}
3558#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3559
3560/*
3561 * If applicable, decrypt record content
3562 */
3563static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3564 mbedtls_record *rec )
3565{
3566 int ret, done = 0;
3567
3568 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
3569 rec->buf, rec->buf_len );
3570
3571#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3572 if( mbedtls_ssl_hw_record_read != NULL )
3573 {
3574 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
3575
3576 ret = mbedtls_ssl_hw_record_read( ssl );
3577 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
3578 {
3579 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
3580 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3581 }
3582
3583 if( ret == 0 )
3584 done = 1;
3585 }
3586#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
3587 if( !done && ssl->transform_in != NULL )
3588 {
3589 unsigned char const old_msg_type = rec->type;
3590
3591 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
3592 rec ) ) != 0 )
3593 {
3594 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
3595
3596#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3597 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3598 ssl->conf->ignore_unexpected_cid
3599 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3600 {
3601 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
3602 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3603 }
3604#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3605
3606 return( ret );
3607 }
3608
3609 if( old_msg_type != rec->type )
3610 {
3611 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
3612 old_msg_type, rec->type ) );
3613 }
3614
3615 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
3616 rec->buf + rec->data_offset, rec->data_len );
3617
3618#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3619 /* We have already checked the record content type
3620 * in ssl_parse_record_header(), failing or silently
3621 * dropping the record in the case of an unknown type.
3622 *
3623 * Since with the use of CIDs, the record content type
3624 * might change during decryption, re-check the record
3625 * content type, but treat a failure as fatal this time. */
3626 if( ssl_check_record_type( rec->type ) )
3627 {
3628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3629 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3630 }
3631#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3632
3633 if( rec->data_len == 0 )
3634 {
3635#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3636 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
3637 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3638 {
3639 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3641 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3642 }
3643#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3644
3645 ssl->nb_zero++;
3646
3647 /*
3648 * Three or more empty messages may be a DoS attack
3649 * (excessive CPU consumption).
3650 */
3651 if( ssl->nb_zero > 3 )
3652 {
3653 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
3654 "messages, possible DoS attack" ) );
3655 /* Treat the records as if they were not properly authenticated,
3656 * thereby failing the connection if we see more than allowed
3657 * by the configured bad MAC threshold. */
3658 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3659 }
3660 }
3661 else
3662 ssl->nb_zero = 0;
3663
3664#if defined(MBEDTLS_SSL_PROTO_DTLS)
3665 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3666 {
3667 ; /* in_ctr read from peer, not maintained internally */
3668 }
3669 else
3670#endif
3671 {
3672 unsigned i;
3673 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
3674 if( ++ssl->in_ctr[i - 1] != 0 )
3675 break;
3676
3677 /* The loop goes to its end iff the counter is wrapping */
3678 if( i == mbedtls_ssl_ep_len( ssl ) )
3679 {
3680 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3681 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3682 }
3683 }
3684
3685 }
3686
3687#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3688 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3689 {
3690 mbedtls_ssl_dtls_replay_update( ssl );
3691 }
3692#endif
3693
3694 /* Check actual (decrypted) record content length against
3695 * configured maximum. */
3696 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
3697 {
3698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3699 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3700 }
3701
3702 return( 0 );
3703}
3704
3705/*
3706 * Read a record.
3707 *
3708 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3709 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3710 *
3711 */
3712
3713/* Helper functions for mbedtls_ssl_read_record(). */
3714static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
3715static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3716static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
3717
3718int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
3719 unsigned update_hs_digest )
3720{
3721 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3722
3723 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
3724
3725 if( ssl->keep_current_message == 0 )
3726 {
3727 do {
3728
3729 ret = ssl_consume_current_message( ssl );
3730 if( ret != 0 )
3731 return( ret );
3732
3733 if( ssl_record_is_in_progress( ssl ) == 0 )
3734 {
3735#if defined(MBEDTLS_SSL_PROTO_DTLS)
3736 int have_buffered = 0;
3737
3738 /* We only check for buffered messages if the
3739 * current datagram is fully consumed. */
3740 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3741 ssl_next_record_is_in_datagram( ssl ) == 0 )
3742 {
3743 if( ssl_load_buffered_message( ssl ) == 0 )
3744 have_buffered = 1;
3745 }
3746
3747 if( have_buffered == 0 )
3748#endif /* MBEDTLS_SSL_PROTO_DTLS */
3749 {
3750 ret = ssl_get_next_record( ssl );
3751 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
3752 continue;
3753
3754 if( ret != 0 )
3755 {
3756 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
3757 return( ret );
3758 }
3759 }
3760 }
3761
3762 ret = mbedtls_ssl_handle_message_type( ssl );
3763
3764#if defined(MBEDTLS_SSL_PROTO_DTLS)
3765 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
3766 {
3767 /* Buffer future message */
3768 ret = ssl_buffer_message( ssl );
3769 if( ret != 0 )
3770 return( ret );
3771
3772 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3773 }
3774#endif /* MBEDTLS_SSL_PROTO_DTLS */
3775
3776 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
3777 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
3778
3779 if( 0 != ret )
3780 {
3781 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
3782 return( ret );
3783 }
3784
3785 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3786 update_hs_digest == 1 )
3787 {
3788 mbedtls_ssl_update_handshake_status( ssl );
3789 }
3790 }
3791 else
3792 {
3793 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
3794 ssl->keep_current_message = 0;
3795 }
3796
3797 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3798
3799 return( 0 );
3800}
3801
3802#if defined(MBEDTLS_SSL_PROTO_DTLS)
3803static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
3804{
3805 if( ssl->in_left > ssl->next_record_offset )
3806 return( 1 );
3807
3808 return( 0 );
3809}
3810
3811static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
3812{
3813 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3814 mbedtls_ssl_hs_buffer * hs_buf;
3815 int ret = 0;
3816
3817 if( hs == NULL )
3818 return( -1 );
3819
3820 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
3821
3822 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
3823 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3824 {
3825 /* Check if we have seen a ChangeCipherSpec before.
