TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1cb6c2a69d72f26ead7657f4d05433cf4b787989 / . / library / ssl_msg.c
blob: 958071c2a48bb50527d2882586f6fecb247e826f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4 *
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]5 * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]19 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]20 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]39#if defined(MBEDTLS_PLATFORM_C)
40#include "mbedtls/platform.h"
41#else
42#include <stdlib.h>
43#define mbedtls_calloc calloc
44#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]45#endif
46
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]47#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200[diff] [blame]48#include "mbedtls/ssl_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]49#include "mbedtls/debug.h"
50#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +0100[diff] [blame]52#include "mbedtls/version.h"
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]53
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]54#include <string.h>
55
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]56#if defined(MBEDTLS_USE_PSA_CRYPTO)
57#include "mbedtls/psa_util.h"
58#include "psa/crypto.h"
59#endif
60
Janos Follath23bdca02016-10-07 14:47:14 +0100[diff] [blame]61#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]62#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]63#endif
64
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]65static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]66
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]67/*
68 * Start a timer.
69 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]70 */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]71void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]72{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]73 if( ssl->f_set_timer == NULL )
74 return;
75
76 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
77 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]78}
79
80/*
81 * Return -1 is timer is expired, 0 if it isn't.
82 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]83int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]84{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]85 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]86 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]87
88 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]89 {
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]91 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]92 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]93
94 return( 0 );
95}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]96
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]97#if defined(MBEDTLS_SSL_RECORD_CHECKING)
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]98static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
99 unsigned char *buf,
100 size_t len,
101 mbedtls_record *rec );
102
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]103int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
104 unsigned char *buf,
105 size_t buflen )
106{
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]107 int ret = 0;
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
109 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
110
111 /* We don't support record checking in TLS because
112 * (a) there doesn't seem to be a usecase for it, and
113 * (b) In SSLv3 and TLS 1.0, CBC record decryption has state
114 * and we'd need to backup the transform here.
115 */
116 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
117 {
118 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
119 goto exit;
120 }
121#if defined(MBEDTLS_SSL_PROTO_DTLS)
122 else
123 {
irwir734f0cf2019-09-26 21:03:24 +0300[diff] [blame]124 mbedtls_record rec;
125
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]126 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
127 if( ret != 0 )
128 {
129 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
130 goto exit;
131 }
132
133 if( ssl->transform_in != NULL )
134 {
135 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
136 if( ret != 0 )
137 {
138 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
139 goto exit;
140 }
141 }
142 }
143#endif /* MBEDTLS_SSL_PROTO_DTLS */
144
145exit:
146 /* On success, we have decrypted the buffer in-place, so make
147 * sure we don't leak any plaintext data. */
148 mbedtls_platform_zeroize( buf, buflen );
149
150 /* For the purpose of this API, treat messages with unexpected CID
151 * as well as such from future epochs as unexpected. */
152 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
153 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
154 {
155 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
156 }
157
158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
159 return( ret );
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]160}
161#endif /* MBEDTLS_SSL_RECORD_CHECKING */
162
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]163#define SSL_DONT_FORCE_FLUSH 0
164#define SSL_FORCE_FLUSH 1
165
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]166#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]167
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]168/* Forward declarations for functions related to message buffering. */
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]169static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
170 uint8_t slot );
171static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
172static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
173static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
174static int ssl_buffer_message( mbedtls_ssl_context *ssl );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]175static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
176 mbedtls_record const *rec );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]177static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]178
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]179static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]180{
Hanno Becker89490712020-02-05 10:50:12 +0000[diff] [blame]181 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]182#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
183 size_t out_buf_len = ssl->out_buf_len;
184#else
185 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
186#endif
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]187
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]188 if( mtu != 0 && mtu < out_buf_len )
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]189 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]190
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]191 return( out_buf_len );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]192}
193
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]194static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
195{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]196 size_t const bytes_written = ssl->out_left;
197 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]198
199 /* Double-check that the write-index hasn't gone
200 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]201 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]202 {
203 /* Should never happen... */
204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
205 }
206
207 return( (int) ( mtu - bytes_written ) );
208}
209
210static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
211{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]212 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]213 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400[diff] [blame]214 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]215
216#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]217 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]218
219 if( max_len > mfl )
220 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100[diff] [blame]221
222 /* By the standard (RFC 6066 Sect. 4), the MFL extension
223 * only limits the maximum record payload size, so in theory
224 * we would be allowed to pack multiple records of payload size
225 * MFL into a single datagram. However, this would mean that there's
226 * no way to explicitly communicate MTU restrictions to the peer.
227 *
228 * The following reduction of max_len makes sure that we never
229 * write datagrams larger than MFL + Record Expansion Overhead.
230 */
231 if( max_len <= ssl->out_left )
232 return( 0 );
233
234 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]235#endif
236
237 ret = ssl_get_remaining_space_in_datagram( ssl );
238 if( ret < 0 )
239 return( ret );
240 remaining = (size_t) ret;
241
242 ret = mbedtls_ssl_get_record_expansion( ssl );
243 if( ret < 0 )
244 return( ret );
245 expansion = (size_t) ret;
246
247 if( remaining <= expansion )
248 return( 0 );
249
250 remaining -= expansion;
251 if( remaining >= max_len )
252 remaining = max_len;
253
254 return( (int) remaining );
255}
256
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]257/*
258 * Double the retransmit timeout value, within the allowed range,
259 * returning -1 if the maximum value has already been reached.
260 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]261static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]262{
263 uint32_t new_timeout;
264
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]265 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]266 return( -1 );
267
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]268 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
269 * in the following way: after the initial transmission and a first
270 * retransmission, back off to a temporary estimated MTU of 508 bytes.
271 * This value is guaranteed to be deliverable (if not guaranteed to be
272 * delivered) of any compliant IPv4 (and IPv6) network, and should work
273 * on most non-IP stacks too. */
274 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]275 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]276 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]277 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
278 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]279
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]280 new_timeout = 2 * ssl->handshake->retransmit_timeout;
281
282 /* Avoid arithmetic overflow and range overflow */
283 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]284 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]285 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]286 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]287 }
288
289 ssl->handshake->retransmit_timeout = new_timeout;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]291 ssl->handshake->retransmit_timeout ) );
292
293 return( 0 );
294}
295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]296static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]297{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]298 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]300 ssl->handshake->retransmit_timeout ) );
301}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]302#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]304#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
305int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]306 const unsigned char *key_enc, const unsigned char *key_dec,
307 size_t keylen,
308 const unsigned char *iv_enc, const unsigned char *iv_dec,
309 size_t ivlen,
310 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]311 size_t maclen ) = NULL;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]312int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
313int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
314int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
315int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
316int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
317#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]318
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]319/* The function below is only used in the Lucky 13 counter-measure in
Hanno Beckerb2ca87d2018-10-18 15:43:13 +0100[diff] [blame]320 * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]321#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]322 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
323 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
324 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
325/* This function makes sure every byte in the memory region is accessed
326 * (in ascending addresses order) */
327static void ssl_read_memory( unsigned char *p, size_t len )
328{
329 unsigned char acc = 0;
330 volatile unsigned char force;
331
332 for( ; len != 0; p++, len-- )
333 acc ^= *p;
334
335 force = acc;
336 (void) force;
337}
338#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
339
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]340/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]342 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]343
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]344#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \
345 defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]346/* This functions transforms a (D)TLS plaintext fragment and a record content
347 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
348 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
349 * a record's content type.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]350 *
351 * struct {
352 * opaque content[DTLSPlaintext.length];
353 * ContentType real_type;
354 * uint8 zeros[length_of_padding];
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]355 * } (D)TLSInnerPlaintext;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]356 *
357 * Input:
358 * - `content`: The beginning of the buffer holding the
359 * plaintext to be wrapped.
360 * - `*content_size`: The length of the plaintext in Bytes.
361 * - `max_len`: The number of Bytes available starting from
362 * `content`. This must be `>= *content_size`.
363 * - `rec_type`: The desired record content type.
364 *
365 * Output:
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]366 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
367 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]368 *
369 * Returns:
370 * - `0` on success.
371 * - A negative error code if `max_len` didn't offer enough space
372 * for the expansion.
373 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]374static int ssl_build_inner_plaintext( unsigned char *content,
375 size_t *content_size,
376 size_t remaining,
377 uint8_t rec_type )
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]378{
379 size_t len = *content_size;
Hanno Beckerb9ec44f2019-05-13 15:31:17 +0100[diff] [blame]380 size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
381 ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
382 MBEDTLS_SSL_CID_PADDING_GRANULARITY;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]383
384 /* Write real content type */
385 if( remaining == 0 )
386 return( -1 );
387 content[ len ] = rec_type;
388 len++;
389 remaining--;
390
391 if( remaining < pad )
392 return( -1 );
393 memset( content + len, 0, pad );
394 len += pad;
395 remaining -= pad;
396
397 *content_size = len;
398 return( 0 );
399}
400
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]401/* This function parses a (D)TLSInnerPlaintext structure.
402 * See ssl_build_inner_plaintext() for details. */
403static int ssl_parse_inner_plaintext( unsigned char const *content,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]404 size_t *content_size,
405 uint8_t *rec_type )
406{
407 size_t remaining = *content_size;
408
409 /* Determine length of padding by skipping zeroes from the back. */
410 do
411 {
412 if( remaining == 0 )
413 return( -1 );
414 remaining--;
415 } while( content[ remaining ] == 0 );
416
417 *content_size = remaining;
418 *rec_type = content[ remaining ];
419
420 return( 0 );
421}
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]422#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
423 MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]424
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]425/* `add_data` must have size 13 Bytes if the CID extension is disabled,
Hanno Beckerc4a190b2019-05-08 18:15:21 +0100[diff] [blame]426 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]427static void ssl_extract_add_data_from_record( unsigned char* add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]428 size_t *add_data_len,
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]429 mbedtls_record *rec,
430 unsigned minor_ver )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]431{
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]432 /* Quoting RFC 5246 (TLS 1.2):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]433 *
434 * additional_data = seq_num + TLSCompressed.type +
435 * TLSCompressed.version + TLSCompressed.length;
436 *
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]437 * For the CID extension, this is extended as follows
438 * (quoting draft-ietf-tls-dtls-connection-id-05,
439 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]440 *
441 * additional_data = seq_num + DTLSPlaintext.type +
442 * DTLSPlaintext.version +
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]443 * cid +
444 * cid_length +
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]445 * length_of_DTLSInnerPlaintext;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]446 *
447 * For TLS 1.3, the record sequence number is dropped from the AAD
448 * and encoded within the nonce of the AEAD operation instead.
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]449 */
450
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]451 unsigned char *cur = add_data;
452
453#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
454 if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 )
455#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
456 {
457 ((void) minor_ver);
458 memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
459 cur += sizeof( rec->ctr );
460 }
461
462 *cur = rec->type;
463 cur++;
464
465 memcpy( cur, rec->ver, sizeof( rec->ver ) );
466 cur += sizeof( rec->ver );
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]467
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]468#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]469 if( rec->cid_len != 0 )
470 {
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]471 memcpy( cur, rec->cid, rec->cid_len );
472 cur += rec->cid_len;
473
474 *cur = rec->cid_len;
475 cur++;
476
477 cur[0] = ( rec->data_len >> 8 ) & 0xFF;
478 cur[1] = ( rec->data_len >> 0 ) & 0xFF;
479 cur += 2;
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]480 }
481 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]482#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]483 {
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]484 cur[0] = ( rec->data_len >> 8 ) & 0xFF;
485 cur[1] = ( rec->data_len >> 0 ) & 0xFF;
486 cur += 2;
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]487 }
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]488
489 *add_data_len = cur - add_data;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]490}
491
Hanno Becker9d062f92020-02-07 10:26:36 +0000[diff] [blame]492#if defined(MBEDTLS_SSL_PROTO_SSL3)
493
494#define SSL3_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
495
496/*
497 * SSLv3.0 MAC functions
498 */
499static void ssl_mac( mbedtls_md_context_t *md_ctx,
500 const unsigned char *secret,
501 const unsigned char *buf, size_t len,
502 const unsigned char *ctr, int type,
503 unsigned char out[SSL3_MAC_MAX_BYTES] )
504{
505 unsigned char header[11];
506 unsigned char padding[48];
507 int padlen;
508 int md_size = mbedtls_md_get_size( md_ctx->md_info );
509 int md_type = mbedtls_md_get_type( md_ctx->md_info );
510
511 /* Only MD5 and SHA-1 supported */
512 if( md_type == MBEDTLS_MD_MD5 )
513 padlen = 48;
514 else
515 padlen = 40;
516
517 memcpy( header, ctr, 8 );
518 header[ 8] = (unsigned char) type;
519 header[ 9] = (unsigned char)( len >> 8 );
520 header[10] = (unsigned char)( len );
521
522 memset( padding, 0x36, padlen );
523 mbedtls_md_starts( md_ctx );
524 mbedtls_md_update( md_ctx, secret, md_size );
525 mbedtls_md_update( md_ctx, padding, padlen );
526 mbedtls_md_update( md_ctx, header, 11 );
527 mbedtls_md_update( md_ctx, buf, len );
528 mbedtls_md_finish( md_ctx, out );
529
530 memset( padding, 0x5C, padlen );
531 mbedtls_md_starts( md_ctx );
532 mbedtls_md_update( md_ctx, secret, md_size );
533 mbedtls_md_update( md_ctx, padding, padlen );
534 mbedtls_md_update( md_ctx, out, md_size );
535 mbedtls_md_finish( md_ctx, out );
536}
537#endif /* MBEDTLS_SSL_PROTO_SSL3 */
538
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]539int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
540 mbedtls_ssl_transform *transform,
541 mbedtls_record *rec,
542 int (*f_rng)(void *, unsigned char *, size_t),
543 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]545 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]546 int auth_done = 0;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]547 unsigned char * data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]548 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]549 size_t add_data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]550 size_t post_avail;
551
552 /* The SSL context is only used for debugging purposes! */
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]553#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]554 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]555 ((void) ssl);
556#endif
557
558 /* The PRNG is used for dynamic IV generation that's used
559 * for CBC transformations in TLS 1.1 and TLS 1.2. */
560#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
561 ( defined(MBEDTLS_AES_C) || \
562 defined(MBEDTLS_ARIA_C) || \
563 defined(MBEDTLS_CAMELLIA_C) ) && \
564 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
565 ((void) f_rng);
566 ((void) p_rng);
567#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]569 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]571 if( transform == NULL )
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]572 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
574 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
575 }
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]576 if( rec == NULL
577 || rec->buf == NULL
578 || rec->buf_len < rec->data_offset
579 || rec->buf_len - rec->data_offset < rec->data_len
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]580#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]581 || rec->cid_len != 0
582#endif
583 )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]584 {
585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]587 }
588
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]589 data = rec->buf + rec->data_offset;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]590 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]592 data, rec->data_len );
593
594 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
595
596 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
597 {
598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
599 (unsigned) rec->data_len,
600 MBEDTLS_SSL_OUT_CONTENT_LEN ) );
601 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
602 }
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +0100[diff] [blame]603
Hanno Becker92313402020-05-20 13:58:58 +0100[diff] [blame]604 /* The following two code paths implement the (D)TLSInnerPlaintext
605 * structure present in TLS 1.3 and DTLS 1.2 + CID.
606 *
607 * See ssl_build_inner_plaintext() for more information.
608 *
609 * Note that this changes `rec->data_len`, and hence
610 * `post_avail` needs to be recalculated afterwards.
611 *
612 * Note also that the two code paths cannot occur simultaneously
613 * since they apply to different versions of the protocol. There
614 * is hence no risk of double-addition of the inner plaintext.
615 */
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]616#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
617 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
618 {
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]619 if( ssl_build_inner_plaintext( data,
620 &rec->data_len,
621 post_avail,
622 rec->type ) != 0 )
623 {
624 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
625 }
626
627 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
628 }
629#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
630
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]631#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]632 /*
633 * Add CID information
634 */
635 rec->cid_len = transform->out_cid_len;
636 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
637 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]638
639 if( rec->cid_len != 0 )
640 {
641 /*
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]642 * Wrap plaintext into DTLSInnerPlaintext structure.
