blob: a957482ce56383b8983b47f97d6d488d14152ec6 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002 * TLS shared functions
Paul Bakker5121ce52009-01-03 21:22:43 +00003 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +00005 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +00006 */
7/*
Paul Bakker5121ce52009-01-03 21:22:43 +00008 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
Harry Ramsey0f6bc412024-10-04 10:36:54 +010012#include "ssl_misc.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000013
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020014#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000015
SimonBd5800b72016-04-26 07:43:27 +010016#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +010017
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000018#include "mbedtls/ssl.h"
Ronald Cron9f0fba32022-02-10 16:45:15 +010019#include "ssl_client.h"
Ronald Cron27c85e72022-03-08 11:37:55 +010020#include "ssl_debug_helpers.h"
Max Fillingerbd81c9d2024-07-22 14:43:56 +020021#include "ssl_tls13_keys.h"
Andrzej Kurek25f27152022-08-17 16:09:31 -040022
Valerio Settib4f50762024-01-17 10:24:52 +010023#include "debug_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +000024#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050025#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +010026#include "mbedtls/version.h"
Gabor Mezei765862c2021-10-19 12:22:25 +020027#include "mbedtls/constant_time.h"
Paul Bakker0be444a2013-08-27 21:55:01 +020028
Rich Evans00ab4702015-02-06 13:43:58 +000029#include <string.h>
30
Valerio Setti384fbde2024-01-02 13:26:40 +010031#include "mbedtls/psa_util.h"
Manuel Pégourié-Gonnard02b10d82023-03-28 12:33:20 +020032#include "md_psa.h"
Manuel Pégourié-Gonnard2be8c632023-06-07 13:07:21 +020033#include "psa_util_internal.h"
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050034#include "psa/crypto.h"
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050035
Janos Follath23bdca02016-10-07 14:47:14 +010036#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000037#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020038#endif
39
Andrzej Kurek00644842023-05-30 05:45:00 -040040/* Define local translating functions to save code size by not using too many
41 * arguments in each translating place. */
42static int local_err_translation(psa_status_t status)
43{
44 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -040045 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -040046 psa_generic_status_to_mbedtls);
47}
48#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -050049
Ronald Cronad8c17b2022-06-10 17:18:09 +020050#if defined(MBEDTLS_TEST_HOOKS)
51static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
52
53void mbedtls_ssl_set_chk_buf_ptr_fail_args(
Gilles Peskine449bd832023-01-11 14:50:10 +010054 const uint8_t *cur, const uint8_t *end, size_t need)
Ronald Cronad8c17b2022-06-10 17:18:09 +020055{
56 chk_buf_ptr_fail_args.cur = cur;
57 chk_buf_ptr_fail_args.end = end;
58 chk_buf_ptr_fail_args.need = need;
59}
60
Gilles Peskine449bd832023-01-11 14:50:10 +010061void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
Ronald Cronad8c17b2022-06-10 17:18:09 +020062{
Gilles Peskine449bd832023-01-11 14:50:10 +010063 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
Ronald Cronad8c17b2022-06-10 17:18:09 +020064}
65
Gilles Peskine449bd832023-01-11 14:50:10 +010066int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
Ronald Cronad8c17b2022-06-10 17:18:09 +020067{
Gilles Peskine449bd832023-01-11 14:50:10 +010068 return (chk_buf_ptr_fail_args.cur != args->cur) ||
69 (chk_buf_ptr_fail_args.end != args->end) ||
70 (chk_buf_ptr_fail_args.need != args->need);
Ronald Cronad8c17b2022-06-10 17:18:09 +020071}
72#endif /* MBEDTLS_TEST_HOOKS */
73
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020074#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +010075
Hanno Beckera0e20d02019-05-15 14:03:01 +010076#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf8542cf2019-04-09 15:22:03 +010077/* Top-level Connection ID API */
78
Gilles Peskine449bd832023-01-11 14:50:10 +010079int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
80 size_t len,
81 int ignore_other_cid)
Hanno Beckerad4a1372019-05-03 13:06:44 +010082{
Gilles Peskine449bd832023-01-11 14:50:10 +010083 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
84 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
85 }
Hanno Beckerad4a1372019-05-03 13:06:44 +010086
Gilles Peskine449bd832023-01-11 14:50:10 +010087 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
88 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
89 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Becker611ac772019-05-14 11:45:26 +010090 }
91
92 conf->ignore_unexpected_cid = ignore_other_cid;
Hanno Beckerad4a1372019-05-03 13:06:44 +010093 conf->cid_len = len;
Gilles Peskine449bd832023-01-11 14:50:10 +010094 return 0;
Hanno Beckerad4a1372019-05-03 13:06:44 +010095}
96
Gilles Peskine449bd832023-01-11 14:50:10 +010097int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
98 int enable,
99 unsigned char const *own_cid,
100 size_t own_cid_len)
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100101{
Gilles Peskine449bd832023-01-11 14:50:10 +0100102 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
103 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
104 }
Hanno Becker76a79ab2019-05-03 14:38:32 +0100105
Hanno Beckerca092242019-04-25 16:01:49 +0100106 ssl->negotiate_cid = enable;
Gilles Peskine449bd832023-01-11 14:50:10 +0100107 if (enable == MBEDTLS_SSL_CID_DISABLED) {
108 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
109 return 0;
Hanno Beckerca092242019-04-25 16:01:49 +0100110 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100111 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
112 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
Hanno Beckerca092242019-04-25 16:01:49 +0100113
Gilles Peskine449bd832023-01-11 14:50:10 +0100114 if (own_cid_len != ssl->conf->cid_len) {
115 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
116 (unsigned) own_cid_len,
117 (unsigned) ssl->conf->cid_len));
118 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckerca092242019-04-25 16:01:49 +0100119 }
120
Gilles Peskine449bd832023-01-11 14:50:10 +0100121 memcpy(ssl->own_cid, own_cid, own_cid_len);
Hanno Beckerb7ee0cf2019-04-30 14:07:31 +0100122 /* Truncation is not an issue here because
123 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
124 ssl->own_cid_len = (uint8_t) own_cid_len;
Hanno Beckerca092242019-04-25 16:01:49 +0100125
Gilles Peskine449bd832023-01-11 14:50:10 +0100126 return 0;
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100127}
128
Gilles Peskine449bd832023-01-11 14:50:10 +0100129int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
130 int *enabled,
Sam Berry3504c882024-06-11 14:34:17 +0100131 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
Gilles Peskine449bd832023-01-11 14:50:10 +0100132 size_t *own_cid_len)
Paul Elliott0113cf12022-03-11 20:26:47 +0000133{
134 *enabled = MBEDTLS_SSL_CID_DISABLED;
135
Gilles Peskine449bd832023-01-11 14:50:10 +0100136 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
Paul Elliott0113cf12022-03-11 20:26:47 +0000139
140 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
141 * zero as this is indistinguishable from not requesting to use
142 * the CID extension. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100143 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
144 return 0;
145 }
Paul Elliott0113cf12022-03-11 20:26:47 +0000146
Gilles Peskine449bd832023-01-11 14:50:10 +0100147 if (own_cid_len != NULL) {
Paul Elliott0113cf12022-03-11 20:26:47 +0000148 *own_cid_len = ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100149 if (own_cid != NULL) {
150 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
151 }
Paul Elliott0113cf12022-03-11 20:26:47 +0000152 }
153
154 *enabled = MBEDTLS_SSL_CID_ENABLED;
155
Gilles Peskine449bd832023-01-11 14:50:10 +0100156 return 0;
Paul Elliott0113cf12022-03-11 20:26:47 +0000157}
158
Gilles Peskine449bd832023-01-11 14:50:10 +0100159int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
160 int *enabled,
161 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
162 size_t *peer_cid_len)
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100163{
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100164 *enabled = MBEDTLS_SSL_CID_DISABLED;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100165
Gilles Peskine449bd832023-01-11 14:50:10 +0100166 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
167 mbedtls_ssl_is_handshake_over(ssl) == 0) {
168 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Becker76a79ab2019-05-03 14:38:32 +0100169 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100170
Hanno Beckerc5f24222019-05-03 12:54:52 +0100171 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
172 * were used, but client and server requested the empty CID.
173 * This is indistinguishable from not using the CID extension
174 * in the first place. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100175 if (ssl->transform_in->in_cid_len == 0 &&
176 ssl->transform_in->out_cid_len == 0) {
177 return 0;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100178 }
179
Gilles Peskine449bd832023-01-11 14:50:10 +0100180 if (peer_cid_len != NULL) {
Hanno Becker615ef172019-05-22 16:50:35 +0100181 *peer_cid_len = ssl->transform_in->out_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100182 if (peer_cid != NULL) {
183 memcpy(peer_cid, ssl->transform_in->out_cid,
184 ssl->transform_in->out_cid_len);
Hanno Becker615ef172019-05-22 16:50:35 +0100185 }
186 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100187
188 *enabled = MBEDTLS_SSL_CID_ENABLED;
189
Gilles Peskine449bd832023-01-11 14:50:10 +0100190 return 0;
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100191}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100192#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200194#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200196#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200197/*
198 * Convert max_fragment_length codes to length.
199 * RFC 6066 says:
200 * enum{
201 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
202 * } MaxFragmentLength;
203 * and we add 0 -> extension unused
204 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100205static unsigned int ssl_mfl_code_to_length(int mfl)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200206{
Gilles Peskine449bd832023-01-11 14:50:10 +0100207 switch (mfl) {
208 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
209 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
210 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
211 return 512;
212 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
213 return 1024;
214 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
215 return 2048;
216 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
217 return 4096;
218 default:
219 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
Angus Grattond8213d02016-05-25 20:56:48 +1000220 }
221}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200222#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200223
Gilles Peskine449bd832023-01-11 14:50:10 +0100224int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
225 const mbedtls_ssl_session *src)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200226{
Gilles Peskine449bd832023-01-11 14:50:10 +0100227 mbedtls_ssl_session_free(dst);
228 memcpy(dst, src, sizeof(mbedtls_ssl_session));
吴敬辉0b716112021-11-29 10:46:35 +0800229#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
230 dst->ticket = NULL;
Xiaokang Qian87306442022-10-12 09:47:38 +0000231#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
232 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000233 dst->hostname = NULL;
吴敬辉0b716112021-11-29 10:46:35 +0800234#endif
Xiaokang Qian87306442022-10-12 09:47:38 +0000235#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
吴敬辉0b716112021-11-29 10:46:35 +0800236
Waleed Elmelegy4dfb0e72024-03-14 01:48:40 +0000237#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
238 defined(MBEDTLS_SSL_EARLY_DATA)
239 dst->ticket_alpn = NULL;
240#endif
241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200242#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000243
244#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100245 if (src->peer_cert != NULL) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000246 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200247
Gilles Peskine449bd832023-01-11 14:50:10 +0100248 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
249 if (dst->peer_cert == NULL) {
250 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
251 }
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200252
Gilles Peskine449bd832023-01-11 14:50:10 +0100253 mbedtls_x509_crt_init(dst->peer_cert);
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200254
Gilles Peskine449bd832023-01-11 14:50:10 +0100255 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
256 src->peer_cert->raw.len)) != 0) {
257 mbedtls_free(dst->peer_cert);
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200258 dst->peer_cert = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100259 return ret;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200260 }
261 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000262#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100263 if (src->peer_cert_digest != NULL) {
Hanno Becker9198ad12019-02-05 17:00:50 +0000264 dst->peer_cert_digest =
Gilles Peskine449bd832023-01-11 14:50:10 +0100265 mbedtls_calloc(1, src->peer_cert_digest_len);
266 if (dst->peer_cert_digest == NULL) {
267 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
268 }
Hanno Becker9198ad12019-02-05 17:00:50 +0000269
Gilles Peskine449bd832023-01-11 14:50:10 +0100270 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
271 src->peer_cert_digest_len);
Hanno Becker9198ad12019-02-05 17:00:50 +0000272 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000273 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000274 }
275#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200277#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200278
Waleed Elmelegy4dfb0e72024-03-14 01:48:40 +0000279#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
280 defined(MBEDTLS_SSL_EARLY_DATA)
281 {
282 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
283 if (ret != 0) {
284 return ret;
285 }
286 }
287#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
288
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200289#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100290 if (src->ticket != NULL) {
291 dst->ticket = mbedtls_calloc(1, src->ticket_len);
292 if (dst->ticket == NULL) {
293 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
294 }
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200295
Gilles Peskine449bd832023-01-11 14:50:10 +0100296 memcpy(dst->ticket, src->ticket, src->ticket_len);
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200297 }
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000298
299#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
300 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100301 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100303 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
304 if (ret != 0) {
305 return ret;
306 }
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000307 }
308#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
309 MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200310#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200311
Gilles Peskine449bd832023-01-11 14:50:10 +0100312 return 0;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200313}
314
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500315#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200316MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100317static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500318{
Gilles Peskine449bd832023-01-11 14:50:10 +0100319 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
320 if (resized_buffer == NULL) {
Yanray Wang365ee3e2023-11-22 10:28:28 +0800321 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100322 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500323
324 /* We want to copy len_new bytes when downsizing the buffer, and
325 * len_old bytes when upsizing, so we choose the smaller of two sizes,
326 * to fit one buffer into another. Size checks, ensuring that no data is
327 * lost, are done outside of this function. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100328 memcpy(resized_buffer, *buffer,
329 (len_new < *len_old) ? len_new : *len_old);
Tom Cosgroveca8c61b2023-07-17 15:17:40 +0100330 mbedtls_zeroize_and_free(*buffer, *len_old);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500331
332 *buffer = resized_buffer;
333 *len_old = len_new;
334
335 return 0;
336}
Andrzej Kurek4a063792020-10-21 15:08:44 +0200337
Gilles Peskine449bd832023-01-11 14:50:10 +0100338static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
339 size_t in_buf_new_len,
340 size_t out_buf_new_len)
Andrzej Kurek4a063792020-10-21 15:08:44 +0200341{
342 int modified = 0;
Deomid rojer Ryabkovac2cf1f2024-03-10 02:11:03 +0000343 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
Andrzej Kurek4a063792020-10-21 15:08:44 +0200344 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100345 if (ssl->in_buf != NULL) {
Andrzej Kurek4a063792020-10-21 15:08:44 +0200346 written_in = ssl->in_msg - ssl->in_buf;
347 iv_offset_in = ssl->in_iv - ssl->in_buf;
348 len_offset_in = ssl->in_len - ssl->in_buf;
Deomid rojer Ryabkovac2cf1f2024-03-10 02:11:03 +0000349 hdr_in = ssl->in_hdr - ssl->in_buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100350 if (downsizing ?
Andrzej Kurek4a063792020-10-21 15:08:44 +0200351 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
Gilles Peskine449bd832023-01-11 14:50:10 +0100352 ssl->in_buf_len < in_buf_new_len) {
353 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
354 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
355 } else {
356 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
357 in_buf_new_len));
Andrzej Kurek4a063792020-10-21 15:08:44 +0200358 modified = 1;
359 }
360 }
361 }
362
Gilles Peskine449bd832023-01-11 14:50:10 +0100363 if (ssl->out_buf != NULL) {
Andrzej Kurek4a063792020-10-21 15:08:44 +0200364 written_out = ssl->out_msg - ssl->out_buf;
365 iv_offset_out = ssl->out_iv - ssl->out_buf;
366 len_offset_out = ssl->out_len - ssl->out_buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100367 if (downsizing ?
Andrzej Kurek4a063792020-10-21 15:08:44 +0200368 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
Gilles Peskine449bd832023-01-11 14:50:10 +0100369 ssl->out_buf_len < out_buf_new_len) {
370 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
371 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
372 } else {
373 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
374 out_buf_new_len));
Andrzej Kurek4a063792020-10-21 15:08:44 +0200375 modified = 1;
376 }
377 }
378 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100379 if (modified) {
Andrzej Kurek4a063792020-10-21 15:08:44 +0200380 /* Update pointers here to avoid doing it twice. */
Deomid rojer Ryabkovac2cf1f2024-03-10 02:11:03 +0000381 ssl->in_hdr = ssl->in_buf + hdr_in;
382 mbedtls_ssl_update_in_pointers(ssl);
383 mbedtls_ssl_reset_out_pointers(ssl);
384
Andrzej Kurek4a063792020-10-21 15:08:44 +0200385 /* Fields below might not be properly updated with record
386 * splitting or with CID, so they are manually updated here. */
387 ssl->out_msg = ssl->out_buf + written_out;
388 ssl->out_len = ssl->out_buf + len_offset_out;
389 ssl->out_iv = ssl->out_buf + iv_offset_out;
390
391 ssl->in_msg = ssl->in_buf + written_in;
392 ssl->in_len = ssl->in_buf + len_offset_in;
393 ssl->in_iv = ssl->in_buf + iv_offset_in;
394 }
395}
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500396#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
397
Jerry Yudb8c48a2022-01-27 14:54:54 +0800398#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yued14c932022-02-17 13:40:45 +0800399
400#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100401typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
402 const char *label,
403 const unsigned char *random, size_t rlen,
404 unsigned char *dstbuf, size_t dlen);
Jerry Yued14c932022-02-17 13:40:45 +0800405
Gilles Peskine449bd832023-01-11 14:50:10 +0100406static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
Jerry Yued14c932022-02-17 13:40:45 +0800407
408#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
409
410/* Type for the TLS PRF */
411typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
412 const unsigned char *, size_t,
413 unsigned char *, size_t);
414
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200415MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100416static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
417 int ciphersuite,
418 const unsigned char master[48],
Neil Armstrongf2c82f02022-04-05 11:16:53 +0200419#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100420 int encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +0200421#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +0100422 ssl_tls_prf_t tls_prf,
423 const unsigned char randbytes[64],
424 mbedtls_ssl_protocol_version tls_version,
425 unsigned endpoint,
426 const mbedtls_ssl_context *ssl);
Jerry Yued14c932022-02-17 13:40:45 +0800427
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100428#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200429MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100430static int tls_prf_sha256(const unsigned char *secret, size_t slen,
Ron Eldor51d3ab52019-05-12 14:54:30 +0300431 const char *label,
432 const unsigned char *random, size_t rlen,
Gilles Peskine449bd832023-01-11 14:50:10 +0100433 unsigned char *dstbuf, size_t dlen);
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100434static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
435static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
Gilles Peskine449bd832023-01-11 14:50:10 +0100436
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100437#endif /* PSA_WANT_ALG_SHA_256*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100438
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100439#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +0100440MBEDTLS_CHECK_RETURN_CRITICAL
441static int tls_prf_sha384(const unsigned char *secret, size_t slen,
442 const char *label,
443 const unsigned char *random, size_t rlen,
444 unsigned char *dstbuf, size_t dlen);
445
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100446static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
447static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100448#endif /* PSA_WANT_ALG_SHA_384*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100449
Gilles Peskine449bd832023-01-11 14:50:10 +0100450MBEDTLS_CHECK_RETURN_CRITICAL
451static int ssl_tls12_session_load(mbedtls_ssl_session *session,
452 const unsigned char *buf,
453 size_t len);
454#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
455
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100456static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
Gilles Peskine449bd832023-01-11 14:50:10 +0100457
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100458#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100459static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100460#endif /* PSA_WANT_ALG_SHA_256*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100461
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100462#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100463static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100464#endif /* PSA_WANT_ALG_SHA_384*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100465
466int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
467 const unsigned char *secret, size_t slen,
468 const char *label,
469 const unsigned char *random, size_t rlen,
470 unsigned char *dstbuf, size_t dlen)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300471{
472 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
473
Gilles Peskine449bd832023-01-11 14:50:10 +0100474 switch (prf) {
Ron Eldord2f25f72019-05-15 14:54:22 +0300475#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100476#if defined(PSA_WANT_ALG_SHA_384)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300477 case MBEDTLS_SSL_TLS_PRF_SHA384:
478 tls_prf = tls_prf_sha384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100479 break;
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100480#endif /* PSA_WANT_ALG_SHA_384*/
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100481#if defined(PSA_WANT_ALG_SHA_256)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300482 case MBEDTLS_SSL_TLS_PRF_SHA256:
483 tls_prf = tls_prf_sha256;
Gilles Peskine449bd832023-01-11 14:50:10 +0100484 break;
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100485#endif /* PSA_WANT_ALG_SHA_256*/
Ron Eldord2f25f72019-05-15 14:54:22 +0300486#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100487 default:
488 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Ron Eldor51d3ab52019-05-12 14:54:30 +0300489 }
490
Gilles Peskine449bd832023-01-11 14:50:10 +0100491 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
Ron Eldor51d3ab52019-05-12 14:54:30 +0300492}
493
Jerry Yuc73c6182022-02-08 20:29:25 +0800494#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100495static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
Jerry Yuc73c6182022-02-08 20:29:25 +0800496{
497#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100498 if (session->peer_cert != NULL) {
499 mbedtls_x509_crt_free(session->peer_cert);
500 mbedtls_free(session->peer_cert);
Jerry Yuc73c6182022-02-08 20:29:25 +0800501 session->peer_cert = NULL;
502 }
503#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100504 if (session->peer_cert_digest != NULL) {
Jerry Yuc73c6182022-02-08 20:29:25 +0800505 /* Zeroization is not necessary. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100506 mbedtls_free(session->peer_cert_digest);
Jerry Yuc73c6182022-02-08 20:29:25 +0800507 session->peer_cert_digest = NULL;
508 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
509 session->peer_cert_digest_len = 0;
510 }
511#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
512}
513#endif /* MBEDTLS_X509_CRT_PARSE_C */
514
Gilles Peskine449bd832023-01-11 14:50:10 +0100515uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
Jerry Yu7a485c12022-10-31 13:08:18 +0800516{
Gilles Peskine449bd832023-01-11 14:50:10 +0100517 switch (extension_type) {
Jerry Yu7a485c12022-10-31 13:08:18 +0800518 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100519 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
Jerry Yu7a485c12022-10-31 13:08:18 +0800520
521 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100522 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
Jerry Yu7a485c12022-10-31 13:08:18 +0800523
524 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100525 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
Jerry Yu7a485c12022-10-31 13:08:18 +0800526
527 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100528 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800529
530 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100531 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
Jerry Yu7a485c12022-10-31 13:08:18 +0800532
533 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100534 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
Jerry Yu7a485c12022-10-31 13:08:18 +0800535
536 case MBEDTLS_TLS_EXT_HEARTBEAT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100537 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
Jerry Yu7a485c12022-10-31 13:08:18 +0800538
539 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100540 return MBEDTLS_SSL_EXT_ID_ALPN;
Jerry Yu7a485c12022-10-31 13:08:18 +0800541
542 case MBEDTLS_TLS_EXT_SCT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100543 return MBEDTLS_SSL_EXT_ID_SCT;
Jerry Yu7a485c12022-10-31 13:08:18 +0800544
545 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100546 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800547
548 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100549 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800550
551 case MBEDTLS_TLS_EXT_PADDING:
Gilles Peskine449bd832023-01-11 14:50:10 +0100552 return MBEDTLS_SSL_EXT_ID_PADDING;
Jerry Yu7a485c12022-10-31 13:08:18 +0800553
554 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100555 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
Jerry Yu7a485c12022-10-31 13:08:18 +0800556
557 case MBEDTLS_TLS_EXT_EARLY_DATA:
Gilles Peskine449bd832023-01-11 14:50:10 +0100558 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
Jerry Yu7a485c12022-10-31 13:08:18 +0800559
560 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100561 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800562
563 case MBEDTLS_TLS_EXT_COOKIE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100564 return MBEDTLS_SSL_EXT_ID_COOKIE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800565
566 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
Gilles Peskine449bd832023-01-11 14:50:10 +0100567 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
Jerry Yu7a485c12022-10-31 13:08:18 +0800568
569 case MBEDTLS_TLS_EXT_CERT_AUTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100570 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
Jerry Yu7a485c12022-10-31 13:08:18 +0800571
572 case MBEDTLS_TLS_EXT_OID_FILTERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100573 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800574
575 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100576 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
Jerry Yu7a485c12022-10-31 13:08:18 +0800577
578 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100579 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
Jerry Yu7a485c12022-10-31 13:08:18 +0800580
581 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100582 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800583
584 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100585 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
Jerry Yu7a485c12022-10-31 13:08:18 +0800586
587 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100588 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800589
590 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100591 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
Jerry Yu7a485c12022-10-31 13:08:18 +0800592
593 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100594 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
Jerry Yu7a485c12022-10-31 13:08:18 +0800595
Jan Bruckner151f6422023-02-10 12:45:19 +0100596 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
597 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
598
Jerry Yu7a485c12022-10-31 13:08:18 +0800599 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100600 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
Jerry Yu7a485c12022-10-31 13:08:18 +0800601
602 }
603
Gilles Peskine449bd832023-01-11 14:50:10 +0100604 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
Jerry Yu7a485c12022-10-31 13:08:18 +0800605}
606
Gilles Peskine449bd832023-01-11 14:50:10 +0100607uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
Jerry Yu7a485c12022-10-31 13:08:18 +0800608{
Gilles Peskine449bd832023-01-11 14:50:10 +0100609 return 1 << mbedtls_ssl_get_extension_id(extension_type);
Jerry Yu7a485c12022-10-31 13:08:18 +0800610}
611
Jerry Yud25cab02022-10-31 12:48:30 +0800612#if defined(MBEDTLS_DEBUG_C)
613static const char *extension_name_table[] = {
Jerry Yuea52ed92022-11-08 21:01:17 +0800614 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
Jerry Yud25cab02022-10-31 12:48:30 +0800615 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
616 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
617 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
618 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
619 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
620 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
621 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
622 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
623 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
624 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
625 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
626 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