3826 * If yes, synthesize a CCS record. */
3827 if( !hs->buffering.seen_ccs )
3828 {
3829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
3830 ret = -1;
3831 goto exit;
3832 }
3833
3834 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
3835 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
3836 ssl->in_msglen = 1;
3837 ssl->in_msg[0] = 1;
3838
3839 /* As long as they are equal, the exact value doesn't matter. */
3840 ssl->in_left = 0;
3841 ssl->next_record_offset = 0;
3842
3843 hs->buffering.seen_ccs = 0;
3844 goto exit;
3845 }
3846
3847#if defined(MBEDTLS_DEBUG_C)
3848 /* Debug only */
3849 {
3850 unsigned offset;
3851 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
3852 {
3853 hs_buf = &hs->buffering.hs[offset];
3854 if( hs_buf->is_valid == 1 )
3855 {
3856 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
3857 hs->in_msg_seq + offset,
3858 hs_buf->is_complete ? "fully" : "partially" ) );
3859 }
3860 }
3861 }
3862#endif /* MBEDTLS_DEBUG_C */
3863
3864 /* Check if we have buffered and/or fully reassembled the
3865 * next handshake message. */
3866 hs_buf = &hs->buffering.hs[0];
3867 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
3868 {
3869 /* Synthesize a record containing the buffered HS message. */
3870 size_t msg_len = ( hs_buf->data[1] << 16 ) |
3871 ( hs_buf->data[2] << 8 ) |
3872 hs_buf->data[3];
3873
3874 /* Double-check that we haven't accidentally buffered
3875 * a message that doesn't fit into the input buffer. */
3876 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
3877 {
3878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3879 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3880 }
3881
3882 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
3883 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
3884 hs_buf->data, msg_len + 12 );
3885
3886 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3887 ssl->in_hslen = msg_len + 12;
3888 ssl->in_msglen = msg_len + 12;
3889 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
3890
3891 ret = 0;
3892 goto exit;
3893 }
3894 else
3895 {
3896 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
3897 hs->in_msg_seq ) );
3898 }
3899
3900 ret = -1;
3901
3902exit:
3903
3904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
3905 return( ret );
3906}
3907
3908static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
3909 size_t desired )
3910{
3911 int offset;
3912 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
3914 (unsigned) desired ) );
3915
3916 /* Get rid of future records epoch first, if such exist. */
3917 ssl_free_buffered_record( ssl );
3918
3919 /* Check if we have enough space available now. */
3920 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3921 hs->buffering.total_bytes_buffered ) )
3922 {
3923 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
3924 return( 0 );
3925 }
3926
3927 /* We don't have enough space to buffer the next expected handshake
3928 * message. Remove buffers used for future messages to gain space,
3929 * starting with the most distant one. */
3930 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
3931 offset >= 0; offset-- )
3932 {
3933 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
3934 offset ) );
3935
3936 ssl_buffering_free_slot( ssl, (uint8_t) offset );
3937
3938 /* Check if we have enough space available now. */
3939 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3940 hs->buffering.total_bytes_buffered ) )
3941 {
3942 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
3943 return( 0 );
3944 }
3945 }
3946
3947 return( -1 );
3948}
3949
3950static int ssl_buffer_message( mbedtls_ssl_context *ssl )
3951{
3952 int ret = 0;
3953 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3954
3955 if( hs == NULL )
3956 return( 0 );
3957
3958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
3959
3960 switch( ssl->in_msgtype )
3961 {
3962 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
3963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
3964
3965 hs->buffering.seen_ccs = 1;
3966 break;
3967
3968 case MBEDTLS_SSL_MSG_HANDSHAKE:
3969 {
3970 unsigned recv_msg_seq_offset;
3971 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
3972 mbedtls_ssl_hs_buffer *hs_buf;
3973 size_t msg_len = ssl->in_hslen - 12;
3974
3975 /* We should never receive an old handshake
3976 * message - double-check nonetheless. */
3977 if( recv_msg_seq < ssl->handshake->in_msg_seq )
3978 {
3979 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3980 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3981 }
3982
3983 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
3984 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
3985 {
3986 /* Silently ignore -- message too far in the future */
3987 MBEDTLS_SSL_DEBUG_MSG( 2,
3988 ( "Ignore future HS message with sequence number %u, "
3989 "buffering window %u - %u",
3990 recv_msg_seq, ssl->handshake->in_msg_seq,
3991 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
3992
3993 goto exit;
3994 }
3995
3996 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
3997 recv_msg_seq, recv_msg_seq_offset ) );
3998
3999 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4000
4001 /* Check if the buffering for this seq nr has already commenced. */
4002 if( !hs_buf->is_valid )
4003 {
4004 size_t reassembly_buf_sz;
4005
4006 hs_buf->is_fragmented =
4007 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4008
4009 /* We copy the message back into the input buffer
4010 * after reassembly, so check that it's not too large.
4011 * This is an implementation-specific limitation
4012 * and not one from the standard, hence it is not
4013 * checked in ssl_check_hs_header(). */
4014 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4015 {
4016 /* Ignore message */
4017 goto exit;
4018 }
4019
4020 /* Check if we have enough space to buffer the message. */
4021 if( hs->buffering.total_bytes_buffered >
4022 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4023 {
4024 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4025 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4026 }
4027
4028 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4029 hs_buf->is_fragmented );
4030
4031 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4032 hs->buffering.total_bytes_buffered ) )
4033 {
4034 if( recv_msg_seq_offset > 0 )
4035 {
4036 /* If we can't buffer a future message because
4037 * of space limitations -- ignore. */
4038 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4039 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4040 (unsigned) hs->buffering.total_bytes_buffered ) );
4041 goto exit;
4042 }
4043 else
4044 {
4045 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4046 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4047 (unsigned) hs->buffering.total_bytes_buffered ) );
4048 }
4049
4050 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
4051 {
4052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4053 (unsigned) msg_len,
4054 (unsigned) reassembly_buf_sz,
4055 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4056 (unsigned) hs->buffering.total_bytes_buffered ) );
4057 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4058 goto exit;
4059 }
4060 }
4061
4062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4063 msg_len ) );
4064
4065 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4066 if( hs_buf->data == NULL )
4067 {
4068 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
4069 goto exit;
4070 }
4071 hs_buf->data_len = reassembly_buf_sz;
4072
4073 /* Prepare final header: copy msg_type, length and message_seq,
4074 * then add standardised fragment_offset and fragment_length */
4075 memcpy( hs_buf->data, ssl->in_msg, 6 );
4076 memset( hs_buf->data + 6, 0, 3 );
4077 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4078
4079 hs_buf->is_valid = 1;
4080
4081 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
4082 }
4083 else
4084 {
4085 /* Make sure msg_type and length are consistent */
4086 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4087 {
4088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4089 /* Ignore */
4090 goto exit;
4091 }
4092 }
4093
4094 if( !hs_buf->is_complete )
4095 {
4096 size_t frag_len, frag_off;
4097 unsigned char * const msg = hs_buf->data + 12;
4098
4099 /*
4100 * Check and copy current fragment
4101 */
4102
4103 /* Validation of header fields already done in
4104 * mbedtls_ssl_prepare_handshake_record(). */
4105 frag_off = ssl_get_hs_frag_off( ssl );
4106 frag_len = ssl_get_hs_frag_len( ssl );
4107
4108 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
4109 frag_off, frag_len ) );
4110 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4111
4112 if( hs_buf->is_fragmented )
4113 {
4114 unsigned char * const bitmask = msg + msg_len;
4115 ssl_bitmask_set( bitmask, frag_off, frag_len );
4116 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4117 msg_len ) == 0 );
4118 }
4119 else
4120 {
4121 hs_buf->is_complete = 1;
4122 }
4123
4124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4125 hs_buf->is_complete ? "" : "not yet " ) );
4126 }
4127
4128 break;
4129 }
4130
4131 default:
4132 /* We don't buffer other types of messages. */
4133 break;
4134 }
4135
4136exit:
4137
4138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4139 return( ret );
4140}
4141#endif /* MBEDTLS_SSL_PROTO_DTLS */
4142
4143static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
4144{
4145 /*
4146 * Consume last content-layer message and potentially
4147 * update in_msglen which keeps track of the contents'
4148 * consumption state.