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]643 * See ssl_build_inner_plaintext() for more information.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]644 *
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]645 * Note that this changes `rec->data_len`, and hence
646 * `post_avail` needs to be recalculated afterwards.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]647 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]648 if( ssl_build_inner_plaintext( data,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]649 &rec->data_len,
650 post_avail,
651 rec->type ) != 0 )
652 {
653 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
654 }
655
656 rec->type = MBEDTLS_SSL_MSG_CID;
657 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]658#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]659
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]660 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
661
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]663 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]665#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666 if( mode == MBEDTLS_MODE_STREAM ||
667 ( mode == MBEDTLS_MODE_CBC
668#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]669 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]670#endif
671 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]673 if( post_avail < transform->maclen )
674 {
675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
676 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
677 }
678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]679#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]680 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]681 {
Hanno Becker9d062f92020-02-07 10:26:36 +0000[diff] [blame]682 unsigned char mac[SSL3_MAC_MAX_BYTES];
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]683 ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
684 data, rec->data_len, rec->ctr, rec->type, mac );
685 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]686 }
687 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]688#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]689#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
690 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]691 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]692 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]693 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
694
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]695 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
696 transform->minor_ver );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]697
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]698 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]699 add_data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]700 mbedtls_md_hmac_update( &transform->md_ctx_enc,
701 data, rec->data_len );
702 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
703 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
704
705 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]706 }
707 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]708#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]709 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
711 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]712 }
713
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]714 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
715 transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]716
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]717 rec->data_len += transform->maclen;
718 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]719 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]720 }
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]721#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]723 /*
724 * Encrypt
725 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
727 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]729 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]730 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]732 "including %d bytes of padding",
733 rec->data_len, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]735 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
736 transform->iv_enc, transform->ivlen,
737 data, rec->data_len,
738 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]739 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]740 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]741 return( ret );
742 }
743
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]744 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]745 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
747 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]748 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]750 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]751#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]752
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]753#if defined(MBEDTLS_GCM_C) || \
754 defined(MBEDTLS_CCM_C) || \
755 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]756 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]757 mode == MBEDTLS_MODE_CCM ||
758 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]759 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]760 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]761 unsigned char iv[12];
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]762 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]763
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]764 /* Check that there's space for both the authentication tag
765 * and the explicit IV before and after the record content. */
766 if( post_avail < transform->taglen ||
767 rec->data_offset < explicit_iv_len )
768 {
769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
770 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
771 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]772
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]773 /*
774 * Generate IV
775 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]776 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
777 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]778 /* GCM and CCM: fixed || explicit (=seqnum) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]779 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]780 memcpy( iv + transform->fixed_ivlen, rec->ctr,
781 explicit_iv_len );
782 /* Prefix record content with explicit IV. */
783 memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]784 }
785 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
786 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]787 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]788 unsigned char i;
789
790 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
791
792 for( i = 0; i < 8; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]793 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]794 }
795 else
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]796 {
797 /* Reminder if we ever add an AEAD mode with a different size */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]798 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
799 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]800 }
801
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]802 /*
803 * Build additional data for AEAD encryption.
804 * This depends on the TLS version.
805 */
806 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
807 transform->minor_ver );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]808
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]809 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
810 iv, transform->ivlen );
811 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]812 data - explicit_iv_len, explicit_iv_len );
813 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]814 add_data, add_data_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]816 "including 0 bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]817 rec->data_len ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]818
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]819 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]820 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]821 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]822
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]823 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]824 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]825 add_data, add_data_len, /* add data */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]826 data, rec->data_len, /* source */
827 data, &rec->data_len, /* destination */
828 data + rec->data_len, transform->taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]829 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]830 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]831 return( ret );
832 }
833
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]834 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
835 data + rec->data_len, transform->taglen );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]836
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]837 rec->data_len += transform->taglen + explicit_iv_len;
838 rec->data_offset -= explicit_iv_len;
839 post_avail -= transform->taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]840 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]841 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]843#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
844#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]845 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]846 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]848 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]849 size_t padlen, i;
850 size_t olen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]851
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]852 /* Currently we're always using minimal padding
853 * (up to 255 bytes would be allowed). */
854 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
855 if( padlen == transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]856 padlen = 0;
857
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]858 /* Check there's enough space in the buffer for the padding. */
859 if( post_avail < padlen + 1 )
860 {
861 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
862 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
863 }
864
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865 for( i = 0; i <= padlen; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]866 data[rec->data_len + i] = (unsigned char) padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]867
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]868 rec->data_len += padlen + 1;
869 post_avail -= padlen + 1;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]870
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]871#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]872 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]873 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
874 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]875 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]876 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]877 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]878 if( f_rng == NULL )
879 {
880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
881 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
882 }
883
884 if( rec->data_offset < transform->ivlen )
885 {
886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
887 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
888 }
889
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]890 /*
891 * Generate IV
892 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]893 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]894 if( ret != 0 )
895 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]896
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]897 memcpy( data - transform->ivlen, transform->iv_enc,
898 transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]899
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]900 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]901#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]902
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]904 "including %d bytes of IV and %d bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]905 rec->data_len, transform->ivlen,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]906 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]907
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]908 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
909 transform->iv_enc,
910 transform->ivlen,
911 data, rec->data_len,
912 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]913 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]914 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]915 return( ret );
916 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]917
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]918 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
921 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]922 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]924#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]925 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]926 {
927 /*
928 * Save IV in SSL3 and TLS1
929 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]930 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
931 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]932 }
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]933 else
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]934#endif
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]935 {
936 data -= transform->ivlen;
937 rec->data_offset -= transform->ivlen;
938 rec->data_len += transform->ivlen;
939 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]940
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]941#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]942 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]943 {
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]944 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
945
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]946 /*
947 * MAC(MAC_write_key, seq_num +
948 * TLSCipherText.type +
949 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]950 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]951 * IV + // except for TLS 1.0
952 * ENC(content + padding + padding_length));
953 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]954
955 if( post_avail < transform->maclen)
956 {
957 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
958 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
959 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]960
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]961 ssl_extract_add_data_from_record( add_data, &add_data_len,
962 rec, transform->minor_ver );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]963
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]964 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]965 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]966 add_data_len );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]967
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]968 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]969 add_data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]970 mbedtls_md_hmac_update( &transform->md_ctx_enc,
971 data, rec->data_len );
972 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
973 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]974
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]975 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]976
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]977 rec->data_len += transform->maclen;
978 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]979 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]980 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]983 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]984#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]985 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]986 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]987 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
988 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]989 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]991 /* Make extra sure authentication was performed, exactly once */
992 if( auth_done != 1 )
993 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
995 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]996 }
997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999
1000 return( 0 );
1001}
1002
Hanno Becker605949f2019-07-12 08:23:59 +0100[diff] [blame]1003int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]1004 mbedtls_ssl_transform *transform,
1005 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1006{
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1007 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008 mbedtls_cipher_mode_t mode;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1009 int ret, auth_done = 0;
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1010#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]1011 size_t padlen = 0, correct = 1;
1012#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1013 unsigned char* data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]1014 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1015 size_t add_data_len;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1016
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]1017#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]1018 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1019 ((void) ssl);
1020#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1022 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1023 if( rec == NULL ||
1024 rec->buf == NULL ||
1025 rec->buf_len < rec->data_offset ||
1026 rec->buf_len - rec->data_offset < rec->data_len )
1027 {
1028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1030 }
1031
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1032 data = rec->buf + rec->data_offset;
1033 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1035#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1036 /*
1037 * Match record's CID with incoming CID.
1038 */
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1039 if( rec->cid_len != transform->in_cid_len ||
1040 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1041 {
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]1042 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1043 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1044#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1047 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1048 {
1049 padlen = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1050 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1051 transform->iv_dec,
1052 transform->ivlen,
1053 data, rec->data_len,
1054 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1055 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1057 return( ret );
1058 }
1059
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1060 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1061 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1063 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1064 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1066 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1068#if defined(MBEDTLS_GCM_C) || \
1069 defined(MBEDTLS_CCM_C) || \
1070 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1072 mode == MBEDTLS_MODE_CCM ||
1073 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1074 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1075 unsigned char iv[12];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1076 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1077
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1078 /*
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1079 * Prepare IV from explicit and implicit data.
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1080 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1081
1082 /* Check that there's enough space for the explicit IV
1083 * (at the beginning of the record) and the MAC (at the
1084 * end of the record). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1085 if( rec->data_len < explicit_iv_len + transform->taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1086 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1088 "+ taglen (%d)", rec->data_len,
1089 explicit_iv_len, transform->taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1090 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1091 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1092
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1093#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1094 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1095 {
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1096 /* GCM and CCM: fixed || explicit */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1097
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1098 /* Fixed */
1099 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1100 /* Explicit */
1101 memcpy( iv + transform->fixed_ivlen, data, 8 );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1102 }
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1103 else
1104#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1105#if defined(MBEDTLS_CHACHAPOLY_C)
1106 if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1107 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1108 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1109 unsigned char i;
1110
1111 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1112
1113 for( i = 0; i < 8; i++ )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1114 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1115 }
1116 else
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1117#endif /* MBEDTLS_CHACHAPOLY_C */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1118 {
1119 /* Reminder if we ever add an AEAD mode with a different size */
1120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1121 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1122 }
1123
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1124 /* Group changes to data, data_len, and add_data, because
1125 * add_data depends on data_len. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1126 data += explicit_iv_len;
1127 rec->data_offset += explicit_iv_len;
1128 rec->data_len -= explicit_iv_len + transform->taglen;
1129
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]1130 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1131 transform->minor_ver );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1132 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1133 add_data, add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1134
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1135 /* Because of the check above, we know that there are
1136 * explicit_iv_len Bytes preceeding data, and taglen
1137 * bytes following data + data_len. This justifies
Hanno Becker20016652019-07-10 11:44:13 +0100[diff] [blame]1138 * the debug message and the invocation of
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1139 * mbedtls_cipher_auth_decrypt() below. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1140
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1141 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1142 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1143 transform->taglen );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1144
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1145 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1146 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1147 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1148 if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
1149 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1150 add_data, add_data_len,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1151 data, rec->data_len,
1152 data, &olen,
1153 data + rec->data_len,
1154 transform->taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1155 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1157
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1158 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1159 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1160
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1161 return( ret );
1162 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1163 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1164
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1165 /* Double-check that AEAD decryption doesn't change content length. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1166 if( olen != rec->data_len )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1167 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1169 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1170 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1171 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1172 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1173#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1174#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1175 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1176 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1177 {
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1178 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1179
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1180 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1181 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1182 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1184 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1185 {
1186 /* The ciphertext is prefixed with the CBC IV. */
1187 minlen += transform->ivlen;
1188 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1189#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1190
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1191 /* Size considerations:
1192 *
1193 * - The CBC cipher text must not be empty and hence
1194 * at least of size transform->ivlen.
1195 *
1196 * Together with the potential IV-prefix, this explains
1197 * the first of the two checks below.
1198 *
1199 * - The record must contain a MAC, either in plain or
1200 * encrypted, depending on whether Encrypt-then-MAC
1201 * is used or not.
1202 * - If it is, the message contains the IV-prefix,
1203 * the CBC ciphertext, and the MAC.
1204 * - If it is not, the padded plaintext, and hence
1205 * the CBC ciphertext, has at least length maclen + 1
1206 * because there is at least the padding length byte.
1207 *
1208 * As the CBC ciphertext is not empty, both cases give the
1209 * lower bound minlen + maclen + 1 on the record size, which
1210 * we test for in the second check below.
1211 */
1212 if( rec->data_len < minlen + transform->ivlen ||
1213 rec->data_len < minlen + transform->maclen + 1 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1214 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1216 "+ 1 ) ( + expl IV )", rec->data_len,
1217 transform->ivlen,
1218 transform->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1219 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1220 }
1221
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1222 /*
1223 * Authenticate before decrypt if enabled
1224 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1225#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1226 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1227 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1228 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1229
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1230 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1231
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1232 /* Update data_len in tandem with add_data.
1233 *
1234 * The subtraction is safe because of the previous check
1235 * data_len >= minlen + maclen + 1.
1236 *
1237 * Afterwards, we know that data + data_len is followed by at
1238 * least maclen Bytes, which justifies the call to
1239 * mbedtls_ssl_safer_memcmp() below.
1240 *
1241 * Further, we still know that data_len > minlen */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1242 rec->data_len -= transform->maclen;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]1243 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1244 transform->minor_ver );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1245
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1246 /* Calculate expected MAC. */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1247 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1248 add_data_len );
1249 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1250 add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1251 mbedtls_md_hmac_update( &transform->md_ctx_dec,
1252 data, rec->data_len );
1253 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1254 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1255
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1256 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1257 transform->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1258 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1259 transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1260
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1261 /* Compare expected MAC with MAC at the end of the record. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1262 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1263 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1264 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1265 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1266 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1267 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1268 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1269 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1270#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1271
1272 /*
1273 * Check length sanity
1274 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1275
1276 /* We know from above that data_len > minlen >= 0,
1277 * so the following check in particular implies that
1278 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1279 if( rec->data_len % transform->ivlen != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1280 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1281 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1282 rec->data_len, transform->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1283 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1284 }
1285
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1286#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1287 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1288 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1289 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1290 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1291 {
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1292 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1293 memcpy( transform->iv_dec, data, transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1294
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1295 data += transform->ivlen;
1296 rec->data_offset += transform->ivlen;
1297 rec->data_len -= transform->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1298 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1299#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1300
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1301 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1302
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1303 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1304 transform->iv_dec, transform->ivlen,
1305 data, rec->data_len, data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1306 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1308 return( ret );
1309 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1310
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1311 /* Double-check that length hasn't changed during decryption. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1312 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1313 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1315 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1316 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1318#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1319 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1320 {
1321 /*
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1322 * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
1323 * records is equivalent to CBC decryption of the concatenation
1324 * of the records; in other words, IVs are maintained across
1325 * record decryptions.
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1326 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1327 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
1328 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1330#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1332 /* Safe since data_len >= minlen + maclen + 1, so after having
1333 * subtracted at most minlen and maclen up to this point,
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1334 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1335 * >= ivlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1336 padlen = data[rec->data_len - 1];
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1337
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1338 if( auth_done == 1 )
1339 {
1340 correct *= ( rec->data_len >= padlen + 1 );
1341 padlen *= ( rec->data_len >= padlen + 1 );
1342 }
1343 else
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1344 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1345#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1346 if( rec->data_len < transform->maclen + padlen + 1 )
1347 {
1348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1349 rec->data_len,
1350 transform->maclen,
1351 padlen + 1 ) );
1352 }
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1353#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1354
1355 correct *= ( rec->data_len >= transform->maclen + padlen + 1 );
1356 padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1357 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1358
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1359 padlen++;
1360
1361 /* Regardless of the validity of the padding,
1362 * we have data_len >= padlen here. */
1363
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1364#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1365 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1366 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1367 if( padlen > transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1368 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369#if defined(MBEDTLS_SSL_DEBUG_ALL)
1370 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1371 "should be no more than %d",
1372 padlen, transform->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1373#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1374 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375 }
1376 }
1377 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1379#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1380 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1381 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1382 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1383 /* The padding check involves a series of up to 256
1384 * consecutive memory reads at the end of the record
1385 * plaintext buffer. In order to hide the length and
1386 * validity of the padding, always perform exactly
1387 * `min(256,plaintext_len)` reads (but take into account
1388 * only the last `padlen` bytes for the padding check). */
1389 size_t pad_count = 0;
1390 size_t real_count = 0;
1391 volatile unsigned char* const check = data;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1392
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1393 /* Index of first padding byte; it has been ensured above
1394 * that the subtraction is safe. */
1395 size_t const padding_idx = rec->data_len - padlen;
1396 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1397 size_t const start_idx = rec->data_len - num_checks;
1398 size_t idx;
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]1399
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1400 for( idx = start_idx; idx < rec->data_len; idx++ )
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]1401 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1402 real_count |= ( idx >= padding_idx );
1403 pad_count += real_count * ( check[idx] == padlen - 1 );
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]1404 }
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1405 correct &= ( pad_count == padlen );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1406
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1407#if defined(MBEDTLS_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1408 if( padlen > 0 && correct == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1410#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1411 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1413 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1414#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1415 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1416 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1417 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1418 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1419 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1420
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1421 /* If the padding was found to be invalid, padlen == 0
1422 * and the subtraction is safe. If the padding was found valid,
1423 * padlen hasn't been changed and the previous assertion
1424 * data_len >= padlen still holds. */
1425 rec->data_len -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1426 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1427 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1428#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1429 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1430 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1432 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1433 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1434
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1435#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1436 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1437 data, rec->data_len );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1438#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1439
1440 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1441 * Authenticate if not done yet.