627 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
628 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
629 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
630 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
631 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
632 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
633 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
634 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
635 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
636 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
637 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
639 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
640 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
Jan Bruckner151f6422023-02-10 12:45:19 +0100641 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
642 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
Jerry Yud25cab02022-10-31 12:48:30 +0800643};
644
Chien Wong4e9683e2023-12-28 17:07:43 +0800645static const unsigned int extension_type_table[] = {
Jerry Yud25cab02022-10-31 12:48:30 +0800646 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
647 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
648 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
649 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
650 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
651 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
652 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
653 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
654 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
655 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
656 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
657 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
658 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
659 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
660 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
661 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
662 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
663 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
664 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
665 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
666 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
667 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
668 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
669 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
670 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
671 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
672 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
Jan Bruckner151f6422023-02-10 12:45:19 +0100673 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
674 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
Jerry Yud25cab02022-10-31 12:48:30 +0800675};
676
Gilles Peskine449bd832023-01-11 14:50:10 +0100677const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
Jerry Yud25cab02022-10-31 12:48:30 +0800678{
Gilles Peskine449bd832023-01-11 14:50:10 +0100679 return extension_name_table[
680 mbedtls_ssl_get_extension_id(extension_type)];
Jerry Yud25cab02022-10-31 12:48:30 +0800681}
682
Gilles Peskine449bd832023-01-11 14:50:10 +0100683static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
Jerry Yud25cab02022-10-31 12:48:30 +0800684{
Gilles Peskine449bd832023-01-11 14:50:10 +0100685 switch (hs_msg_type) {
Jerry Yud25cab02022-10-31 12:48:30 +0800686 case MBEDTLS_SSL_HS_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100687 return "ClientHello";
Jerry Yud25cab02022-10-31 12:48:30 +0800688 case MBEDTLS_SSL_HS_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100689 return "ServerHello";
Jerry Yud25cab02022-10-31 12:48:30 +0800690 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100691 return "HelloRetryRequest";
Jerry Yud25cab02022-10-31 12:48:30 +0800692 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100693 return "NewSessionTicket";
Jerry Yud25cab02022-10-31 12:48:30 +0800694 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100695 return "EncryptedExtensions";
Jerry Yud25cab02022-10-31 12:48:30 +0800696 case MBEDTLS_SSL_HS_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100697 return "Certificate";
Jerry Yud25cab02022-10-31 12:48:30 +0800698 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100699 return "CertificateRequest";
Jerry Yud25cab02022-10-31 12:48:30 +0800700 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100701 return "Unknown";
Jerry Yud25cab02022-10-31 12:48:30 +0800702}
703
Gilles Peskine449bd832023-01-11 14:50:10 +0100704void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
705 int level, const char *file, int line,
706 int hs_msg_type, unsigned int extension_type,
707 const char *extra_msg0, const char *extra_msg1)
Jerry Yud25cab02022-10-31 12:48:30 +0800708{
709 const char *extra_msg;
Gilles Peskine449bd832023-01-11 14:50:10 +0100710 if (extra_msg0 && extra_msg1) {
Jerry Yud25cab02022-10-31 12:48:30 +0800711 mbedtls_debug_print_msg(
712 ssl, level, file, line,
713 "%s: %s(%u) extension %s %s.",
Gilles Peskine449bd832023-01-11 14:50:10 +0100714 ssl_tls13_get_hs_msg_name(hs_msg_type),
715 mbedtls_ssl_get_extension_name(extension_type),
Jerry Yud25cab02022-10-31 12:48:30 +0800716 extension_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100717 extra_msg0, extra_msg1);
Jerry Yud25cab02022-10-31 12:48:30 +0800718 return;
719 }
720
721 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100722 if (extra_msg) {
Jerry Yud25cab02022-10-31 12:48:30 +0800723 mbedtls_debug_print_msg(
724 ssl, level, file, line,
Gilles Peskine449bd832023-01-11 14:50:10 +0100725 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
726 mbedtls_ssl_get_extension_name(extension_type), extension_type,
727 extra_msg);
Jerry Yud25cab02022-10-31 12:48:30 +0800728 return;
729 }
730
731 mbedtls_debug_print_msg(
732 ssl, level, file, line,
Gilles Peskine449bd832023-01-11 14:50:10 +0100733 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
734 mbedtls_ssl_get_extension_name(extension_type), extension_type);
Jerry Yud25cab02022-10-31 12:48:30 +0800735}
736
Gilles Peskine449bd832023-01-11 14:50:10 +0100737void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
738 int level, const char *file, int line,
739 int hs_msg_type, uint32_t extensions_mask,
740 const char *extra)
Jerry Yud25cab02022-10-31 12:48:30 +0800741{
742
Gilles Peskine449bd832023-01-11 14:50:10 +0100743 for (unsigned i = 0;
744 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
745 i++) {
Jerry Yu79aa7212022-11-08 21:30:21 +0800746 mbedtls_ssl_print_extension(
Jerry Yuea52ed92022-11-08 21:01:17 +0800747 ssl, level, file, line, hs_msg_type, extension_type_table[i],
Gilles Peskine449bd832023-01-11 14:50:10 +0100748 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
Jerry Yud25cab02022-10-31 12:48:30 +0800749 }
750}
751
Pengyu Lvee455c02023-01-12 14:37:24 +0800752#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Pengyu Lvee455c02023-01-12 14:37:24 +0800753static const char *ticket_flag_name_table[] =
754{
755 [0] = "ALLOW_PSK_RESUMPTION",
756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
757 [3] = "ALLOW_EARLY_DATA",
758};
759
Pengyu Lv4938a562023-01-16 11:28:49 +0800760void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
761 int level, const char *file, int line,
762 unsigned int flags)
Pengyu Lvee455c02023-01-12 14:37:24 +0800763{
764 size_t i;
765
766 mbedtls_debug_print_msg(ssl, level, file, line,
Pengyu Lv4938a562023-01-16 11:28:49 +0800767 "print ticket_flags (0x%02x)", flags);
768
769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
Pengyu Lvee455c02023-01-12 14:37:24 +0800770
771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
Pengyu Lv4938a562023-01-16 11:28:49 +0800772 if ((flags & (1 << i))) {
Pengyu Lvee455c02023-01-12 14:37:24 +0800773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
774 ticket_flag_name_table[i]);
775 }
776 }
777}
778#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
779
Jerry Yud25cab02022-10-31 12:48:30 +0800780#endif /* MBEDTLS_DEBUG_C */
781
Gilles Peskine449bd832023-01-11 14:50:10 +0100782void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Jerry Yuc73c6182022-02-08 20:29:25 +0800784{
785 ((void) ciphersuite_info);
786
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100787#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +0100788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Jerry Yuc73c6182022-02-08 20:29:25 +0800789 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100790 } else
Jerry Yuc73c6182022-02-08 20:29:25 +0800791#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100792#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +0100793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
Jerry Yuc73c6182022-02-08 20:29:25 +0800794 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Gilles Peskine449bd832023-01-11 14:50:10 +0100795 } else
Jerry Yuc73c6182022-02-08 20:29:25 +0800796#endif
797 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Jerry Yuc73c6182022-02-08 20:29:25 +0800799 return;
800 }
801}
802
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100803int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100804 unsigned hs_type,
805 size_t total_hs_len)
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100806{
807 unsigned char hs_hdr[4];
808
809 /* Build HS header for checksum update. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100814
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100816}
817
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100818int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100819 unsigned hs_type,
820 unsigned char const *msg,
821 size_t msg_len)
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100822{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100823 int ret;
824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100825 if (ret != 0) {
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100826 return ret;
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100827 }
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100828 return ssl->handshake->update_checksum(ssl, msg, msg_len);
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100829}
830
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100831int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
Jerry Yuc73c6182022-02-08 20:29:25 +0800832{
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100833#if defined(PSA_WANT_ALG_SHA_256) || \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100834 defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100835 psa_status_t status;
Manuel Pégourié-Gonnard626aaed2023-02-06 22:03:06 +0100836#else /* SHA-256 or SHA-384 */
Jerry Yuc73c6182022-02-08 20:29:25 +0800837 ((void) ssl);
Manuel Pégourié-Gonnard626aaed2023-02-06 22:03:06 +0100838#endif /* SHA-256 or SHA-384 */
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100839#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100840 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
841 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200842 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100843 }
844 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
845 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200846 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100847 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800848#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100849#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100850 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
851 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200852 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100853 }
854 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
855 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200856 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100857 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800858#endif
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100859 return 0;
Jerry Yuc73c6182022-02-08 20:29:25 +0800860}
861
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100862static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100863 const unsigned char *buf, size_t len)
Jerry Yuc73c6182022-02-08 20:29:25 +0800864{
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100865#if defined(PSA_WANT_ALG_SHA_256) || \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100866 defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100867 psa_status_t status;
Manuel Pégourié-Gonnard626aaed2023-02-06 22:03:06 +0100868#else /* SHA-256 or SHA-384 */
869 ((void) ssl);
870 (void) buf;
871 (void) len;
872#endif /* SHA-256 or SHA-384 */
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100873#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100874 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
875 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200876 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100877 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800878#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100879#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100880 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
881 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200882 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100883 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800884#endif
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100885 return 0;
Jerry Yuc73c6182022-02-08 20:29:25 +0800886}
887
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100888#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100889static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100890 const unsigned char *buf, size_t len)
Jerry Yuc73c6182022-02-08 20:29:25 +0800891{
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200892 return mbedtls_md_error_from_psa(psa_hash_update(
893 &ssl->handshake->fin_sha256_psa, buf, len));
Jerry Yuc73c6182022-02-08 20:29:25 +0800894}
895#endif
896
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100897#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100898static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100899 const unsigned char *buf, size_t len)
Jerry Yuc73c6182022-02-08 20:29:25 +0800900{
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200901 return mbedtls_md_error_from_psa(psa_hash_update(
902 &ssl->handshake->fin_sha384_psa, buf, len));
Jerry Yuc73c6182022-02-08 20:29:25 +0800903}
904#endif
905
Gilles Peskine449bd832023-01-11 14:50:10 +0100906static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200907{
Gilles Peskine449bd832023-01-11 14:50:10 +0100908 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200909
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100910#if defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500911 handshake->fin_sha256_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500912#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100913#if defined(PSA_WANT_ALG_SHA_384)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500914 handshake->fin_sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500915#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200916
917 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +0100918
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200919#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200920 handshake->psa_pake_ctx = psa_pake_operation_init();
921 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200922#if defined(MBEDTLS_SSL_CLI_C)
923 handshake->ecjpake_cache = NULL;
924 handshake->ecjpake_cache_len = 0;
925#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200926#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200927
Gilles Peskineeccd8882020-03-10 12:19:08 +0100928#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100929 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200930#endif
931
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200932#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
933 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
934#endif
Hanno Becker75173122019-02-06 16:18:31 +0000935
936#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
937 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100938 mbedtls_pk_init(&handshake->peer_pubkey);
Hanno Becker75173122019-02-06 16:18:31 +0000939#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200940}
941
Gilles Peskine449bd832023-01-11 14:50:10 +0100942void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200943{
Gilles Peskine449bd832023-01-11 14:50:10 +0100944 memset(transform, 0, sizeof(mbedtls_ssl_transform));
Paul Bakker84bbeb52014-07-01 14:53:22 +0200945
Przemyslaw Stekiel8f80fb92022-01-11 08:28:13 +0100946 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
947 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
Przemyslaw Stekiel8f80fb92022-01-11 08:28:13 +0100948
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000949#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Neil Armstrong39b8e7d2022-02-23 09:24:45 +0100950 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
951 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongcf8841a2022-02-24 11:17:45 +0100952#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200953}
954
Gilles Peskine449bd832023-01-11 14:50:10 +0100955void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200956{
Gilles Peskine449bd832023-01-11 14:50:10 +0100957 memset(session, 0, sizeof(mbedtls_ssl_session));
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200958}
959
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200960MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100961static int ssl_handshake_init(mbedtls_ssl_context *ssl)
Paul Bakker48916f92012-09-16 19:57:18 +0000962{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100963 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
964
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200965 /* Clear old handshake information if present */
Jerry Yu2e199812022-12-01 18:57:19 +0800966#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +0100967 if (ssl->transform_negotiate) {
968 mbedtls_ssl_transform_free(ssl->transform_negotiate);
969 }
Jerry Yu2e199812022-12-01 18:57:19 +0800970#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100971 if (ssl->session_negotiate) {
972 mbedtls_ssl_session_free(ssl->session_negotiate);
973 }
974 if (ssl->handshake) {
975 mbedtls_ssl_handshake_free(ssl);
976 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200977
Jerry Yu2e199812022-12-01 18:57:19 +0800978#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200979 /*
980 * Either the pointers are now NULL or cleared properly and can be freed.
981 * Now allocate missing structures.
982 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100983 if (ssl->transform_negotiate == NULL) {
984 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200985 }
Jerry Yu2e199812022-12-01 18:57:19 +0800986#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker48916f92012-09-16 19:57:18 +0000987
Gilles Peskine449bd832023-01-11 14:50:10 +0100988 if (ssl->session_negotiate == NULL) {
989 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200990 }
Paul Bakker48916f92012-09-16 19:57:18 +0000991
Gilles Peskine449bd832023-01-11 14:50:10 +0100992 if (ssl->handshake == NULL) {
993 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200994 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500995#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
996 /* If the buffers are too small - reallocate */
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400997
Gilles Peskine449bd832023-01-11 14:50:10 +0100998 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
999 MBEDTLS_SSL_OUT_BUFFER_LEN);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05001000#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001001
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001002 /* All pointers should exist and can be directly freed without issue */
Gilles Peskine449bd832023-01-11 14:50:10 +01001003 if (ssl->handshake == NULL ||
Jerry Yu2e199812022-12-01 18:57:19 +08001004#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker48916f92012-09-16 19:57:18 +00001005 ssl->transform_negotiate == NULL ||
Jerry Yu2e199812022-12-01 18:57:19 +08001006#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001007 ssl->session_negotiate == NULL) {
1008 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001009
Gilles Peskine449bd832023-01-11 14:50:10 +01001010 mbedtls_free(ssl->handshake);
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001011 ssl->handshake = NULL;
Jerry Yu2e199812022-12-01 18:57:19 +08001012
1013#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001014 mbedtls_free(ssl->transform_negotiate);
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001015 ssl->transform_negotiate = NULL;
Jerry Yu2e199812022-12-01 18:57:19 +08001016#endif
1017
Gilles Peskine449bd832023-01-11 14:50:10 +01001018 mbedtls_free(ssl->session_negotiate);
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001019 ssl->session_negotiate = NULL;
1020
Gilles Peskine449bd832023-01-11 14:50:10 +01001021 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Paul Bakker48916f92012-09-16 19:57:18 +00001022 }
1023
Jerry Yu4caf3ca2023-11-15 16:13:47 +08001024#if defined(MBEDTLS_SSL_EARLY_DATA)
1025#if defined(MBEDTLS_SSL_CLI_C)
Ronald Cron05d7cfb2024-03-03 15:39:30 +01001026 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
Ronald Cron5d0ae902024-01-05 14:20:35 +01001027#endif
Jerry Yu4caf3ca2023-11-15 16:13:47 +08001028#if defined(MBEDTLS_SSL_SRV_C)
1029 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1030#endif
Ronald Cron19bfe0a2024-02-26 16:43:01 +01001031 ssl->total_early_data_size = 0;
Jerry Yu4caf3ca2023-11-15 16:13:47 +08001032#endif /* MBEDTLS_SSL_EARLY_DATA */
Ronald Cron5d0ae902024-01-05 14:20:35 +01001033
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001034 /* Initialize structures */
Gilles Peskine449bd832023-01-11 14:50:10 +01001035 mbedtls_ssl_session_init(ssl->session_negotiate);
1036 ssl_handshake_params_init(ssl->handshake);
Paul Bakker968afaa2014-07-09 11:09:24 +02001037
Jerry Yu2e199812022-12-01 18:57:19 +08001038#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001039 mbedtls_ssl_transform_init(ssl->transform_negotiate);
Jerry Yu2e199812022-12-01 18:57:19 +08001040#endif
1041
Manuel Pégourié-Gonnard537f2312023-02-05 10:17:45 +01001042 /* Setup handshake checksums */
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01001043 ret = mbedtls_ssl_reset_checksum(ssl);
1044 if (ret != 0) {
1045 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1046 return ret;
1047 }
Manuel Pégourié-Gonnard537f2312023-02-05 10:17:45 +01001048
Jerry Yud0766ec2022-09-22 10:46:57 +08001049#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1050 defined(MBEDTLS_SSL_SRV_C) && \
1051 defined(MBEDTLS_SSL_SESSION_TICKETS)
1052 ssl->handshake->new_session_tickets_count =
Gilles Peskine449bd832023-01-11 14:50:10 +01001053 ssl->conf->new_session_tickets_count;
Jerry Yud0766ec2022-09-22 10:46:57 +08001054#endif
1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001056#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01001057 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001058 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02001059
Gilles Peskine449bd832023-01-11 14:50:10 +01001060 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001061 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Gilles Peskine449bd832023-01-11 14:50:10 +01001062 } else {
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001063 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Gilles Peskine449bd832023-01-11 14:50:10 +01001064 }
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001065
Gilles Peskine449bd832023-01-11 14:50:10 +01001066 mbedtls_ssl_set_timer(ssl, 0);
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001067 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02001068#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001069 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +00001070}
1071
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001072#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001073/* Dummy cookie callbacks for defaults */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001074MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001075static int ssl_cookie_write_dummy(void *ctx,
1076 unsigned char **p, unsigned char *end,
1077 const unsigned char *cli_id, size_t cli_id_len)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001078{
1079 ((void) ctx);
1080 ((void) p);
1081 ((void) end);
1082 ((void) cli_id);
1083 ((void) cli_id_len);
1084
Gilles Peskine449bd832023-01-11 14:50:10 +01001085 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001086}
1087
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001088MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001089static int ssl_cookie_check_dummy(void *ctx,
1090 const unsigned char *cookie, size_t cookie_len,
1091 const unsigned char *cli_id, size_t cli_id_len)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001092{
1093 ((void) ctx);
1094 ((void) cookie);
1095 ((void) cookie_len);
1096 ((void) cli_id);
1097 ((void) cli_id_len);
1098
Gilles Peskine449bd832023-01-11 14:50:10 +01001099 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001100}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001101#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001102
Paul Bakker5121ce52009-01-03 21:22:43 +00001103/*
1104 * Initialize an SSL context
1105 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001106void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02001107{
Gilles Peskine449bd832023-01-11 14:50:10 +01001108 memset(ssl, 0, sizeof(mbedtls_ssl_context));
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02001109}
1110
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001111MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001112static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
Jerry Yu60835a82021-08-04 10:13:52 +08001113{
Ronald Cron086ee0b2022-03-15 15:18:51 +01001114 const mbedtls_ssl_config *conf = ssl->conf;
1115
Ronald Cron6f135e12021-12-08 16:57:54 +01001116#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001117 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1118 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1119 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1120 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQianed582dd2022-04-13 08:21:05 +00001121 }
1122
Gilles Peskine449bd832023-01-11 14:50:10 +01001123 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1124 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001125 }
1126#endif
1127
1128#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001129 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1130 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1131 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001132 }
1133#endif
1134
Ronald Cron6f135e12021-12-08 16:57:54 +01001135#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001136 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1137 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1138 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1139 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQianed582dd2022-04-13 08:21:05 +00001140 }
1141
Gilles Peskine449bd832023-01-11 14:50:10 +01001142 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1143 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001144 }
1145#endif
1146
Gilles Peskine449bd832023-01-11 14:50:10 +01001147 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1148 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Jerry Yu60835a82021-08-04 10:13:52 +08001149}
1150
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001151MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu60835a82021-08-04 10:13:52 +08001152static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1153{
1154 int ret;
Gilles Peskine449bd832023-01-11 14:50:10 +01001155 ret = ssl_conf_version_check(ssl);
1156 if (ret != 0) {
1157 return ret;
1158 }
Jerry Yu60835a82021-08-04 10:13:52 +08001159
1160 /* Space for further checks */
1161
Gilles Peskine449bd832023-01-11 14:50:10 +01001162 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001163}
1164
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02001165/*
1166 * Setup an SSL context
1167 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +01001168
Gilles Peskine449bd832023-01-11 14:50:10 +01001169int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1170 const mbedtls_ssl_config *conf)
Paul Bakker5121ce52009-01-03 21:22:43 +00001171{
Janos Follath865b3eb2019-12-16 11:46:15 +00001172 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00001173 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1174 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00001175
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02001176 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +00001177
Gilles Peskine449bd832023-01-11 14:50:10 +01001178 if ((ret = ssl_conf_check(ssl)) != 0) {
1179 return ret;
1180 }
Ronald Cron8a12aee2023-03-08 15:30:43 +01001181 ssl->tls_version = ssl->conf->max_tls_version;
Jerry Yu60835a82021-08-04 10:13:52 +08001182
Paul Bakker62f2dee2012-09-28 07:31:51 +00001183 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01001184 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +00001185 */
k-stachowiakc9a5f022018-07-24 13:53:31 +02001186
1187 /* Set to NULL in case of an error condition */
1188 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +02001189
Darryl Greenb33cc762019-11-28 14:29:44 +00001190#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1191 ssl->in_buf_len = in_buf_len;
1192#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001193 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1194 if (ssl->in_buf == NULL) {
1195 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
k-stachowiak9f7798e2018-07-31 16:52:32 +02001196 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02001197 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +10001198 }
1199
Darryl Greenb33cc762019-11-28 14:29:44 +00001200#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1201 ssl->out_buf_len = out_buf_len;
1202#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001203 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1204 if (ssl->out_buf == NULL) {
1205 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
k-stachowiak9f7798e2018-07-31 16:52:32 +02001206 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02001207 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00001208 }
1209
Deomid rojer Ryabkov3dfe75e2025-01-26 10:43:42 +02001210 mbedtls_ssl_reset_in_pointers(ssl);
1211 mbedtls_ssl_reset_out_pointers(ssl);
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02001212
Johan Pascalb62bb512015-12-03 21:56:45 +01001213#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +01001214 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
Johan Pascalb62bb512015-12-03 21:56:45 +01001215#endif
1216
Gilles Peskine449bd832023-01-11 14:50:10 +01001217 if ((ret = ssl_handshake_init(ssl)) != 0) {
k-stachowiaka47911c2018-07-04 17:41:58 +02001218 goto error;
Gilles Peskine449bd832023-01-11 14:50:10 +01001219 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001220
Gilles Peskine449bd832023-01-11 14:50:10 +01001221 return 0;
k-stachowiaka47911c2018-07-04 17:41:58 +02001222
1223error:
Gilles Peskine449bd832023-01-11 14:50:10 +01001224 mbedtls_free(ssl->in_buf);
1225 mbedtls_free(ssl->out_buf);
k-stachowiaka47911c2018-07-04 17:41:58 +02001226
1227 ssl->conf = NULL;
1228
Darryl Greenb33cc762019-11-28 14:29:44 +00001229#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1230 ssl->in_buf_len = 0;
1231 ssl->out_buf_len = 0;
1232#endif
k-stachowiaka47911c2018-07-04 17:41:58 +02001233 ssl->in_buf = NULL;
1234 ssl->out_buf = NULL;
1235
1236 ssl->in_hdr = NULL;
1237 ssl->in_ctr = NULL;
1238 ssl->in_len = NULL;
1239 ssl->in_iv = NULL;
1240 ssl->in_msg = NULL;
1241
1242 ssl->out_hdr = NULL;
1243 ssl->out_ctr = NULL;
1244 ssl->out_len = NULL;
1245 ssl->out_iv = NULL;
1246 ssl->out_msg = NULL;
1247
Gilles Peskine449bd832023-01-11 14:50:10 +01001248 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00001249}
1250
1251/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00001252 * Reset an initialized and used SSL context for re-use while retaining
1253 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001254 *
1255 * If partial is non-zero, keep data in the input buffer and client ID.