4149 *
4150 * (1) Handshake messages:
4151 * Remove last handshake message, move content
4152 * and adapt in_msglen.
4153 *
4154 * (2) Alert messages:
4155 * Consume whole record content, in_msglen = 0.
4156 *
4157 * (3) Change cipher spec:
4158 * Consume whole record content, in_msglen = 0.
4159 *
4160 * (4) Application data:
4161 * Don't do anything - the record layer provides
4162 * the application data as a stream transport
4163 * and consumes through mbedtls_ssl_read only.
4164 *
4165 */
4166
4167 /* Case (1): Handshake messages */
4168 if( ssl->in_hslen != 0 )
4169 {
4170 /* Hard assertion to be sure that no application data
4171 * is in flight, as corrupting ssl->in_msglen during
4172 * ssl->in_offt != NULL is fatal. */
4173 if( ssl->in_offt != NULL )
4174 {
4175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4176 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4177 }
4178
4179 /*
4180 * Get next Handshake message in the current record
4181 */
4182
4183 /* Notes:
4184 * (1) in_hslen is not necessarily the size of the
4185 * current handshake content: If DTLS handshake
4186 * fragmentation is used, that's the fragment
4187 * size instead. Using the total handshake message
4188 * size here is faulty and should be changed at
4189 * some point.
4190 * (2) While it doesn't seem to cause problems, one
4191 * has to be very careful not to assume that in_hslen
4192 * is always <= in_msglen in a sensible communication.
4193 * Again, it's wrong for DTLS handshake fragmentation.
4194 * The following check is therefore mandatory, and
4195 * should not be treated as a silently corrected assertion.
4196 * Additionally, ssl->in_hslen might be arbitrarily out of
4197 * bounds after handling a DTLS message with an unexpected
4198 * sequence number, see mbedtls_ssl_prepare_handshake_record.
4199 */
4200 if( ssl->in_hslen < ssl->in_msglen )
4201 {
4202 ssl->in_msglen -= ssl->in_hslen;
4203 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4204 ssl->in_msglen );
4205
4206 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4207 ssl->in_msg, ssl->in_msglen );
4208 }
4209 else
4210 {
4211 ssl->in_msglen = 0;
4212 }
4213
4214 ssl->in_hslen = 0;
4215 }
4216 /* Case (4): Application data */
4217 else if( ssl->in_offt != NULL )
4218 {
4219 return( 0 );
4220 }
4221 /* Everything else (CCS & Alerts) */
4222 else
4223 {
4224 ssl->in_msglen = 0;
4225 }
4226
4227 return( 0 );
4228}
4229
4230static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4231{
4232 if( ssl->in_msglen > 0 )
4233 return( 1 );
4234
4235 return( 0 );
4236}
4237
4238#if defined(MBEDTLS_SSL_PROTO_DTLS)
4239
4240static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4241{
4242 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4243 if( hs == NULL )
4244 return;
4245
4246 if( hs->buffering.future_record.data != NULL )
4247 {
4248 hs->buffering.total_bytes_buffered -=
4249 hs->buffering.future_record.len;
4250
4251 mbedtls_free( hs->buffering.future_record.data );
4252 hs->buffering.future_record.data = NULL;
4253 }
4254}
4255
4256static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4257{
4258 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4259 unsigned char * rec;
4260 size_t rec_len;
4261 unsigned rec_epoch;
4262#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4263 size_t in_buf_len = ssl->in_buf_len;
4264#else
4265 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4266#endif
4267 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4268 return( 0 );
4269
4270 if( hs == NULL )
4271 return( 0 );
4272
4273 rec = hs->buffering.future_record.data;
4274 rec_len = hs->buffering.future_record.len;
4275 rec_epoch = hs->buffering.future_record.epoch;
4276
4277 if( rec == NULL )
4278 return( 0 );
4279
4280 /* Only consider loading future records if the
4281 * input buffer is empty. */
4282 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
4283 return( 0 );
4284
4285 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4286
4287 if( rec_epoch != ssl->in_epoch )
4288 {
4289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4290 goto exit;
4291 }
4292
4293 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4294
4295 /* Double-check that the record is not too large */
4296 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
4297 {
4298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4299 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4300 }
4301
4302 memcpy( ssl->in_hdr, rec, rec_len );
4303 ssl->in_left = rec_len;
4304 ssl->next_record_offset = 0;
4305
4306 ssl_free_buffered_record( ssl );
4307
4308exit:
4309 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4310 return( 0 );
4311}
4312
4313static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4314 mbedtls_record const *rec )
4315{
4316 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4317
4318 /* Don't buffer future records outside handshakes. */
4319 if( hs == NULL )
4320 return( 0 );
4321
4322 /* Only buffer handshake records (we are only interested
4323 * in Finished messages). */
4324 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
4325 return( 0 );
4326
4327 /* Don't buffer more than one future epoch record. */
4328 if( hs->buffering.future_record.data != NULL )
4329 return( 0 );
4330
4331 /* Don't buffer record if there's not enough buffering space remaining. */
4332 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4333 hs->buffering.total_bytes_buffered ) )
4334 {
4335 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4336 (unsigned) rec->buf_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4337 (unsigned) hs->buffering.total_bytes_buffered ) );
4338 return( 0 );
4339 }
4340
4341 /* Buffer record */
4342 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
4343 ssl->in_epoch + 1 ) );
4344 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
4345
4346 /* ssl_parse_record_header() only considers records
4347 * of the next epoch as candidates for buffering. */
4348 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
4349 hs->buffering.future_record.len = rec->buf_len;
4350
4351 hs->buffering.future_record.data =
4352 mbedtls_calloc( 1, hs->buffering.future_record.len );
4353 if( hs->buffering.future_record.data == NULL )
4354 {
4355 /* If we run out of RAM trying to buffer a
4356 * record from the next epoch, just ignore. */
4357 return( 0 );
4358 }
4359
4360 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
4361
4362 hs->buffering.total_bytes_buffered += rec->buf_len;
4363 return( 0 );
4364}
4365
4366#endif /* MBEDTLS_SSL_PROTO_DTLS */
4367
4368static int ssl_get_next_record( mbedtls_ssl_context *ssl )
4369{
4370 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4371 mbedtls_record rec;
4372
4373#if defined(MBEDTLS_SSL_PROTO_DTLS)
4374 /* We might have buffered a future record; if so,
4375 * and if the epoch matches now, load it.