1442 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1443 */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1444#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1445 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1446 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1447 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]1448
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1449 /* If the initial value of padlen was such that
1450 * data_len < maclen + padlen + 1, then padlen
1451 * got reset to 1, and the initial check
1452 * data_len >= minlen + maclen + 1
1453 * guarantees that at this point we still
1454 * have at least data_len >= maclen.
1455 *
1456 * If the initial value of padlen was such that
1457 * data_len >= maclen + padlen + 1, then we have
1458 * subtracted either padlen + 1 (if the padding was correct)
1459 * or 0 (if the padding was incorrect) since then,
1460 * hence data_len >= maclen in any case.
1461 */
1462 rec->data_len -= transform->maclen;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame^]1463 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1464 transform->minor_ver );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1465
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1466#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1467 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1468 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1469 ssl_mac( &transform->md_ctx_dec,
1470 transform->mac_dec,
1471 data, rec->data_len,
1472 rec->ctr, rec->type,
1473 mac_expect );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1474 }
1475 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1476#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1477#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1478 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1479 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1480 {
1481 /*
1482 * Process MAC and always update for padlen afterwards to make
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1483 * total time independent of padlen.
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1484 *
1485 * Known timing attacks:
1486 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1487 *
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1488 * To compensate for different timings for the MAC calculation
1489 * depending on how much padding was removed (which is determined
1490 * by padlen), process extra_run more blocks through the hash
1491 * function.
1492 *
1493 * The formula in the paper is
1494 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
1495 * where L1 is the size of the header plus the decrypted message
1496 * plus CBC padding and L2 is the size of the header plus the
1497 * decrypted message. This is for an underlying hash function
1498 * with 64-byte blocks.
1499 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
1500 * correctly. We round down instead of up, so -56 is the correct
1501 * value for our calculations instead of -55.
1502 *
Gilles Peskine1bd9d582018-06-04 11:58:44 +0200[diff] [blame]1503 * Repeat the formula rather than defining a block_size variable.
1504 * This avoids requiring division by a variable at runtime
1505 * (which would be marginally less efficient and would require
1506 * linking an extra division function in some builds).
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1507 */
1508 size_t j, extra_run = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1509 unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1510
1511 /*
1512 * The next two sizes are the minimum and maximum values of
1513 * in_msglen over all padlen values.
1514 *
1515 * They're independent of padlen, since we previously did
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1516 * data_len -= padlen.
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1517 *
1518 * Note that max_len + maclen is never more than the buffer
1519 * length, as we previously did in_msglen -= maclen too.
1520 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1521 const size_t max_len = rec->data_len + padlen;
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1522 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1523
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1524 memset( tmp, 0, sizeof( tmp ) );
1525
1526 switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1527 {
Gilles Peskined0e55a42018-06-04 12:03:30 +0200[diff] [blame]1528#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
1529 defined(MBEDTLS_SHA256_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1530 case MBEDTLS_MD_MD5:
1531 case MBEDTLS_MD_SHA1:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1532 case MBEDTLS_MD_SHA256:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1533 /* 8 bytes of message size, 64-byte compression blocks */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1534 extra_run =
1535 ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
1536 ( add_data_len + rec->data_len + 8 ) / 64;
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1537 break;
1538#endif
Gilles Peskinea7fe25d2018-06-04 12:01:18 +0200[diff] [blame]1539#if defined(MBEDTLS_SHA512_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1540 case MBEDTLS_MD_SHA384:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1541 /* 16 bytes of message size, 128-byte compression blocks */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1542 extra_run =
1543 ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
1544 ( add_data_len + rec->data_len + 16 ) / 128;
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1545 break;
1546#endif
1547 default:
Gilles Peskine5c389842018-06-04 12:02:43 +0200[diff] [blame]1548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1549 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1550 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1551
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1552 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1553
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1554 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1555 add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1556 mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
1557 rec->data_len );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1558 /* Make sure we access everything even when padlen > 0. This
1559 * makes the synchronisation requirements for just-in-time
1560 * Prime+Probe attacks much tighter and hopefully impractical. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1561 ssl_read_memory( data + rec->data_len, padlen );
1562 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1563
1564 /* Call mbedtls_md_process at least once due to cache attacks
1565 * that observe whether md_process() was called of not */
Manuel Pégourié-Gonnard47fede02015-04-29 01:35:48 +0200[diff] [blame]1566 for( j = 0; j < extra_run + 1; j++ )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1567 mbedtls_md_process( &transform->md_ctx_dec, tmp );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1568
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1569 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1570
1571 /* Make sure we access all the memory that could contain the MAC,
1572 * before we check it in the next code block. This makes the
1573 * synchronisation requirements for just-in-time Prime+Probe
1574 * attacks much tighter and hopefully impractical. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1575 ssl_read_memory( data + min_len,
1576 max_len - min_len + transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1577 }
1578 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1580 MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1581 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1583 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1584 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1586#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1587 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
1588 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1589#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1590
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1591 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1592 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1593 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1594#if defined(MBEDTLS_SSL_DEBUG_ALL)
1595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1596#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1597 correct = 0;
1598 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1599 auth_done++;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1600 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +0100[diff] [blame]1601
1602 /*
1603 * Finally check the correct flag
1604 */
1605 if( correct == 0 )
1606 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1607#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1608
1609 /* Make extra sure authentication was performed, exactly once */
1610 if( auth_done != 1 )
1611 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1612 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1613 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1614 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1615
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]1616#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1617 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1618 {
1619 /* Remove inner padding and infer true content type. */
1620 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1621 &rec->type );
1622
1623 if( ret != 0 )
1624 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1625 }
1626#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1627
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1628#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1629 if( rec->cid_len != 0 )
1630 {
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]1631 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1632 &rec->type );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1633 if( ret != 0 )
1634 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1635 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1636#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1638 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1639
1640 return( 0 );
1641}
1642
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1643#undef MAC_NONE
1644#undef MAC_PLAINTEXT
1645#undef MAC_CIPHERTEXT
1646
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1647#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1648/*
1649 * Compression/decompression functions
1650 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1651static int ssl_compress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1652{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1653 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1654 unsigned char *msg_post = ssl->out_msg;
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]1655 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1656 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1657 unsigned char *msg_pre = ssl->compress_buf;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1658#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1659 size_t out_buf_len = ssl->out_buf_len;
1660#else
1661 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1662#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1664 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1665
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]1666 if( len_pre == 0 )
1667 return( 0 );
1668
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1669 memcpy( msg_pre, ssl->out_msg, len_pre );
1670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1672 ssl->out_msglen ) );
1673
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1674 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1675 ssl->out_msg, ssl->out_msglen );
1676
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1677 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1678 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1679 ssl->transform_out->ctx_deflate.next_out = msg_post;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1680 ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1681
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1682 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1683 if( ret != Z_OK )
1684 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1686 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1687 }
1688
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1689 ssl->out_msglen = out_buf_len -
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]1690 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1692 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1693 ssl->out_msglen ) );
1694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1695 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1696 ssl->out_msg, ssl->out_msglen );
1697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1699
1700 return( 0 );
1701}
1702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1703static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1704{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1705 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1706 unsigned char *msg_post = ssl->in_msg;
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]1707 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1708 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1709 unsigned char *msg_pre = ssl->compress_buf;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1710#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1711 size_t in_buf_len = ssl->in_buf_len;
1712#else
1713 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1714#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1715
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1717
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]1718 if( len_pre == 0 )
1719 return( 0 );
1720
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1721 memcpy( msg_pre, ssl->in_msg, len_pre );
1722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1723 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1724 ssl->in_msglen ) );
1725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1726 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1727 ssl->in_msg, ssl->in_msglen );
1728
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1729 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1730 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1731 ssl->transform_in->ctx_inflate.next_out = msg_post;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1732 ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1733
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1734 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1735 if( ret != Z_OK )
1736 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1738 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1739 }
1740
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1741 ssl->in_msglen = in_buf_len -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]1742 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1743
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1744 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1745 ssl->in_msglen ) );
1746
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1747 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1748 ssl->in_msg, ssl->in_msglen );
1749
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1750 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1751
1752 return( 0 );
1753}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1755
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1757 * Fill the input message buffer by appending data to it.
1758 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1759 *
1760 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1761 * available (from this read and/or a previous one). Otherwise, an error code
1762 * is returned (possibly EOF or WANT_READ).
1763 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1764 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1765 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1766 * since we always read a whole datagram at once.
1767 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]1768 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1769 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1770 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1771int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1772{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1773 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1774 size_t len;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1775#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1776 size_t in_buf_len = ssl->in_buf_len;
1777#else
1778 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1779#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1781 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1782
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1783 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1784 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1785 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1786 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1787 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1788 }
1789
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1790 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1791 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1793 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1794 }
1795
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1797 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1799 uint32_t timeout;
1800
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]1801 /* Just to be sure */
1802 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
1803 {
1804 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
1805 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
1806 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1807 }
1808
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1809 /*
1810 * The point is, we need to always read a full datagram at once, so we
1811 * sometimes read more then requested, and handle the additional data.
1812 * It could be the rest of the current record (while fetching the
1813 * header) and/or some other records in the same datagram.
1814 */
1815
1816 /*
1817 * Move to the next record in the already read datagram if applicable
1818 */
1819 if( ssl->next_record_offset != 0 )
1820 {
1821 if( ssl->in_left < ssl->next_record_offset )
1822 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1824 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1825 }
1826
1827 ssl->in_left -= ssl->next_record_offset;
1828
1829 if( ssl->in_left != 0 )
1830 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1832 ssl->next_record_offset ) );
1833 memmove( ssl->in_hdr,
1834 ssl->in_hdr + ssl->next_record_offset,
1835 ssl->in_left );
1836 }
1837
1838 ssl->next_record_offset = 0;
1839 }
1840
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1841 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1843
1844 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1845 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1846 */
1847 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1848 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1849 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1850 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1851 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1852
1853 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1854 * A record can't be split across datagrams. If we need to read but
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1855 * are not at the beginning of a new record, the caller did something
1856 * wrong.
1857 */
1858 if( ssl->in_left != 0 )
1859 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1861 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1862 }
1863
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1864 /*
1865 * Don't even try to read if time's out already.
1866 * This avoids by-passing the timer when repeatedly receiving messages
1867 * that will end up being dropped.
1868 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1869 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1870 {
1871 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1872 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1873 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1874 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1875 {
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1876 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1877
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1878 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1879 timeout = ssl->handshake->retransmit_timeout;
1880 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1881 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1882
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1883 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1884
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1885 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1886 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
1887 timeout );
1888 else
1889 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
1890
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1891 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1892
1893 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1894 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1895 }
1896
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1897 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1898 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]1900 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1902 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1903 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1904 if( ssl_double_retransmit_timeout( ssl ) != 0 )
1905 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1906 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1907 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1908 }
1909
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1910 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1911 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1912 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1913 return( ret );
1914 }
1915
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1916 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1917 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1918#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1919 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1920 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1921 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1922 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1923 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1924 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
1925 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1926 return( ret );
1927 }
1928
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1929 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1930 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1931#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1932 }
1933
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1934 if( ret < 0 )
1935 return( ret );
1936
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1937 ssl->in_left = ret;
1938 }
1939 else
1940#endif
1941 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1942 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1943 ssl->in_left, nb_want ) );
1944
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1945 while( ssl->in_left < nb_want )
1946 {
1947 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1948
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1949 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1950 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1951 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1952 {
1953 if( ssl->f_recv_timeout != NULL )
1954 {
1955 ret = ssl->f_recv_timeout( ssl->p_bio,
1956 ssl->in_hdr + ssl->in_left, len,
1957 ssl->conf->read_timeout );
1958 }
1959 else
1960 {
1961 ret = ssl->f_recv( ssl->p_bio,
1962 ssl->in_hdr + ssl->in_left, len );
1963 }
1964 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1966 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1967 ssl->in_left, nb_want ) );
1968 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1969
1970 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1972
1973 if( ret < 0 )
1974 return( ret );
1975
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]1976 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1977 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1978 MBEDTLS_SSL_DEBUG_MSG( 1,
1979 ( "f_recv returned %d bytes but only %lu were requested",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]1980 ret, (unsigned long)len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1981 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1982 }
1983
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1984 ssl->in_left += ret;
1985 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986 }
1987
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1988 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1989
1990 return( 0 );
1991}
1992
1993/*
1994 * Flush any data not yet written
1995 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1998 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]1999 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2002
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2003 if( ssl->f_send == NULL )
2004 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]2006 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2007 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2008 }
2009
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2010 /* Avoid incrementing counter if data is flushed */
2011 if( ssl->out_left == 0 )
2012 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2014 return( 0 );
2015 }
2016
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017 while( ssl->out_left > 0 )
2018 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2019 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]2020 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2022 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2023 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]2024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2025 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026
2027 if( ret <= 0 )
2028 return( ret );
2029
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]2030 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]2031 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]2032 MBEDTLS_SSL_DEBUG_MSG( 1,
2033 ( "f_send returned %d bytes but only %lu bytes were sent",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]2034 ret, (unsigned long)ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]2035 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2036 }
2037
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 ssl->out_left -= ret;
2039 }
2040
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2041#if defined(MBEDTLS_SSL_PROTO_DTLS)
2042 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2043 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2044 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2045 }
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2046 else
2047#endif
2048 {
2049 ssl->out_hdr = ssl->out_buf + 8;
2050 }
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2051 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2052
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054
2055 return( 0 );
2056}
2057
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2058/*
2059 * Functions to handle the DTLS retransmission state machine
2060 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2061#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2062/*
2063 * Append current handshake message to current outgoing flight
2064 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2065static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2066{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2067 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]2068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2069 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2070 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2071
2072 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]2073 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2074 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]2075 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2076 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]2077 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2078 }
2079
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]2080 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2081 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]2082 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2083 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]2084 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2085 }
2086
2087 /* Copy current handshake message with headers */
2088 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2089 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2090 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2091 msg->next = NULL;
2092
2093 /* Append to the current flight */
2094 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2095 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2096 else
2097 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2098 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2099 while( cur->next != NULL )
2100 cur = cur->next;
2101 cur->next = msg;
2102 }
2103
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]2104 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2105 return( 0 );
2106}
2107
2108/*
2109 * Free the current flight of handshake messages
2110 */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2111void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2112{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2113 mbedtls_ssl_flight_item *cur = flight;
2114 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2115
2116 while( cur != NULL )
2117 {
2118 next = cur->next;
2119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2120 mbedtls_free( cur->p );
2121 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2122
2123 cur = next;
2124 }
2125}
2126
2127/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2128 * Swap transform_out and out_ctr with the alternative ones
2129 */
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2130static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2131{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2132 mbedtls_ssl_transform *tmp_transform;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2133 unsigned char tmp_out_ctr[8];
2134
2135 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2136 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2138 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2139 }
2140
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2141 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2142
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2143 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2144 tmp_transform = ssl->transform_out;
2145 ssl->transform_out = ssl->handshake->alt_transform_out;
2146 ssl->handshake->alt_transform_out = tmp_transform;
2147
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2148 /* Swap epoch + sequence_number */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]2149 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
2150 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2151 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2152
2153 /* Adjust to the newly activated transform */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2154 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2155
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2156#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2157 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2158 {
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2159 int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND );
2160 if( ret != 0 )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2161 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2162 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
2163 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2164 }
2165 }
2166#endif
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2167
2168 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2169}
2170
2171/*
2172 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2173 */
2174int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2175{
2176 int ret = 0;
2177
2178 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2179
2180 ret = mbedtls_ssl_flight_transmit( ssl );
2181
2182 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2183
2184 return( ret );
2185}
2186
2187/*
2188 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2189 *
2190 * Need to remember the current message in case flush_output returns
2191 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2192 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2193 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2194int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2195{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2196 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2197 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2199 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2200 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2201 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2202
2203 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2204 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2205 ret = ssl_swap_epochs( ssl );
2206 if( ret != 0 )
2207 return( ret );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2208
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2209 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2210 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2211
2212 while( ssl->handshake->cur_msg != NULL )
2213 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2214 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2215 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2216
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2217 int const is_finished =
2218 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2219 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2220
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2221 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2222 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2223
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2224 /* Swap epochs before sending Finished: we can't do it after
2225 * sending ChangeCipherSpec, in case write returns WANT_READ.