1256 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +00001257 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001258void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1259 int partial)
Paul Bakker7eb013f2011-10-06 12:37:39 +00001260{
Darryl Greenb33cc762019-11-28 14:29:44 +00001261#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1262 size_t in_buf_len = ssl->in_buf_len;
1263 size_t out_buf_len = ssl->out_buf_len;
1264#else
1265 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1266 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1267#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001268
Hanno Beckerb0302c42021-08-03 09:39:42 +01001269#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1270 partial = 0;
Hanno Becker7e772132018-08-10 12:38:21 +01001271#endif
1272
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001273 /* Cancel any possibly running timer */
Gilles Peskine449bd832023-01-11 14:50:10 +01001274 mbedtls_ssl_set_timer(ssl, 0);
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001275
Deomid rojer Ryabkov3dfe75e2025-01-26 10:43:42 +02001276 mbedtls_ssl_reset_in_pointers(ssl);
1277 mbedtls_ssl_reset_out_pointers(ssl);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001278
1279 /* Reset incoming message parsing */
1280 ssl->in_offt = NULL;
1281 ssl->nb_zero = 0;
1282 ssl->in_msgtype = 0;
1283 ssl->in_msglen = 0;
1284 ssl->in_hslen = 0;
Deomid rojer Ryabkovdd14c0a2025-02-13 13:41:51 +03001285 ssl->in_hsfraglen = 0;
Hanno Beckerb0302c42021-08-03 09:39:42 +01001286 ssl->keep_current_message = 0;
1287 ssl->transform_in = NULL;
1288
1289#if defined(MBEDTLS_SSL_PROTO_DTLS)
1290 ssl->next_record_offset = 0;
1291 ssl->in_epoch = 0;
1292#endif
1293
1294 /* Keep current datagram if partial == 1 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001295 if (partial == 0) {
Hanno Beckerb0302c42021-08-03 09:39:42 +01001296 ssl->in_left = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001297 memset(ssl->in_buf, 0, in_buf_len);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001298 }
1299
Ronald Cronad8c17b2022-06-10 17:18:09 +02001300 ssl->send_alert = 0;
1301
Hanno Beckerb0302c42021-08-03 09:39:42 +01001302 /* Reset outgoing message writing */
1303 ssl->out_msgtype = 0;
1304 ssl->out_msglen = 0;
1305 ssl->out_left = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001306 memset(ssl->out_buf, 0, out_buf_len);
1307 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
Hanno Beckerb0302c42021-08-03 09:39:42 +01001308 ssl->transform_out = NULL;
1309
1310#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +01001311 mbedtls_ssl_dtls_replay_reset(ssl);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001312#endif
1313
XiaokangQian2b01dc32022-01-21 02:53:13 +00001314#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001315 if (ssl->transform) {
1316 mbedtls_ssl_transform_free(ssl->transform);
1317 mbedtls_free(ssl->transform);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001318 ssl->transform = NULL;
1319 }
XiaokangQian2b01dc32022-01-21 02:53:13 +00001320#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1321
XiaokangQian2b01dc32022-01-21 02:53:13 +00001322#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001323 mbedtls_ssl_transform_free(ssl->transform_application);
1324 mbedtls_free(ssl->transform_application);
XiaokangQian2b01dc32022-01-21 02:53:13 +00001325 ssl->transform_application = NULL;
1326
Gilles Peskine449bd832023-01-11 14:50:10 +01001327 if (ssl->handshake != NULL) {
Jerry Yu3d9b5902022-11-04 14:07:25 +08001328#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +01001329 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1330 mbedtls_free(ssl->handshake->transform_earlydata);
XiaokangQian2b01dc32022-01-21 02:53:13 +00001331 ssl->handshake->transform_earlydata = NULL;
Jerry Yu3d9b5902022-11-04 14:07:25 +08001332#endif
XiaokangQian2b01dc32022-01-21 02:53:13 +00001333
Gilles Peskine449bd832023-01-11 14:50:10 +01001334 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1335 mbedtls_free(ssl->handshake->transform_handshake);
XiaokangQian2b01dc32022-01-21 02:53:13 +00001336 ssl->handshake->transform_handshake = NULL;
1337 }
1338
XiaokangQian2b01dc32022-01-21 02:53:13 +00001339#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Beckerb0302c42021-08-03 09:39:42 +01001340}
1341
Gilles Peskine449bd832023-01-11 14:50:10 +01001342int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
Hanno Beckerb0302c42021-08-03 09:39:42 +01001343{
1344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1345
Gilles Peskinef670ba52025-03-07 15:09:32 +01001346 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
Gilles Peskinefd89acc2025-02-24 18:45:49 +01001347 ssl->flags &= MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION;
Ronald Cron195c0bc2024-02-08 08:51:20 +01001348 ssl->tls_version = ssl->conf->max_tls_version;
Hanno Beckerb0302c42021-08-03 09:39:42 +01001349
Gilles Peskine449bd832023-01-11 14:50:10 +01001350 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001351
1352 /* Reset renegotiation state */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001353#if defined(MBEDTLS_SSL_RENEGOTIATION)
1354 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001355 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00001356
1357 ssl->verify_data_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001358 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1359 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001360#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001361 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00001362
Hanno Beckerb0302c42021-08-03 09:39:42 +01001363 ssl->session_in = NULL;
Hanno Becker78640902018-08-13 16:35:15 +01001364 ssl->session_out = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01001365 if (ssl->session) {
1366 mbedtls_ssl_session_free(ssl->session);
1367 mbedtls_free(ssl->session);
Paul Bakkerc0463502013-02-14 11:19:38 +01001368 ssl->session = NULL;
1369 }
1370
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001371#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001372 ssl->alpn_chosen = NULL;
1373#endif
1374
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001375#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
David Horstmann3b2276a2022-10-06 14:49:08 +01001376 int free_cli_id = 1;
Hanno Becker4ccbf062018-08-10 11:20:38 +01001377#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Gilles Peskine449bd832023-01-11 14:50:10 +01001378 free_cli_id = (partial == 0);
Hanno Becker4ccbf062018-08-10 11:20:38 +01001379#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001380 if (free_cli_id) {
1381 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001382 ssl->cli_id = NULL;
1383 ssl->cli_id_len = 0;
1384 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02001385#endif
1386
Gilles Peskine449bd832023-01-11 14:50:10 +01001387 if ((ret = ssl_handshake_init(ssl)) != 0) {
1388 return ret;
1389 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00001390
Gilles Peskine449bd832023-01-11 14:50:10 +01001391 return 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00001392}
1393
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02001394/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001395 * Reset an initialized and used SSL context for re-use while retaining
1396 * all application-set variables, function pointers and data.
1397 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001398int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001399{
Gilles Peskine449bd832023-01-11 14:50:10 +01001400 return mbedtls_ssl_session_reset_int(ssl, 0);
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001401}
1402
1403/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001404 * SSL set accessors
1405 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001406void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
Paul Bakker5121ce52009-01-03 21:22:43 +00001407{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001408 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +00001409}
1410
Gilles Peskine449bd832023-01-11 14:50:10 +01001411void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001412{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001413 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001414}
1415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001416#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +01001417void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02001418{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001419 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02001420}
1421#endif
1422
Gilles Peskine449bd832023-01-11 14:50:10 +01001423void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001424{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001425 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001426}
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001427
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001428#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +01001429
Gilles Peskine449bd832023-01-11 14:50:10 +01001430void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1431 unsigned allow_packing)
Hanno Becker04da1892018-08-14 13:22:10 +01001432{
1433 ssl->disable_datagram_packing = !allow_packing;
1434}
1435
Gilles Peskine449bd832023-01-11 14:50:10 +01001436void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1437 uint32_t min, uint32_t max)
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02001438{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001439 conf->hs_timeout_min = min;
1440 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02001441}
1442#endif
1443
Gilles Peskine449bd832023-01-11 14:50:10 +01001444void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
Paul Bakker5121ce52009-01-03 21:22:43 +00001445{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001446 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +00001447}
1448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001449#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001450void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1451 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1452 void *p_vrfy)
Paul Bakkerb63b0af2011-01-13 17:54:59 +00001453{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001454 conf->f_vrfy = f_vrfy;
1455 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +00001456}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001457#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00001458
Gilles Peskine449bd832023-01-11 14:50:10 +01001459void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1460 void (*f_dbg)(void *, int, const char *, int, const char *),
1461 void *p_dbg)
Paul Bakker5121ce52009-01-03 21:22:43 +00001462{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001463 conf->f_dbg = f_dbg;
1464 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +00001465}
1466
Gilles Peskine449bd832023-01-11 14:50:10 +01001467void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1468 void *p_bio,
1469 mbedtls_ssl_send_t *f_send,
1470 mbedtls_ssl_recv_t *f_recv,
1471 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02001472{
1473 ssl->p_bio = p_bio;
1474 ssl->f_send = f_send;
1475 ssl->f_recv = f_recv;
1476 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01001477}
1478
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02001479#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01001480void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02001481{
1482 ssl->mtu = mtu;
1483}
1484#endif
1485
Gilles Peskine449bd832023-01-11 14:50:10 +01001486void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01001487{
1488 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02001489}
1490
Gilles Peskine449bd832023-01-11 14:50:10 +01001491void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1492 void *p_timer,
1493 mbedtls_ssl_set_timer_t *f_set_timer,
1494 mbedtls_ssl_get_timer_t *f_get_timer)
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02001495{
1496 ssl->p_timer = p_timer;
1497 ssl->f_set_timer = f_set_timer;
1498 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001499
1500 /* Make sure we start with no timer running */
Gilles Peskine449bd832023-01-11 14:50:10 +01001501 mbedtls_ssl_set_timer(ssl, 0);
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02001502}
1503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001504#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001505void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1506 void *p_cache,
1507 mbedtls_ssl_cache_get_t *f_get_cache,
1508 mbedtls_ssl_cache_set_t *f_set_cache)
Paul Bakker5121ce52009-01-03 21:22:43 +00001509{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01001510 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001511 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001512 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00001513}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001514#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00001515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001516#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001517int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
Paul Bakker5121ce52009-01-03 21:22:43 +00001518{
Janos Follath865b3eb2019-12-16 11:46:15 +00001519 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001520
Gilles Peskine449bd832023-01-11 14:50:10 +01001521 if (ssl == NULL ||
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001522 session == NULL ||
1523 ssl->session_negotiate == NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +01001524 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1525 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001526 }
1527
Gilles Peskine449bd832023-01-11 14:50:10 +01001528 if (ssl->handshake->resume == 1) {
1529 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1530 }
Hanno Beckere810bbc2021-05-14 16:01:05 +01001531
Jerry Yu21092062022-10-10 21:21:31 +08001532#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001533 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Ronald Cron233fcaa2024-04-04 14:05:21 +02001534#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu21092062022-10-10 21:21:31 +08001535 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +01001536 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
Jerry Yu21092062022-10-10 21:21:31 +08001537
Gilles Peskine449bd832023-01-11 14:50:10 +01001538 if (mbedtls_ssl_validate_ciphersuite(
Jerry Yu21092062022-10-10 21:21:31 +08001539 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
Gilles Peskine449bd832023-01-11 14:50:10 +01001540 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1541 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1542 session->ciphersuite));
1543 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu21092062022-10-10 21:21:31 +08001544 }
Ronald Cron233fcaa2024-04-04 14:05:21 +02001545#else
1546 /*
1547 * If session tickets are not enabled, it is not possible to resume a
1548 * TLS 1.3 session, thus do not make any change to the SSL context in
1549 * the first place.
1550 */
1551 return 0;
1552#endif
Jerry Yu40afab62022-10-08 10:42:13 +08001553 }
Jerry Yu21092062022-10-10 21:21:31 +08001554#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu40afab62022-10-08 10:42:13 +08001555
Gilles Peskine449bd832023-01-11 14:50:10 +01001556 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1557 session)) != 0) {
1558 return ret;
1559 }
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001560
Paul Bakker0a597072012-09-25 21:55:46 +00001561 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001562
Gilles Peskine449bd832023-01-11 14:50:10 +01001563 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001564}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001565#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00001566
Gilles Peskine449bd832023-01-11 14:50:10 +01001567void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1568 const int *ciphersuites)
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01001569{
Hanno Beckerd60b6c62021-04-29 12:04:11 +01001570 conf->ciphersuite_list = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00001571}
1572
Ronald Cron6f135e12021-12-08 16:57:54 +01001573#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001574void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1575 const int kex_modes)
Hanno Becker71f1ed62021-07-24 06:01:47 +01001576{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001577 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
Hanno Becker71f1ed62021-07-24 06:01:47 +01001578}
Xiaokang Qian72de95d2022-10-25 02:54:33 +00001579
1580#if defined(MBEDTLS_SSL_EARLY_DATA)
Yanray Wangd5ed36f2023-11-07 11:40:43 +08001581void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1582 int early_data_enabled)
Xiaokang Qian72de95d2022-10-25 02:54:33 +00001583{
1584 conf->early_data_enabled = early_data_enabled;
1585}
Jerry Yucc4e0072022-11-22 17:22:22 +08001586
1587#if defined(MBEDTLS_SSL_SRV_C)
Yanray Wang07517612023-11-07 11:47:36 +08001588void mbedtls_ssl_conf_max_early_data_size(
Gilles Peskine449bd832023-01-11 14:50:10 +01001589 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
Jerry Yucc4e0072022-11-22 17:22:22 +08001590{
Jerry Yu39da9852022-12-06 16:58:36 +08001591 conf->max_early_data_size = max_early_data_size;
Jerry Yucc4e0072022-11-22 17:22:22 +08001592}
1593#endif /* MBEDTLS_SSL_SRV_C */
1594
Xiaokang Qian72de95d2022-10-25 02:54:33 +00001595#endif /* MBEDTLS_SSL_EARLY_DATA */
Ronald Cron6f135e12021-12-08 16:57:54 +01001596#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker71f1ed62021-07-24 06:01:47 +01001597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001598#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001599void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1600 const mbedtls_x509_crt_profile *profile)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02001601{
1602 conf->cert_profile = profile;
1603}
1604
Gilles Peskine449bd832023-01-11 14:50:10 +01001605static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
Glenn Strauss36872db2022-01-22 05:06:31 -05001606{
1607 mbedtls_ssl_key_cert *cur = key_cert, *next;
1608
Gilles Peskine449bd832023-01-11 14:50:10 +01001609 while (cur != NULL) {
Glenn Strauss36872db2022-01-22 05:06:31 -05001610 next = cur->next;
Gilles Peskine449bd832023-01-11 14:50:10 +01001611 mbedtls_free(cur);
Glenn Strauss36872db2022-01-22 05:06:31 -05001612 cur = next;
1613 }
1614}
1615
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001616/* Append a new keycert entry to a (possibly empty) list */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001617MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001618static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1619 mbedtls_x509_crt *cert,
1620 mbedtls_pk_context *key)
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001621{
niisato8ee24222018-06-25 19:05:48 +09001622 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001623
Gilles Peskine449bd832023-01-11 14:50:10 +01001624 if (cert == NULL) {
Glenn Strauss36872db2022-01-22 05:06:31 -05001625 /* Free list if cert is null */
Gilles Peskine449bd832023-01-11 14:50:10 +01001626 ssl_key_cert_free(*head);
Glenn Strauss36872db2022-01-22 05:06:31 -05001627 *head = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01001628 return 0;
Glenn Strauss36872db2022-01-22 05:06:31 -05001629 }
1630
Gilles Peskine449bd832023-01-11 14:50:10 +01001631 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1632 if (new_cert == NULL) {
1633 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1634 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001635
niisato8ee24222018-06-25 19:05:48 +09001636 new_cert->cert = cert;
1637 new_cert->key = key;
1638 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001639
Glenn Strauss36872db2022-01-22 05:06:31 -05001640 /* Update head if the list was null, else add to the end */
Gilles Peskine449bd832023-01-11 14:50:10 +01001641 if (*head == NULL) {
niisato8ee24222018-06-25 19:05:48 +09001642 *head = new_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +01001643 } else {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001644 mbedtls_ssl_key_cert *cur = *head;
Gilles Peskine449bd832023-01-11 14:50:10 +01001645 while (cur->next != NULL) {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001646 cur = cur->next;
Gilles Peskine449bd832023-01-11 14:50:10 +01001647 }
niisato8ee24222018-06-25 19:05:48 +09001648 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001649 }
1650
Gilles Peskine449bd832023-01-11 14:50:10 +01001651 return 0;
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001652}
1653
Gilles Peskine449bd832023-01-11 14:50:10 +01001654int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001655 mbedtls_x509_crt *own_cert,
Gilles Peskine449bd832023-01-11 14:50:10 +01001656 mbedtls_pk_context *pk_key)
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001657{
Gilles Peskine449bd832023-01-11 14:50:10 +01001658 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001659}
1660
Gilles Peskine449bd832023-01-11 14:50:10 +01001661void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01001662 mbedtls_x509_crt *ca_chain,
Gilles Peskine449bd832023-01-11 14:50:10 +01001663 mbedtls_x509_crl *ca_crl)
Paul Bakker5121ce52009-01-03 21:22:43 +00001664{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01001665 conf->ca_chain = ca_chain;
1666 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +00001667
1668#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1669 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1670 * cannot be used together. */
1671 conf->f_ca_cb = NULL;
1672 conf->p_ca_cb = NULL;
1673#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +00001674}
Hanno Becker5adaad92019-03-27 16:54:37 +00001675
1676#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
Gilles Peskine449bd832023-01-11 14:50:10 +01001677void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1678 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1679 void *p_ca_cb)
Hanno Becker5adaad92019-03-27 16:54:37 +00001680{
1681 conf->f_ca_cb = f_ca_cb;
1682 conf->p_ca_cb = p_ca_cb;
1683
1684 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1685 * cannot be used together. */
1686 conf->ca_chain = NULL;
1687 conf->ca_crl = NULL;
1688}
1689#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001690#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00001691
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001692#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01001693const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1694 size_t *name_len)
Glenn Strauss69894072022-01-24 12:58:00 -05001695{
1696 *name_len = ssl->handshake->sni_name_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001697 return ssl->handshake->sni_name;
Glenn Strauss69894072022-01-24 12:58:00 -05001698}
1699
Gilles Peskine449bd832023-01-11 14:50:10 +01001700int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1701 mbedtls_x509_crt *own_cert,
1702 mbedtls_pk_context *pk_key)
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001703{
Gilles Peskine449bd832023-01-11 14:50:10 +01001704 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1705 own_cert, pk_key);
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001706}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02001707
Gilles Peskine449bd832023-01-11 14:50:10 +01001708void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1709 mbedtls_x509_crt *ca_chain,
1710 mbedtls_x509_crl *ca_crl)
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02001711{
1712 ssl->handshake->sni_ca_chain = ca_chain;
1713 ssl->handshake->sni_ca_crl = ca_crl;
1714}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02001715
Glenn Strauss999ef702022-03-11 01:37:23 -05001716#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01001717void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1718 const mbedtls_x509_crt *crt)
Glenn Strauss999ef702022-03-11 01:37:23 -05001719{
1720 ssl->handshake->dn_hints = crt;
1721}
1722#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1723
Gilles Peskine449bd832023-01-11 14:50:10 +01001724void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1725 int authmode)
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02001726{
1727 ssl->handshake->sni_authmode = authmode;
1728}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001729#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1730
Hanno Becker8927c832019-04-03 12:52:50 +01001731#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001732void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1733 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1734 void *p_vrfy)
Hanno Becker8927c832019-04-03 12:52:50 +01001735{
1736 ssl->f_vrfy = f_vrfy;
1737 ssl->p_vrfy = p_vrfy;
1738}
1739#endif
1740
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02001741#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02001742
Przemek Stekielfde11282023-03-13 16:06:09 +01001743static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1744static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1745
Valerio Setti016f6822022-12-09 14:17:50 +01001746static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
Gilles Peskine449bd832023-01-11 14:50:10 +01001747 mbedtls_ssl_context *ssl,
1748 mbedtls_svc_key_id_t pwd)
Valerio Setti016f6822022-12-09 14:17:50 +01001749{
1750 psa_status_t status;
Valerio Setti016f6822022-12-09 14:17:50 +01001751 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
Przemek Stekielfde11282023-03-13 16:06:09 +01001752 const uint8_t *user = NULL;
Przemek Stekiel4cd20312023-03-01 11:11:28 +01001753 size_t user_len = 0;
Przemek Stekielfde11282023-03-13 16:06:09 +01001754 const uint8_t *peer = NULL;
Przemek Stekiel4cd20312023-03-01 11:11:28 +01001755 size_t peer_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001756 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1757 psa_pake_cs_set_primitive(&cipher_suite,
1758 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1759 PSA_ECC_FAMILY_SECP_R1,
1760 256));
1761 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
Valerio Setti016f6822022-12-09 14:17:50 +01001762
Anton Matkin72d60302025-03-19 14:56:57 +01001763 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, pwd, &cipher_suite);
Gilles Peskine449bd832023-01-11 14:50:10 +01001764 if (status != PSA_SUCCESS) {
Valerio Setti016f6822022-12-09 14:17:50 +01001765 return status;
Gilles Peskine449bd832023-01-11 14:50:10 +01001766 }
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02001767
Gilles Peskine449bd832023-01-11 14:50:10 +01001768 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Przemek Stekielfde11282023-03-13 16:06:09 +01001769 user = jpake_server_id;
1770 user_len = sizeof(jpake_server_id);
1771 peer = jpake_client_id;
1772 peer_len = sizeof(jpake_client_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001773 } else {
Przemek Stekielfde11282023-03-13 16:06:09 +01001774 user = jpake_client_id;
1775 user_len = sizeof(jpake_client_id);
1776 peer = jpake_server_id;
1777 peer_len = sizeof(jpake_server_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001778 }
Neil Armstrongca7d5062022-05-31 14:43:23 +02001779
Przemek Stekiel4cd20312023-03-01 11:11:28 +01001780 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1781 if (status != PSA_SUCCESS) {
1782 return status;
1783 }
1784
1785 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
Gilles Peskine449bd832023-01-11 14:50:10 +01001786 if (status != PSA_SUCCESS) {
Valerio Setti016f6822022-12-09 14:17:50 +01001787 return status;
Gilles Peskine449bd832023-01-11 14:50:10 +01001788 }
Valerio Setti016f6822022-12-09 14:17:50 +01001789
Valerio Setti016f6822022-12-09 14:17:50 +01001790 ssl->handshake->psa_pake_ctx_is_ok = 1;
1791
Gilles Peskine449bd832023-01-11 14:50:10 +01001792 return PSA_SUCCESS;
Valerio Setti016f6822022-12-09 14:17:50 +01001793}
1794
Gilles Peskine449bd832023-01-11 14:50:10 +01001795int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
1796 const unsigned char *pw,
1797 size_t pw_len)
Valerio Setti016f6822022-12-09 14:17:50 +01001798{
1799 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1800 psa_status_t status;
1801
Gilles Peskine449bd832023-01-11 14:50:10 +01001802 if (ssl->handshake == NULL || ssl->conf == NULL) {
1803 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Neil Armstrongca7d5062022-05-31 14:43:23 +02001804 }
1805
Gilles Peskine449bd832023-01-11 14:50:10 +01001806 /* Empty password is not valid */
1807 if ((pw == NULL) || (pw_len == 0)) {
1808 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1809 }
1810
1811 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
1812 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
1813 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
1814
1815 status = psa_import_key(&attributes, pw, pw_len,
1816 &ssl->handshake->psa_pake_password);
1817 if (status != PSA_SUCCESS) {
1818 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1819 }
1820
1821 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
1822 ssl->handshake->psa_pake_password);
1823 if (status != PSA_SUCCESS) {
1824 psa_destroy_key(ssl->handshake->psa_pake_password);
1825 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1826 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1827 }
1828
1829 return 0;
Valerio Setti02c25b52022-11-15 14:08:42 +01001830}
Valerio Settia9a97dc2022-11-28 18:26:16 +01001831
Gilles Peskine449bd832023-01-11 14:50:10 +01001832int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
1833 mbedtls_svc_key_id_t pwd)
Valerio Settia9a97dc2022-11-28 18:26:16 +01001834{
Valerio Settia9a97dc2022-11-28 18:26:16 +01001835 psa_status_t status;
1836
Gilles Peskine449bd832023-01-11 14:50:10 +01001837 if (ssl->handshake == NULL || ssl->conf == NULL) {
1838 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Neil Armstrongca7d5062022-05-31 14:43:23 +02001839 }
1840
Gilles Peskine449bd832023-01-11 14:50:10 +01001841 if (mbedtls_svc_key_id_is_null(pwd)) {
1842 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1843 }
1844
1845 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
1846 if (status != PSA_SUCCESS) {
1847 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1848 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1849 }
1850
1851 return 0;
Valerio Setti02c25b52022-11-15 14:08:42 +01001852}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02001853#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02001854
Ronald Cron73fe8df2022-10-05 14:31:43 +02001855#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01001856int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001857{
Gilles Peskine449bd832023-01-11 14:50:10 +01001858 if (conf->psk_identity == NULL ||
1859 conf->psk_identity_len == 0) {
1860 return 0;
Ronald Crond29e13e2022-10-19 10:33:48 +02001861 }
1862
Gilles Peskine449bd832023-01-11 14:50:10 +01001863 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
1864 return 1;
1865 }
Ronald Crond29e13e2022-10-19 10:33:48 +02001866
Gilles Peskine449bd832023-01-11 14:50:10 +01001867 if (conf->psk != NULL && conf->psk_len != 0) {
1868 return 1;
1869 }
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001870
Gilles Peskine449bd832023-01-11 14:50:10 +01001871 return 0;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001872}
1873
Gilles Peskine449bd832023-01-11 14:50:10 +01001874static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001875{
1876 /* Remove reference to existing PSK, if any. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001877 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001878 /* The maintenance of the PSK key slot is the
1879 * user's responsibility. */
Ronald Croncf56a0a2020-08-04 09:51:30 +02001880 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001881 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001882 if (conf->psk != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01001883 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001884 conf->psk = NULL;
1885 conf->psk_len = 0;
1886 }
1887
1888 /* Remove reference to PSK identity, if any. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001889 if (conf->psk_identity != NULL) {
1890 mbedtls_free(conf->psk_identity);
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001891 conf->psk_identity = NULL;
1892 conf->psk_identity_len = 0;
1893 }
1894}
1895
Hanno Becker7390c712018-11-15 13:33:04 +00001896/* This function assumes that PSK identity in the SSL config is unset.