4376 * On success, this call will set ssl->in_left to
4377 * the length of the buffered record, so that
4378 * the calls to ssl_fetch_input() below will
4379 * essentially be no-ops. */
4380 ret = ssl_load_buffered_record( ssl );
4381 if( ret != 0 )
4382 return( ret );
4383#endif /* MBEDTLS_SSL_PROTO_DTLS */
4384
4385 /* Ensure that we have enough space available for the default form
4386 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4387 * with no space for CIDs counted in). */
4388 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4389 if( ret != 0 )
4390 {
4391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4392 return( ret );
4393 }
4394
4395 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4396 if( ret != 0 )
4397 {
4398#if defined(MBEDTLS_SSL_PROTO_DTLS)
4399 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4400 {
4401 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4402 {
4403 ret = ssl_buffer_future_record( ssl, &rec );
4404 if( ret != 0 )
4405 return( ret );
4406
4407 /* Fall through to handling of unexpected records */
4408 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4409 }
4410
4411 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4412 {
4413#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4414 /* Reset in pointers to default state for TLS/DTLS records,
4415 * assuming no CID and no offset between record content and
4416 * record plaintext. */
4417 mbedtls_ssl_update_in_pointers( ssl );
4418
4419 /* Setup internal message pointers from record structure. */
4420 ssl->in_msgtype = rec.type;
4421#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4422 ssl->in_len = ssl->in_cid + rec.cid_len;
4423#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4424 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4425 ssl->in_msglen = rec.data_len;
4426
4427 ret = ssl_check_client_reconnect( ssl );
4428 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
4429 if( ret != 0 )
4430 return( ret );
4431#endif
4432
4433 /* Skip unexpected record (but not whole datagram) */
4434 ssl->next_record_offset = rec.buf_len;
4435
4436 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4437 "(header)" ) );
4438 }
4439 else
4440 {
4441 /* Skip invalid record and the rest of the datagram */
4442 ssl->next_record_offset = 0;
4443 ssl->in_left = 0;
4444
4445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4446 "(header)" ) );
4447 }
4448
4449 /* Get next record */
4450 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4451 }
4452 else
4453#endif
4454 {
4455 return( ret );
4456 }
4457 }
4458
4459#if defined(MBEDTLS_SSL_PROTO_DTLS)
4460 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4461 {
4462 /* Remember offset of next record within datagram. */
4463 ssl->next_record_offset = rec.buf_len;
4464 if( ssl->next_record_offset < ssl->in_left )
4465 {
4466 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4467 }
4468 }
4469 else
4470#endif
4471 {
4472 /*
4473 * Fetch record contents from underlying transport.
4474 */
4475 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
4476 if( ret != 0 )
4477 {
4478 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4479 return( ret );
4480 }
4481
4482 ssl->in_left = 0;
4483 }
4484
4485 /*
4486 * Decrypt record contents.
4487 */
4488
4489 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
4490 {
4491#if defined(MBEDTLS_SSL_PROTO_DTLS)
4492 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4493 {
4494 /* Silently discard invalid records */
4495 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4496 {
4497 /* Except when waiting for Finished as a bad mac here
4498 * probably means something went wrong in the handshake
4499 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4500 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4501 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4502 {
4503#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4504 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4505 {
4506 mbedtls_ssl_send_alert_message( ssl,
4507 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4508 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4509 }
4510#endif
4511 return( ret );
4512 }
4513
4514#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
4515 if( ssl->conf->badmac_limit != 0 &&
4516 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
4517 {
4518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4519 return( MBEDTLS_ERR_SSL_INVALID_MAC );
4520 }
4521#endif
4522
4523 /* As above, invalid records cause
4524 * dismissal of the whole datagram. */
4525
4526 ssl->next_record_offset = 0;
4527 ssl->in_left = 0;
4528
4529 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
4530 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4531 }
4532
4533 return( ret );
4534 }
4535 else
4536#endif
4537 {
4538 /* Error out (and send alert) on invalid records */
4539#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4540 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4541 {
4542 mbedtls_ssl_send_alert_message( ssl,
4543 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4544 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4545 }
4546#endif
4547 return( ret );
4548 }
4549 }
4550
4551
4552 /* Reset in pointers to default state for TLS/DTLS records,
4553 * assuming no CID and no offset between record content and
4554 * record plaintext. */
4555 mbedtls_ssl_update_in_pointers( ssl );
4556#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4557 ssl->in_len = ssl->in_cid + rec.cid_len;
4558#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4559 ssl->in_iv = ssl->in_len + 2;
4560
4561 /* The record content type may change during decryption,
4562 * so re-read it. */
4563 ssl->in_msgtype = rec.type;
4564 /* Also update the input buffer, because unfortunately
4565 * the server-side ssl_parse_client_hello() reparses the
4566 * record header when receiving a ClientHello initiating
4567 * a renegotiation. */
4568 ssl->in_hdr[0] = rec.type;
4569 ssl->in_msg = rec.buf + rec.data_offset;
4570 ssl->in_msglen = rec.data_len;
4571 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
4572 ssl->in_len[1] = (unsigned char)( rec.data_len );
4573
4574#if defined(MBEDTLS_ZLIB_SUPPORT)
4575 if( ssl->transform_in != NULL &&
4576 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
4577 {
4578 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4579 {
4580 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
4581 return( ret );
4582 }
4583
4584 /* Check actual (decompress) record content length against
4585 * configured maximum. */
4586 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4587 {
4588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4589 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4590 }
4591 }
4592#endif /* MBEDTLS_ZLIB_SUPPORT */
4593
4594 return( 0 );
4595}
4596
4597int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4598{
4599 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4600
4601 /*
4602 * Handle particular types of records
4603 */
4604 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
4605 {
4606 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4607 {
4608 return( ret );
4609 }
4610 }
4611
4612 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4613 {
4614 if( ssl->in_msglen != 1 )
4615 {
4616 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
4617 ssl->in_msglen ) );
4618 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4619 }
4620
4621 if( ssl->in_msg[0] != 1 )
4622 {
4623 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4624 ssl->in_msg[0] ) );
4625 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4626 }
4627
4628#if defined(MBEDTLS_SSL_PROTO_DTLS)
4629 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4630 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4631 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4632 {
4633 if( ssl->handshake == NULL )
4634 {
4635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4636 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4637 }
4638
4639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4640 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4641 }
4642#endif
4643 }
4644
4645 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
4646 {
4647 if( ssl->in_msglen != 2 )
4648 {
4649 /* Note: Standard allows for more than one 2 byte alert
4650 to be packed in a single message, but Mbed TLS doesn't
4651 currently support this. */
4652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
4653 ssl->in_msglen ) );
4654 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4655 }