2226 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2227 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2228 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2229 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2230 ret = ssl_swap_epochs( ssl );
2231 if( ret != 0 )
2232 return( ret );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2233 }
2234
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2235 ret = ssl_get_remaining_payload_in_datagram( ssl );
2236 if( ret < 0 )
2237 return( ret );
2238 max_frag_len = (size_t) ret;
2239
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2240 /* CCS is copied as is, while HS messages may need fragmentation */
2241 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2242 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2243 if( max_frag_len == 0 )
2244 {
2245 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2246 return( ret );
2247
2248 continue;
2249 }
2250
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2251 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2252 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2253 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2254
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2255 /* Update position inside current message */
2256 ssl->handshake->cur_msg_p += cur->len;
2257 }
2258 else
2259 {
2260 const unsigned char * const p = ssl->handshake->cur_msg_p;
2261 const size_t hs_len = cur->len - 12;
2262 const size_t frag_off = p - ( cur->p + 12 );
2263 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2264 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2265
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2266 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +0200[diff] [blame]2267 {
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2268 if( is_finished )
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2269 {
2270 ret = ssl_swap_epochs( ssl );
2271 if( ret != 0 )
2272 return( ret );
2273 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2274
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2275 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2276 return( ret );
2277
2278 continue;
2279 }
2280 max_hs_frag_len = max_frag_len - 12;
2281
2282 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2283 max_hs_frag_len : rem_len;
2284
2285 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2286 {
2287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2288 (unsigned) cur_hs_frag_len,
2289 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2290 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]2291
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2292 /* Messages are stored with handshake headers as if not fragmented,
2293 * copy beginning of headers then fill fragmentation fields.
2294 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2295 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2296
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2297 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
2298 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
2299 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
2300
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2301 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
2302 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
2303 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2304
2305 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2306
Hanno Becker3f7b9732018-08-28 09:53:25 +0100[diff] [blame]2307 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2308 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2309 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2310 ssl->out_msgtype = cur->type;
2311
2312 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2313 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2314 }
2315
2316 /* If done with the current message move to the next one if any */
2317 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2318 {
2319 if( cur->next != NULL )
2320 {
2321 ssl->handshake->cur_msg = cur->next;
2322 ssl->handshake->cur_msg_p = cur->next->p + 12;
2323 }
2324 else
2325 {
2326 ssl->handshake->cur_msg = NULL;
2327 ssl->handshake->cur_msg_p = NULL;
2328 }
2329 }
2330
2331 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2332 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2333 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2335 return( ret );
2336 }
2337 }
2338
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2339 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2340 return( ret );
2341
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2342 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2343 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2344 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +0200[diff] [blame]2345 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2346 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2347 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2348 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2349 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2350
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2351 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2352
2353 return( 0 );
2354}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2355
2356/*
2357 * To be called when the last message of an incoming flight is received.
2358 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2359void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2360{
2361 /* We won't need to resend that one any more */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2362 mbedtls_ssl_flight_free( ssl->handshake->flight );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2363 ssl->handshake->flight = NULL;
2364 ssl->handshake->cur_msg = NULL;
2365
2366 /* The next incoming flight will start with this msg_seq */
2367 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2368
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2369 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]2370 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2371
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2372 /* Clear future message buffering structure. */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2373 mbedtls_ssl_buffering_free( ssl );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2374
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2375 /* Cancel timer */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2376 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2378 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2379 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2380 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2381 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2382 }
2383 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2384 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2385}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2386
2387/*
2388 * To be called when the last message of an outgoing flight is send.
2389 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2390void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2391{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2392 ssl_reset_retransmit_timeout( ssl );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2393 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2394
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2395 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2396 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2397 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2399 }
2400 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2401 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2402}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2403#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2404
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2405/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2406 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2407 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2408
2409/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2410 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2411 *
2412 * - fill in handshake headers
2413 * - update handshake checksum
2414 * - DTLS: save message for resending
2415 * - then pass to the record layer
2416 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2417 * DTLS: except for HelloRequest, messages are only queued, and will only be
2418 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2419 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2420 * Inputs:
2421 * - ssl->out_msglen: 4 + actual handshake message len
2422 * (4 is the size of handshake headers for TLS)
2423 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2424 * - ssl->out_msg + 4: the handshake message body
2425 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +0200[diff] [blame]2426 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2427 * - ssl->out_msglen: the length of the record contents
2428 * (including handshake headers but excluding record headers)
2429 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2430 */
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2431int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2432{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2433 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2434 const size_t hs_len = ssl->out_msglen - 4;
2435 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2436
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2437 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2438
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2439 /*
2440 * Sanity checks
2441 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2442 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2443 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2444 {
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2445 /* In SSLv3, the client might send a NoCertificate alert. */
2446#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
2447 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
2448 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
2449 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
2450#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
2451 {
2452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2453 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2454 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2455 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2456
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2457 /* Whenever we send anything different from a
2458 * HelloRequest we should be in a handshake - double check. */
2459 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2460 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2461 ssl->handshake == NULL )
2462 {
2463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2464 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2465 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2466
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2467#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2468 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2469 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2470 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2471 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2473 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2474 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2475#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2476
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]2477 /* Double-check that we did not exceed the bounds
2478 * of the outgoing record buffer.
2479 * This should never fail as the various message
2480 * writing functions must obey the bounds of the
2481 * outgoing record buffer, but better be safe.
2482 *
2483 * Note: We deliberately do not check for the MTU or MFL here.
2484 */
2485 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2486 {
2487 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
2488 "size %u, maximum %u",
2489 (unsigned) ssl->out_msglen,
2490 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
2491 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2492 }
2493
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2494 /*
2495 * Fill handshake headers
2496 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2497 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2498 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2499 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
2500 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
2501 ssl->out_msg[3] = (unsigned char)( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2502
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2503 /*
2504 * DTLS has additional fields in the Handshake layer,
2505 * between the length field and the actual payload:
2506 * uint16 message_seq;
2507 * uint24 fragment_offset;
2508 * uint24 fragment_length;
2509 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2510#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2511 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2512 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2513 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2514 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2515 {
2516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
2517 "size %u, maximum %u",
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2518 (unsigned) ( hs_len ),
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2519 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2520 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2521 }
2522
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2523 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2524 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2525
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2526 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2527 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2528 {
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +0200[diff] [blame]2529 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
2530 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
2531 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2532 }
2533 else
2534 {
2535 ssl->out_msg[4] = 0;
2536 ssl->out_msg[5] = 0;
2537 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2538
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2539 /* Handshake hashes are computed without fragmentation,
2540 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2541 memset( ssl->out_msg + 6, 0x00, 3 );
2542 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2543 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2544#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2545
Hanno Becker0207e532018-08-28 10:28:28 +0100[diff] [blame]2546 /* Update running hashes of handshake messages seen */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2547 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2548 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2549 }
2550
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2551 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2552#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2553 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2554 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2555 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2556 {
2557 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2558 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2559 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2560 return( ret );
2561 }
2562 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2563 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2564#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2565 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2566 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2567 {
2568 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2569 return( ret );
2570 }
2571 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2572
2573 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2574
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2575 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2576}
2577
2578/*
2579 * Record layer functions
2580 */
2581
2582/*
2583 * Write current record.
2584 *
2585 * Uses:
2586 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2587 * - ssl->out_msglen: length of the record content (excl headers)
2588 * - ssl->out_msg: record content
2589 */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2590int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2591{
2592 int ret, done = 0;
2593 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2594 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2595
2596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2598#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2599 if( ssl->transform_out != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2600 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2601 {
2602 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2603 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2604 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2605 return( ret );
2606 }
2607
2608 len = ssl->out_msglen;
2609 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2610#endif /*MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2611
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2612#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2613 if( mbedtls_ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2614 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2615 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2617 ret = mbedtls_ssl_hw_record_write( ssl );
2618 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2619 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2620 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
2621 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2622 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]2623
2624 if( ret == 0 )
2625 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2626 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2627#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2628 if( !done )
2629 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2630 unsigned i;
2631 size_t protected_record_size;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2632#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2633 size_t out_buf_len = ssl->out_buf_len;
2634#else
2635 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2636#endif
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2637 /* Skip writing the record content type to after the encryption,
2638 * as it may change when using the CID extension. */
2639
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2640 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2641 ssl->conf->transport, ssl->out_hdr + 1 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2642
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]2643 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2644 ssl->out_len[0] = (unsigned char)( len >> 8 );
2645 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2646
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2647 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2648 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2649 mbedtls_record rec;
2650
2651 rec.buf = ssl->out_iv;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2652 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2653 rec.data_len = ssl->out_msglen;
2654 rec.data_offset = ssl->out_msg - rec.buf;
2655
2656 memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
2657 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2658 ssl->conf->transport, rec.ver );
2659 rec.type = ssl->out_msgtype;
2660
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2661#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]2662 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2663 rec.cid_len = 0;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2664#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2665
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]2666 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2667 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2668 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2669 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2670 return( ret );
2671 }
2672
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2673 if( rec.data_offset != 0 )
2674 {
2675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2676 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2677 }
2678
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2679 /* Update the record content type and CID. */
2680 ssl->out_msgtype = rec.type;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2681#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]2682 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2683#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker78f839d2019-03-14 12:56:23 +0000[diff] [blame]2684 ssl->out_msglen = len = rec.data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2685 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
2686 ssl->out_len[1] = (unsigned char)( rec.data_len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2687 }
2688
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]2689 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2690
2691#if defined(MBEDTLS_SSL_PROTO_DTLS)
2692 /* In case of DTLS, double-check that we don't exceed
2693 * the remaining space in the datagram. */
2694 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2695 {
Hanno Becker554b0af2018-08-22 20:33:41 +0100[diff] [blame]2696 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2697 if( ret < 0 )
2698 return( ret );
2699
2700 if( protected_record_size > (size_t) ret )
2701 {
2702 /* Should never happen */
2703 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2704 }
2705 }
2706#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2707
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2708 /* Now write the potentially updated record content type. */
2709 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2711 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2712 "version = [%d:%d], msglen = %d",
2713 ssl->out_hdr[0], ssl->out_hdr[1],
2714 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2715
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2716 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2717 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2718
2719 ssl->out_left += protected_record_size;
2720 ssl->out_hdr += protected_record_size;
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2721 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2722
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2723 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2724 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2725 break;
2726
2727 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2728 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2729 {
2730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2731 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2732 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2733 }
2734
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2735#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +0100[diff] [blame]2736 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2737 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2738 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +0100[diff] [blame]2739 size_t remaining;
2740 ret = ssl_get_remaining_payload_in_datagram( ssl );
2741 if( ret < 0 )
2742 {
2743 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2744 ret );
2745 return( ret );
2746 }
2747
2748 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2749 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2750 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2751 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2752 }
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2753 else
2754 {
Hanno Becker513815a2018-08-20 11:56:09 +0100[diff] [blame]2755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2756 }
2757 }
2758#endif /* MBEDTLS_SSL_PROTO_DTLS */
2759
2760 if( ( flush == SSL_FORCE_FLUSH ) &&
2761 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2762 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2763 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2764 return( ret );
2765 }
2766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2768
2769 return( 0 );
2770}
2771
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2772#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2773
2774static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2775{
2776 if( ssl->in_msglen < ssl->in_hslen ||
2777 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
2778 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2779 {
2780 return( 1 );
2781 }
2782 return( 0 );
2783}
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2784
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2785static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2786{
2787 return( ( ssl->in_msg[9] << 16 ) |
2788 ( ssl->in_msg[10] << 8 ) |
2789 ssl->in_msg[11] );
2790}
2791
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2792static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2793{
2794 return( ( ssl->in_msg[6] << 16 ) |
2795 ( ssl->in_msg[7] << 8 ) |
2796 ssl->in_msg[8] );
2797}
2798
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2799static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2800{
2801 uint32_t msg_len, frag_off, frag_len;
2802
2803 msg_len = ssl_get_hs_total_len( ssl );
2804 frag_off = ssl_get_hs_frag_off( ssl );
2805 frag_len = ssl_get_hs_frag_len( ssl );
2806
2807 if( frag_off > msg_len )
2808 return( -1 );
2809
2810 if( frag_len > msg_len - frag_off )
2811 return( -1 );
2812
2813 if( frag_len + 12 > ssl->in_msglen )
2814 return( -1 );
2815
2816 return( 0 );
2817}
2818
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2819/*
2820 * Mark bits in bitmask (used for DTLS HS reassembly)
2821 */
2822static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2823{
2824 unsigned int start_bits, end_bits;
2825
2826 start_bits = 8 - ( offset % 8 );
2827 if( start_bits != 8 )
2828 {
2829 size_t first_byte_idx = offset / 8;
2830
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +0200[diff] [blame]2831 /* Special case */
2832 if( len <= start_bits )
2833 {
2834 for( ; len != 0; len-- )
2835 mask[first_byte_idx] |= 1 << ( start_bits - len );
2836
2837 /* Avoid potential issues with offset or len becoming invalid */
2838 return;
2839 }
2840
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2841 offset += start_bits; /* Now offset % 8 == 0 */
2842 len -= start_bits;
2843
2844 for( ; start_bits != 0; start_bits-- )
2845 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
2846 }
2847
2848 end_bits = len % 8;
2849 if( end_bits != 0 )
2850 {
2851 size_t last_byte_idx = ( offset + len ) / 8;
2852
2853 len -= end_bits; /* Now len % 8 == 0 */
2854
2855 for( ; end_bits != 0; end_bits-- )
2856 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
2857 }
2858
2859 memset( mask + offset / 8, 0xFF, len / 8 );
2860}
2861
2862/*
2863 * Check that bitmask is full
2864 */
2865static int ssl_bitmask_check( unsigned char *mask, size_t len )
2866{
2867 size_t i;
2868
2869 for( i = 0; i < len / 8; i++ )
2870 if( mask[i] != 0xFF )
2871 return( -1 );
2872
2873 for( i = 0; i < len % 8; i++ )
2874 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2875 return( -1 );
2876
2877 return( 0 );
2878}
2879
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2880/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +0100[diff] [blame]2881static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2882 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2883{
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2884 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2885
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2886 alloc_len = 12; /* Handshake header */
2887 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2888
Hanno Beckerd07df862018-08-16 09:14:58 +0100[diff] [blame]2889 if( add_bitmap )
2890 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2891
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2892 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2893}
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2894
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2895#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2896
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2897static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2898{
2899 return( ( ssl->in_msg[1] << 16 ) |
2900 ( ssl->in_msg[2] << 8 ) |
2901 ssl->in_msg[3] );
2902}
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2903
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2904int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2905{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2906 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2907 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2909 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2910 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2911 }
2912
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2913 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2916 " %d, type = %d, hslen = %d",
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2917 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2918
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2919#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2920 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2921 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2922 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2923 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2924
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2925 if( ssl_check_hs_header( ssl ) != 0 )
2926 {
2927 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
2928 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2929 }
2930
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2931 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]2932 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
2933 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
2934 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
2935 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2936 {
Hanno Becker9e1ec222018-08-15 15:54:43 +0100[diff] [blame]2937 if( recv_msg_seq > ssl->handshake->in_msg_seq )
2938 {
2939 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
2940 recv_msg_seq,
2941 ssl->handshake->in_msg_seq ) );
2942 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2943 }
2944
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +0200[diff] [blame]2945 /* Retransmit only on last message from previous flight, to avoid
2946 * too many retransmissions.