1897 * It checks that the provided identity is well-formed and attempts
1898 * to make a copy of it in the SSL config.
1899 * On failure, the PSK identity in the config remains unset. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001900MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001901static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
1902 unsigned char const *psk_identity,
1903 size_t psk_identity_len)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001904{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02001905 /* Identity len will be encoded on two bytes */
Gilles Peskine449bd832023-01-11 14:50:10 +01001906 if (psk_identity == NULL ||
Ronald Cron2a87e9b2022-10-19 10:55:26 +02001907 psk_identity_len == 0 ||
Gilles Peskine449bd832023-01-11 14:50:10 +01001908 (psk_identity_len >> 16) != 0 ||
1909 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1910 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02001911 }
1912
Gilles Peskine449bd832023-01-11 14:50:10 +01001913 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
1914 if (conf->psk_identity == NULL) {
1915 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1916 }
Paul Bakker6db455e2013-09-18 17:29:31 +02001917
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01001918 conf->psk_identity_len = psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001919 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
Paul Bakker5ad403f2013-09-18 21:21:30 +02001920
Gilles Peskine449bd832023-01-11 14:50:10 +01001921 return 0;
Paul Bakker6db455e2013-09-18 17:29:31 +02001922}
1923
Gilles Peskine449bd832023-01-11 14:50:10 +01001924int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
1925 const unsigned char *psk, size_t psk_len,
1926 const unsigned char *psk_identity, size_t psk_identity_len)
Hanno Becker7390c712018-11-15 13:33:04 +00001927{
Janos Follath865b3eb2019-12-16 11:46:15 +00001928 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001929
1930 /* We currently only support one PSK, raw or opaque. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001931 if (mbedtls_ssl_conf_has_static_psk(conf)) {
1932 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1933 }
Hanno Becker7390c712018-11-15 13:33:04 +00001934
1935 /* Check and set raw PSK */
Gilles Peskine449bd832023-01-11 14:50:10 +01001936 if (psk == NULL) {
1937 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1938 }
1939 if (psk_len == 0) {
1940 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1941 }
1942 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
1943 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1944 }
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01001945
Gilles Peskine449bd832023-01-11 14:50:10 +01001946 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
1947 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1948 }
Hanno Becker7390c712018-11-15 13:33:04 +00001949 conf->psk_len = psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001950 memcpy(conf->psk, psk, conf->psk_len);
Hanno Becker7390c712018-11-15 13:33:04 +00001951
1952 /* Check and set PSK Identity */
Gilles Peskine449bd832023-01-11 14:50:10 +01001953 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
1954 if (ret != 0) {
1955 ssl_conf_remove_psk(conf);
1956 }
Hanno Becker7390c712018-11-15 13:33:04 +00001957
Gilles Peskine449bd832023-01-11 14:50:10 +01001958 return ret;
Hanno Becker7390c712018-11-15 13:33:04 +00001959}
1960
Gilles Peskine449bd832023-01-11 14:50:10 +01001961static void ssl_remove_psk(mbedtls_ssl_context *ssl)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001962{
Gilles Peskine449bd832023-01-11 14:50:10 +01001963 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
Neil Armstrong501c9322022-05-03 09:35:09 +02001964 /* The maintenance of the external PSK key slot is the
1965 * user's responsibility. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001966 if (ssl->handshake->psk_opaque_is_internal) {
1967 psa_destroy_key(ssl->handshake->psk_opaque);
Neil Armstrong501c9322022-05-03 09:35:09 +02001968 ssl->handshake->psk_opaque_is_internal = 0;
1969 }
Ronald Croncf56a0a2020-08-04 09:51:30 +02001970 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001971 }
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001972}
1973
Gilles Peskine449bd832023-01-11 14:50:10 +01001974int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
1975 const unsigned char *psk, size_t psk_len)
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001976{
Neil Armstrong501c9322022-05-03 09:35:09 +02001977 psa_key_attributes_t key_attributes = psa_key_attributes_init();
Jerry Yu5d01c052022-08-17 10:18:10 +08001978 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu24b8c812022-08-20 19:06:56 +08001979 psa_algorithm_t alg = PSA_ALG_NONE;
Jerry Yu5d01c052022-08-17 10:18:10 +08001980 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong501c9322022-05-03 09:35:09 +02001981
Gilles Peskine449bd832023-01-11 14:50:10 +01001982 if (psk == NULL || ssl->handshake == NULL) {
1983 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1984 }
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001985
Gilles Peskine449bd832023-01-11 14:50:10 +01001986 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
1987 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1988 }
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001989
Gilles Peskine449bd832023-01-11 14:50:10 +01001990 ssl_remove_psk(ssl);
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001991
Jerry Yuccc68a42022-07-26 16:39:20 +08001992#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001993 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
1994 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
1995 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
1996 } else {
1997 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
1998 }
1999 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
Jerry Yuccc68a42022-07-26 16:39:20 +08002000 }
2001#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Neil Armstrong501c9322022-05-03 09:35:09 +02002002
Jerry Yu568ec252022-07-22 21:27:34 +08002003#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01002004 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2005 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2006 psa_set_key_usage_flags(&key_attributes,
2007 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
Jerry Yuccc68a42022-07-26 16:39:20 +08002008 }
2009#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2010
Gilles Peskine449bd832023-01-11 14:50:10 +01002011 psa_set_key_algorithm(&key_attributes, alg);
2012 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
Neil Armstrong501c9322022-05-03 09:35:09 +02002013
Gilles Peskine449bd832023-01-11 14:50:10 +01002014 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2015 if (status != PSA_SUCCESS) {
2016 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2017 }
Neil Armstrong501c9322022-05-03 09:35:09 +02002018
2019 /* Allow calling psa_destroy_key() on psk remove */
2020 ssl->handshake->psk_opaque_is_internal = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01002021 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01002022}
2023
Gilles Peskine449bd832023-01-11 14:50:10 +01002024int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2025 mbedtls_svc_key_id_t psk,
2026 const unsigned char *psk_identity,
2027 size_t psk_identity_len)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002028{
Janos Follath865b3eb2019-12-16 11:46:15 +00002029 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01002030
2031 /* We currently only support one PSK, raw or opaque. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002032 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2033 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2034 }
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002035
Hanno Becker7390c712018-11-15 13:33:04 +00002036 /* Check and set opaque PSK */
Gilles Peskine449bd832023-01-11 14:50:10 +01002037 if (mbedtls_svc_key_id_is_null(psk)) {
2038 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2039 }
Ronald Croncf56a0a2020-08-04 09:51:30 +02002040 conf->psk_opaque = psk;
Hanno Becker7390c712018-11-15 13:33:04 +00002041
2042 /* Check and set PSK Identity */
Gilles Peskine449bd832023-01-11 14:50:10 +01002043 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2044 psk_identity_len);
2045 if (ret != 0) {
2046 ssl_conf_remove_psk(conf);
2047 }
Hanno Becker7390c712018-11-15 13:33:04 +00002048
Gilles Peskine449bd832023-01-11 14:50:10 +01002049 return ret;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002050}
2051
Gilles Peskine449bd832023-01-11 14:50:10 +01002052int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2053 mbedtls_svc_key_id_t psk)
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002054{
Gilles Peskine449bd832023-01-11 14:50:10 +01002055 if ((mbedtls_svc_key_id_is_null(psk)) ||
2056 (ssl->handshake == NULL)) {
2057 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2058 }
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002059
Gilles Peskine449bd832023-01-11 14:50:10 +01002060 ssl_remove_psk(ssl);
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002061 ssl->handshake->psk_opaque = psk;
Gilles Peskine449bd832023-01-11 14:50:10 +01002062 return 0;
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002063}
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002064
Jerry Yu8897c072022-08-12 13:56:53 +08002065#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002066void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2067 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2068 size_t),
2069 void *p_psk)
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002070{
2071 conf->f_psk = f_psk;
2072 conf->p_psk = p_psk;
2073}
Jerry Yu8897c072022-08-12 13:56:53 +08002074#endif /* MBEDTLS_SSL_SRV_C */
2075
Ronald Cron73fe8df2022-10-05 14:31:43 +02002076#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002077
Gilles Peskine301711e2022-04-26 16:57:05 +02002078static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
Gilles Peskine449bd832023-01-11 14:50:10 +01002079 psa_algorithm_t alg)
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002080{
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002081#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01002082 if (alg == PSA_ALG_CBC_NO_PADDING) {
2083 return MBEDTLS_SSL_MODE_CBC;
2084 }
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002085#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Gilles Peskine449bd832023-01-11 14:50:10 +01002086 if (PSA_ALG_IS_AEAD(alg)) {
2087 return MBEDTLS_SSL_MODE_AEAD;
2088 }
2089 return MBEDTLS_SSL_MODE_STREAM;
Gilles Peskine301711e2022-04-26 16:57:05 +02002090}
2091
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002092
Gilles Peskinee108d982022-04-26 16:50:40 +02002093static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2094 mbedtls_ssl_mode_t base_mode,
Gilles Peskine449bd832023-01-11 14:50:10 +01002095 int encrypt_then_mac)
Gilles Peskinee108d982022-04-26 16:50:40 +02002096{
2097#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01002098 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2099 base_mode == MBEDTLS_SSL_MODE_CBC) {
2100 return MBEDTLS_SSL_MODE_CBC_ETM;
Gilles Peskinee108d982022-04-26 16:50:40 +02002101 }
2102#else
2103 (void) encrypt_then_mac;
2104#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002105 return base_mode;
Gilles Peskinee108d982022-04-26 16:50:40 +02002106}
2107
Neil Armstrongab555e02022-04-04 11:07:59 +02002108mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
Gilles Peskine449bd832023-01-11 14:50:10 +01002109 const mbedtls_ssl_transform *transform)
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002110{
Gilles Peskinee108d982022-04-26 16:50:40 +02002111 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
Gilles Peskine449bd832023-01-11 14:50:10 +01002112 transform->psa_alg
Gilles Peskinee108d982022-04-26 16:50:40 +02002113 );
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002114
Gilles Peskinee108d982022-04-26 16:50:40 +02002115 int encrypt_then_mac = 0;
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002116#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskinee108d982022-04-26 16:50:40 +02002117 encrypt_then_mac = transform->encrypt_then_mac;
2118#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002119 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002120}
2121
Neil Armstrongab555e02022-04-04 11:07:59 +02002122mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002123#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01002124 int encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002125#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01002126 const mbedtls_ssl_ciphersuite_t *suite)
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002127{
Gilles Peskinee108d982022-04-26 16:50:40 +02002128 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2129
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002130 psa_status_t status;
2131 psa_algorithm_t alg;
2132 psa_key_type_t type;
2133 size_t size;
Dave Rodgman2eab4622023-10-05 13:30:37 +01002134 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2135 0, &alg, &type, &size);
Gilles Peskine449bd832023-01-11 14:50:10 +01002136 if (status == PSA_SUCCESS) {
2137 base_mode = mbedtls_ssl_get_base_mode(alg);
2138 }
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002139
Gilles Peskinee108d982022-04-26 16:50:40 +02002140#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2141 int encrypt_then_mac = 0;
2142#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002143 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002144}
2145
Jerry Yu251a12e2022-07-13 15:15:48 +08002146
Ronald Cron8b592d22024-11-12 18:08:25 +01002147const mbedtls_error_pair_t psa_to_ssl_errors[] =
2148{
2149 { PSA_SUCCESS, 0 },
2150 { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
2151 { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
2152 { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
2153 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
2154 { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
2155 { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
2156};
2157
Gilles Peskine449bd832023-01-11 14:50:10 +01002158psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2159 size_t taglen,
2160 psa_algorithm_t *alg,
2161 psa_key_type_t *key_type,
2162 size_t *key_size)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002163{
Elena Uziunaitec2561722024-07-05 11:37:33 +01002164#if !defined(PSA_WANT_ALG_CCM)
Yanray Wang19e4dc82023-11-16 18:02:05 +08002165 (void) taglen;
2166#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002167 switch (mbedtls_cipher_type) {
Elena Uziunaite74342c72024-07-05 11:31:29 +01002168#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002169 case MBEDTLS_CIPHER_AES_128_CBC:
2170 *alg = PSA_ALG_CBC_NO_PADDING;
2171 *key_type = PSA_KEY_TYPE_AES;
2172 *key_size = 128;
2173 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002174#endif
Elena Uziunaitec2561722024-07-05 11:37:33 +01002175#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002176 case MBEDTLS_CIPHER_AES_128_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002177 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002178 *key_type = PSA_KEY_TYPE_AES;
2179 *key_size = 128;
2180 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002181#endif
Elena Uziunaite83a0d9d2024-07-05 11:41:22 +01002182#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002183 case MBEDTLS_CIPHER_AES_128_GCM:
2184 *alg = PSA_ALG_GCM;
2185 *key_type = PSA_KEY_TYPE_AES;
2186 *key_size = 128;
2187 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002188#endif
Elena Uziunaitec2561722024-07-05 11:37:33 +01002189#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002190 case MBEDTLS_CIPHER_AES_192_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002191 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002192 *key_type = PSA_KEY_TYPE_AES;
2193 *key_size = 192;
2194 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002195#endif
Elena Uziunaite83a0d9d2024-07-05 11:41:22 +01002196#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002197 case MBEDTLS_CIPHER_AES_192_GCM:
2198 *alg = PSA_ALG_GCM;
2199 *key_type = PSA_KEY_TYPE_AES;
2200 *key_size = 192;
2201 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002202#endif
Elena Uziunaite74342c72024-07-05 11:31:29 +01002203#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002204 case MBEDTLS_CIPHER_AES_256_CBC:
2205 *alg = PSA_ALG_CBC_NO_PADDING;
2206 *key_type = PSA_KEY_TYPE_AES;
2207 *key_size = 256;
2208 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002209#endif
Elena Uziunaitec2561722024-07-05 11:37:33 +01002210#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002211 case MBEDTLS_CIPHER_AES_256_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002212 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002213 *key_type = PSA_KEY_TYPE_AES;
2214 *key_size = 256;
2215 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002216#endif
Elena Uziunaite83a0d9d2024-07-05 11:41:22 +01002217#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002218 case MBEDTLS_CIPHER_AES_256_GCM:
2219 *alg = PSA_ALG_GCM;
2220 *key_type = PSA_KEY_TYPE_AES;
2221 *key_size = 256;
2222 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002223#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002224#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002225 case MBEDTLS_CIPHER_ARIA_128_CBC:
2226 *alg = PSA_ALG_CBC_NO_PADDING;
2227 *key_type = PSA_KEY_TYPE_ARIA;
2228 *key_size = 128;
2229 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002230#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002231#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002232 case MBEDTLS_CIPHER_ARIA_128_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002233 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002234 *key_type = PSA_KEY_TYPE_ARIA;
2235 *key_size = 128;
2236 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002237#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002238#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002239 case MBEDTLS_CIPHER_ARIA_128_GCM:
2240 *alg = PSA_ALG_GCM;
2241 *key_type = PSA_KEY_TYPE_ARIA;
2242 *key_size = 128;
2243 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002244#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002245#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002246 case MBEDTLS_CIPHER_ARIA_192_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002247 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002248 *key_type = PSA_KEY_TYPE_ARIA;
2249 *key_size = 192;
2250 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002251#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002252#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002253 case MBEDTLS_CIPHER_ARIA_192_GCM:
2254 *alg = PSA_ALG_GCM;
2255 *key_type = PSA_KEY_TYPE_ARIA;
2256 *key_size = 192;
2257 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002258#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002259#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002260 case MBEDTLS_CIPHER_ARIA_256_CBC:
2261 *alg = PSA_ALG_CBC_NO_PADDING;
2262 *key_type = PSA_KEY_TYPE_ARIA;
2263 *key_size = 256;
2264 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002265#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002266#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002267 case MBEDTLS_CIPHER_ARIA_256_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002268 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002269 *key_type = PSA_KEY_TYPE_ARIA;
2270 *key_size = 256;
2271 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002272#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002273#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002274 case MBEDTLS_CIPHER_ARIA_256_GCM:
2275 *alg = PSA_ALG_GCM;
2276 *key_type = PSA_KEY_TYPE_ARIA;
2277 *key_size = 256;
2278 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002279#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002280#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002281 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2282 *alg = PSA_ALG_CBC_NO_PADDING;
2283 *key_type = PSA_KEY_TYPE_CAMELLIA;
2284 *key_size = 128;
2285 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002286#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002287#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002288 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002289 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002290 *key_type = PSA_KEY_TYPE_CAMELLIA;
2291 *key_size = 128;
2292 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002293#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002294#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002295 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2296 *alg = PSA_ALG_GCM;
2297 *key_type = PSA_KEY_TYPE_CAMELLIA;
2298 *key_size = 128;
2299 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002300#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002301#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002302 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002303 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002304 *key_type = PSA_KEY_TYPE_CAMELLIA;
2305 *key_size = 192;
2306 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002307#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002308#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002309 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2310 *alg = PSA_ALG_GCM;
2311 *key_type = PSA_KEY_TYPE_CAMELLIA;
2312 *key_size = 192;
2313 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002314#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002315#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002316 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2317 *alg = PSA_ALG_CBC_NO_PADDING;
2318 *key_type = PSA_KEY_TYPE_CAMELLIA;
2319 *key_size = 256;
2320 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002321#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002322#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002323 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002324 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002325 *key_type = PSA_KEY_TYPE_CAMELLIA;
2326 *key_size = 256;
2327 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002328#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002329#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002330 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2331 *alg = PSA_ALG_GCM;
2332 *key_type = PSA_KEY_TYPE_CAMELLIA;
2333 *key_size = 256;
2334 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002335#endif
Elena Uziunaite5c70c302024-07-05 11:44:44 +01002336#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002337 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2338 *alg = PSA_ALG_CHACHA20_POLY1305;
2339 *key_type = PSA_KEY_TYPE_CHACHA20;
2340 *key_size = 256;
2341 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002342#endif
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002343 case MBEDTLS_CIPHER_NULL:
2344 *alg = MBEDTLS_SSL_NULL_CIPHER;
2345 *key_type = 0;
2346 *key_size = 0;
2347 break;
2348 default:
2349 return PSA_ERROR_NOT_SUPPORTED;
2350 }
2351
2352 return PSA_SUCCESS;
2353}
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002354
Ronald Crone68ab4f2022-10-05 12:46:29 +02002355#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Hanno Becker1cd6e002021-08-10 13:27:10 +01002356
Jerry Yuf017ee42022-01-12 15:49:48 +08002357/* Configure allowed signature algorithms for handshake */
Gilles Peskine449bd832023-01-11 14:50:10 +01002358void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2359 const uint16_t *sig_algs)
Hanno Becker1cd6e002021-08-10 13:27:10 +01002360{
Jerry Yuf017ee42022-01-12 15:49:48 +08002361 conf->sig_algs = sig_algs;
Hanno Becker1cd6e002021-08-10 13:27:10 +01002362}
Ronald Crone68ab4f2022-10-05 12:46:29 +02002363#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02002364
Brett Warrene0edc842021-08-17 09:53:13 +01002365/*
2366 * Set the allowed groups
2367 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002368void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2369 const uint16_t *group_list)
Brett Warrene0edc842021-08-17 09:53:13 +01002370{
Brett Warrene0edc842021-08-17 09:53:13 +01002371 conf->group_list = group_list;
2372}
2373
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01002374#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine4ac40082025-02-20 18:13:58 +01002375
2376#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2377/** Whether mbedtls_ssl_set_hostname() has been called.