4656
4657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
4658 ssl->in_msg[0], ssl->in_msg[1] ) );
4659
4660 /*
4661 * Ignore non-fatal alerts, except close_notify and no_renegotiation
4662 */
4663 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
4664 {
4665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
4666 ssl->in_msg[1] ) );
4667 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
4668 }
4669
4670 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4671 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
4672 {
4673 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4674 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
4675 }
4676
4677#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4678 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4679 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4680 {
4681 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
4682 /* Will be handled when trying to parse ServerHello */
4683 return( 0 );
4684 }
4685#endif
4686
4687#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
4688 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
4689 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4690 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4691 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
4692 {
4693 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
4694 /* Will be handled in mbedtls_ssl_parse_certificate() */
4695 return( 0 );
4696 }
4697#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
4698
4699 /* Silently ignore: fetch new message */
4700 return MBEDTLS_ERR_SSL_NON_FATAL;
4701 }
4702
4703#if defined(MBEDTLS_SSL_PROTO_DTLS)
4704 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4705 {
4706 /* Drop unexpected ApplicationData records,
4707 * except at the beginning of renegotiations */
4708 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4709 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4710#if defined(MBEDTLS_SSL_RENEGOTIATION)
4711 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4712 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4713#endif
4714 )
4715 {
4716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4717 return( MBEDTLS_ERR_SSL_NON_FATAL );
4718 }
4719
4720 if( ssl->handshake != NULL &&
4721 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
4722 {
4723 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
4724 }
4725 }
4726#endif /* MBEDTLS_SSL_PROTO_DTLS */
4727
4728 return( 0 );
4729}
4730
4731int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
4732{
4733 return( mbedtls_ssl_send_alert_message( ssl,
4734 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4735 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
4736}
4737
4738int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
4739 unsigned char level,
4740 unsigned char message )
4741{
4742 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4743
4744 if( ssl == NULL || ssl->conf == NULL )
4745 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4746
4747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
4748 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
4749
4750 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
4751 ssl->out_msglen = 2;
4752 ssl->out_msg[0] = level;
4753 ssl->out_msg[1] = message;
4754
4755 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
4756 {
4757 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
4758 return( ret );
4759 }
4760 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
4761
4762 return( 0 );
4763}
4764
4765int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
4766{
4767 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4768
4769 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
4770
4771 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4772 ssl->out_msglen = 1;
4773 ssl->out_msg[0] = 1;
4774
4775 ssl->state++;
4776
4777 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
4778 {
4779 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
4780 return( ret );
4781 }
4782
4783 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
4784
4785 return( 0 );
4786}
4787
4788int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
4789{
4790 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4791
4792 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
4793
4794 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
4795 {
4796 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
4797 return( ret );
4798 }
4799
4800 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4801 {
4802 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
4803 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4804 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
4805 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
4806 }
4807
4808 /* CCS records are only accepted if they have length 1 and content '1',
4809 * so we don't need to check this here. */
4810
4811 /*
4812 * Switch to our negotiated transform and session parameters for inbound
4813 * data.
4814 */
4815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
4816 ssl->transform_in = ssl->transform_negotiate;
4817 ssl->session_in = ssl->session_negotiate;
4818
4819#if defined(MBEDTLS_SSL_PROTO_DTLS)
4820 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4821 {
4822#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4823 mbedtls_ssl_dtls_replay_reset( ssl );
4824#endif
4825
4826 /* Increment epoch */
4827 if( ++ssl->in_epoch == 0 )
4828 {
4829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
4830 /* This is highly unlikely to happen for legitimate reasons, so
4831 treat it as an attack and don't send an alert. */
4832 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
4833 }
4834 }
4835 else
4836#endif /* MBEDTLS_SSL_PROTO_DTLS */
4837 memset( ssl->in_ctr, 0, 8 );
4838
4839 mbedtls_ssl_update_in_pointers( ssl );
4840
4841#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4842 if( mbedtls_ssl_hw_record_activate != NULL )
4843 {
4844 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
4845 {
4846 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
4847 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4848 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
4849 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
4850 }
4851 }
4852#endif
4853
4854 ssl->state++;
4855
4856 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
4857
4858 return( 0 );
4859}
4860
4861/* Once ssl->out_hdr as the address of the beginning of the
4862 * next outgoing record is set, deduce the other pointers.
4863 *
4864 * Note: For TLS, we save the implicit record sequence number
4865 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
4866 * and the caller has to make sure there's space for this.
4867 */
4868
4869void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
4870 mbedtls_ssl_transform *transform )
4871{
4872#if defined(MBEDTLS_SSL_PROTO_DTLS)
4873 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4874 {
4875 ssl->out_ctr = ssl->out_hdr + 3;
4876#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4877 ssl->out_cid = ssl->out_ctr + 8;
4878 ssl->out_len = ssl->out_cid;
4879 if( transform != NULL )
4880 ssl->out_len += transform->out_cid_len;
4881#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4882 ssl->out_len = ssl->out_ctr + 8;
4883#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4884 ssl->out_iv = ssl->out_len + 2;
4885 }
4886 else
4887#endif
4888 {
4889 ssl->out_ctr = ssl->out_hdr - 8;
4890 ssl->out_len = ssl->out_hdr + 3;
4891#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4892 ssl->out_cid = ssl->out_len;
4893#endif
4894 ssl->out_iv = ssl->out_hdr + 5;
4895 }
4896
4897 /* Adjust out_msg to make space for explicit IV, if used. */
4898 if( transform != NULL &&
4899 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
4900 {
4901 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
4902 }
4903 else
4904 ssl->out_msg = ssl->out_iv;
4905}
4906
4907/* Once ssl->in_hdr as the address of the beginning of the
4908 * next incoming record is set, deduce the other pointers.
4909 *
4910 * Note: For TLS, we save the implicit record sequence number
4911 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
4912 * and the caller has to make sure there's space for this.
4913 */
4914
4915void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
4916{
4917 /* This function sets the pointers to match the case
4918 * of unprotected TLS/DTLS records, with both ssl->in_iv
4919 * and ssl->in_msg pointing to the beginning of the record
4920 * content.