2947 * Besides, No sane server ever retransmits HelloVerifyRequest */
2948 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2949 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2950 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2951 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2952 "message_seq = %d, start_of_flight = %d",
2953 recv_msg_seq,
2954 ssl->handshake->in_flight_start_seq ) );
2955
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2956 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2957 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2958 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2959 return( ret );
2960 }
2961 }
2962 else
2963 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2964 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2965 "message_seq = %d, expected = %d",
2966 recv_msg_seq,
2967 ssl->handshake->in_msg_seq ) );
2968 }
2969
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]2970 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2971 }
2972 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2973
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2974 /* Message reassembly is handled alongside buffering of future
2975 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +0100[diff] [blame]2976 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2977 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2978 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2979 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2981 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2982 }
2983 }
2984 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2985#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2986 /* With TLS we don't handle fragmentation (for now) */
2987 if( ssl->in_msglen < ssl->in_hslen )
2988 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
2990 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2991 }
2992
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2993 return( 0 );
2994}
2995
2996void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
2997{
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2998 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2999
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3000 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]3001 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3002 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]3003 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3004
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3005 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3006#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3007 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3008 ssl->handshake != NULL )
3009 {
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3010 unsigned offset;
3011 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3012
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3013 /* Increment handshake sequence number */
3014 hs->in_msg_seq++;
3015
3016 /*
3017 * Clear up handshake buffering and reassembly structure.
3018 */
3019
3020 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]3021 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3022
3023 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]3024 for( offset = 0, hs_buf = &hs->buffering.hs[0];
3025 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3026 offset++, hs_buf++ )
3027 {
3028 *hs_buf = *(hs_buf + 1);
3029 }
3030
3031 /* Create a fresh last entry */
3032 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3033 }
3034#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3035}
3036
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3037/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3038 * DTLS anti-replay: RFC 6347 4.1.2.6
3039 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3040 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3041 * Bit n is set iff record number in_window_top - n has been seen.
3042 *
3043 * Usually, in_window_top is the last record number seen and the lsb of
3044 * in_window is set. The only exception is the initial state (record number 0
3045 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3046 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3047#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]3048void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3049{
3050 ssl->in_window_top = 0;
3051 ssl->in_window = 0;
3052}
3053
3054static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3055{
3056 return( ( (uint64_t) buf[0] << 40 ) |
3057 ( (uint64_t) buf[1] << 32 ) |
3058 ( (uint64_t) buf[2] << 24 ) |
3059 ( (uint64_t) buf[3] << 16 ) |
3060 ( (uint64_t) buf[4] << 8 ) |
3061 ( (uint64_t) buf[5] ) );
3062}
3063
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3064static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
3065{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3066 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3067 unsigned char *original_in_ctr;
3068
3069 // save original in_ctr
3070 original_in_ctr = ssl->in_ctr;
3071
3072 // use counter from record
3073 ssl->in_ctr = record_in_ctr;
3074
3075 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3076
3077 // restore the counter
3078 ssl->in_ctr = original_in_ctr;
3079
3080 return ret;
3081}
3082
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3083/*
3084 * Return 0 if sequence number is acceptable, -1 otherwise
3085 */
Hanno Becker0183d692019-07-12 08:50:37 +0100[diff] [blame]3086int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3087{
3088 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3089 uint64_t bit;
3090
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3091 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3092 return( 0 );
3093
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3094 if( rec_seqnum > ssl->in_window_top )
3095 return( 0 );
3096
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3097 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3098
3099 if( bit >= 64 )
3100 return( -1 );
3101
3102 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3103 return( -1 );
3104
3105 return( 0 );
3106}
3107
3108/*
3109 * Update replay window on new validated record
3110 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3111void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3112{
3113 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3114
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3115 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3116 return;
3117
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3118 if( rec_seqnum > ssl->in_window_top )
3119 {
3120 /* Update window_top and the contents of the window */
3121 uint64_t shift = rec_seqnum - ssl->in_window_top;
3122
3123 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3124 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3125 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3126 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3127 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3128 ssl->in_window |= 1;
3129 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3130
3131 ssl->in_window_top = rec_seqnum;
3132 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3133 else
3134 {
3135 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3136 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3137
3138 if( bit < 64 ) /* Always true, but be extra sure */
3139 ssl->in_window |= (uint64_t) 1 << bit;
3140 }
3141}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3142#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3143
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3144#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3145/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3146 * Without any SSL context, check if a datagram looks like a ClientHello with
3147 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +0100[diff] [blame]3148 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3149 *
3150 * - if cookie is valid, return 0
3151 * - if ClientHello looks superficially valid but cookie is not,
3152 * fill obuf and set olen, then
3153 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3154 * - otherwise return a specific error code
3155 */
3156static int ssl_check_dtls_clihlo_cookie(
3157 mbedtls_ssl_cookie_write_t *f_cookie_write,
3158 mbedtls_ssl_cookie_check_t *f_cookie_check,
3159 void *p_cookie,
3160 const unsigned char *cli_id, size_t cli_id_len,
3161 const unsigned char *in, size_t in_len,
3162 unsigned char *obuf, size_t buf_len, size_t *olen )
3163{
3164 size_t sid_len, cookie_len;
3165 unsigned char *p;
3166
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3167 /*
3168 * Structure of ClientHello with record and handshake headers,
3169 * and expected values. We don't need to check a lot, more checks will be
3170 * done when actually parsing the ClientHello - skipping those checks
3171 * avoids code duplication and does not make cookie forging any easier.
3172 *
3173 * 0-0 ContentType type; copied, must be handshake
3174 * 1-2 ProtocolVersion version; copied
3175 * 3-4 uint16 epoch; copied, must be 0
3176 * 5-10 uint48 sequence_number; copied
3177 * 11-12 uint16 length; (ignored)
3178 *
3179 * 13-13 HandshakeType msg_type; (ignored)
3180 * 14-16 uint24 length; (ignored)
3181 * 17-18 uint16 message_seq; copied
3182 * 19-21 uint24 fragment_offset; copied, must be 0
3183 * 22-24 uint24 fragment_length; (ignored)
3184 *
3185 * 25-26 ProtocolVersion client_version; (ignored)
3186 * 27-58 Random random; (ignored)
3187 * 59-xx SessionID session_id; 1 byte len + sid_len content
3188 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3189 * ...
3190 *
3191 * Minimum length is 61 bytes.
3192 */
3193 if( in_len < 61 ||
3194 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3195 in[3] != 0 || in[4] != 0 ||
3196 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3197 {
3198 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3199 }
3200
3201 sid_len = in[59];
3202 if( sid_len > in_len - 61 )
3203 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3204
3205 cookie_len = in[60 + sid_len];
3206 if( cookie_len > in_len - 60 )
3207 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3208
3209 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3210 cli_id, cli_id_len ) == 0 )
3211 {
3212 /* Valid cookie */
3213 return( 0 );
3214 }
3215
3216 /*
3217 * If we get here, we've got an invalid cookie, let's prepare HVR.
3218 *
3219 * 0-0 ContentType type; copied
3220 * 1-2 ProtocolVersion version; copied
3221 * 3-4 uint16 epoch; copied
3222 * 5-10 uint48 sequence_number; copied
3223 * 11-12 uint16 length; olen - 13
3224 *
3225 * 13-13 HandshakeType msg_type; hello_verify_request
3226 * 14-16 uint24 length; olen - 25
3227 * 17-18 uint16 message_seq; copied
3228 * 19-21 uint24 fragment_offset; copied
3229 * 22-24 uint24 fragment_length; olen - 25
3230 *
3231 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3232 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3233 *
3234 * Minimum length is 28.
3235 */
3236 if( buf_len < 28 )
3237 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3238
3239 /* Copy most fields and adapt others */
3240 memcpy( obuf, in, 25 );
3241 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3242 obuf[25] = 0xfe;
3243 obuf[26] = 0xff;
3244
3245 /* Generate and write actual cookie */
3246 p = obuf + 28;
3247 if( f_cookie_write( p_cookie,
3248 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3249 {
3250 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3251 }
3252
3253 *olen = p - obuf;
3254
3255 /* Go back and fill length fields */
3256 obuf[27] = (unsigned char)( *olen - 28 );
3257
3258 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
3259 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
3260 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
3261
3262 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
3263 obuf[12] = (unsigned char)( ( *olen - 13 ) );
3264
3265 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3266}
3267
3268/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3269 * Handle possible client reconnect with the same UDP quadruplet
3270 * (RFC 6347 Section 4.2.8).
3271 *
3272 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3273 * that looks like a ClientHello.
3274 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3275 * - if the input looks like a ClientHello without cookies,
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3276 * send back HelloVerifyRequest, then return 0
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3277 * - if the input looks like a ClientHello with a valid cookie,
3278 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]3279 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3280 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3281 *
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3282 * This function is called (through ssl_check_client_reconnect()) when an
3283 * unexpected record is found in ssl_get_next_record(), which will discard the
3284 * record if we return 0, and bubble up the return value otherwise (this
3285 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3286 * errors, and is the right thing to do in both cases).
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3287 */
3288static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3289{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3290 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3291 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3292
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3293 if( ssl->conf->f_cookie_write == NULL ||
3294 ssl->conf->f_cookie_check == NULL )
3295 {
3296 /* If we can't use cookies to verify reachability of the peer,
3297 * drop the record. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3299 "can't check reconnect validity" ) );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3300 return( 0 );
3301 }
3302
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3303 ret = ssl_check_dtls_clihlo_cookie(
3304 ssl->conf->f_cookie_write,
3305 ssl->conf->f_cookie_check,
3306 ssl->conf->p_cookie,
3307 ssl->cli_id, ssl->cli_id_len,
3308 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3309 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3310
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3311 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3312
3313 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3314 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3315 int send_ret;
3316 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3317 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3318 ssl->out_buf, len );
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]3319 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3320 * If the error is permanent we'll catch it later,
3321 * if it's not, then hopefully it'll work next time. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3322 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3323 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3324 (void) send_ret;
3325
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3326 return( 0 );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3327 }
3328
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3329 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3330 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
Hanno Becker43aefe22020-02-05 10:44:56 +0000[diff] [blame]3332 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3333 {
3334 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3335 return( ret );
3336 }
3337
3338 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3339 }
3340
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3341 return( ret );
3342}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3343#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3344
Hanno Beckerf661c9c2019-05-03 13:25:54 +0100[diff] [blame]3345static int ssl_check_record_type( uint8_t record_type )
3346{
3347 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3348 record_type != MBEDTLS_SSL_MSG_ALERT &&
3349 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3350 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3351 {
3352 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3353 }
3354
3355 return( 0 );
3356}
3357
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3358/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3359 * ContentType type;
3360 * ProtocolVersion version;
3361 * uint16 epoch; // DTLS only
3362 * uint48 sequence_number; // DTLS only
3363 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3364 *
3365 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3366 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3367 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3368 *
3369 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3370 * 1. proceed with the record if this function returns 0
3371 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3372 * 3. return CLIENT_RECONNECT if this function return that value
3373 * 4. drop the whole datagram if this function returns anything else.
3374 * Point 2 is needed when the peer is resending, and we have already received
3375 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3376 */
Hanno Becker331de3d2019-07-12 11:10:16 +0100[diff] [blame]3377static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3378 unsigned char *buf,
3379 size_t len,
3380 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3381{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3382 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3383
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3384 size_t const rec_hdr_type_offset = 0;
3385 size_t const rec_hdr_type_len = 1;
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3386
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3387 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3388 rec_hdr_type_len;
3389 size_t const rec_hdr_version_len = 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3390
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3391 size_t const rec_hdr_ctr_len = 8;
3392#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3393 uint32_t rec_epoch;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3394 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3395 rec_hdr_version_len;
3396
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3397#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3398 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3399 rec_hdr_ctr_len;
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3400 size_t rec_hdr_cid_len = 0;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3401#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3402#endif /* MBEDTLS_SSL_PROTO_DTLS */
3403
3404 size_t rec_hdr_len_offset; /* To be determined */
3405 size_t const rec_hdr_len_len = 2;
3406
3407 /*
3408 * Check minimum lengths for record header.
3409 */
3410
3411#if defined(MBEDTLS_SSL_PROTO_DTLS)
3412 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3413 {
3414 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3415 }
3416 else
3417#endif /* MBEDTLS_SSL_PROTO_DTLS */
3418 {
3419 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3420 }
3421
3422 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3423 {
3424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3425 (unsigned) len,
3426 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3427 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3428 }
3429
3430 /*
3431 * Parse and validate record content type
3432 */
3433
3434 rec->type = buf[ rec_hdr_type_offset ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3435
3436 /* Check record content type */
3437#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3438 rec->cid_len = 0;
3439
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3440 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3441 ssl->conf->cid_len != 0 &&
3442 rec->type == MBEDTLS_SSL_MSG_CID )
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3443 {
3444 /* Shift pointers to account for record header including CID
3445 * struct {
3446 * ContentType special_type = tls12_cid;
3447 * ProtocolVersion version;
3448 * uint16 epoch;
3449 * uint48 sequence_number;
Hanno Becker8e55b0f2019-05-23 17:03:19 +0100[diff] [blame]3450 * opaque cid[cid_length]; // Additional field compared to
3451 * // default DTLS record format
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3452 * uint16 length;
3453 * opaque enc_content[DTLSCiphertext.length];
3454 * } DTLSCiphertext;
3455 */
3456
3457 /* So far, we only support static CID lengths
3458 * fixed in the configuration. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3459 rec_hdr_cid_len = ssl->conf->cid_len;
3460 rec_hdr_len_offset += rec_hdr_cid_len;
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3461
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3462 if( len < rec_hdr_len_offset + rec_hdr_len_len )
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3463 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3465 (unsigned) len,
3466 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
Hanno Becker59be60e2019-07-10 14:53:43 +0100[diff] [blame]3467 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3468 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3469
Manuel Pégourié-Gonnard7e821b52019-08-02 10:17:15 +0200[diff] [blame]3470 /* configured CID len is guaranteed at most 255, see
3471 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3472 rec->cid_len = (uint8_t) rec_hdr_cid_len;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3473 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3474 }
3475 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3476#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3477 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3478 if( ssl_check_record_type( rec->type ) )
3479 {
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]3480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3481 (unsigned) rec->type ) );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3482 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3483 }
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3484 }
3485
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3486 /*
3487 * Parse and validate record version
3488 */
3489
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3490 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3491 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3492 mbedtls_ssl_read_version( &major_ver, &minor_ver,
3493 ssl->conf->transport,
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3494 &rec->ver[0] );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3495
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3496 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3497 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3499 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3500 }
3501
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3502 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3503 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3505 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3506 }
3507
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3508 /*
3509 * Parse/Copy record sequence number.
3510 */
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3511
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3512#if defined(MBEDTLS_SSL_PROTO_DTLS)
3513 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3514 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3515 /* Copy explicit record sequence number from input buffer. */
3516 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3517 rec_hdr_ctr_len );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3518 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3519 else
3520#endif /* MBEDTLS_SSL_PROTO_DTLS */
3521 {
3522 /* Copy implicit record sequence number from SSL context structure. */
3523 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3524 }
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3525
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3526 /*
3527 * Parse record length.
3528 */
3529
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3530 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
Hanno Becker9eca2762019-07-25 10:16:37 +0100[diff] [blame]3531 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3532 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3533 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3534
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3535 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
Hanno Becker92d30f52019-05-23 17:03:44 +0100[diff] [blame]3536 "version = [%d:%d], msglen = %d",
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3537 rec->type,
3538 major_ver, minor_ver, rec->data_len ) );
3539
3540 rec->buf = buf;
3541 rec->buf_len = rec->data_offset + rec->data_len;
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3542
Hanno Beckerd417cc92019-07-26 08:20:27 +0100[diff] [blame]3543 if( rec->data_len == 0 )
3544 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3545
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3546 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]3547 * DTLS-related tests.
3548 * Check epoch before checking length constraint because
3549 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3550 * message gets duplicated before the corresponding Finished message,
3551 * the second ChangeCipherSpec should be discarded because it belongs
3552 * to an old epoch, but not because its length is shorter than
3553 * the minimum record length for packets using the new record transform.
3554 * Note that these two kinds of failures are handled differently,
3555 * as an unexpected record is silently skipped but an invalid
3556 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3557 */
3558#if defined(MBEDTLS_SSL_PROTO_DTLS)
3559 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3560 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3561 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3562
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3563 /* Check that the datagram is large enough to contain a record
3564 * of the advertised length. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3565 if( len < rec->data_offset + rec->data_len )
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3566 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3568 (unsigned) len,
3569 (unsigned)( rec->data_offset + rec->data_len ) ) );
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3570 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3571 }
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3572
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3573 /* Records from other, non-matching epochs are silently discarded.