2378 *
2379 * \param[in] ssl SSL context
2380 *
2381 * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
2382 * (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
2383 * otherwise \c 0.
2384 */
2385static int mbedtls_ssl_has_set_hostname_been_called(
2386 const mbedtls_ssl_context *ssl)
2387{
Gilles Peskine434016e2025-02-20 18:49:59 +01002388 return (ssl->flags & MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET) != 0;
Gilles Peskine4ac40082025-02-20 18:13:58 +01002389}
2390#endif
2391
2392static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
2393{
2394 if (ssl->hostname != NULL) {
2395 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2396 }
2397 ssl->hostname = NULL;
2398}
2399
Gilles Peskine449bd832023-01-11 14:50:10 +01002400int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
Paul Bakker5121ce52009-01-03 21:22:43 +00002401{
Hanno Becker947194e2017-04-07 13:25:49 +01002402 /* Initialize to suppress unnecessary compiler warning */
2403 size_t hostname_len = 0;
2404
2405 /* Check if new hostname is valid before
2406 * making any change to current one */
Gilles Peskine449bd832023-01-11 14:50:10 +01002407 if (hostname != NULL) {
2408 hostname_len = strlen(hostname);
Hanno Becker947194e2017-04-07 13:25:49 +01002409
Gilles Peskine449bd832023-01-11 14:50:10 +01002410 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2411 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2412 }
Hanno Becker947194e2017-04-07 13:25:49 +01002413 }
2414
2415 /* Now it's clear that we will overwrite the old hostname,
2416 * so we can free it safely */
Gilles Peskine4ac40082025-02-20 18:13:58 +01002417 mbedtls_ssl_free_hostname(ssl);
Hanno Becker947194e2017-04-07 13:25:49 +01002418
2419 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +01002420
Gilles Peskine449bd832023-01-11 14:50:10 +01002421 if (hostname == NULL) {
Hanno Becker947194e2017-04-07 13:25:49 +01002422 ssl->hostname = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01002423 } else {
2424 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2425 if (ssl->hostname == NULL) {
2426 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2427 }
Paul Bakker75c1a6f2013-08-19 14:25:29 +02002428
Gilles Peskine449bd832023-01-11 14:50:10 +01002429 memcpy(ssl->hostname, hostname, hostname_len);
Paul Bakker75c1a6f2013-08-19 14:25:29 +02002430
Hanno Becker947194e2017-04-07 13:25:49 +01002431 ssl->hostname[hostname_len] = '\0';
2432 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002433
Gilles Peskine434016e2025-02-20 18:49:59 +01002434 ssl->flags |= MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET;
2435
Gilles Peskine449bd832023-01-11 14:50:10 +01002436 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00002437}
Hanno Becker1a9a51c2017-04-07 13:02:16 +01002438#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00002439
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01002440#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01002441void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2442 int (*f_sni)(void *, mbedtls_ssl_context *,
2443 const unsigned char *, size_t),
2444 void *p_sni)
Paul Bakker5701cdc2012-09-27 21:49:42 +00002445{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002446 conf->f_sni = f_sni;
2447 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +00002448}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002449#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00002450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002451#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskinec4949d12025-05-27 19:45:29 +02002452int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf,
2453 const char *const *protos)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002454{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002455 size_t cur_len, tot_len;
Gilles Peskinec4949d12025-05-27 19:45:29 +02002456 const char *const *p;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002457
2458 /*
Brian J Murray1903fb32016-11-06 04:45:15 -08002459 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2460 * MUST NOT be truncated."
2461 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002462 */
2463 tot_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002464 for (p = protos; *p != NULL; p++) {
2465 cur_len = strlen(*p);
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002466 tot_len += cur_len;
2467
Gilles Peskine449bd832023-01-11 14:50:10 +01002468 if ((cur_len == 0) ||
2469 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2470 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2471 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2472 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002473 }
2474
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002475 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002476
Gilles Peskine449bd832023-01-11 14:50:10 +01002477 return 0;
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002478}
2479
Gilles Peskine449bd832023-01-11 14:50:10 +01002480const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002481{
Gilles Peskine449bd832023-01-11 14:50:10 +01002482 return ssl->alpn_chosen;
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002483}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002484#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002485
Johan Pascalb62bb512015-12-03 21:56:45 +01002486#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +01002487void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2488 int support_mki_value)
Ron Eldor591f1622018-01-22 12:30:04 +02002489{
2490 conf->dtls_srtp_mki_support = support_mki_value;
2491}
2492
Gilles Peskine449bd832023-01-11 14:50:10 +01002493int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2494 unsigned char *mki_value,
2495 uint16_t mki_len)
Ron Eldor591f1622018-01-22 12:30:04 +02002496{
Gilles Peskine449bd832023-01-11 14:50:10 +01002497 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2498 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Ron Eldora9788042018-12-05 11:04:31 +02002499 }
Ron Eldor591f1622018-01-22 12:30:04 +02002500
Gilles Peskine449bd832023-01-11 14:50:10 +01002501 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2502 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Ron Eldora9788042018-12-05 11:04:31 +02002503 }
Ron Eldor591f1622018-01-22 12:30:04 +02002504
Gilles Peskine449bd832023-01-11 14:50:10 +01002505 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +02002506 ssl->dtls_srtp_info.mki_len = mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002507 return 0;
Ron Eldor591f1622018-01-22 12:30:04 +02002508}
2509
Gilles Peskine449bd832023-01-11 14:50:10 +01002510int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2511 const mbedtls_ssl_srtp_profile *profiles)
Johan Pascalb62bb512015-12-03 21:56:45 +01002512{
Johan Pascal253d0262020-09-22 13:04:45 +02002513 const mbedtls_ssl_srtp_profile *p;
2514 size_t list_size = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01002515
Johan Pascal253d0262020-09-22 13:04:45 +02002516 /* check the profiles list: all entry must be valid,
2517 * its size cannot be more than the total number of supported profiles, currently 4 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002518 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2519 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2520 p++) {
2521 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02002522 list_size++;
Gilles Peskine449bd832023-01-11 14:50:10 +01002523 } else {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02002524 /* unsupported value, stop parsing and set the size to an error value */
2525 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
Johan Pascalb62bb512015-12-03 21:56:45 +01002526 }
2527 }
2528
Gilles Peskine449bd832023-01-11 14:50:10 +01002529 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2530 conf->dtls_srtp_profile_list = NULL;
2531 conf->dtls_srtp_profile_list_len = 0;
2532 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Johan Pascal253d0262020-09-22 13:04:45 +02002533 }
2534
Johan Pascal9bc97ca2020-09-21 23:44:45 +02002535 conf->dtls_srtp_profile_list = profiles;
Johan Pascal253d0262020-09-22 13:04:45 +02002536 conf->dtls_srtp_profile_list_len = list_size;
Johan Pascalb62bb512015-12-03 21:56:45 +01002537
Gilles Peskine449bd832023-01-11 14:50:10 +01002538 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01002539}
2540
Gilles Peskine449bd832023-01-11 14:50:10 +01002541void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2542 mbedtls_dtls_srtp_info *dtls_srtp_info)
Johan Pascalb62bb512015-12-03 21:56:45 +01002543{
Johan Pascal2258a4f2020-10-28 13:53:09 +01002544 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2545 /* do not copy the mki value if there is no chosen profile */
Gilles Peskine449bd832023-01-11 14:50:10 +01002546 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
Johan Pascal2258a4f2020-10-28 13:53:09 +01002547 dtls_srtp_info->mki_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002548 } else {
Johan Pascal2258a4f2020-10-28 13:53:09 +01002549 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002550 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2551 ssl->dtls_srtp_info.mki_len);
Johan Pascal2258a4f2020-10-28 13:53:09 +01002552 }
Johan Pascalb62bb512015-12-03 21:56:45 +01002553}
Johan Pascalb62bb512015-12-03 21:56:45 +01002554#endif /* MBEDTLS_SSL_DTLS_SRTP */
2555
Janos Follath088ce432017-04-10 12:42:31 +01002556#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002557void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
2558 char cert_req_ca_list)
Janos Follath088ce432017-04-10 12:42:31 +01002559{
2560 conf->cert_req_ca_list = cert_req_ca_list;
2561}
2562#endif
2563
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002564#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01002565void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002566{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002567 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002568}
2569#endif
2570
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002571#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +01002572void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002573{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002574 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002575}
2576#endif
2577
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002578#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002579int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002580{
Gilles Peskine449bd832023-01-11 14:50:10 +01002581 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
2582 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
2583 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002584 }
2585
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +01002586 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002587
Gilles Peskine449bd832023-01-11 14:50:10 +01002588 return 0;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002589}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002590#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002591
Gilles Peskine449bd832023-01-11 14:50:10 +01002592void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
Paul Bakker48916f92012-09-16 19:57:18 +00002593{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002594 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +00002595}
2596
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002597#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01002598void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002599{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002600 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002601}
2602
Gilles Peskine449bd832023-01-11 14:50:10 +01002603void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02002604{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002605 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02002606}
2607
Gilles Peskine449bd832023-01-11 14:50:10 +01002608void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
2609 const unsigned char period[8])
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01002610{
Gilles Peskine449bd832023-01-11 14:50:10 +01002611 memcpy(conf->renego_period, period, 8);
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01002612}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002613#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker490ecc82011-10-06 13:04:09 +00002614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002615#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002616#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002617void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02002618{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +01002619 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02002620}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002621#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +02002622
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002623#if defined(MBEDTLS_SSL_SRV_C)
Jerry Yu1ad7ace2022-08-09 13:28:39 +08002624
Jerry Yud0766ec2022-09-22 10:46:57 +08002625#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002626void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
2627 uint16_t num_tickets)
Jerry Yu1ad7ace2022-08-09 13:28:39 +08002628{
Jerry Yud0766ec2022-09-22 10:46:57 +08002629 conf->new_session_tickets_count = num_tickets;
Jerry Yu1ad7ace2022-08-09 13:28:39 +08002630}
2631#endif
2632
Gilles Peskine449bd832023-01-11 14:50:10 +01002633void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
2634 mbedtls_ssl_ticket_write_t *f_ticket_write,
2635 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
2636 void *p_ticket)
Paul Bakker606b4ba2013-08-14 16:52:14 +02002637{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02002638 conf->f_ticket_write = f_ticket_write;
2639 conf->f_ticket_parse = f_ticket_parse;
2640 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +02002641}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002642#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002643#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02002644
Gilles Peskine449bd832023-01-11 14:50:10 +01002645void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
2646 mbedtls_ssl_export_keys_t *f_export_keys,
2647 void *p_export_keys)
Robert Cragie4feb7ae2015-10-02 13:33:37 +01002648{
Hanno Becker7e6c1782021-06-08 09:24:55 +01002649 ssl->f_export_keys = f_export_keys;
2650 ssl->p_export_keys = p_export_keys;
Ron Eldorf5cc10d2019-05-07 18:33:40 +03002651}
Robert Cragie4feb7ae2015-10-02 13:33:37 +01002652
Gilles Peskineb74a1c72018-04-24 13:09:22 +02002653#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002654void mbedtls_ssl_conf_async_private_cb(
2655 mbedtls_ssl_config *conf,
2656 mbedtls_ssl_async_sign_t *f_async_sign,
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002657 mbedtls_ssl_async_resume_t *f_async_resume,
2658 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskine449bd832023-01-11 14:50:10 +01002659 void *async_config_data)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002660{
2661 conf->f_async_sign_start = f_async_sign;
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002662 conf->f_async_resume = f_async_resume;
2663 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002664 conf->p_async_config_data = async_config_data;
2665}
2666
Gilles Peskine449bd832023-01-11 14:50:10 +01002667void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
Gilles Peskine8f97af72018-04-26 11:46:10 +02002668{
Gilles Peskine449bd832023-01-11 14:50:10 +01002669 return conf->p_async_config_data;
Gilles Peskine8f97af72018-04-26 11:46:10 +02002670}
2671
Gilles Peskine449bd832023-01-11 14:50:10 +01002672void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002673{
Gilles Peskine449bd832023-01-11 14:50:10 +01002674 if (ssl->handshake == NULL) {
2675 return NULL;
2676 } else {
2677 return ssl->handshake->user_async_ctx;
2678 }
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002679}
2680
Gilles Peskine449bd832023-01-11 14:50:10 +01002681void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
2682 void *ctx)
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002683{
Gilles Peskine449bd832023-01-11 14:50:10 +01002684 if (ssl->handshake != NULL) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002685 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine449bd832023-01-11 14:50:10 +01002686 }
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002687}
Gilles Peskineb74a1c72018-04-24 13:09:22 +02002688#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002689
Paul Bakker5121ce52009-01-03 21:22:43 +00002690/*
2691 * SSL get accessors
2692 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002693uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +00002694{
Gilles Peskine449bd832023-01-11 14:50:10 +01002695 if (ssl->session != NULL) {
2696 return ssl->session->verify_result;
2697 }
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00002698
Gilles Peskine449bd832023-01-11 14:50:10 +01002699 if (ssl->session_negotiate != NULL) {
2700 return ssl->session_negotiate->verify_result;
2701 }
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00002702
Gilles Peskine449bd832023-01-11 14:50:10 +01002703 return 0xFFFFFFFF;
Paul Bakker5121ce52009-01-03 21:22:43 +00002704}
2705
Gilles Peskine449bd832023-01-11 14:50:10 +01002706int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
Glenn Strauss8f526902022-01-13 00:04:49 -05002707{
Gilles Peskine449bd832023-01-11 14:50:10 +01002708 if (ssl == NULL || ssl->session == NULL) {
2709 return 0;
2710 }
Glenn Strauss8f526902022-01-13 00:04:49 -05002711
Gilles Peskine449bd832023-01-11 14:50:10 +01002712 return ssl->session->ciphersuite;
Glenn Strauss8f526902022-01-13 00:04:49 -05002713}
2714
Gilles Peskine449bd832023-01-11 14:50:10 +01002715const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
Paul Bakker72f62662011-01-16 21:27:44 +00002716{
Gilles Peskine449bd832023-01-11 14:50:10 +01002717 if (ssl == NULL || ssl->session == NULL) {
2718 return NULL;
2719 }
Paul Bakker926c8e42013-03-06 10:23:34 +01002720
Gilles Peskine449bd832023-01-11 14:50:10 +01002721 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
Paul Bakker72f62662011-01-16 21:27:44 +00002722}
2723
Gilles Peskine449bd832023-01-11 14:50:10 +01002724const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
Paul Bakker43ca69c2011-01-15 17:35:19 +00002725{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002726#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002727 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2728 switch (ssl->tls_version) {
Glenn Strauss60bfe602022-03-14 19:04:24 -04002729 case MBEDTLS_SSL_VERSION_TLS1_2:
Gilles Peskine449bd832023-01-11 14:50:10 +01002730 return "DTLSv1.2";
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01002731 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01002732 return "unknown (DTLS)";
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01002733 }
2734 }
2735#endif
2736
Gilles Peskine449bd832023-01-11 14:50:10 +01002737 switch (ssl->tls_version) {
Glenn Strauss60bfe602022-03-14 19:04:24 -04002738 case MBEDTLS_SSL_VERSION_TLS1_2:
Gilles Peskine449bd832023-01-11 14:50:10 +01002739 return "TLSv1.2";
Glenn Strauss60bfe602022-03-14 19:04:24 -04002740 case MBEDTLS_SSL_VERSION_TLS1_3:
Gilles Peskine449bd832023-01-11 14:50:10 +01002741 return "TLSv1.3";
Paul Bakker43ca69c2011-01-15 17:35:19 +00002742 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01002743 return "unknown";
Paul Bakker43ca69c2011-01-15 17:35:19 +00002744 }
Paul Bakker43ca69c2011-01-15 17:35:19 +00002745}
2746
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +00002747#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2748
2749size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
2750{
2751 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
2752 size_t record_size_limit = max_len;
2753
2754 if (ssl->session != NULL &&
2755 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
2756 ssl->session->record_size_limit < max_len) {
2757 record_size_limit = ssl->session->record_size_limit;
2758 }
2759
2760 // TODO: this is currently untested
2761 /* During a handshake, use the value being negotiated */
2762 if (ssl->session_negotiate != NULL &&
2763 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
2764 ssl->session_negotiate->record_size_limit < max_len) {
2765 record_size_limit = ssl->session_negotiate->record_size_limit;
2766 }
2767
2768 return record_size_limit;
2769}
2770#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2771
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002772#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002773size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002774{
David Horstmann95d516f2021-05-04 18:36:56 +01002775 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002776 size_t read_mfl;
2777
Jerry Yuddda0502022-12-01 19:43:12 +08002778#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002779 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002780 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
2781 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
2782 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002783 }
Jerry Yuddda0502022-12-01 19:43:12 +08002784#endif
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002785
2786 /* Check if a smaller max length was negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002787 if (ssl->session_out != NULL) {
2788 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
2789 if (read_mfl < max_len) {
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002790 max_len = read_mfl;
2791 }
2792 }
2793
Jerry Yuddda0502022-12-01 19:43:12 +08002794 /* During a handshake, use the value being negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002795 if (ssl->session_negotiate != NULL) {
2796 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
2797 if (read_mfl < max_len) {
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002798 max_len = read_mfl;
2799 }
2800 }
2801
Gilles Peskine449bd832023-01-11 14:50:10 +01002802 return max_len;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002803}
2804
Gilles Peskine449bd832023-01-11 14:50:10 +01002805size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002806{
2807 size_t max_len;
2808
2809 /*
2810 * Assume mfl_code is correct since it was checked when set
2811 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002812 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002813
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02002814 /* Check if a smaller max length was negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002815 if (ssl->session_out != NULL &&
2816 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
2817 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002818 }
2819
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02002820 /* During a handshake, use the value being negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002821 if (ssl->session_negotiate != NULL &&
2822 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
2823 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02002824 }
2825
Gilles Peskine449bd832023-01-11 14:50:10 +01002826 return max_len;
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002827}
2828#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2829
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002830#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002831size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002832{
Andrzej Kurekef43ce62018-10-09 08:24:12 -04002833 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002834 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
2835 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
2836 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
2837 return 0;
2838 }
Andrzej Kurekef43ce62018-10-09 08:24:12 -04002839
Gilles Peskine449bd832023-01-11 14:50:10 +01002840 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
2841 return ssl->mtu;
2842 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002843
Gilles Peskine449bd832023-01-11 14:50:10 +01002844 if (ssl->mtu == 0) {
2845 return ssl->handshake->mtu;
2846 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002847
Gilles Peskine449bd832023-01-11 14:50:10 +01002848 return ssl->mtu < ssl->handshake->mtu ?
2849 ssl->mtu : ssl->handshake->mtu;
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002850}
2851#endif /* MBEDTLS_SSL_PROTO_DTLS */
2852
Gilles Peskine449bd832023-01-11 14:50:10 +01002853int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002854{
2855 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
2856
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02002857#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
Jan Brucknerf482dcc2023-03-15 09:09:06 +01002858 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02002859 !defined(MBEDTLS_SSL_PROTO_DTLS)
2860 (void) ssl;
2861#endif
2862
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002863#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002864 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002865
Gilles Peskine449bd832023-01-11 14:50:10 +01002866 if (max_len > mfl) {
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002867 max_len = mfl;
Gilles Peskine449bd832023-01-11 14:50:10 +01002868 }
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002869#endif
2870
Jan Brucknerf482dcc2023-03-15 09:09:06 +01002871#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2872 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
2873
2874 if (max_len > record_size_limit) {
2875 max_len = record_size_limit;
2876 }
2877#endif
2878
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +00002879 if (ssl->transform_out != NULL &&
2880 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Waleed Elmelegyf5017902024-01-09 14:18:34 +00002881 /*
2882 * In TLS 1.3 case, when records are protected, `max_len` as computed
2883 * above is the maximum length of the TLSInnerPlaintext structure that
2884 * along the plaintext payload contains the inner content type (one byte)
2885 * and some zero padding. Given the algorithm used for padding
2886 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
2887 * the plaintext payload. Round down to a multiple of
2888 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
2889 * subtract 1.