4921 *
4922 * When decrypting a protected record, ssl->in_msg
4923 * will be shifted to point to the beginning of the
4924 * record plaintext.
4925 */
4926
4927#if defined(MBEDTLS_SSL_PROTO_DTLS)
4928 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4929 {
4930 /* This sets the header pointers to match records
4931 * without CID. When we receive a record containing
4932 * a CID, the fields are shifted accordingly in
4933 * ssl_parse_record_header(). */
4934 ssl->in_ctr = ssl->in_hdr + 3;
4935#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4936 ssl->in_cid = ssl->in_ctr + 8;
4937 ssl->in_len = ssl->in_cid; /* Default: no CID */
4938#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4939 ssl->in_len = ssl->in_ctr + 8;
4940#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4941 ssl->in_iv = ssl->in_len + 2;
4942 }
4943 else
4944#endif
4945 {
4946 ssl->in_ctr = ssl->in_hdr - 8;
4947 ssl->in_len = ssl->in_hdr + 3;
4948#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4949 ssl->in_cid = ssl->in_len;
4950#endif
4951 ssl->in_iv = ssl->in_hdr + 5;
4952 }
4953
4954 /* This will be adjusted at record decryption time. */
4955 ssl->in_msg = ssl->in_iv;
4956}
4957
4958/*
4959 * Setup an SSL context
4960 */
4961
4962void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
4963{
4964 /* Set the incoming and outgoing record pointers. */
4965#if defined(MBEDTLS_SSL_PROTO_DTLS)
4966 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4967 {
4968 ssl->out_hdr = ssl->out_buf;
4969 ssl->in_hdr = ssl->in_buf;
4970 }
4971 else
4972#endif /* MBEDTLS_SSL_PROTO_DTLS */
4973 {
4974 ssl->out_hdr = ssl->out_buf + 8;
4975 ssl->in_hdr = ssl->in_buf + 8;
4976 }
4977
4978 /* Derive other internal pointers. */
4979 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
4980 mbedtls_ssl_update_in_pointers ( ssl );
4981}
4982
4983/*
4984 * SSL get accessors
4985 */
4986size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
4987{
4988 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4989}
4990
4991int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
4992{
4993 /*
4994 * Case A: We're currently holding back
4995 * a message for further processing.
4996 */
4997
4998 if( ssl->keep_current_message == 1 )
4999 {
5000 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
5001 return( 1 );
5002 }
5003
5004 /*
5005 * Case B: Further records are pending in the current datagram.
5006 */
5007
5008#if defined(MBEDTLS_SSL_PROTO_DTLS)
5009 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5010 ssl->in_left > ssl->next_record_offset )
5011 {
5012 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
5013 return( 1 );
5014 }
5015#endif /* MBEDTLS_SSL_PROTO_DTLS */
5016
5017 /*
5018 * Case C: A handshake message is being processed.
5019 */
5020
5021 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
5022 {
5023 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
5024 return( 1 );
5025 }
5026
5027 /*
5028 * Case D: An application data message is being processed
5029 */
5030 if( ssl->in_offt != NULL )
5031 {
5032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
5033 return( 1 );
5034 }
5035
5036 /*
5037 * In all other cases, the rest of the message can be dropped.
5038 * As in ssl_get_next_record, this needs to be adapted if
5039 * we implement support for multiple alerts in single records.
5040 */
5041
5042 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5043 return( 0 );
5044}
5045
5046
5047int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
5048{
5049 size_t transform_expansion = 0;
5050 const mbedtls_ssl_transform *transform = ssl->transform_out;
5051 unsigned block_size;
5052
5053 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5054
5055 if( transform == NULL )
5056 return( (int) out_hdr_len );
5057
5058#if defined(MBEDTLS_ZLIB_SUPPORT)
5059 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
5060 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
5061#endif
5062
5063 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
5064 {
5065 case MBEDTLS_MODE_GCM:
5066 case MBEDTLS_MODE_CCM:
5067 case MBEDTLS_MODE_CHACHAPOLY:
5068 case MBEDTLS_MODE_STREAM:
5069 transform_expansion = transform->minlen;
5070 break;
5071
5072 case MBEDTLS_MODE_CBC:
5073
5074 block_size = mbedtls_cipher_get_block_size(
5075 &transform->cipher_ctx_enc );
5076
5077 /* Expansion due to the addition of the MAC. */
5078 transform_expansion += transform->maclen;
5079
5080 /* Expansion due to the addition of CBC padding;
5081 * Theoretically up to 256 bytes, but we never use
5082 * more than the block size of the underlying cipher. */
5083 transform_expansion += block_size;
5084
5085 /* For TLS 1.1 or higher, an explicit IV is added
5086 * after the record header. */
5087#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
5088 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
5089 transform_expansion += block_size;
5090#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
5091
5092 break;
5093
5094 default:
5095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5096 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5097 }
5098
5099#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5100 if( transform->out_cid_len != 0 )
5101 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
5102#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5103
5104 return( (int)( out_hdr_len + transform_expansion ) );
5105}
5106
5107#if defined(MBEDTLS_SSL_RENEGOTIATION)
5108/*
5109 * Check record counters and renegotiate if they're above the limit.
5110 */
5111static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
5112{
5113 size_t ep_len = mbedtls_ssl_ep_len( ssl );
5114 int in_ctr_cmp;
5115 int out_ctr_cmp;
5116
5117 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5118 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
5119 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
5120 {
5121 return( 0 );
5122 }
5123
5124 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5125 ssl->conf->renego_period + ep_len, 8 - ep_len );
5126 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
5127 ssl->conf->renego_period + ep_len, 8 - ep_len );
5128
5129 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
5130 {
5131 return( 0 );
5132 }
5133
5134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
5135 return( mbedtls_ssl_renegotiate( ssl ) );
5136}
5137#endif /* MBEDTLS_SSL_RENEGOTIATION */
5138
5139/*
5140 * Receive application data decrypted from the SSL layer
5141 */
5142int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
5143{
5144 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5145 size_t n;
5146
5147 if( ssl == NULL || ssl->conf == NULL )
5148 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5149
5150 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
5151
5152#if defined(MBEDTLS_SSL_PROTO_DTLS)
5153 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5154 {
5155 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5156 return( ret );
5157
5158 if( ssl->handshake != NULL &&
5159 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
5160 {
5161 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
5162 return( ret );
5163 }
5164 }
5165#endif
5166
5167 /*
5168 * Check if renegotiation is necessary and/or handshake is
5169 * in process. If yes, perform/continue, and fall through
5170 * if an unexpected packet is received while the client
5171 * is waiting for the ServerHello.