3574 * (The case of same-port Client reconnects must be considered in
3575 * the caller). */
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3576 if( rec_epoch != ssl->in_epoch )
3577 {
3578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3579 "expected %d, received %d",
3580 ssl->in_epoch, rec_epoch ) );
3581
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3582 /* Records from the next epoch are considered for buffering
3583 * (concretely: early Finished messages). */
3584 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3585 {
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3586 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3587 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3588 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]3589
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3590 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3591 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3592#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3593 /* For records from the correct epoch, check whether their
3594 * sequence number has been seen before. */
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3595 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3596 &rec->ctr[0] ) != 0 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3597 {
3598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3599 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3600 }
3601#endif
3602 }
3603#endif /* MBEDTLS_SSL_PROTO_DTLS */
3604
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3605 return( 0 );
3606}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3607
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3608
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3609#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3610static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3611{
3612 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3613
3614 /*
3615 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3616 * access the first byte of record content (handshake type), as we
3617 * have an active transform (possibly iv_len != 0), so use the
3618 * fact that the record header len is 13 instead.
3619 */
3620 if( rec_epoch == 0 &&
3621 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3622 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3623 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3624 ssl->in_left > 13 &&
3625 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3626 {
3627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3628 "from the same port" ) );
3629 return( ssl_handle_possible_reconnect( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3630 }
3631
3632 return( 0 );
3633}
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3634#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3635
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3636/*
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]3637 * If applicable, decrypt record content
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3638 */
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3639static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3640 mbedtls_record *rec )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3641{
3642 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]3643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3644 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3645 rec->buf, rec->buf_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3646
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3647#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3648 if( mbedtls_ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3652 ret = mbedtls_ssl_hw_record_read( ssl );
3653 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3654 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3655 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
3656 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3657 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]3658
3659 if( ret == 0 )
3660 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3661 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3662#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3663 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3664 {
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3665 unsigned char const old_msg_type = rec->type;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3666
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]3667 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3668 rec ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3669 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3670 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3671
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3672#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3673 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3674 ssl->conf->ignore_unexpected_cid
3675 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3676 {
Hanno Beckere8d6afd2019-05-24 10:11:06 +0100[diff] [blame]3677 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3678 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3679 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3680#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3681
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3682 return( ret );
3683 }
3684
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3685 if( old_msg_type != rec->type )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3686 {
3687 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3688 old_msg_type, rec->type ) );
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3689 }
3690
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3691 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3692 rec->buf + rec->data_offset, rec->data_len );
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3693
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3694#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3695 /* We have already checked the record content type
3696 * in ssl_parse_record_header(), failing or silently
3697 * dropping the record in the case of an unknown type.
3698 *
3699 * Since with the use of CIDs, the record content type
3700 * might change during decryption, re-check the record
3701 * content type, but treat a failure as fatal this time. */
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3702 if( ssl_check_record_type( rec->type ) )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3703 {
3704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3705 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3706 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3707#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3708
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3709 if( rec->data_len == 0 )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3710 {
3711#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3712 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3713 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3714 {
3715 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3717 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3718 }
3719#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3720
3721 ssl->nb_zero++;
3722
3723 /*
3724 * Three or more empty messages may be a DoS attack
3725 * (excessive CPU consumption).
3726 */
3727 if( ssl->nb_zero > 3 )
3728 {
3729 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
Hanno Becker6e7700d2019-05-08 10:38:32 +0100[diff] [blame]3730 "messages, possible DoS attack" ) );
3731 /* Treat the records as if they were not properly authenticated,
3732 * thereby failing the connection if we see more than allowed
3733 * by the configured bad MAC threshold. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3734 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3735 }
3736 }
3737 else
3738 ssl->nb_zero = 0;
3739
3740#if defined(MBEDTLS_SSL_PROTO_DTLS)
3741 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3742 {
3743 ; /* in_ctr read from peer, not maintained internally */
3744 }
3745 else
3746#endif
3747 {
3748 unsigned i;
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3749 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3750 if( ++ssl->in_ctr[i - 1] != 0 )
3751 break;
3752
3753 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3754 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3755 {
3756 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3757 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3758 }
3759 }
3760
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3761 }
3762
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3763#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3764 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3765 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3766 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3767 }
3768#endif
3769
Hanno Beckerd96e10b2019-07-09 17:30:02 +0100[diff] [blame]3770 /* Check actual (decrypted) record content length against
3771 * configured maximum. */
3772 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
3773 {
3774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3775 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3776 }
3777
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3778 return( 0 );
3779}
3780
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3781/*
3782 * Read a record.
3783 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]3784 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3785 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3786 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3787 */
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]3788
3789/* Helper functions for mbedtls_ssl_read_record(). */
3790static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3791static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3792static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +0100[diff] [blame]3793
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3794int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3795 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3796{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3797 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3798
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3800
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3801 if( ssl->keep_current_message == 0 )
3802 {
3803 do {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3804
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3805 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3806 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3807 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3808
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3809 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3810 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3811#if defined(MBEDTLS_SSL_PROTO_DTLS)
3812 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3813
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3814 /* We only check for buffered messages if the
3815 * current datagram is fully consumed. */
3816 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3817 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3818 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3819 if( ssl_load_buffered_message( ssl ) == 0 )
3820 have_buffered = 1;
3821 }
3822
3823 if( have_buffered == 0 )
3824#endif /* MBEDTLS_SSL_PROTO_DTLS */
3825 {
3826 ret = ssl_get_next_record( ssl );
3827 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
3828 continue;
3829
3830 if( ret != 0 )
3831 {
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]3832 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3833 return( ret );
3834 }
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3835 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3836 }
3837
3838 ret = mbedtls_ssl_handle_message_type( ssl );
3839
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3840#if defined(MBEDTLS_SSL_PROTO_DTLS)
3841 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
3842 {
3843 /* Buffer future message */
3844 ret = ssl_buffer_message( ssl );
3845 if( ret != 0 )
3846 return( ret );
3847
3848 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3849 }
3850#endif /* MBEDTLS_SSL_PROTO_DTLS */
3851
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3852 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
3853 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3854
3855 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3856 {
Hanno Becker05c4fc82017-11-09 14:34:06 +0000[diff] [blame]3857 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3858 return( ret );
3859 }
3860
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3861 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3862 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3863 {
3864 mbedtls_ssl_update_handshake_status( ssl );
3865 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3866 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3867 else
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3868 {
Hanno Becker02f59072018-08-15 14:00:24 +0100[diff] [blame]3869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3870 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3871 }
3872
3873 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3874
3875 return( 0 );
3876}
3877
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3878#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3879static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3880{
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3881 if( ssl->in_left > ssl->next_record_offset )
3882 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3883
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3884 return( 0 );
3885}
3886
3887static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
3888{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3889 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3890 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3891 int ret = 0;
3892
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3893 if( hs == NULL )
3894 return( -1 );
3895
Hanno Beckere00ae372018-08-20 09:39:42 +0100[diff] [blame]3896 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
3897
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3898 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
3899 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3900 {
3901 /* Check if we have seen a ChangeCipherSpec before.
3902 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]3903 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3904 {
3905 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
3906 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +0100[diff] [blame]3907 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3908 }
3909
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]3910 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3911 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
3912 ssl->in_msglen = 1;
3913 ssl->in_msg[0] = 1;
3914
3915 /* As long as they are equal, the exact value doesn't matter. */
3916 ssl->in_left = 0;
3917 ssl->next_record_offset = 0;
3918
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3919 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3920 goto exit;
3921 }
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3922
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3923#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3924 /* Debug only */
3925 {
3926 unsigned offset;
3927 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
3928 {
3929 hs_buf = &hs->buffering.hs[offset];
3930 if( hs_buf->is_valid == 1 )
3931 {
3932 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
3933 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +0100[diff] [blame]3934 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3935 }
3936 }
3937 }
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3938#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3939
3940 /* Check if we have buffered and/or fully reassembled the
3941 * next handshake message. */
3942 hs_buf = &hs->buffering.hs[0];
3943 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
3944 {
3945 /* Synthesize a record containing the buffered HS message. */
3946 size_t msg_len = ( hs_buf->data[1] << 16 ) |
3947 ( hs_buf->data[2] << 8 ) |
3948 hs_buf->data[3];
3949
3950 /* Double-check that we haven't accidentally buffered
3951 * a message that doesn't fit into the input buffer. */
3952 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
3953 {
3954 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3955 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3956 }
3957
3958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
3959 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
3960 hs_buf->data, msg_len + 12 );
3961
3962 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3963 ssl->in_hslen = msg_len + 12;
3964 ssl->in_msglen = msg_len + 12;
3965 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
3966
3967 ret = 0;
3968 goto exit;
3969 }
3970 else
3971 {
3972 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
3973 hs->in_msg_seq ) );
3974 }
3975
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3976 ret = -1;
3977
3978exit:
3979
3980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
3981 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3982}
3983
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3984static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
3985 size_t desired )
3986{
3987 int offset;
3988 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3989 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
3990 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3991
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3992 /* Get rid of future records epoch first, if such exist. */
3993 ssl_free_buffered_record( ssl );
3994
3995 /* Check if we have enough space available now. */
3996 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3997 hs->buffering.total_bytes_buffered ) )
3998 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3999 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4000 return( 0 );
4001 }
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4002
Hanno Becker4f432ad2018-08-28 10:02:32 +0100[diff] [blame]4003 /* We don't have enough space to buffer the next expected handshake
4004 * message. Remove buffers used for future messages to gain space,
4005 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4006 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4007 offset >= 0; offset-- )
4008 {
4009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4010 offset ) );
4011
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]4012 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4013
4014 /* Check if we have enough space available now. */
4015 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4016 hs->buffering.total_bytes_buffered ) )
4017 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4019 return( 0 );
4020 }
4021 }
4022
4023 return( -1 );
4024}
4025
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4026static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4027{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4028 int ret = 0;
4029 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4030
4031 if( hs == NULL )
4032 return( 0 );
4033
4034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4035
4036 switch( ssl->in_msgtype )
4037 {
4038 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4039 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4040
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4041 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4042 break;
4043
4044 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4045 {
4046 unsigned recv_msg_seq_offset;
4047 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4048 mbedtls_ssl_hs_buffer *hs_buf;
4049 size_t msg_len = ssl->in_hslen - 12;
4050
4051 /* We should never receive an old handshake
4052 * message - double-check nonetheless. */
4053 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4054 {
4055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4056 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4057 }
4058
4059 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4060 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4061 {
4062 /* Silently ignore -- message too far in the future */
4063 MBEDTLS_SSL_DEBUG_MSG( 2,
4064 ( "Ignore future HS message with sequence number %u, "
4065 "buffering window %u - %u",
4066 recv_msg_seq, ssl->handshake->in_msg_seq,
4067 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4068
4069 goto exit;
4070 }
4071
4072 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4073 recv_msg_seq, recv_msg_seq_offset ) );
4074
4075 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4076
4077 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4078 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4079 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4080 size_t reassembly_buf_sz;
4081
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4082 hs_buf->is_fragmented =
4083 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4084
4085 /* We copy the message back into the input buffer
4086 * after reassembly, so check that it's not too large.
4087 * This is an implementation-specific limitation
4088 * and not one from the standard, hence it is not
4089 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +0100[diff] [blame]4090 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4091 {
4092 /* Ignore message */
4093 goto exit;
4094 }
4095
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4096 /* Check if we have enough space to buffer the message. */
4097 if( hs->buffering.total_bytes_buffered >
4098 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4099 {
4100 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4101 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4102 }
4103
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4104 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4105 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4106
4107 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4108 hs->buffering.total_bytes_buffered ) )
4109 {
4110 if( recv_msg_seq_offset > 0 )
4111 {
4112 /* If we can't buffer a future message because
4113 * of space limitations -- ignore. */
4114 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4115 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4116 (unsigned) hs->buffering.total_bytes_buffered ) );
4117 goto exit;
4118 }
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]4119 else
4120 {
4121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4122 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4123 (unsigned) hs->buffering.total_bytes_buffered ) );
4124 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4125
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4126 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4127 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4128 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4129 (unsigned) msg_len,
4130 (unsigned) reassembly_buf_sz,
4131 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4132 (unsigned) hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4133 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4134 goto exit;
4135 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4136 }
4137
4138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4139 msg_len ) );
4140
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4141 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4142 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4143 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4144 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4145 goto exit;
4146 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4147 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4148
4149 /* Prepare final header: copy msg_type, length and message_seq,
4150 * then add standardised fragment_offset and fragment_length */
4151 memcpy( hs_buf->data, ssl->in_msg, 6 );
4152 memset( hs_buf->data + 6, 0, 3 );
4153 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4154
4155 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4156
4157 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4158 }
4159 else
4160 {
4161 /* Make sure msg_type and length are consistent */
4162 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4163 {
4164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4165 /* Ignore */
4166 goto exit;
4167 }
4168 }
4169
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4170 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4171 {
4172 size_t frag_len, frag_off;
4173 unsigned char * const msg = hs_buf->data + 12;
4174
4175 /*
4176 * Check and copy current fragment
4177 */
4178
4179 /* Validation of header fields already done in
4180 * mbedtls_ssl_prepare_handshake_record(). */
4181 frag_off = ssl_get_hs_frag_off( ssl );
4182 frag_len = ssl_get_hs_frag_len( ssl );
4183
4184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
4185 frag_off, frag_len ) );
4186 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4187
4188 if( hs_buf->is_fragmented )
4189 {
4190 unsigned char * const bitmask = msg + msg_len;
4191 ssl_bitmask_set( bitmask, frag_off, frag_len );
4192 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4193 msg_len ) == 0 );
4194 }
4195 else
4196 {
4197 hs_buf->is_complete = 1;
4198 }
4199
4200 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4201 hs_buf->is_complete ? "" : "not yet " ) );
4202 }
4203
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4204 break;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4205 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4206
4207 default:
Hanno Becker360bef32018-08-28 10:04:33 +0100[diff] [blame]4208 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4209 break;
4210 }
4211
4212exit:
4213
4214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4215 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4216}
4217#endif /* MBEDTLS_SSL_PROTO_DTLS */
4218
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4219static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4220{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4221 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4222 * Consume last content-layer message and potentially
4223 * update in_msglen which keeps track of the contents'
4224 * consumption state.
4225 *
4226 * (1) Handshake messages:
4227 * Remove last handshake message, move content
4228 * and adapt in_msglen.
4229 *
4230 * (2) Alert messages:
4231 * Consume whole record content, in_msglen = 0.
4232 *
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4233 * (3) Change cipher spec:
4234 * Consume whole record content, in_msglen = 0.
4235 *
4236 * (4) Application data:
4237 * Don't do anything - the record layer provides
4238 * the application data as a stream transport
4239 * and consumes through mbedtls_ssl_read only.
4240 *
4241 */
4242
4243 /* Case (1): Handshake messages */
4244 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4245 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4246 /* Hard assertion to be sure that no application data
4247 * is in flight, as corrupting ssl->in_msglen during
4248 * ssl->in_offt != NULL is fatal. */
4249 if( ssl->in_offt != NULL )
4250 {
4251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4252 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4253 }
4254
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4255 /*
4256 * Get next Handshake message in the current record
4257 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4258
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4259 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4260 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4261 * current handshake content: If DTLS handshake
4262 * fragmentation is used, that's the fragment
4263 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4264 * size here is faulty and should be changed at
4265 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4266 * (2) While it doesn't seem to cause problems, one
4267 * has to be very careful not to assume that in_hslen
4268 * is always <= in_msglen in a sensible communication.
4269 * Again, it's wrong for DTLS handshake fragmentation.