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +00002890 */
2891 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
2892 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
2893 }
2894
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002895#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002896 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
2897 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
2898 const int ret = mbedtls_ssl_get_record_expansion(ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002899 const size_t overhead = (size_t) ret;
2900
Gilles Peskine449bd832023-01-11 14:50:10 +01002901 if (ret < 0) {
2902 return ret;
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002903 }
2904
Gilles Peskine449bd832023-01-11 14:50:10 +01002905 if (mtu <= overhead) {
2906 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
2907 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2908 }
2909
2910 if (max_len > mtu - overhead) {
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002911 max_len = mtu - overhead;
Gilles Peskine449bd832023-01-11 14:50:10 +01002912 }
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002913 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002914#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002915
Hanno Becker0defedb2018-08-10 12:35:02 +01002916#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
Waleed Elmelegy049cd302023-12-20 17:28:31 +00002917 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
2918 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
Hanno Becker0defedb2018-08-10 12:35:02 +01002919 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002920#endif
2921
Gilles Peskine449bd832023-01-11 14:50:10 +01002922 return (int) max_len;
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002923}
2924
Gilles Peskine449bd832023-01-11 14:50:10 +01002925int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
Hanno Becker2d8e99b2021-04-21 06:19:50 +01002926{
2927 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
2928
2929#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2930 (void) ssl;
2931#endif
2932
2933#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002934 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
Hanno Becker2d8e99b2021-04-21 06:19:50 +01002935
Gilles Peskine449bd832023-01-11 14:50:10 +01002936 if (max_len > mfl) {
Hanno Becker2d8e99b2021-04-21 06:19:50 +01002937 max_len = mfl;
Gilles Peskine449bd832023-01-11 14:50:10 +01002938 }
Hanno Becker2d8e99b2021-04-21 06:19:50 +01002939#endif
2940
Gilles Peskine449bd832023-01-11 14:50:10 +01002941 return (int) max_len;
Hanno Becker2d8e99b2021-04-21 06:19:50 +01002942}
2943
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002944#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002945const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
Paul Bakkerb0550d92012-10-30 07:51:03 +00002946{
Gilles Peskine449bd832023-01-11 14:50:10 +01002947 if (ssl == NULL || ssl->session == NULL) {
2948 return NULL;
2949 }
Paul Bakkerb0550d92012-10-30 07:51:03 +00002950
Hanno Beckere6824572019-02-07 13:18:46 +00002951#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +01002952 return ssl->session->peer_cert;
Hanno Beckere6824572019-02-07 13:18:46 +00002953#else
Gilles Peskine449bd832023-01-11 14:50:10 +01002954 return NULL;
Hanno Beckere6824572019-02-07 13:18:46 +00002955#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +00002956}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002957#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00002958
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002959#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002960int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
2961 mbedtls_ssl_session *dst)
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02002962{
Hanno Beckere810bbc2021-05-14 16:01:05 +01002963 int ret;
2964
Gilles Peskine449bd832023-01-11 14:50:10 +01002965 if (ssl == NULL ||
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02002966 dst == NULL ||
2967 ssl->session == NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +01002968 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
2969 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02002970 }
2971
Hanno Beckere810bbc2021-05-14 16:01:05 +01002972 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
2973 * idempotent: Each session can only be exported once.
2974 *
2975 * (This is in preparation for TLS 1.3 support where we will
2976 * need the ability to export multiple sessions (aka tickets),
2977 * which will be achieved by calling mbedtls_ssl_get_session()
2978 * multiple times until it fails.)
2979 *
2980 * Check whether we have already exported the current session,
2981 * and fail if so.
2982 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002983 if (ssl->session->exported == 1) {
2984 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2985 }
Hanno Beckere810bbc2021-05-14 16:01:05 +01002986
Gilles Peskine449bd832023-01-11 14:50:10 +01002987 ret = mbedtls_ssl_session_copy(dst, ssl->session);
2988 if (ret != 0) {
2989 return ret;
2990 }
Hanno Beckere810bbc2021-05-14 16:01:05 +01002991
2992 /* Remember that we've exported the session. */
2993 ssl->session->exported = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01002994 return 0;
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02002995}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002996#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02002997
David Horstmanncb01b362024-02-29 17:31:46 +00002998#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2999
3000/* Serialization of TLS 1.2 sessions
David Horstmanne59f9702024-02-29 16:08:57 +00003001 *
David Horstmanncb01b362024-02-29 17:31:46 +00003002 * For more detail, see the description of ssl_session_save().
David Horstmanne59f9702024-02-29 16:08:57 +00003003 */
3004static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3005 unsigned char *buf,
3006 size_t buf_len)
3007{
3008 unsigned char *p = buf;
3009 size_t used = 0;
3010
3011#if defined(MBEDTLS_HAVE_TIME)
3012 uint64_t start;
3013#endif
3014#if defined(MBEDTLS_X509_CRT_PARSE_C)
3015#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3016 size_t cert_len;
3017#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3018#endif /* MBEDTLS_X509_CRT_PARSE_C */
3019
3020 /*
3021 * Time
3022 */
3023#if defined(MBEDTLS_HAVE_TIME)
3024 used += 8;
3025
3026 if (used <= buf_len) {
3027 start = (uint64_t) session->start;
3028
3029 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3030 p += 8;
3031 }
3032#endif /* MBEDTLS_HAVE_TIME */
3033
3034 /*
3035 * Basic mandatory fields
3036 */
3037 used += 1 /* id_len */
3038 + sizeof(session->id)
3039 + sizeof(session->master)
3040 + 4; /* verify_result */
3041
3042 if (used <= buf_len) {
3043 *p++ = MBEDTLS_BYTE_0(session->id_len);
3044 memcpy(p, session->id, 32);
3045 p += 32;
3046
3047 memcpy(p, session->master, 48);
3048 p += 48;
3049
3050 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3051 p += 4;
3052 }
3053
3054 /*
3055 * Peer's end-entity certificate
3056 */
3057#if defined(MBEDTLS_X509_CRT_PARSE_C)
3058#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3059 if (session->peer_cert == NULL) {
3060 cert_len = 0;
3061 } else {
3062 cert_len = session->peer_cert->raw.len;
3063 }
3064
3065 used += 3 + cert_len;
3066
3067 if (used <= buf_len) {
3068 *p++ = MBEDTLS_BYTE_2(cert_len);
3069 *p++ = MBEDTLS_BYTE_1(cert_len);
3070 *p++ = MBEDTLS_BYTE_0(cert_len);
3071
3072 if (session->peer_cert != NULL) {
3073 memcpy(p, session->peer_cert->raw.p, cert_len);
3074 p += cert_len;
3075 }
3076 }
3077#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3078 if (session->peer_cert_digest != NULL) {
3079 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3080 if (used <= buf_len) {
3081 *p++ = (unsigned char) session->peer_cert_digest_type;
3082 *p++ = (unsigned char) session->peer_cert_digest_len;
3083 memcpy(p, session->peer_cert_digest,
3084 session->peer_cert_digest_len);
3085 p += session->peer_cert_digest_len;
3086 }
3087 } else {
3088 used += 2;
3089 if (used <= buf_len) {
3090 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3091 *p++ = 0;
3092 }
3093 }
3094#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3095#endif /* MBEDTLS_X509_CRT_PARSE_C */
3096
3097 /*
3098 * Session ticket if any, plus associated data
3099 */
3100#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3101#if defined(MBEDTLS_SSL_CLI_C)
3102 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3103 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3104
3105 if (used <= buf_len) {
3106 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3107 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3108 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3109
3110 if (session->ticket != NULL) {
3111 memcpy(p, session->ticket, session->ticket_len);
3112 p += session->ticket_len;
3113 }
3114
3115 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3116 p += 4;
3117 }
3118 }
3119#endif /* MBEDTLS_SSL_CLI_C */
3120#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3121 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3122 used += 8;
3123
3124 if (used <= buf_len) {
3125 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3126 p += 8;
3127 }
3128 }
3129#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3130#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3131
3132 /*
3133 * Misc extension-related info
3134 */
3135#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3136 used += 1;
3137
3138 if (used <= buf_len) {
3139 *p++ = session->mfl_code;
3140 }
3141#endif
3142
3143#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3144 used += 1;
3145
3146 if (used <= buf_len) {
3147 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3148 }
3149#endif
3150
3151 return used;
3152}
3153
3154MBEDTLS_CHECK_RETURN_CRITICAL
3155static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3156 const unsigned char *buf,
3157 size_t len)
3158{
3159#if defined(MBEDTLS_HAVE_TIME)
3160 uint64_t start;
3161#endif
3162#if defined(MBEDTLS_X509_CRT_PARSE_C)
3163#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3164 size_t cert_len;
3165#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3166#endif /* MBEDTLS_X509_CRT_PARSE_C */
3167
3168 const unsigned char *p = buf;
3169 const unsigned char * const end = buf + len;
3170
3171 /*
3172 * Time
3173 */
3174#if defined(MBEDTLS_HAVE_TIME)
3175 if (8 > (size_t) (end - p)) {
3176 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3177 }
3178
3179 start = MBEDTLS_GET_UINT64_BE(p, 0);
3180 p += 8;
3181
3182 session->start = (time_t) start;
3183#endif /* MBEDTLS_HAVE_TIME */
3184
3185 /*
3186 * Basic mandatory fields
3187 */
3188 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3189 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3190 }
3191
3192 session->id_len = *p++;
3193 memcpy(session->id, p, 32);
3194 p += 32;
3195
3196 memcpy(session->master, p, 48);
3197 p += 48;
3198
3199 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3200 p += 4;
3201
3202 /* Immediately clear invalid pointer values that have been read, in case
3203 * we exit early before we replaced them with valid ones. */
3204#if defined(MBEDTLS_X509_CRT_PARSE_C)
3205#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3206 session->peer_cert = NULL;
3207#else
3208 session->peer_cert_digest = NULL;
3209#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3210#endif /* MBEDTLS_X509_CRT_PARSE_C */
3211#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3212 session->ticket = NULL;
3213#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3214
3215 /*
3216 * Peer certificate
3217 */
3218#if defined(MBEDTLS_X509_CRT_PARSE_C)
3219#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3220 /* Deserialize CRT from the end of the ticket. */
3221 if (3 > (size_t) (end - p)) {
3222 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3223 }
3224
3225 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3226 p += 3;
3227
3228 if (cert_len != 0) {
3229 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3230
3231 if (cert_len > (size_t) (end - p)) {
3232 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3233 }
3234
3235 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3236
3237 if (session->peer_cert == NULL) {
3238 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3239 }
3240
3241 mbedtls_x509_crt_init(session->peer_cert);
3242
3243 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3244 p, cert_len)) != 0) {
3245 mbedtls_x509_crt_free(session->peer_cert);
3246 mbedtls_free(session->peer_cert);
3247 session->peer_cert = NULL;
3248 return ret;
3249 }
3250
3251 p += cert_len;
3252 }
3253#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3254 /* Deserialize CRT digest from the end of the ticket. */
3255 if (2 > (size_t) (end - p)) {
3256 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3257 }
3258
3259 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3260 session->peer_cert_digest_len = (size_t) *p++;
3261
3262 if (session->peer_cert_digest_len != 0) {
3263 const mbedtls_md_info_t *md_info =
3264 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3265 if (md_info == NULL) {
3266 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3267 }
3268 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3269 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3270 }
3271
3272 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3273 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3274 }
3275
3276 session->peer_cert_digest =
3277 mbedtls_calloc(1, session->peer_cert_digest_len);
3278 if (session->peer_cert_digest == NULL) {
3279 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3280 }
3281
3282 memcpy(session->peer_cert_digest, p,
3283 session->peer_cert_digest_len);
3284 p += session->peer_cert_digest_len;
3285 }
3286#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3287#endif /* MBEDTLS_X509_CRT_PARSE_C */
3288
3289 /*
3290 * Session ticket and associated data
3291 */
3292#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3293#if defined(MBEDTLS_SSL_CLI_C)
3294 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3295 if (3 > (size_t) (end - p)) {
3296 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3297 }
3298
3299 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3300 p += 3;
3301
3302 if (session->ticket_len != 0) {
3303 if (session->ticket_len > (size_t) (end - p)) {
3304 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3305 }
3306
3307 session->ticket = mbedtls_calloc(1, session->ticket_len);
3308 if (session->ticket == NULL) {
3309 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3310 }
3311
3312 memcpy(session->ticket, p, session->ticket_len);
3313 p += session->ticket_len;
3314 }
3315
3316 if (4 > (size_t) (end - p)) {
3317 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3318 }
3319
3320 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3321 p += 4;
3322 }
3323#endif /* MBEDTLS_SSL_CLI_C */
3324#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3325 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3326 if (8 > (size_t) (end - p)) {
3327 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3328 }
3329 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3330 p += 8;
3331 }
3332#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3333#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3334
3335 /*
3336 * Misc extension-related info
3337 */
3338#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3339 if (1 > (size_t) (end - p)) {
3340 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3341 }
3342
3343 session->mfl_code = *p++;
3344#endif
3345
3346#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3347 if (1 > (size_t) (end - p)) {
3348 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3349 }
3350
3351 session->encrypt_then_mac = *p++;
3352#endif
3353
3354 /* Done, should have consumed entire buffer */
3355 if (p != end) {
3356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3357 }
3358
3359 return 0;
3360}
3361
3362#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3363
3364#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3365/* Serialization of TLS 1.3 sessions:
3366 *
David Horstmanncb01b362024-02-29 17:31:46 +00003367 * For more detail, see the description of ssl_session_save().
David Horstmanne59f9702024-02-29 16:08:57 +00003368 */
3369#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3370MBEDTLS_CHECK_RETURN_CRITICAL
3371static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3372 unsigned char *buf,
3373 size_t buf_len,
3374 size_t *olen)
3375{
3376 unsigned char *p = buf;
3377#if defined(MBEDTLS_SSL_CLI_C) && \
3378 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3379 size_t hostname_len = (session->hostname == NULL) ?
3380 0 : strlen(session->hostname) + 1;
3381#endif
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003382
3383#if defined(MBEDTLS_SSL_SRV_C) && \
3384 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003385 const size_t alpn_len = (session->ticket_alpn == NULL) ?
Waleed Elmelegyb28ab0a2024-03-13 16:48:28 +00003386 0 : strlen(session->ticket_alpn) + 1;
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003387#endif
David Horstmanne59f9702024-02-29 16:08:57 +00003388 size_t needed = 4 /* ticket_age_add */
3389 + 1 /* ticket_flags */
3390 + 1; /* resumption_key length */
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003391
David Horstmanne59f9702024-02-29 16:08:57 +00003392 *olen = 0;
3393
3394 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3395 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3396 }
3397 needed += session->resumption_key_len; /* resumption_key */
3398
3399#if defined(MBEDTLS_SSL_EARLY_DATA)
3400 needed += 4; /* max_early_data_size */
3401#endif
3402#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3403 needed += 2; /* record_size_limit */
3404#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3405
3406#if defined(MBEDTLS_HAVE_TIME)
3407 needed += 8; /* ticket_creation_time or ticket_reception_time */
3408#endif
3409
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003410#if defined(MBEDTLS_SSL_SRV_C)
3411 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3412#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003413 needed += 2 /* alpn_len */
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003414 + alpn_len; /* alpn */
3415#endif
3416 }
3417#endif /* MBEDTLS_SSL_SRV_C */
3418
David Horstmanne59f9702024-02-29 16:08:57 +00003419#if defined(MBEDTLS_SSL_CLI_C)
3420 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3421#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3422 needed += 2 /* hostname_len */
3423 + hostname_len; /* hostname */
3424#endif
3425
3426 needed += 4 /* ticket_lifetime */
3427 + 2; /* ticket_len */
3428
3429 /* Check size_t overflow */
3430 if (session->ticket_len > SIZE_MAX - needed) {
3431 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3432 }
3433
3434 needed += session->ticket_len; /* ticket */
3435 }
3436#endif /* MBEDTLS_SSL_CLI_C */
3437
3438 *olen = needed;
3439 if (needed > buf_len) {
3440 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3441 }
3442
3443 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3444 p[4] = session->ticket_flags;
3445
3446 /* save resumption_key */
3447 p[5] = session->resumption_key_len;
3448 p += 6;
3449 memcpy(p, session->resumption_key, session->resumption_key_len);
3450 p += session->resumption_key_len;
3451
3452#if defined(MBEDTLS_SSL_EARLY_DATA)
3453 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3454 p += 4;
3455#endif
3456#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3457 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3458 p += 2;
3459#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3460
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003461#if defined(MBEDTLS_SSL_SRV_C)
David Horstmanne59f9702024-02-29 16:08:57 +00003462 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003463#if defined(MBEDTLS_HAVE_TIME)
David Horstmanne59f9702024-02-29 16:08:57 +00003464 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3465 p += 8;
David Horstmanne59f9702024-02-29 16:08:57 +00003466#endif /* MBEDTLS_HAVE_TIME */
3467
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003468#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003469 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3470 p += 2;
3471
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003472 if (alpn_len > 0) {
3473 /* save chosen alpn */
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00003474 memcpy(p, session->ticket_alpn, alpn_len);
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003475 p += alpn_len;
3476 }
3477#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3478 }
3479#endif /* MBEDTLS_SSL_SRV_C */
3480
David Horstmanne59f9702024-02-29 16:08:57 +00003481#if defined(MBEDTLS_SSL_CLI_C)
3482 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3483#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3484 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3485 p += 2;
3486 if (hostname_len > 0) {
3487 /* save host name */
3488 memcpy(p, session->hostname, hostname_len);
3489 p += hostname_len;
3490 }
3491#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3492
3493#if defined(MBEDTLS_HAVE_TIME)
3494 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3495 p += 8;
3496#endif
3497 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3498 p += 4;
3499
3500 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3501 p += 2;
3502
3503 if (session->ticket != NULL && session->ticket_len > 0) {
3504 memcpy(p, session->ticket, session->ticket_len);
3505 p += session->ticket_len;
3506 }
3507 }
3508#endif /* MBEDTLS_SSL_CLI_C */
3509 return 0;
3510}
3511
3512MBEDTLS_CHECK_RETURN_CRITICAL
3513static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3514 const unsigned char *buf,
3515 size_t len)
3516{
3517 const unsigned char *p = buf;
3518 const unsigned char *end = buf + len;
3519
3520 if (end - p < 6) {
3521 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3522 }
3523 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3524 session->ticket_flags = p[4];
3525
3526 /* load resumption_key */
3527 session->resumption_key_len = p[5];
3528 p += 6;
3529
3530 if (end - p < session->resumption_key_len) {
3531 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3532 }
3533
3534 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3535 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3536 }
3537 memcpy(session->resumption_key, p, session->resumption_key_len);
3538 p += session->resumption_key_len;
3539
3540#if defined(MBEDTLS_SSL_EARLY_DATA)
3541 if (end - p < 4) {
3542 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3543 }
3544 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3545 p += 4;
3546#endif
3547#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3548 if (end - p < 2) {
3549 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3550 }
3551 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
3552 p += 2;
3553#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3554
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003555#if defined(MBEDTLS_SSL_SRV_C)
David Horstmanne59f9702024-02-29 16:08:57 +00003556 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003557#if defined(MBEDTLS_HAVE_TIME)
David Horstmanne59f9702024-02-29 16:08:57 +00003558 if (end - p < 8) {
3559 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3560 }
3561 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3562 p += 8;
David Horstmanne59f9702024-02-29 16:08:57 +00003563#endif /* MBEDTLS_HAVE_TIME */
3564
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003565#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003566 size_t alpn_len;
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003567
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003568 if (end - p < 2) {
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003569 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3570 }
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00003571
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003572 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
3573 p += 2;
3574
3575 if (end - p < (long int) alpn_len) {
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003576 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3577 }
3578
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003579 if (alpn_len > 0) {
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003580 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
3581 if (ret != 0) {
3582 return ret;
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003583 }
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003584 p += alpn_len;
3585 }
3586#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3587 }
3588#endif /* MBEDTLS_SSL_SRV_C */
3589
David Horstmanne59f9702024-02-29 16:08:57 +00003590#if defined(MBEDTLS_SSL_CLI_C)
3591 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3592#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3593 size_t hostname_len;
3594 /* load host name */
3595 if (end - p < 2) {
3596 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3597 }
3598 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
3599 p += 2;
3600
3601 if (end - p < (long int) hostname_len) {
3602 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3603 }
3604 if (hostname_len > 0) {
3605 session->hostname = mbedtls_calloc(1, hostname_len);
3606 if (session->hostname == NULL) {
3607 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3608 }
3609 memcpy(session->hostname, p, hostname_len);
3610 p += hostname_len;
3611 }
3612#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3613
3614#if defined(MBEDTLS_HAVE_TIME)
3615 if (end - p < 8) {
3616 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3617 }
3618 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
3619 p += 8;
3620#endif
3621 if (end - p < 4) {
3622 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3623 }
3624 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3625 p += 4;
3626
3627 if (end - p < 2) {
3628 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3629 }
3630 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
3631 p += 2;
3632
3633 if (end - p < (long int) session->ticket_len) {
3634 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3635 }
3636 if (session->ticket_len > 0) {
3637 session->ticket = mbedtls_calloc(1, session->ticket_len);
3638 if (session->ticket == NULL) {
3639 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3640 }
3641 memcpy(session->ticket, p, session->ticket_len);
3642 p += session->ticket_len;
3643 }
3644 }
3645#endif /* MBEDTLS_SSL_CLI_C */
3646
3647 return 0;
3648
3649}
3650#else /* MBEDTLS_SSL_SESSION_TICKETS */
3651MBEDTLS_CHECK_RETURN_CRITICAL
3652static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3653 unsigned char *buf,
3654 size_t buf_len,
3655 size_t *olen)
3656{
3657 ((void) session);
3658 ((void) buf);
3659 ((void) buf_len);
3660 *olen = 0;
3661 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3662}
3663
3664static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
Norbert Fabritiusd36913a2023-01-24 17:48:29 +01003665 const unsigned char *buf,
David Horstmanne59f9702024-02-29 16:08:57 +00003666 size_t buf_len)
3667{
3668 ((void) session);
3669 ((void) buf);
3670 ((void) buf_len);
3671 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3672}
3673#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
3674#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3675
Paul Bakker5121ce52009-01-03 21:22:43 +00003676/*
Hanno Beckera835da52019-05-16 12:39:07 +01003677 * Define ticket header determining Mbed TLS version
3678 * and structure of the ticket.
3679 */
3680
Hanno Becker94ef3b32019-05-16 12:50:45 +01003681/*
Hanno Becker50b59662019-05-28 14:30:45 +01003682 * Define bitflag determining compile-time settings influencing
3683 * structure of serialized SSL sessions.