5172 *
5173 * (There is no equivalent to the last condition on
5174 * the server-side as it is not treated as within
5175 * a handshake while waiting for the ClientHello
5176 * after a renegotiation request.)
5177 */
5178
5179#if defined(MBEDTLS_SSL_RENEGOTIATION)
5180 ret = ssl_check_ctr_renegotiate( ssl );
5181 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5182 ret != 0 )
5183 {
5184 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5185 return( ret );
5186 }
5187#endif
5188
5189 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5190 {
5191 ret = mbedtls_ssl_handshake( ssl );
5192 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5193 ret != 0 )
5194 {
5195 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5196 return( ret );
5197 }
5198 }
5199
5200 /* Loop as long as no application data record is available */
5201 while( ssl->in_offt == NULL )
5202 {
5203 /* Start timer if not already running */
5204 if( ssl->f_get_timer != NULL &&
5205 ssl->f_get_timer( ssl->p_timer ) == -1 )
5206 {
5207 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
5208 }
5209
5210 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5211 {
5212 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5213 return( 0 );
5214
5215 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5216 return( ret );
5217 }
5218
5219 if( ssl->in_msglen == 0 &&
5220 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
5221 {
5222 /*
5223 * OpenSSL sends empty messages to randomize the IV
5224 */
5225 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5226 {
5227 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5228 return( 0 );
5229
5230 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5231 return( ret );
5232 }
5233 }
5234
5235 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
5236 {
5237 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
5238
5239 /*
5240 * - For client-side, expect SERVER_HELLO_REQUEST.
5241 * - For server-side, expect CLIENT_HELLO.
5242 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5243 */
5244
5245#if defined(MBEDTLS_SSL_CLI_C)
5246 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5247 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
5248 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
5249 {
5250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
5251
5252 /* With DTLS, drop the packet (probably from last handshake) */
5253#if defined(MBEDTLS_SSL_PROTO_DTLS)
5254 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5255 {
5256 continue;
5257 }
5258#endif
5259 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5260 }
5261#endif /* MBEDTLS_SSL_CLI_C */
5262
5263#if defined(MBEDTLS_SSL_SRV_C)
5264 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5265 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
5266 {
5267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
5268
5269 /* With DTLS, drop the packet (probably from last handshake) */
5270#if defined(MBEDTLS_SSL_PROTO_DTLS)
5271 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5272 {
5273 continue;
5274 }
5275#endif
5276 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5277 }
5278#endif /* MBEDTLS_SSL_SRV_C */
5279
5280#if defined(MBEDTLS_SSL_RENEGOTIATION)
5281 /* Determine whether renegotiation attempt should be accepted */
5282 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5283 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5284 ssl->conf->allow_legacy_renegotiation ==
5285 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5286 {
5287 /*
5288 * Accept renegotiation request
5289 */
5290
5291 /* DTLS clients need to know renego is server-initiated */
5292#if defined(MBEDTLS_SSL_PROTO_DTLS)
5293 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5294 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5295 {
5296 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5297 }
5298#endif
5299 ret = mbedtls_ssl_start_renegotiation( ssl );
5300 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5301 ret != 0 )
5302 {
5303 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5304 ret );
5305 return( ret );
5306 }
5307 }
5308 else
5309#endif /* MBEDTLS_SSL_RENEGOTIATION */
5310 {
5311 /*
5312 * Refuse renegotiation
5313 */
5314
5315 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
5316
5317#if defined(MBEDTLS_SSL_PROTO_SSL3)
5318 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5319 {
5320 /* SSLv3 does not have a "no_renegotiation" warning, so
5321 we send a fatal alert and abort the connection. */
5322 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5323 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5324 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5325 }
5326 else
5327#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5328#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5329 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5330 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
5331 {
5332 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5333 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5334 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
5335 {
5336 return( ret );
5337 }
5338 }
5339 else
5340#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
5341 MBEDTLS_SSL_PROTO_TLS1_2 */
5342 {
5343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5344 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5345 }
5346 }
5347
5348 /* At this point, we don't know whether the renegotiation has been
5349 * completed or not. The cases to consider are the following:
5350 * 1) The renegotiation is complete. In this case, no new record
5351 * has been read yet.
5352 * 2) The renegotiation is incomplete because the client received
5353 * an application data record while awaiting the ServerHello.
5354 * 3) The renegotiation is incomplete because the client received
5355 * a non-handshake, non-application data message while awaiting
5356 * the ServerHello.
5357 * In each of these case, looping will be the proper action:
5358 * - For 1), the next iteration will read a new record and check
5359 * if it's application data.
5360 * - For 2), the loop condition isn't satisfied as application data
5361 * is present, hence continue is the same as break
5362 * - For 3), the loop condition is satisfied and read_record
5363 * will re-deliver the message that was held back by the client
5364 * when expecting the ServerHello.
5365 */
5366 continue;
5367 }
5368#if defined(MBEDTLS_SSL_RENEGOTIATION)
5369 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5370 {
5371 if( ssl->conf->renego_max_records >= 0 )
5372 {
5373 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
5374 {
5375 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
5376 "but not honored by client" ) );
5377 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5378 }
5379 }
5380 }
5381#endif /* MBEDTLS_SSL_RENEGOTIATION */
5382
5383 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5384 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
5385 {
5386 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
5387 return( MBEDTLS_ERR_SSL_WANT_READ );
5388 }
5389
5390 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
5391 {
5392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5393 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5394 }
5395
5396 ssl->in_offt = ssl->in_msg;
5397
5398 /* We're going to return something now, cancel timer,
5399 * except if handshake (renegotiation) is in progress */
5400 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5401 mbedtls_ssl_set_timer( ssl, 0 );
5402
5403#if defined(MBEDTLS_SSL_PROTO_DTLS)
5404 /* If we requested renego but received AppData, resend HelloRequest.
5405 * Do it now, after setting in_offt, to avoid taking this branch
5406 * again if ssl_write_hello_request() returns WANT_WRITE */
5407#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
5408 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5409 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5410 {
5411 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
5412 {
5413 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5414 ret );
5415 return( ret );
5416 }
5417 }
5418#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
5419#endif /* MBEDTLS_SSL_PROTO_DTLS */
5420 }
5421
5422 n = ( len < ssl->in_msglen )
5423 ? len : ssl->in_msglen;
5424
5425 memcpy( buf, ssl->in_offt, n );
5426 ssl->in_msglen -= n;
5427
5428 if( ssl->in_msglen == 0 )
5429 {
5430 /* all bytes consumed */
5431 ssl->in_offt = NULL;
5432 ssl->keep_current_message = 0;
5433 }
5434 else
5435 {
5436 /* more data available */
5437 ssl->in_offt += n;
5438 }
5439
5440 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
5441
5442 return( (int) n );
5443}
5444
5445/*
5446 * Send application data to be encrypted by the SSL layer, taking care of max
5447 * fragment length and buffer size.