4270 * The following check is therefore mandatory, and
4271 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4272 * Additionally, ssl->in_hslen might be arbitrarily out of
4273 * bounds after handling a DTLS message with an unexpected
4274 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4275 */
4276 if( ssl->in_hslen < ssl->in_msglen )
4277 {
4278 ssl->in_msglen -= ssl->in_hslen;
4279 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4280 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4281
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4282 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4283 ssl->in_msg, ssl->in_msglen );
4284 }
4285 else
4286 {
4287 ssl->in_msglen = 0;
4288 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +0200[diff] [blame]4289
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4290 ssl->in_hslen = 0;
4291 }
4292 /* Case (4): Application data */
4293 else if( ssl->in_offt != NULL )
4294 {
4295 return( 0 );
4296 }
4297 /* Everything else (CCS & Alerts) */
4298 else
4299 {
4300 ssl->in_msglen = 0;
4301 }
4302
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4303 return( 0 );
4304}
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4305
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4306static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4307{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4308 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4309 return( 1 );
4310
4311 return( 0 );
4312}
4313
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4314#if defined(MBEDTLS_SSL_PROTO_DTLS)
4315
4316static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4317{
4318 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4319 if( hs == NULL )
4320 return;
4321
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4322 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4323 {
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4324 hs->buffering.total_bytes_buffered -=
4325 hs->buffering.future_record.len;
4326
4327 mbedtls_free( hs->buffering.future_record.data );
4328 hs->buffering.future_record.data = NULL;
4329 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4330}
4331
4332static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4333{
4334 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4335 unsigned char * rec;
4336 size_t rec_len;
4337 unsigned rec_epoch;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4338#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4339 size_t in_buf_len = ssl->in_buf_len;
4340#else
4341 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4342#endif
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4343 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4344 return( 0 );
4345
4346 if( hs == NULL )
4347 return( 0 );
4348
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4349 rec = hs->buffering.future_record.data;
4350 rec_len = hs->buffering.future_record.len;
4351 rec_epoch = hs->buffering.future_record.epoch;
4352
4353 if( rec == NULL )
4354 return( 0 );
4355
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4356 /* Only consider loading future records if the
4357 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4358 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4359 return( 0 );
4360
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4361 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4362
4363 if( rec_epoch != ssl->in_epoch )
4364 {
4365 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4366 goto exit;
4367 }
4368
4369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4370
4371 /* Double-check that the record is not too large */
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4372 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4373 {
4374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4375 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4376 }
4377
4378 memcpy( ssl->in_hdr, rec, rec_len );
4379 ssl->in_left = rec_len;
4380 ssl->next_record_offset = 0;
4381
4382 ssl_free_buffered_record( ssl );
4383
4384exit:
4385 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4386 return( 0 );
4387}
4388
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4389static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4390 mbedtls_record const *rec )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4391{
4392 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4393
4394 /* Don't buffer future records outside handshakes. */
4395 if( hs == NULL )
4396 return( 0 );
4397
4398 /* Only buffer handshake records (we are only interested
4399 * in Finished messages). */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4400 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4401 return( 0 );
4402
4403 /* Don't buffer more than one future epoch record. */
4404 if( hs->buffering.future_record.data != NULL )
4405 return( 0 );
4406
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4407 /* Don't buffer record if there's not enough buffering space remaining. */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4408 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4409 hs->buffering.total_bytes_buffered ) )
4410 {
4411 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4412 (unsigned) rec->buf_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4413 (unsigned) hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4414 return( 0 );
4415 }
4416
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4417 /* Buffer record */
4418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
4419 ssl->in_epoch + 1 ) );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4420 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4421
4422 /* ssl_parse_record_header() only considers records
4423 * of the next epoch as candidates for buffering. */
4424 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4425 hs->buffering.future_record.len = rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4426
4427 hs->buffering.future_record.data =
4428 mbedtls_calloc( 1, hs->buffering.future_record.len );
4429 if( hs->buffering.future_record.data == NULL )
4430 {
4431 /* If we run out of RAM trying to buffer a
4432 * record from the next epoch, just ignore. */
4433 return( 0 );
4434 }
4435
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4436 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4437
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4438 hs->buffering.total_bytes_buffered += rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4439 return( 0 );
4440}
4441
4442#endif /* MBEDTLS_SSL_PROTO_DTLS */
4443
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4444static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4445{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4446 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4447 mbedtls_record rec;
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4448
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4449#if defined(MBEDTLS_SSL_PROTO_DTLS)
4450 /* We might have buffered a future record; if so,
4451 * and if the epoch matches now, load it.
4452 * On success, this call will set ssl->in_left to
4453 * the length of the buffered record, so that
4454 * the calls to ssl_fetch_input() below will
4455 * essentially be no-ops. */
4456 ret = ssl_load_buffered_record( ssl );
4457 if( ret != 0 )
4458 return( ret );
4459#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4460
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]4461 /* Ensure that we have enough space available for the default form
4462 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4463 * with no space for CIDs counted in). */
4464 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4465 if( ret != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4466 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4467 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4468 return( ret );
4469 }
4470
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4471 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4472 if( ret != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4473 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4474#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4475 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4476 {
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4477 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4478 {
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4479 ret = ssl_buffer_future_record( ssl, &rec );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4480 if( ret != 0 )
4481 return( ret );
4482
4483 /* Fall through to handling of unexpected records */
4484 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4485 }
4486
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4487 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4488 {
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4489#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4490 /* Reset in pointers to default state for TLS/DTLS records,
4491 * assuming no CID and no offset between record content and
4492 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4493 mbedtls_ssl_update_in_pointers( ssl );
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4494
Hanno Becker7ae20e02019-07-12 08:33:49 +0100[diff] [blame]4495 /* Setup internal message pointers from record structure. */
4496 ssl->in_msgtype = rec.type;
4497#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4498 ssl->in_len = ssl->in_cid + rec.cid_len;
4499#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4500 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4501 ssl->in_msglen = rec.data_len;
4502
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4503 ret = ssl_check_client_reconnect( ssl );
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]4504 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4505 if( ret != 0 )
4506 return( ret );
4507#endif
4508
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4509 /* Skip unexpected record (but not whole datagram) */
Hanno Becker4acada32019-07-11 12:48:53 +0100[diff] [blame]4510 ssl->next_record_offset = rec.buf_len;
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4511
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4513 "(header)" ) );
4514 }
4515 else
4516 {
4517 /* Skip invalid record and the rest of the datagram */
4518 ssl->next_record_offset = 0;
4519 ssl->in_left = 0;
4520
4521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4522 "(header)" ) );
4523 }
4524
4525 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4526 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4527 }
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4528 else
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4529#endif
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4530 {
4531 return( ret );
4532 }
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4533 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4535#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4536 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4537 {
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4538 /* Remember offset of next record within datagram. */
Hanno Beckerf50da502019-07-11 12:50:10 +0100[diff] [blame]4539 ssl->next_record_offset = rec.buf_len;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4540 if( ssl->next_record_offset < ssl->in_left )
4541 {
4542 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4543 }
4544 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4545 else
4546#endif
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4547 {
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]4548 /*
4549 * Fetch record contents from underlying transport.
4550 */
Hanno Beckera3175662019-07-11 12:50:29 +0100[diff] [blame]4551 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4552 if( ret != 0 )
4553 {
4554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4555 return( ret );
4556 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4557
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4558 ssl->in_left = 0;
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4559 }
4560
4561 /*
4562 * Decrypt record contents.
4563 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4564
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]4565 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4566 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4567#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4568 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4569 {
4570 /* Silently discard invalid records */
Hanno Becker82e2a392019-05-03 16:36:59 +0100[diff] [blame]4571 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4572 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4573 /* Except when waiting for Finished as a bad mac here
4574 * probably means something went wrong in the handshake
4575 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4576 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4577 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4578 {
4579#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4580 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4581 {
4582 mbedtls_ssl_send_alert_message( ssl,
4583 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4584 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4585 }
4586#endif
4587 return( ret );
4588 }
4589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4590#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4591 if( ssl->conf->badmac_limit != 0 &&
4592 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4593 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4595 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4596 }
4597#endif
4598
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4599 /* As above, invalid records cause
4600 * dismissal of the whole datagram. */
4601
4602 ssl->next_record_offset = 0;
4603 ssl->in_left = 0;
4604
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4605 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4606 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4607 }
4608
4609 return( ret );
4610 }
4611 else
4612#endif
4613 {
4614 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4615#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4616 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4617 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4618 mbedtls_ssl_send_alert_message( ssl,
4619 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4620 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4621 }
4622#endif
4623 return( ret );
4624 }
4625 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4626
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4627
4628 /* Reset in pointers to default state for TLS/DTLS records,
4629 * assuming no CID and no offset between record content and
4630 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4631 mbedtls_ssl_update_in_pointers( ssl );
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4632#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4633 ssl->in_len = ssl->in_cid + rec.cid_len;
4634#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
irwir89af51f2019-09-26 21:04:56 +0300[diff] [blame]4635 ssl->in_iv = ssl->in_len + 2;
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4636
Hanno Becker8685c822019-07-12 09:37:30 +0100[diff] [blame]4637 /* The record content type may change during decryption,
4638 * so re-read it. */
4639 ssl->in_msgtype = rec.type;
4640 /* Also update the input buffer, because unfortunately
4641 * the server-side ssl_parse_client_hello() reparses the
4642 * record header when receiving a ClientHello initiating
4643 * a renegotiation. */
4644 ssl->in_hdr[0] = rec.type;
4645 ssl->in_msg = rec.buf + rec.data_offset;
4646 ssl->in_msglen = rec.data_len;
4647 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
4648 ssl->in_len[1] = (unsigned char)( rec.data_len );
4649
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]4650#if defined(MBEDTLS_ZLIB_SUPPORT)
4651 if( ssl->transform_in != NULL &&
4652 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
4653 {
4654 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4655 {
4656 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
4657 return( ret );
4658 }
4659
4660 /* Check actual (decompress) record content length against
4661 * configured maximum. */
4662 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4663 {
4664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4665 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4666 }
4667 }
4668#endif /* MBEDTLS_ZLIB_SUPPORT */
4669
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4670 return( 0 );
4671}
4672
4673int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4674{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4675 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4676
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]4677 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4678 * Handle particular types of records
4679 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4680 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4681 {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4682 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4683 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4684 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4685 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4686 }
4687
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4688 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4689 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4690 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4691 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
4693 ssl->in_msglen ) );
4694 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4695 }
4696
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4697 if( ssl->in_msg[0] != 1 )
4698 {
4699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4700 ssl->in_msg[0] ) );
4701 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4702 }
4703
4704#if defined(MBEDTLS_SSL_PROTO_DTLS)
4705 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4706 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4707 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4708 {
4709 if( ssl->handshake == NULL )
4710 {
4711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4712 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4713 }
4714
4715 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4716 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4717 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4718#endif
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4719 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4721 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4722 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]4723 if( ssl->in_msglen != 2 )
4724 {
4725 /* Note: Standard allows for more than one 2 byte alert
4726 to be packed in a single message, but Mbed TLS doesn't
4727 currently support this. */
4728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
4729 ssl->in_msglen ) );
4730 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4731 }
4732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4733 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4734 ssl->in_msg[0], ssl->in_msg[1] ) );
4735
4736 /*
Simon Butcher459a9502015-10-27 16:09:03 +0000[diff] [blame]4737 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4738 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4739 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4740 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4742 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4743 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4744 }
4745
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4746 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4747 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4748 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4749 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4750 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4751 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4752
4753#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4754 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4755 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4756 {
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4757 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4758 /* Will be handled when trying to parse ServerHello */
4759 return( 0 );
4760 }
4761#endif
4762
4763#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
4764 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
4765 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4766 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4767 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
4768 {
4769 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
4770 /* Will be handled in mbedtls_ssl_parse_certificate() */
4771 return( 0 );
4772 }
4773#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
4774
4775 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4776 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4777 }
4778
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4779#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4780 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4781 {
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4782 /* Drop unexpected ApplicationData records,
4783 * except at the beginning of renegotiations */
4784 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4785 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4786#if defined(MBEDTLS_SSL_RENEGOTIATION)
4787 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4788 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4789#endif
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4790 )
4791 {
4792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4793 return( MBEDTLS_ERR_SSL_NON_FATAL );
4794 }
4795
4796 if( ssl->handshake != NULL &&
4797 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
4798 {
Hanno Beckerce5f5fd2020-02-05 10:47:44 +0000[diff] [blame]4799 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4800 }
4801 }
Hanno Becker4a4af9f2019-05-08 16:26:21 +0100[diff] [blame]4802#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4803
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4804 return( 0 );
4805}
4806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4807int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4808{
irwir6c0da642019-09-26 21:07:41 +0300[diff] [blame]4809 return( mbedtls_ssl_send_alert_message( ssl,
4810 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4811 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4812}
4813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4814int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4815 unsigned char level,
4816 unsigned char message )
4817{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4818 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4819
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]4820 if( ssl == NULL || ssl->conf == NULL )
4821 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4822
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4823 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4824 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4825
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4826 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4827 ssl->out_msglen = 2;
4828 ssl->out_msg[0] = level;
4829 ssl->out_msg[1] = message;
4830
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]4831 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4832 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4833 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4834 return( ret );
4835 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4836 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4837
4838 return( 0 );
4839}
4840
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4841int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4842{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4843 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4844
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4846
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4847 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4848 ssl->out_msglen = 1;
4849 ssl->out_msg[0] = 1;
4850
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4851 ssl->state++;
4852
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4853 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4854 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4855 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4856 return( ret );
4857 }
4858
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4860
4861 return( 0 );
4862}
4863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4864int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4865{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4866 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4867
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4868 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4869
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4870 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4871 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4872 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4873 return( ret );
4874 }
4875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4876 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4877 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4879 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4880 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4881 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4882 }
4883
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4884 /* CCS records are only accepted if they have length 1 and content '1',
4885 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4886
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4887 /*
4888 * Switch to our negotiated transform and session parameters for inbound
4889 * data.
4890 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4891 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4892 ssl->transform_in = ssl->transform_negotiate;
4893 ssl->session_in = ssl->session_negotiate;
4894
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4895#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4896 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4897 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4898#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]4899 mbedtls_ssl_dtls_replay_reset( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4900#endif
4901
4902 /* Increment epoch */
4903 if( ++ssl->in_epoch == 0 )
4904 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4905 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4906 /* This is highly unlikely to happen for legitimate reasons, so
4907 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4908 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4909 }
4910 }
4911 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4912#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4913 memset( ssl->in_ctr, 0, 8 );
4914
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4915 mbedtls_ssl_update_in_pointers( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4917#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4918 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4920 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4921 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4922 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4923 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4924 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4925 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4926 }
4927 }
4928#endif
4929
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4930 ssl->state++;
4931
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4932 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4933
4934 return( 0 );
4935}
4936
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4937/* Once ssl->out_hdr as the address of the beginning of the
4938 * next outgoing record is set, deduce the other pointers.
4939 *
4940 * Note: For TLS, we save the implicit record sequence number
4941 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
4942 * and the caller has to make sure there's space for this.
4943 */
4944
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4945void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
4946 mbedtls_ssl_transform *transform )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4947{
4948#if defined(MBEDTLS_SSL_PROTO_DTLS)
4949 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4950 {
4951 ssl->out_ctr = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4952#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4953 ssl->out_cid = ssl->out_ctr + 8;
4954 ssl->out_len = ssl->out_cid;
4955 if( transform != NULL )
4956 ssl->out_len += transform->out_cid_len;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4957#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4958 ssl->out_len = ssl->out_ctr + 8;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4959#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4960 ssl->out_iv = ssl->out_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4961 }
4962 else
4963#endif
4964 {
4965 ssl->out_ctr = ssl->out_hdr - 8;
4966 ssl->out_len = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4967#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4968 ssl->out_cid = ssl->out_len;
4969#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4970 ssl->out_iv = ssl->out_hdr + 5;
4971 }
4972
4973 /* Adjust out_msg to make space for explicit IV, if used. */
4974 if( transform != NULL &&
4975 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
4976 {
4977 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
4978 }
4979 else
4980 ssl->out_msg = ssl->out_iv;
4981}
4982
4983/* Once ssl->in_hdr as the address of the beginning of the
4984 * next incoming record is set, deduce the other pointers.
4985 *
4986 * Note: For TLS, we save the implicit record sequence number
4987 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
4988 * and the caller has to make sure there's space for this.
4989 */
4990
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4991void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4992{
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4993 /* This function sets the pointers to match the case
4994 * of unprotected TLS/DTLS records, with both ssl->in_iv
4995 * and ssl->in_msg pointing to the beginning of the record
4996 * content.
4997 *
4998 * When decrypting a protected record, ssl->in_msg
4999 * will be shifted to point to the beginning of the
5000 * record plaintext.