Hanno Becker94ef3b32019-05-16 12:50:45 +01003684 */
3685
Hanno Becker50b59662019-05-28 14:30:45 +01003686#if defined(MBEDTLS_HAVE_TIME)
Hanno Becker3e088662019-05-29 11:10:18 +01003687#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
Hanno Becker50b59662019-05-28 14:30:45 +01003688#else
Hanno Becker3e088662019-05-29 11:10:18 +01003689#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003690#endif /* MBEDTLS_HAVE_TIME */
3691
3692#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker3e088662019-05-29 11:10:18 +01003693#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003694#else
Hanno Becker3e088662019-05-29 11:10:18 +01003695#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003696#endif /* MBEDTLS_X509_CRT_PARSE_C */
3697
David Horstmann5c5a32f2024-02-13 17:53:35 +00003698#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
David Horstmannf686f1d2024-03-01 11:20:32 +00003699#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
David Horstmann5c5a32f2024-02-13 17:53:35 +00003700#else
David Horstmannf686f1d2024-03-01 11:20:32 +00003701#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
David Horstmann5c5a32f2024-02-13 17:53:35 +00003702#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3703
Hanno Becker94ef3b32019-05-16 12:50:45 +01003704#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker3e088662019-05-29 11:10:18 +01003705#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003706#else
Hanno Becker3e088662019-05-29 11:10:18 +01003707#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003708#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
3709
3710#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker3e088662019-05-29 11:10:18 +01003711#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003712#else
Hanno Becker3e088662019-05-29 11:10:18 +01003713#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003714#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3715
Hanno Becker94ef3b32019-05-16 12:50:45 +01003716#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker3e088662019-05-29 11:10:18 +01003717#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003718#else
Hanno Becker3e088662019-05-29 11:10:18 +01003719#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003720#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
3721
Hanno Becker94ef3b32019-05-16 12:50:45 +01003722#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3723#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
3724#else
3725#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
3726#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3727
David Horstmann92b258b2024-02-13 17:23:34 +00003728#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3729#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
3730#else
3731#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
3732#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3733
3734#if defined(MBEDTLS_SSL_EARLY_DATA)
3735#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
3736#else
3737#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
3738#endif /* MBEDTLS_SSL_EARLY_DATA */
3739
3740#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3741#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
3742#else
3743#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
3744#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3745
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003746#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
3747 defined(MBEDTLS_SSL_EARLY_DATA)
Waleed Elmelegy11025632024-03-07 15:25:52 +00003748#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
3749#else
3750#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
3751#endif /* MBEDTLS_SSL_ALPN */
3752
Hanno Becker3e088662019-05-29 11:10:18 +01003753#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
3754#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
3755#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
3756#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
Hanno Becker37bdbe62021-08-01 05:38:58 +01003757#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
3758#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
David Horstmannf686f1d2024-03-01 11:20:32 +00003759#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
David Horstmann92b258b2024-02-13 17:23:34 +00003760#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
3761#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
3762#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
Waleed Elmelegy11025632024-03-07 15:25:52 +00003763#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
Hanno Becker3e088662019-05-29 11:10:18 +01003764
Hanno Becker50b59662019-05-28 14:30:45 +01003765#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
Gilles Peskine449bd832023-01-11 14:50:10 +01003766 ((uint16_t) ( \
3767 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
3768 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
3769 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
3770 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
3771 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
3772 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
David Horstmann5c5a32f2024-02-13 17:53:35 +00003773 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
David Horstmann71fa1a92024-03-01 12:32:18 +00003774 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
3775 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
David Horstmann92b258b2024-02-13 17:23:34 +00003776 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
3777 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
3778 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
3779 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
Waleed Elmelegy11025632024-03-07 15:25:52 +00003780 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
Waleed Elmelegy75e33fa2024-03-07 16:57:58 +00003781 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
Waleed Elmelegy11025632024-03-07 15:25:52 +00003782 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
Hanno Becker94ef3b32019-05-16 12:50:45 +01003783
Chien Wong4e9683e2023-12-28 17:07:43 +08003784static const unsigned char ssl_serialized_session_header[] = {
Hanno Becker94ef3b32019-05-16 12:50:45 +01003785 MBEDTLS_VERSION_MAJOR,
3786 MBEDTLS_VERSION_MINOR,
3787 MBEDTLS_VERSION_PATCH,
Gilles Peskine449bd832023-01-11 14:50:10 +01003788 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
3789 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
Hanno Beckerf8787072019-05-16 12:41:07 +01003790};
Hanno Beckera835da52019-05-16 12:39:07 +01003791
3792/*
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003793 * Serialize a session in the following format:
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02003794 * (in the presentation language of TLS, RFC 8446 section 3)
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003795 *
David Horstmanncb01b362024-02-29 17:31:46 +00003796 * TLS 1.2 session:
3797 *
3798 * struct {
3799 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3800 * opaque ticket<0..2^24-1>; // length 0 means no ticket
3801 * uint32 ticket_lifetime;
3802 * #endif
3803 * } ClientOnlyData;
3804 *
3805 * struct {
3806 * #if defined(MBEDTLS_HAVE_TIME)
3807 * uint64 start_time;
3808 * #endif
3809 * uint8 session_id_len; // at most 32
3810 * opaque session_id[32];
3811 * opaque master[48]; // fixed length in the standard
3812 * uint32 verify_result;
3813 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
3814 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
3815 * #else
David Horstmann76ba26a2024-03-01 12:03:35 +00003816 * uint8 peer_cert_digest_type;
David Horstmanncb01b362024-02-29 17:31:46 +00003817 * opaque peer_cert_digest<0..2^8-1>
3818 * #endif
3819 * select (endpoint) {
3820 * case client: ClientOnlyData;
3821 * case server: uint64 ticket_creation_time;
3822 * };
3823 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3824 * uint8 mfl_code; // up to 255 according to standard
3825 * #endif
3826 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3827 * uint8 encrypt_then_mac; // 0 or 1
3828 * #endif
3829 * } serialized_session_tls12;
3830 *
3831 *
3832 * TLS 1.3 Session:
3833 *
3834 * struct {
3835 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3836 * opaque hostname<0..2^16-1>;
3837 * #endif
3838 * #if defined(MBEDTLS_HAVE_TIME)
3839 * uint64 ticket_reception_time;
3840 * #endif
3841 * uint32 ticket_lifetime;
3842 * opaque ticket<1..2^16-1>;
3843 * } ClientOnlyData;
3844 *
3845 * struct {
3846 * uint32 ticket_age_add;
3847 * uint8 ticket_flags;
3848 * opaque resumption_key<0..255>;
3849 * #if defined(MBEDTLS_SSL_EARLY_DATA)
3850 * uint32 max_early_data_size;
3851 * #endif
3852 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3853 * uint16 record_size_limit;
3854 * #endif
3855 * select ( endpoint ) {
3856 * case client: ClientOnlyData;
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003857 * case server:
David Horstmanncb01b362024-02-29 17:31:46 +00003858 * #if defined(MBEDTLS_HAVE_TIME)
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003859 * uint64 ticket_creation_time;
David Horstmanncb01b362024-02-29 17:31:46 +00003860 * #endif
Waleed Elmelegyfe9ae082024-03-07 15:47:31 +00003861 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003862 * opaque ticket_alpn<0..256>;
David Horstmanncb01b362024-02-29 17:31:46 +00003863 * #endif
3864 * };
3865 * } serialized_session_tls13;
3866 *
3867 *
3868 * SSL session:
3869 *
3870 * struct {
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01003871 *
Hanno Beckerdce50972021-08-01 05:39:23 +01003872 * opaque mbedtls_version[3]; // library version: major, minor, patch
3873 * opaque session_format[2]; // library-version specific 16-bit field
3874 * // determining the format of the remaining
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003875 * // serialized data.
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01003876 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003877 * Note: When updating the format, remember to keep
3878 * these version+format bytes.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003879 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003880 * // In this version, `session_format` determines
3881 * // the setting of those compile-time
3882 * // configuration options which influence
3883 * // the structure of mbedtls_ssl_session.
3884 *
Glenn Straussda7851c2022-03-14 13:29:48 -04003885 * uint8_t minor_ver; // Protocol minor version. Possible values:
Jerry Yu0c2a7382022-12-06 13:27:25 +08003886 * // - TLS 1.2 (0x0303)
3887 * // - TLS 1.3 (0x0304)
David Horstmann531aca22024-02-29 18:14:28 +00003888 * uint8_t endpoint;
3889 * uint16_t ciphersuite;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003890 *
Glenn Straussda7851c2022-03-14 13:29:48 -04003891 * select (serialized_session.tls_version) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003892 *
Glenn Straussda7851c2022-03-14 13:29:48 -04003893 * case MBEDTLS_SSL_VERSION_TLS1_2:
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003894 * serialized_session_tls12 data;
Jerry Yu0c2a7382022-12-06 13:27:25 +08003895 * case MBEDTLS_SSL_VERSION_TLS1_3:
Jerry Yuddda0502022-12-01 19:43:12 +08003896 * serialized_session_tls13 data;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003897 *
3898 * };
3899 *
3900 * } serialized_session;
3901 *
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003902 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003903
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02003904MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01003905static int ssl_session_save(const mbedtls_ssl_session *session,
3906 unsigned char omit_header,
3907 unsigned char *buf,
3908 size_t buf_len,
3909 size_t *olen)
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003910{
3911 unsigned char *p = buf;
3912 size_t used = 0;
Jerry Yu251a12e2022-07-13 15:15:48 +08003913 size_t remaining_len;
Jerry Yue36fdd62022-08-17 21:31:36 +08003914#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3915 size_t out_len;
3916 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3917#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01003918 if (session == NULL) {
3919 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3920 }
Jerry Yu438ddd82022-07-07 06:55:50 +00003921
Gilles Peskine449bd832023-01-11 14:50:10 +01003922 if (!omit_header) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003923 /*
3924 * Add Mbed TLS version identifier
3925 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003926 used += sizeof(ssl_serialized_session_header);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003927
Gilles Peskine449bd832023-01-11 14:50:10 +01003928 if (used <= buf_len) {
3929 memcpy(p, ssl_serialized_session_header,
3930 sizeof(ssl_serialized_session_header));
3931 p += sizeof(ssl_serialized_session_header);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003932 }
3933 }
3934
3935 /*
Ronald Cron40a4ab02024-01-15 10:21:30 +01003936 * TLS version identifier, endpoint, ciphersuite
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003937 */
Ronald Cron40a4ab02024-01-15 10:21:30 +01003938 used += 1 /* TLS version */
3939 + 1 /* endpoint */
3940 + 2; /* ciphersuite */
Gilles Peskine449bd832023-01-11 14:50:10 +01003941 if (used <= buf_len) {
3942 *p++ = MBEDTLS_BYTE_0(session->tls_version);
Ronald Cron40a4ab02024-01-15 10:21:30 +01003943 *p++ = session->endpoint;
3944 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
3945 p += 2;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003946 }
3947
3948 /* Forward to version-specific serialization routine. */
Jerry Yufca4d572022-07-21 10:37:48 +08003949 remaining_len = (buf_len >= used) ? buf_len - used : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01003950 switch (session->tls_version) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003951#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01003952 case MBEDTLS_SSL_VERSION_TLS1_2:
3953 used += ssl_tls12_session_save(session, p, remaining_len);
3954 break;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003955#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3956
Jerry Yu251a12e2022-07-13 15:15:48 +08003957#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01003958 case MBEDTLS_SSL_VERSION_TLS1_3:
3959 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
3960 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
3961 return ret;
3962 }
3963 used += out_len;
3964 break;
Jerry Yu251a12e2022-07-13 15:15:48 +08003965#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3966
Gilles Peskine449bd832023-01-11 14:50:10 +01003967 default:
3968 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003969 }
3970
3971 *olen = used;
Gilles Peskine449bd832023-01-11 14:50:10 +01003972 if (used > buf_len) {
3973 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3974 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003975
Gilles Peskine449bd832023-01-11 14:50:10 +01003976 return 0;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003977}
3978
3979/*
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02003980 * Public wrapper for ssl_session_save()
3981 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003982int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
3983 unsigned char *buf,
3984 size_t buf_len,
3985 size_t *olen)
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02003986{
Gilles Peskine449bd832023-01-11 14:50:10 +01003987 return ssl_session_save(session, 0, buf, buf_len, olen);
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02003988}
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003989
Jerry Yuf1b23ca2022-02-18 11:48:47 +08003990/*
3991 * Deserialize session, see mbedtls_ssl_session_save() for format.
3992 *
3993 * This internal version is wrapped by a public function that cleans up in
3994 * case of error, and has an extra option omit_header.
3995 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02003996MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01003997static int ssl_session_load(mbedtls_ssl_session *session,
3998 unsigned char omit_header,
3999 const unsigned char *buf,
4000 size_t len)
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004001{
4002 const unsigned char *p = buf;
4003 const unsigned char * const end = buf + len;
Jerry Yu438ddd82022-07-07 06:55:50 +00004004 size_t remaining_len;
4005
4006
Gilles Peskine449bd832023-01-11 14:50:10 +01004007 if (session == NULL) {
4008 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4009 }
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004010
Gilles Peskine449bd832023-01-11 14:50:10 +01004011 if (!omit_header) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004012 /*
4013 * Check Mbed TLS version identifier
4014 */
4015
Gilles Peskine449bd832023-01-11 14:50:10 +01004016 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4017 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004018 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004019
4020 if (memcmp(p, ssl_serialized_session_header,
4021 sizeof(ssl_serialized_session_header)) != 0) {
4022 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4023 }
4024 p += sizeof(ssl_serialized_session_header);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004025 }
4026
4027 /*
Ronald Cron40a4ab02024-01-15 10:21:30 +01004028 * TLS version identifier, endpoint, ciphersuite
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004029 */
Ronald Cron40a4ab02024-01-15 10:21:30 +01004030 if (4 > (size_t) (end - p)) {
Gilles Peskine449bd832023-01-11 14:50:10 +01004031 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4032 }
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01004033 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
Ronald Cron40a4ab02024-01-15 10:21:30 +01004034 session->endpoint = *p++;
4035 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4036 p += 2;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004037
4038 /* Dispatch according to TLS version. */
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +00004039 remaining_len = (size_t) (end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +01004040 switch (session->tls_version) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004041#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004042 case MBEDTLS_SSL_VERSION_TLS1_2:
4043 return ssl_tls12_session_load(session, p, remaining_len);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004044#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4045
Jerry Yu438ddd82022-07-07 06:55:50 +00004046#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004047 case MBEDTLS_SSL_VERSION_TLS1_3:
4048 return ssl_tls13_session_load(session, p, remaining_len);
Jerry Yu438ddd82022-07-07 06:55:50 +00004049#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4050
Gilles Peskine449bd832023-01-11 14:50:10 +01004051 default:
4052 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004053 }
4054}
4055
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004056/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02004057 * Deserialize session: public wrapper for error cleaning
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004058 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004059int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4060 const unsigned char *buf,
4061 size_t len)
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004062{
Gilles Peskine449bd832023-01-11 14:50:10 +01004063 int ret = ssl_session_load(session, 0, buf, len);
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004064
Gilles Peskine449bd832023-01-11 14:50:10 +01004065 if (ret != 0) {
4066 mbedtls_ssl_session_free(session);
4067 }
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004068
Gilles Peskine449bd832023-01-11 14:50:10 +01004069 return ret;
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004070}
4071
4072/*
Paul Bakker1961b702013-01-25 14:49:24 +01004073 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00004074 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004075MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004076static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
Hanno Becker41934dd2021-08-07 19:13:43 +01004077{
4078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4079
Ronald Cron66dbf912022-02-02 15:33:46 +01004080 /*
4081 * We may have not been able to send to the peer all the handshake data
Ronald Cron3f20b772022-03-08 16:00:02 +01004082 * that were written into the output buffer by the previous handshake step,
4083 * if the write to the network callback returned with the
Ronald Cron66dbf912022-02-02 15:33:46 +01004084 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4085 * We proceed to the next handshake step only when all data from the
4086 * previous one have been sent to the peer, thus we make sure that this is
4087 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4088 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4089 * we have to wait before to go ahead.
4090 * In the case of TLS 1.3, handshake step handlers do not send data to the
4091 * peer. Data are only sent here and through
4092 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
Andrzej Kurek5c65c572022-04-13 14:28:52 -04004093 * alert occurred.
Ronald Cron66dbf912022-02-02 15:33:46 +01004094 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004095 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4096 return ret;
4097 }
Hanno Becker41934dd2021-08-07 19:13:43 +01004098
4099#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004100 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4101 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4102 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4103 return ret;
4104 }
Hanno Becker41934dd2021-08-07 19:13:43 +01004105 }
4106#endif /* MBEDTLS_SSL_PROTO_DTLS */
4107
Gilles Peskine449bd832023-01-11 14:50:10 +01004108 return ret;
Hanno Becker41934dd2021-08-07 19:13:43 +01004109}
4110
Gilles Peskine449bd832023-01-11 14:50:10 +01004111int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +00004112{
Hanno Becker41934dd2021-08-07 19:13:43 +01004113 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +00004114
Gilles Peskine449bd832023-01-11 14:50:10 +01004115 if (ssl == NULL ||
Hanno Becker41934dd2021-08-07 19:13:43 +01004116 ssl->conf == NULL ||
4117 ssl->handshake == NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +01004118 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4119 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Becker41934dd2021-08-07 19:13:43 +01004120 }
4121
Gilles Peskine449bd832023-01-11 14:50:10 +01004122 ret = ssl_prepare_handshake_step(ssl);
4123 if (ret != 0) {
4124 return ret;
4125 }
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02004126
Gilles Peskine449bd832023-01-11 14:50:10 +01004127 ret = mbedtls_ssl_handle_pending_alert(ssl);
4128 if (ret != 0) {
Jerry Yue7047812021-09-13 19:26:39 +08004129 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01004130 }
Jerry Yue7047812021-09-13 19:26:39 +08004131
Tom Cosgrove2fdc7b32022-09-21 12:33:17 +01004132 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4133 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4134 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004136#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004137 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4138 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01004139 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
Jerry Yub9930e72021-08-06 17:11:51 +08004140
Gilles Peskine449bd832023-01-11 14:50:10 +01004141 switch (ssl->state) {
Ronald Cron9f0fba32022-02-10 16:45:15 +01004142 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskinef670ba52025-03-07 15:09:32 +01004143 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Tom Cosgrove87d9c6c2022-09-22 09:27:56 +01004144 ret = 0;
Ronald Cron9f0fba32022-02-10 16:45:15 +01004145 break;
Jerry Yub9930e72021-08-06 17:11:51 +08004146
Ronald Cron9f0fba32022-02-10 16:45:15 +01004147 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +01004148 ret = mbedtls_ssl_write_client_hello(ssl);
Ronald Cron9f0fba32022-02-10 16:45:15 +01004149 break;
4150
4151 default:
4152#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004153 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4154 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4155 } else {
4156 ret = mbedtls_ssl_handshake_client_step(ssl);
4157 }
Ronald Cron9f0fba32022-02-10 16:45:15 +01004158#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004159 ret = mbedtls_ssl_handshake_client_step(ssl);
Ronald Cron9f0fba32022-02-10 16:45:15 +01004160#else
Gilles Peskine449bd832023-01-11 14:50:10 +01004161 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
Ronald Cron9f0fba32022-02-10 16:45:15 +01004162#endif
4163 }
Jerry Yub9930e72021-08-06 17:11:51 +08004164 }
Ronald Cron6291b232023-03-08 15:51:25 +01004165#endif /* MBEDTLS_SSL_CLI_C */
4166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004167#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004168 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Ronald Cron6291b232023-03-08 15:51:25 +01004169#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4170 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Gilles Peskine449bd832023-01-11 14:50:10 +01004171 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
Ronald Cron6291b232023-03-08 15:51:25 +01004172 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +01004173 ret = mbedtls_ssl_handshake_server_step(ssl);
4174 }
Ronald Cron6291b232023-03-08 15:51:25 +01004175#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4176 ret = mbedtls_ssl_handshake_server_step(ssl);
4177#else
4178 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +00004179#endif
Ronald Cron6291b232023-03-08 15:51:25 +01004180 }
4181#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00004182
Gilles Peskine449bd832023-01-11 14:50:10 +01004183 if (ret != 0) {
Jerry Yubbd5a3f2021-09-18 20:50:22 +08004184 /* handshake_step return error. And it is same
4185 * with alert_reason.