5448 *
5449 * According to RFC 5246 Section 6.2.1:
5450 *
5451 * Zero-length fragments of Application data MAY be sent as they are
5452 * potentially useful as a traffic analysis countermeasure.
5453 *
5454 * Therefore, it is possible that the input message length is 0 and the
5455 * corresponding return code is 0 on success.
5456 */
5457static int ssl_write_real( mbedtls_ssl_context *ssl,
5458 const unsigned char *buf, size_t len )
5459{
5460 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5461 const size_t max_len = (size_t) ret;
5462
5463 if( ret < 0 )
5464 {
5465 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5466 return( ret );
5467 }
5468
5469 if( len > max_len )
5470 {
5471#if defined(MBEDTLS_SSL_PROTO_DTLS)
5472 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5473 {
5474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
5475 "maximum fragment length: %d > %d",
5476 len, max_len ) );
5477 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5478 }
5479 else
5480#endif
5481 len = max_len;
5482 }
5483
5484 if( ssl->out_left != 0 )
5485 {
5486 /*
5487 * The user has previously tried to send the data and
5488 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5489 * written. In this case, we expect the high-level write function
5490 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5491 */
5492 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5493 {
5494 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
5495 return( ret );
5496 }
5497 }
5498 else
5499 {
5500 /*
5501 * The user is trying to send a message the first time, so we need to
5502 * copy the data into the internal buffers and setup the data structure
5503 * to keep track of partial writes
5504 */
5505 ssl->out_msglen = len;
5506 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
5507 memcpy( ssl->out_msg, buf, len );
5508
5509 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5510 {
5511 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5512 return( ret );
5513 }
5514 }
5515
5516 return( (int) len );
5517}
5518
5519/*
5520 * Write application data, doing 1/n-1 splitting if necessary.
5521 *
5522 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
5523 * then the caller will call us again with the same arguments, so
5524 * remember whether we already did the split or not.
5525 */
5526#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
5527static int ssl_write_split( mbedtls_ssl_context *ssl,
5528 const unsigned char *buf, size_t len )
5529{
5530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5531
5532 if( ssl->conf->cbc_record_splitting ==
5533 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
5534 len <= 1 ||
5535 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
5536 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
5537 != MBEDTLS_MODE_CBC )
5538 {
5539 return( ssl_write_real( ssl, buf, len ) );
5540 }
5541
5542 if( ssl->split_done == 0 )
5543 {
5544 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
5545 return( ret );
5546 ssl->split_done = 1;
5547 }
5548
5549 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
5550 return( ret );
5551 ssl->split_done = 0;
5552
5553 return( ret + 1 );
5554}
5555#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
5556
5557/*
5558 * Write application data (public-facing wrapper)
5559 */
5560int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
5561{
5562 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5563
5564 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
5565
5566 if( ssl == NULL || ssl->conf == NULL )
5567 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5568
5569#if defined(MBEDTLS_SSL_RENEGOTIATION)
5570 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5571 {
5572 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5573 return( ret );
5574 }
5575#endif
5576
5577 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5578 {
5579 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
5580 {
5581 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5582 return( ret );
5583 }
5584 }
5585
5586#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
5587 ret = ssl_write_split( ssl, buf, len );
5588#else
5589 ret = ssl_write_real( ssl, buf, len );
5590#endif
5591
5592 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
5593
5594 return( ret );
5595}
5596
5597/*
5598 * Notify the peer that the connection is being closed
5599 */
5600int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
5601{
5602 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5603
5604 if( ssl == NULL || ssl->conf == NULL )
5605 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5606
5607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
5608
5609 if( ssl->out_left != 0 )
5610 return( mbedtls_ssl_flush_output( ssl ) );
5611
5612 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5613 {
5614 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5615 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5616 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
5617 {
5618 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
5619 return( ret );
5620 }
5621 }
5622
5623 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
5624
5625 return( 0 );
5626}
5627
5628void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
5629{
5630 if( transform == NULL )
5631 return;
5632
5633#if defined(MBEDTLS_ZLIB_SUPPORT)
5634 deflateEnd( &transform->ctx_deflate );
5635 inflateEnd( &transform->ctx_inflate );
5636#endif
5637
5638 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5639 mbedtls_cipher_free( &transform->cipher_ctx_dec );
5640
5641#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
5642 mbedtls_md_free( &transform->md_ctx_enc );
5643 mbedtls_md_free( &transform->md_ctx_dec );
5644#endif
5645
5646 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
5647}
5648
5649#if defined(MBEDTLS_SSL_PROTO_DTLS)
5650
5651void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
5652{
5653 unsigned offset;
5654 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5655
5656 if( hs == NULL )
5657 return;
5658
5659 ssl_free_buffered_record( ssl );
5660
5661 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
5662 ssl_buffering_free_slot( ssl, offset );
5663}
5664
5665static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5666 uint8_t slot )
5667{
5668 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5669 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
5670
5671 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
5672 return;
5673
5674 if( hs_buf->is_valid == 1 )
5675 {
5676 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
5677 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
5678 mbedtls_free( hs_buf->data );
5679 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
5680 }
5681}
5682
5683#endif /* MBEDTLS_SSL_PROTO_DTLS */
5684
5685/*
5686 * Convert version numbers to/from wire format
5687 * and, for DTLS, to/from TLS equivalent.
5688 *
5689 * For TLS this is the identity.
5690 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
5691 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
5692 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
5693 */
5694void mbedtls_ssl_write_version( int major, int minor, int transport,
5695 unsigned char ver[2] )
5696{
5697#if defined(MBEDTLS_SSL_PROTO_DTLS)
5698 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5699 {
5700 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
5701 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5702
5703 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
5704 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
5705 }
5706 else
5707#else
5708 ((void) transport);
5709#endif
5710 {
5711 ver[0] = (unsigned char) major;
5712 ver[1] = (unsigned char) minor;
5713 }
5714}
5715
5716void mbedtls_ssl_read_version( int *major, int *minor, int transport,
5717 const unsigned char ver[2] )
5718{
5719#if defined(MBEDTLS_SSL_PROTO_DTLS)
5720 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5721 {
5722 *major = 255 - ver[0] + 2;
5723 *minor = 255 - ver[1] + 1;
5724
5725 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
5726 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5727 }
5728 else
5729#else
5730 ((void) transport);
5731#endif
5732 {
5733 *major = ver[0];
5734 *minor = ver[1];
5735 }
5736}
5737
5738#endif /* MBEDTLS_SSL_TLS_C */