5001 */
5002
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]5003#if defined(MBEDTLS_SSL_PROTO_DTLS)
5004 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5005 {
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]5006 /* This sets the header pointers to match records
5007 * without CID. When we receive a record containing
5008 * a CID, the fields are shifted accordingly in
5009 * ssl_parse_record_header(). */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]5010 ssl->in_ctr = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5011#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]5012 ssl->in_cid = ssl->in_ctr + 8;
5013 ssl->in_len = ssl->in_cid; /* Default: no CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5014#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]5015 ssl->in_len = ssl->in_ctr + 8;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5016#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]5017 ssl->in_iv = ssl->in_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]5018 }
5019 else
5020#endif
5021 {
5022 ssl->in_ctr = ssl->in_hdr - 8;
5023 ssl->in_len = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5024#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]5025 ssl->in_cid = ssl->in_len;
5026#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]5027 ssl->in_iv = ssl->in_hdr + 5;
5028 }
5029
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]5030 /* This will be adjusted at record decryption time. */
5031 ssl->in_msg = ssl->in_iv;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]5032}
5033
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5034/*
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +0200[diff] [blame]5035 * Setup an SSL context
5036 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5037
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]5038void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5039{
5040 /* Set the incoming and outgoing record pointers. */
5041#if defined(MBEDTLS_SSL_PROTO_DTLS)
5042 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5043 {
5044 ssl->out_hdr = ssl->out_buf;
5045 ssl->in_hdr = ssl->in_buf;
5046 }
5047 else
5048#endif /* MBEDTLS_SSL_PROTO_DTLS */
5049 {
5050 ssl->out_hdr = ssl->out_buf + 8;
5051 ssl->in_hdr = ssl->in_buf + 8;
5052 }
5053
5054 /* Derive other internal pointers. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]5055 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
5056 mbedtls_ssl_update_in_pointers ( ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5057}
5058
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5059/*
5060 * SSL get accessors
5061 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5062size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5063{
5064 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
5065}
5066
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5067int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
5068{
5069 /*
5070 * Case A: We're currently holding back
5071 * a message for further processing.
5072 */
5073
5074 if( ssl->keep_current_message == 1 )
5075 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5076 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5077 return( 1 );
5078 }
5079
5080 /*
5081 * Case B: Further records are pending in the current datagram.
5082 */
5083
5084#if defined(MBEDTLS_SSL_PROTO_DTLS)
5085 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5086 ssl->in_left > ssl->next_record_offset )
5087 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5089 return( 1 );
5090 }
5091#endif /* MBEDTLS_SSL_PROTO_DTLS */
5092
5093 /*
5094 * Case C: A handshake message is being processed.
5095 */
5096
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5097 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
5098 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5100 return( 1 );
5101 }
5102
5103 /*
5104 * Case D: An application data message is being processed
5105 */
5106 if( ssl->in_offt != NULL )
5107 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5108 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5109 return( 1 );
5110 }
5111
5112 /*
5113 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]5114 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5115 * we implement support for multiple alerts in single records.
5116 */
5117
5118 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5119 return( 0 );
5120}
5121
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]5122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5123int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5124{
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5125 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5126 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5127 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5128
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5129 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5130
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]5131 if( transform == NULL )
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5132 return( (int) out_hdr_len );
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]5133
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5134#if defined(MBEDTLS_ZLIB_SUPPORT)
5135 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
5136 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5137#endif
5138
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5139 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5140 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5141 case MBEDTLS_MODE_GCM:
5142 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5143 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5144 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5145 transform_expansion = transform->minlen;
5146 break;
5147
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5148 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5149
5150 block_size = mbedtls_cipher_get_block_size(
5151 &transform->cipher_ctx_enc );
5152
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5153 /* Expansion due to the addition of the MAC. */
5154 transform_expansion += transform->maclen;
5155
5156 /* Expansion due to the addition of CBC padding;
5157 * Theoretically up to 256 bytes, but we never use
5158 * more than the block size of the underlying cipher. */
5159 transform_expansion += block_size;
5160
5161 /* For TLS 1.1 or higher, an explicit IV is added
5162 * after the record header. */
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5163#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
5164 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5165 transform_expansion += block_size;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5166#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5167
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5168 break;
5169
5170 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5172 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5173 }
5174
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5175#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]5176 if( transform->out_cid_len != 0 )
5177 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5178#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]5179
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5180 return( (int)( out_hdr_len + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5181}
5182
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5183#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]5184/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5185 * Check record counters and renegotiate if they're above the limit.
5186 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5187static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5188{
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]5189 size_t ep_len = mbedtls_ssl_ep_len( ssl );
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5190 int in_ctr_cmp;
5191 int out_ctr_cmp;
5192
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5193 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5194 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5195 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5196 {
5197 return( 0 );
5198 }
5199
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5200 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5201 ssl->conf->renego_period + ep_len, 8 - ep_len );
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]5202 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5203 ssl->conf->renego_period + ep_len, 8 - ep_len );
5204
5205 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5206 {
5207 return( 0 );
5208 }
5209
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5210 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5211 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5212}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5213#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5214
5215/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5216 * Receive application data decrypted from the SSL layer
5217 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5218int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5219{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5220 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5221 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5222
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5223 if( ssl == NULL || ssl->conf == NULL )
5224 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5228#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5229 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5230 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5231 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5232 return( ret );
5233
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5234 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5235 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5236 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]5237 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5238 return( ret );
5239 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5240 }
5241#endif
5242
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5243 /*
5244 * Check if renegotiation is necessary and/or handshake is
5245 * in process. If yes, perform/continue, and fall through
5246 * if an unexpected packet is received while the client
5247 * is waiting for the ServerHello.
5248 *
5249 * (There is no equivalent to the last condition on
5250 * the server-side as it is not treated as within
5251 * a handshake while waiting for the ClientHello
5252 * after a renegotiation request.)
5253 */
5254
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5255#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5256 ret = ssl_check_ctr_renegotiate( ssl );
5257 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5258 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5259 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5260 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5261 return( ret );
5262 }
5263#endif
5264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5265 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5266 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5267 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5268 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5269 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5270 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5271 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5272 return( ret );
5273 }
5274 }
5275
Hanno Beckere41158b2017-10-23 13:30:32 +0100[diff] [blame]5276 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5277 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5278 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5279 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5280 if( ssl->f_get_timer != NULL &&
5281 ssl->f_get_timer( ssl->p_timer ) == -1 )
5282 {
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5283 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5284 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5285
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5286 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5287 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5288 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5289 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5290
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5291 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5292 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5293 }
5294
5295 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5296 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5297 {
5298 /*
5299 * OpenSSL sends empty messages to randomize the IV
5300 */
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5301 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5302 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5303 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5304 return( 0 );
5305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5306 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5307 return( ret );
5308 }
5309 }
5310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5311 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5312 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5314
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5315 /*
5316 * - For client-side, expect SERVER_HELLO_REQUEST.
5317 * - For server-side, expect CLIENT_HELLO.
5318 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5319 */
5320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5321#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5322 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5323 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5324 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5325 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5327
5328 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5329#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5330 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5331 {
5332 continue;
5333 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5334#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5335 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5336 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5337#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5338
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5339#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5340 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5341 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5342 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5344
5345 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5346#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5347 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5348 {
5349 continue;
5350 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5351#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5352 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5353 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5354#endif /* MBEDTLS_SSL_SRV_C */
5355
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5356#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5357 /* Determine whether renegotiation attempt should be accepted */
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5358 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5359 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5360 ssl->conf->allow_legacy_renegotiation ==
5361 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5362 {
5363 /*
5364 * Accept renegotiation request
5365 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5366
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5367 /* DTLS clients need to know renego is server-initiated */
5368#if defined(MBEDTLS_SSL_PROTO_DTLS)
5369 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5370 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5371 {
5372 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5373 }
5374#endif
Hanno Becker40cdaa12020-02-05 10:48:27 +0000[diff] [blame]5375 ret = mbedtls_ssl_start_renegotiation( ssl );
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5376 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5377 ret != 0 )
5378 {
Hanno Becker40cdaa12020-02-05 10:48:27 +0000[diff] [blame]5379 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5380 ret );
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5381 return( ret );
5382 }
5383 }
5384 else
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5385#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5386 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5387 /*
5388 * Refuse renegotiation
5389 */
5390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5391 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5393#if defined(MBEDTLS_SSL_PROTO_SSL3)
5394 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5395 {
Gilles Peskine92e44262017-05-10 17:27:49 +0200[diff] [blame]5396 /* SSLv3 does not have a "no_renegotiation" warning, so
5397 we send a fatal alert and abort the connection. */
5398 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5399 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5400 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5401 }
5402 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5403#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5404#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5405 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5406 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5407 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5408 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5409 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5410 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5411 {
5412 return( ret );
5413 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5414 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]5415 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5416#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
5417 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]5418 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5419 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5420 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]5421 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5422 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5423
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5424 /* At this point, we don't know whether the renegotiation has been
5425 * completed or not. The cases to consider are the following:
5426 * 1) The renegotiation is complete. In this case, no new record
5427 * has been read yet.
5428 * 2) The renegotiation is incomplete because the client received
5429 * an application data record while awaiting the ServerHello.
5430 * 3) The renegotiation is incomplete because the client received
5431 * a non-handshake, non-application data message while awaiting
5432 * the ServerHello.
5433 * In each of these case, looping will be the proper action:
5434 * - For 1), the next iteration will read a new record and check
5435 * if it's application data.
5436 * - For 2), the loop condition isn't satisfied as application data
5437 * is present, hence continue is the same as break
5438 * - For 3), the loop condition is satisfied and read_record
5439 * will re-deliver the message that was held back by the client
5440 * when expecting the ServerHello.
5441 */
5442 continue;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5443 }
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5444#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5445 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5446 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5447 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5448 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5449 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5450 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5451 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5452 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5453 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5454 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5455 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5456 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5457#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5459 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5460 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5461 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5462 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]5463 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5464 }
5465
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5466 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5467 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5469 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5470 }
5471
5472 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5473
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5474 /* We're going to return something now, cancel timer,
5475 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5476 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5477 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5478
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]5479#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5480 /* If we requested renego but received AppData, resend HelloRequest.
5481 * Do it now, after setting in_offt, to avoid taking this branch
5482 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5483#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5484 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5485 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5486 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5487 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5488 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5489 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5490 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5491 return( ret );
5492 }
5493 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5494#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5495#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5496 }
5497
5498 n = ( len < ssl->in_msglen )
5499 ? len : ssl->in_msglen;
5500
5501 memcpy( buf, ssl->in_offt, n );
5502 ssl->in_msglen -= n;
5503
5504 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5505 {
5506 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5507 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +0100[diff] [blame]5508 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5509 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5510 else
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5511 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5512 /* more data available */
5513 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5514 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5516 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5517
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5518 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5519}
5520
5521/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5522 * Send application data to be encrypted by the SSL layer, taking care of max
5523 * fragment length and buffer size.
5524 *
5525 * According to RFC 5246 Section 6.2.1:
5526 *
5527 * Zero-length fragments of Application data MAY be sent as they are
5528 * potentially useful as a traffic analysis countermeasure.
5529 *
5530 * Therefore, it is possible that the input message length is 0 and the
5531 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5532 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5533static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5534 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5535{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]5536 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5537 const size_t max_len = (size_t) ret;
5538
5539 if( ret < 0 )
5540 {
5541 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5542 return( ret );
5543 }
5544
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5545 if( len > max_len )
5546 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5547#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5548 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5549 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5551 "maximum fragment length: %d > %d",
5552 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5553 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5554 }
5555 else
5556#endif
5557 len = max_len;
5558 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5559
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5560 if( ssl->out_left != 0 )
5561 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5562 /*
5563 * The user has previously tried to send the data and
5564 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5565 * written. In this case, we expect the high-level write function
5566 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5567 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5568 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5569 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5570 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5571 return( ret );
5572 }
5573 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5574 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]5575 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5576 /*
5577 * The user is trying to send a message the first time, so we need to
5578 * copy the data into the internal buffers and setup the data structure
5579 * to keep track of partial writes
5580 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5581 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5582 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5583 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5584
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]5585 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5586 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5587 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5588 return( ret );
5589 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5590 }
5591
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5592 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5593}
5594
5595/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5596 * Write application data, doing 1/n-1 splitting if necessary.
5597 *
5598 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]5599 * then the caller will call us again with the same arguments, so
Hanno Becker2b187c42017-09-18 14:58:11 +0100[diff] [blame]5600 * remember whether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5601 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5602#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5603static int ssl_write_split( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5604 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5605{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5606 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5607
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]5608 if( ssl->conf->cbc_record_splitting ==
5609 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]5610 len <= 1 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5611 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
5612 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
5613 != MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5614 {
5615 return( ssl_write_real( ssl, buf, len ) );
5616 }
5617
5618 if( ssl->split_done == 0 )
5619 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5620 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5621 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5622 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5623 }
5624
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5625 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
5626 return( ret );
5627 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5628
5629 return( ret + 1 );
5630}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5631#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5632
5633/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5634 * Write application data (public-facing wrapper)
5635 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5636int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5637{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5638 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5639
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5640 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5641
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5642 if( ssl == NULL || ssl->conf == NULL )
5643 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5644
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5645#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5646 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5647 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5648 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5649 return( ret );
5650 }
5651#endif
5652
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5653 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5654 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5655 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5656 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +0200[diff] [blame]5657 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5658 return( ret );
5659 }
5660 }
5661
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5662#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5663 ret = ssl_write_split( ssl, buf, len );
5664#else
5665 ret = ssl_write_real( ssl, buf, len );
5666#endif
5667
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5668 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5669
5670 return( ret );
5671}
5672
5673/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5674 * Notify the peer that the connection is being closed
5675 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5676int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5677{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5678 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5679
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5680 if( ssl == NULL || ssl->conf == NULL )
5681 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5684
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5685 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5686 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5687
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5688 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5689 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5690 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5691 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5692 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5693 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5694 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5695 return( ret );
5696 }
5697 }
5698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5700
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5701 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5702}
5703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5704void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5705{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]5706 if( transform == NULL )
5707 return;
5708
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5709#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5710 deflateEnd( &transform->ctx_deflate );
5711 inflateEnd( &transform->ctx_inflate );
5712#endif
5713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5714 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5715 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +0200[diff] [blame]5716
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5717#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5718 mbedtls_md_free( &transform->md_ctx_enc );
5719 mbedtls_md_free( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5720#endif
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]5721
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]5722 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5723}
5724
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5725#if defined(MBEDTLS_SSL_PROTO_DTLS)
5726
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]5727void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5728{
5729 unsigned offset;
5730 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5731
5732 if( hs == NULL )
5733 return;
5734
Hanno Becker283f5ef2018-08-24 09:34:47 +0100[diff] [blame]5735 ssl_free_buffered_record( ssl );
5736
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5737 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5738 ssl_buffering_free_slot( ssl, offset );
5739}
5740
5741static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5742 uint8_t slot )
5743{
5744 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5745 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]5746
5747 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
5748 return;
5749
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5750 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5751 {
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5752 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +0100[diff] [blame]5753 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5754 mbedtls_free( hs_buf->data );
5755 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5756 }
5757}
5758
5759#endif /* MBEDTLS_SSL_PROTO_DTLS */
5760
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5761/*
5762 * Convert version numbers to/from wire format
5763 * and, for DTLS, to/from TLS equivalent.
5764 *
5765 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]5766 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5767 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
5768 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
5769 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5770void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5771 unsigned char ver[2] )
5772{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5773#if defined(MBEDTLS_SSL_PROTO_DTLS)
5774 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5775 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5776 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5777 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5778
5779 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
5780 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
5781 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5782 else
5783#else
5784 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5785#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5786 {
5787 ver[0] = (unsigned char) major;
5788 ver[1] = (unsigned char) minor;
5789 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5790}
5791
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5792void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5793 const unsigned char ver[2] )
5794{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5795#if defined(MBEDTLS_SSL_PROTO_DTLS)
5796 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5797 {
5798 *major = 255 - ver[0] + 2;
5799 *minor = 255 - ver[1] + 1;
5800
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5801 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5802 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5803 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5804 else
5805#else
5806 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5807#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5808 {
5809 *major = ver[0];
5810 *minor = ver[1];
5811 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5812}
5813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5814#endif /* MBEDTLS_SSL_TLS_C */