4186 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004187 if (ssl->send_alert) {
4188 ret = mbedtls_ssl_handle_pending_alert(ssl);
Jerry Yue7047812021-09-13 19:26:39 +08004189 goto cleanup;
4190 }
4191 }
4192
4193cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +01004194 return ret;
Paul Bakker1961b702013-01-25 14:49:24 +01004195}
4196
4197/*
4198 * Perform the SSL handshake
4199 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004200int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
Paul Bakker1961b702013-01-25 14:49:24 +01004201{
4202 int ret = 0;
4203
Hanno Beckera817ea42020-10-20 15:20:23 +01004204 /* Sanity checks */
4205
Gilles Peskine449bd832023-01-11 14:50:10 +01004206 if (ssl == NULL || ssl->conf == NULL) {
4207 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4208 }
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02004209
Hanno Beckera817ea42020-10-20 15:20:23 +01004210#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004211 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4212 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4213 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4214 "mbedtls_ssl_set_timer_cb() for DTLS"));
4215 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckera817ea42020-10-20 15:20:23 +01004216 }
4217#endif /* MBEDTLS_SSL_PROTO_DTLS */
4218
Gilles Peskine449bd832023-01-11 14:50:10 +01004219 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
Paul Bakker1961b702013-01-25 14:49:24 +01004220
Hanno Beckera817ea42020-10-20 15:20:23 +01004221 /* Main handshake loop */
Gilles Peskine449bd832023-01-11 14:50:10 +01004222 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4223 ret = mbedtls_ssl_handshake_step(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +01004224
Gilles Peskine449bd832023-01-11 14:50:10 +01004225 if (ret != 0) {
Paul Bakker1961b702013-01-25 14:49:24 +01004226 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01004227 }
Paul Bakker1961b702013-01-25 14:49:24 +01004228 }
4229
Gilles Peskine449bd832023-01-11 14:50:10 +01004230 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
Paul Bakker5121ce52009-01-03 21:22:43 +00004231
Gilles Peskine449bd832023-01-11 14:50:10 +01004232 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00004233}
4234
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004235#if defined(MBEDTLS_SSL_RENEGOTIATION)
4236#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004237/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004238 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00004239 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004240MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004241static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004242{
Janos Follath865b3eb2019-12-16 11:46:15 +00004243 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004244
Gilles Peskine449bd832023-01-11 14:50:10 +01004245 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004246
4247 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004248 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4249 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004250
Gilles Peskine449bd832023-01-11 14:50:10 +01004251 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4252 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4253 return ret;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004254 }
4255
Gilles Peskine449bd832023-01-11 14:50:10 +01004256 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004257
Gilles Peskine449bd832023-01-11 14:50:10 +01004258 return 0;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004259}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004260#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004261
4262/*
4263 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004264 * - any side: calling mbedtls_ssl_renegotiate(),
4265 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4266 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02004267 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004268 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004269 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004270 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004271int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
Paul Bakker48916f92012-09-16 19:57:18 +00004272{
Janos Follath865b3eb2019-12-16 11:46:15 +00004273 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker48916f92012-09-16 19:57:18 +00004274
Gilles Peskine449bd832023-01-11 14:50:10 +01004275 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
Paul Bakker48916f92012-09-16 19:57:18 +00004276
Gilles Peskine449bd832023-01-11 14:50:10 +01004277 if ((ret = ssl_handshake_init(ssl)) != 0) {
4278 return ret;
4279 }
Paul Bakker48916f92012-09-16 19:57:18 +00004280
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02004281 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4282 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004283#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004284 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4285 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4286 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004287 ssl->handshake->out_msg_seq = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01004288 } else {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004289 ssl->handshake->in_msg_seq = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01004290 }
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02004291 }
4292#endif
4293
Gilles Peskinef670ba52025-03-07 15:09:32 +01004294 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004295 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +00004296
Gilles Peskine449bd832023-01-11 14:50:10 +01004297 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4298 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4299 return ret;
Paul Bakker48916f92012-09-16 19:57:18 +00004300 }
4301
Gilles Peskine449bd832023-01-11 14:50:10 +01004302 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
Paul Bakker48916f92012-09-16 19:57:18 +00004303
Gilles Peskine449bd832023-01-11 14:50:10 +01004304 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +00004305}
4306
4307/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004308 * Renegotiate current connection on client,
4309 * or request renegotiation on server
4310 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004311int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004312{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004313 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004314
Gilles Peskine449bd832023-01-11 14:50:10 +01004315 if (ssl == NULL || ssl->conf == NULL) {
4316 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4317 }
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02004318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004319#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004320 /* On server, just send the request */
Gilles Peskine449bd832023-01-11 14:50:10 +01004321 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4322 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4323 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4324 }
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004326 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02004327
4328 /* Did we already try/start sending HelloRequest? */
Gilles Peskine449bd832023-01-11 14:50:10 +01004329 if (ssl->out_left != 0) {
4330 return mbedtls_ssl_flush_output(ssl);
4331 }
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02004332
Gilles Peskine449bd832023-01-11 14:50:10 +01004333 return ssl_write_hello_request(ssl);
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004334 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004335#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004336
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004337#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004338 /*
4339 * On client, either start the renegotiation process or,
4340 * if already in progress, continue the handshake
4341 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004342 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4343 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4344 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004345 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004346
4347 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4348 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4349 return ret;
4350 }
4351 } else {
4352 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4353 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4354 return ret;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004355 }
4356 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004357#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004358
Gilles Peskine449bd832023-01-11 14:50:10 +01004359 return ret;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004360}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004361#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004362
Gilles Peskine449bd832023-01-11 14:50:10 +01004363void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
Paul Bakker48916f92012-09-16 19:57:18 +00004364{
Gilles Peskine9b562d52018-04-25 20:32:43 +02004365 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4366
Gilles Peskine449bd832023-01-11 14:50:10 +01004367 if (handshake == NULL) {
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004368 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01004369 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004370
Ronald Crone68ab4f2022-10-05 12:46:29 +02004371#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08004372#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Jerry Yuf017ee42022-01-12 15:49:48 +08004373 handshake->sig_algs = NULL;
4374#endif /* MBEDTLS_DEPRECATED_REMOVED */
Xiaofei Baic234ecf2022-02-08 09:59:23 +00004375#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004376 if (ssl->handshake->certificate_request_context) {
4377 mbedtls_free((void *) handshake->certificate_request_context);
Xiaofei Baic234ecf2022-02-08 09:59:23 +00004378 }
4379#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Ronald Crone68ab4f2022-10-05 12:46:29 +02004380#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yuf017ee42022-01-12 15:49:48 +08004381
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004382#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Ben Taylorcd2660f2025-03-21 13:13:29 +00004383 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
Ben Taylorc12152e2025-03-21 11:03:04 +00004384 ssl->conf->f_async_cancel(ssl);
4385 handshake->async_in_progress = 0;
Ben Taylor1cd1e012025-03-18 11:50:39 +00004386 }
Ben Taylor6ff2da12025-03-17 09:26:20 +00004387
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004388#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4389
Elena Uziunaite0916cd72024-05-23 17:01:07 +01004390#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +01004391 psa_hash_abort(&handshake->fin_sha256_psa);
Andrzej Kurekeb342242019-01-29 09:14:33 -05004392#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01004393#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01004394 psa_hash_abort(&handshake->fin_sha384_psa);
Andrzej Kurekeb342242019-01-29 09:14:33 -05004395#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02004396
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02004397#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004398 psa_pake_abort(&handshake->psa_pake_ctx);
Valerio Settieb3f7882022-12-08 18:42:58 +01004399 /*
4400 * Opaque keys are not stored in the handshake's data and it's the user
4401 * responsibility to destroy them. Clear ones, instead, are created by
4402 * the TLS library and should be destroyed at the same level
4403 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004404 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4405 psa_destroy_key(handshake->psa_pake_password);
Valerio Settieb3f7882022-12-08 18:42:58 +01004406 }
Neil Armstrongca7d5062022-05-31 14:43:23 +02004407 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02004408#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004409 mbedtls_free(handshake->ecjpake_cache);
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02004410 handshake->ecjpake_cache = NULL;
4411 handshake->ecjpake_cache_len = 0;
4412#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02004413#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02004414
Valerio Setti7aeec542023-07-05 18:57:21 +02004415#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +02004416 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
Janos Follath4ae5c292016-02-10 11:27:43 +00004417 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +02004418 /* explicit void pointer cast for buggy MS compiler */
Gilles Peskine449bd832023-01-11 14:50:10 +01004419 mbedtls_free((void *) handshake->curves_tls_id);
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02004420#endif
4421
Ronald Cron73fe8df2022-10-05 14:31:43 +02004422#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004423 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
Neil Armstrong501c9322022-05-03 09:35:09 +02004424 /* The maintenance of the external PSK key slot is the
4425 * user's responsibility. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004426 if (ssl->handshake->psk_opaque_is_internal) {
4427 psa_destroy_key(ssl->handshake->psk_opaque);
Neil Armstrong501c9322022-05-03 09:35:09 +02004428 ssl->handshake->psk_opaque_is_internal = 0;
4429 }
4430 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4431 }
Ronald Cron73fe8df2022-10-05 14:31:43 +02004432#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01004433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004434#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4435 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02004436 /*
4437 * Free only the linked list wrapper, not the keys themselves
4438 * since the belong to the SNI callback
4439 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004440 ssl_key_cert_free(handshake->sni_key_cert);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004441#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02004442
Gilles Peskineeccd8882020-03-10 12:19:08 +01004443#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004444 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4445 if (handshake->ecrs_peer_cert != NULL) {
4446 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4447 mbedtls_free(handshake->ecrs_peer_cert);
Hanno Becker3dad3112019-02-05 17:19:52 +00004448 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02004449#endif
4450
Hanno Becker75173122019-02-06 16:18:31 +00004451#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4452 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +01004453 mbedtls_pk_free(&handshake->peer_pubkey);
Hanno Becker75173122019-02-06 16:18:31 +00004454#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4455
XiaokangQian9b93c0d2022-02-09 06:02:25 +00004456#if defined(MBEDTLS_SSL_CLI_C) && \
Gilles Peskine449bd832023-01-11 14:50:10 +01004457 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4458 mbedtls_free(handshake->cookie);
XiaokangQian9b93c0d2022-02-09 06:02:25 +00004459#endif /* MBEDTLS_SSL_CLI_C &&
4460 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
XiaokangQian8499b6c2022-01-27 09:00:11 +00004461
4462#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004463 mbedtls_ssl_flight_free(handshake->flight);
4464 mbedtls_ssl_buffering_free(ssl);
XiaokangQian8499b6c2022-01-27 09:00:11 +00004465#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02004466
Valerio Settiea59c432023-07-25 11:14:03 +02004467#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +02004468 if (handshake->xxdh_psa_privkey_is_external == 0) {
4469 psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +01004470 }
Valerio Settiea59c432023-07-25 11:14:03 +02004471#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
Hanno Becker4a63ed42019-01-08 11:39:35 +00004472
Ronald Cron6f135e12021-12-08 16:57:54 +01004473#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004474 mbedtls_ssl_transform_free(handshake->transform_handshake);
4475 mbedtls_free(handshake->transform_handshake);
Jerry Yu3d9b5902022-11-04 14:07:25 +08004476#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +01004477 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4478 mbedtls_free(handshake->transform_earlydata);
Jerry Yu3d9b5902022-11-04 14:07:25 +08004479#endif
Ronald Cron6f135e12021-12-08 16:57:54 +01004480#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yuba9c7272021-10-30 11:54:10 +08004481
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05004482
4483#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4484 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4485 * processes datagrams and the fact that a datagram is allowed to have
4486 * several records in it, it is possible that the I/O buffers are not
4487 * empty at this stage */
Gilles Peskine449bd832023-01-11 14:50:10 +01004488 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4489 mbedtls_ssl_get_output_buflen(ssl));
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05004490#endif
Hanno Becker3aa186f2021-08-10 09:24:19 +01004491
Jerry Yuba9c7272021-10-30 11:54:10 +08004492 /* mbedtls_platform_zeroize MUST be last one in this function */
Gilles Peskine449bd832023-01-11 14:50:10 +01004493 mbedtls_platform_zeroize(handshake,
4494 sizeof(mbedtls_ssl_handshake_params));
Paul Bakker48916f92012-09-16 19:57:18 +00004495}
4496
Gilles Peskine449bd832023-01-11 14:50:10 +01004497void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
Paul Bakker48916f92012-09-16 19:57:18 +00004498{
Gilles Peskine449bd832023-01-11 14:50:10 +01004499 if (session == NULL) {
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004500 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01004501 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004502
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004503#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004504 ssl_clear_peer_cert(session);
Paul Bakkered27a042013-04-18 22:46:23 +02004505#endif
Paul Bakker0a597072012-09-25 21:55:46 +00004506
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004507#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Xiaokang Qianbc663a02022-10-09 11:14:39 +00004508#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4509 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01004510 mbedtls_free(session->hostname);
Xiaokang Qian281fd1b2022-09-20 11:35:41 +00004511#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01004512 mbedtls_free(session->ticket);
Paul Bakkera503a632013-08-14 13:48:06 +02004513#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02004514
Waleed Elmelegy2824a202024-02-23 17:51:47 +00004515#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
4516 defined(MBEDTLS_SSL_SRV_C)
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00004517 mbedtls_free(session->ticket_alpn);
Paul Bakker5121ce52009-01-03 21:22:43 +00004518#endif
4519
Gilles Peskine449bd832023-01-11 14:50:10 +01004520 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
Paul Bakker5121ce52009-01-03 21:22:43 +00004521}
4522
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02004523#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004524
4525#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4526#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4527#else
4528#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4529#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4530
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004531#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004532
4533#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4534#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4535#else
4536#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4537#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4538
4539#if defined(MBEDTLS_SSL_ALPN)
4540#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4541#else
4542#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4543#endif /* MBEDTLS_SSL_ALPN */
4544
4545#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4546#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4547#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4548#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4549
4550#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
Gilles Peskine449bd832023-01-11 14:50:10 +01004551 ((uint32_t) ( \
4552 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4553 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4554 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4555 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4556 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4557 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4558 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4559 0u))
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004560
Chien Wong4e9683e2023-12-28 17:07:43 +08004561static const unsigned char ssl_serialized_context_header[] = {
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004562 MBEDTLS_VERSION_MAJOR,
4563 MBEDTLS_VERSION_MINOR,
4564 MBEDTLS_VERSION_PATCH,
Gilles Peskine449bd832023-01-11 14:50:10 +01004565 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4566 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4567 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4568 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4569 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004570};
4571
Paul Bakker5121ce52009-01-03 21:22:43 +00004572/*
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004573 * Serialize a full SSL context
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02004574 *
4575 * The format of the serialized data is:
4576 * (in the presentation language of TLS, RFC 8446 section 3)
4577 *
4578 * // header
4579 * opaque mbedtls_version[3]; // major, minor, patch
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004580 * opaque context_format[5]; // version-specific field determining
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02004581 * // the format of the remaining
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004582 * // serialized data.
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004583 * Note: When updating the format, remember to keep these
4584 * version+format bytes. (We may make their size part of the API.)
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02004585 *
4586 * // session sub-structure
4587 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
4588 * // transform sub-structure
4589 * uint8 random[64]; // ServerHello.random+ClientHello.random
4590 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
4591 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
4592 * // fields from ssl_context
4593 * uint32 badmac_seen; // DTLS: number of records with failing MAC
4594 * uint64 in_window_top; // DTLS: last validated record seq_num
4595 * uint64 in_window; // DTLS: bitmask for replay protection
4596 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
4597 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
4598 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
4599 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
4600 *
4601 * Note that many fields of the ssl_context or sub-structures are not
4602 * serialized, as they fall in one of the following categories:
4603 *
4604 * 1. forced value (eg in_left must be 0)
4605 * 2. pointer to dynamically-allocated memory (eg session, transform)
4606 * 3. value can be re-derived from other data (eg session keys from MS)
4607 * 4. value was temporary (eg content of input buffer)
4608 * 5. value will be provided by the user again (eg I/O callbacks and context)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004609 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004610int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
4611 unsigned char *buf,
4612 size_t buf_len,
4613 size_t *olen)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004614{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004615 unsigned char *p = buf;
4616 size_t used = 0;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004617 size_t session_len;
4618 int ret = 0;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004619
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02004620 /*
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004621 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
4622 * this function's documentation.
4623 *
4624 * These are due to assumptions/limitations in the implementation. Some of
4625 * them are likely to stay (no handshake in progress) some might go away
4626 * (only DTLS) but are currently used to simplify the implementation.
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02004627 */
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004628 /* The initial handshake must be over */
Gilles Peskine449bd832023-01-11 14:50:10 +01004629 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4630 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
4631 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004632 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004633 if (ssl->handshake != NULL) {
4634 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
4635 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004636 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004637 /* Double-check that sub-structures are indeed ready */
Gilles Peskine449bd832023-01-11 14:50:10 +01004638 if (ssl->transform == NULL || ssl->session == NULL) {
4639 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
4640 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004641 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004642 /* There must be no pending incoming or outgoing data */
Gilles Peskine449bd832023-01-11 14:50:10 +01004643 if (mbedtls_ssl_check_pending(ssl) != 0) {
4644 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
4645 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004646 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004647 if (ssl->out_left != 0) {
4648 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
4649 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004650 }
Dave Rodgman556e8a32022-12-06 16:31:25 +00004651 /* Protocol must be DTLS, not TLS */
Gilles Peskine449bd832023-01-11 14:50:10 +01004652 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
4653 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
4654 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004655 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004656 /* Version must be 1.2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004657 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
4658 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
4659 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004660 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004661 /* We must be using an AEAD ciphersuite */
Gilles Peskine449bd832023-01-11 14:50:10 +01004662 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
4663 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
4664 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004665 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004666 /* Renegotiation must not be enabled */
4667#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01004668 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
4669 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
4670 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004671 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004672#endif
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004673
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004674 /*
4675 * Version and format identifier
4676 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004677 used += sizeof(ssl_serialized_context_header);
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004678
Gilles Peskine449bd832023-01-11 14:50:10 +01004679 if (used <= buf_len) {
4680 memcpy(p, ssl_serialized_context_header,
4681 sizeof(ssl_serialized_context_header));
4682 p += sizeof(ssl_serialized_context_header);
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004683 }
4684
4685 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004686 * Session (length + data)
4687 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004688 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
4689 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4690 return ret;
4691 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004692
4693 used += 4 + session_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004694 if (used <= buf_len) {
4695 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004696 p += 4;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004697
Gilles Peskine449bd832023-01-11 14:50:10 +01004698 ret = ssl_session_save(ssl->session, 1,
4699 p, session_len, &session_len);
4700 if (ret != 0) {
4701 return ret;
4702 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004703
4704 p += session_len;
4705 }
4706
4707 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004708 * Transform
4709 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004710 used += sizeof(ssl->transform->randbytes);
4711 if (used <= buf_len) {
4712 memcpy(p, ssl->transform->randbytes,
4713 sizeof(ssl->transform->randbytes));
4714 p += sizeof(ssl->transform->randbytes);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004715 }
4716
4717#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Dave Rodgmanc37ad442023-11-03 23:36:06 +00004718 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004719 if (used <= buf_len) {
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004720 *p++ = ssl->transform->in_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004721 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004722 p += ssl->transform->in_cid_len;
4723
4724 *p++ = ssl->transform->out_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004725 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004726 p += ssl->transform->out_cid_len;
4727 }
4728#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4729
4730 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004731 * Saved fields from top-level ssl_context structure
4732 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004733 used += 4;
Gilles Peskine449bd832023-01-11 14:50:10 +01004734 if (used <= buf_len) {
4735 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004736 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004737 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004738
4739#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4740 used += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +01004741 if (used <= buf_len) {
4742 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004743 p += 8;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004744
Gilles Peskine449bd832023-01-11 14:50:10 +01004745 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004746 p += 8;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004747 }
4748#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4749
4750#if defined(MBEDTLS_SSL_PROTO_DTLS)
4751 used += 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01004752 if (used <= buf_len) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004753 *p++ = ssl->disable_datagram_packing;
4754 }
4755#endif /* MBEDTLS_SSL_PROTO_DTLS */
4756
Jerry Yuae0b2e22021-10-08 15:21:19 +08004757 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +01004758 if (used <= buf_len) {
4759 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
Jerry Yuae0b2e22021-10-08 15:21:19 +08004760 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004761 }
4762
4763#if defined(MBEDTLS_SSL_PROTO_DTLS)
4764 used += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01004765 if (used <= buf_len) {
4766 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004767 p += 2;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004768 }
4769#endif /* MBEDTLS_SSL_PROTO_DTLS */
4770
4771#if defined(MBEDTLS_SSL_ALPN)
4772 {
4773 const uint8_t alpn_len = ssl->alpn_chosen
Gilles Peskine449bd832023-01-11 14:50:10 +01004774 ? (uint8_t) strlen(ssl->alpn_chosen)
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004775 : 0;
4776
4777 used += 1 + alpn_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004778 if (used <= buf_len) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004779 *p++ = alpn_len;
4780
Gilles Peskine449bd832023-01-11 14:50:10 +01004781 if (ssl->alpn_chosen != NULL) {
4782 memcpy(p, ssl->alpn_chosen, alpn_len);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004783 p += alpn_len;
4784 }
4785 }
4786 }
4787#endif /* MBEDTLS_SSL_ALPN */
4788
4789 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004790 * Done
4791 */
4792 *olen = used;
4793
Gilles Peskine449bd832023-01-11 14:50:10 +01004794 if (used > buf_len) {
4795 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4796 }
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004797
Gilles Peskine449bd832023-01-11 14:50:10 +01004798 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004799
Gilles Peskine449bd832023-01-11 14:50:10 +01004800 return mbedtls_ssl_session_reset_int(ssl, 0);
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004801}
4802
4803/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02004804 * Deserialize context, see mbedtls_ssl_context_save() for format.
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004805 *
4806 * This internal version is wrapped by a public function that cleans up in
4807 * case of error.
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004808 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004809MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004810static int ssl_context_load(mbedtls_ssl_context *ssl,
4811 const unsigned char *buf,
4812 size_t len)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004813{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004814 const unsigned char *p = buf;
4815 const unsigned char * const end = buf + len;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004816 size_t session_len;
Janos Follath865b3eb2019-12-16 11:46:15 +00004817 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004818#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek894edde2022-09-29 06:31:14 -04004819 tls_prf_fn prf_func = NULL;
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004820#endif
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004821
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004822 /*
4823 * The context should have been freshly setup or reset.
4824 * Give the user an error in case of obvious misuse.
Manuel Pégourié-Gonnard4ca930f2019-07-26 16:31:53 +02004825 * (Checking session is useful because it won't be NULL if we're
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004826 * renegotiating, or if the user mistakenly loaded a session first.)
4827 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004828 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
4829 ssl->session != NULL) {
4830 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004831 }
4832
4833 /*
4834 * We can't check that the config matches the initial one, but we can at
4835 * least check it matches the requirements for serializing.
4836 */
Dave Rodgmane99b24d2023-09-14 15:45:03 +01004837 if (
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004838#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02004839 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004840#endif
Dave Rodgmane99b24d2023-09-14 15:45:03 +01004841 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
4842 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
4843 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
4844 ) {
Gilles Peskine449bd832023-01-11 14:50:10 +01004845 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004846 }
4847
Gilles Peskine449bd832023-01-11 14:50:10 +01004848 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004849
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004850 /*
4851 * Check version identifier
4852 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004853 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
4854 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004855 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004856
4857 if (memcmp(p, ssl_serialized_context_header,
4858 sizeof(ssl_serialized_context_header)) != 0) {
4859 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4860 }
4861 p += sizeof(ssl_serialized_context_header);
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004862
4863 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004864 * Session
4865 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004866 if ((size_t) (end - p) < 4) {
4867 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4868 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004869
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01004870 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004871 p += 4;
4872
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004873 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00004874 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004875 ssl->session = ssl->session_negotiate;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004876 ssl->session_in = ssl->session;
4877 ssl->session_out = ssl->session;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004878 ssl->session_negotiate = NULL;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004879
Gilles Peskine449bd832023-01-11 14:50:10 +01004880 if ((size_t) (end - p) < session_len) {
4881 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4882 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004883
Gilles Peskine449bd832023-01-11 14:50:10 +01004884 ret = ssl_session_load(ssl->session, 1, p, session_len);
4885 if (ret != 0) {
4886 mbedtls_ssl_session_free(ssl->session);
4887 return ret;
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004888 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004889
4890 p += session_len;
4891
4892 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004893 * Transform
4894 */
4895
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004896 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00004897 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Jerry Yu2e199812022-12-01 18:57:19 +08004898#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004899 ssl->transform = ssl->transform_negotiate;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004900 ssl->transform_in = ssl->transform;
4901 ssl->transform_out = ssl->transform;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004902 ssl->transform_negotiate = NULL;
Jerry Yu2e199812022-12-01 18:57:19 +08004903#endif
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004904
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004905#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004906 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
4907 if (prf_func == NULL) {
4908 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4909 }
Andrzej Kurek894edde2022-09-29 06:31:14 -04004910
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004911 /* Read random bytes and populate structure */
Gilles Peskine449bd832023-01-11 14:50:10 +01004912 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
4913 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4914 }
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004915
Gilles Peskine449bd832023-01-11 14:50:10 +01004916 ret = ssl_tls12_populate_transform(ssl->transform,
4917 ssl->session->ciphersuite,
4918 ssl->session->master,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02004919#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01004920 ssl->session->encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02004921#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01004922 prf_func,
4923 p, /* currently pointing to randbytes */
4924 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
4925 ssl->conf->endpoint,
4926 ssl);
4927 if (ret != 0) {
4928 return ret;
4929 }
Jerry Yu840fbb22022-02-17 14:59:29 +08004930#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004931 p += sizeof(ssl->transform->randbytes);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004932
4933#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4934 /* Read connection IDs and store them */
Gilles Peskine449bd832023-01-11 14:50:10 +01004935 if ((size_t) (end - p) < 1) {
4936 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4937 }
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004938
4939 ssl->transform->in_cid_len = *p++;
4940
Gilles Peskine449bd832023-01-11 14:50:10 +01004941 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
4942 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4943 }
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004944
Gilles Peskine449bd832023-01-11 14:50:10 +01004945 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004946 p += ssl->transform->in_cid_len;
4947
4948 ssl->transform->out_cid_len = *p++;
4949
Gilles Peskine449bd832023-01-11 14:50:10 +01004950 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
4951 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4952 }
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004953
Gilles Peskine449bd832023-01-11 14:50:10 +01004954 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004955 p += ssl->transform->out_cid_len;
4956#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4957
4958 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004959 * Saved fields from top-level ssl_context structure
4960 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004961 if ((size_t) (end - p) < 4) {
4962 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4963 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004964
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01004965 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004966 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004967
4968#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +01004969 if ((size_t) (end - p) < 16) {
4970 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4971 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004972
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01004973 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004974 p += 8;
4975
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01004976 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004977 p += 8;
4978#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4979
4980#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004981 if ((size_t) (end - p) < 1) {
4982 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4983 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004984
4985 ssl->disable_datagram_packing = *p++;
4986#endif /* MBEDTLS_SSL_PROTO_DTLS */
4987
Gilles Peskine449bd832023-01-11 14:50:10 +01004988 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
4989 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4990 }
4991 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
4992 p += sizeof(ssl->cur_out_ctr);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004993
4994#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004995 if ((size_t) (end - p) < 2) {
4996 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4997 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004998
Dave Rodgmana3d0f612023-11-03 23:34:02 +00004999 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005000 p += 2;
5001#endif /* MBEDTLS_SSL_PROTO_DTLS */
5002
5003#if defined(MBEDTLS_SSL_ALPN)
5004 {
5005 uint8_t alpn_len;
Gilles Peskinec4949d12025-05-27 19:45:29 +02005006 const char *const *cur;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005007
Gilles Peskine449bd832023-01-11 14:50:10 +01005008 if ((size_t) (end - p) < 1) {
5009 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5010 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005011
5012 alpn_len = *p++;
5013
Gilles Peskine449bd832023-01-11 14:50:10 +01005014 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005015 /* alpn_chosen should point to an item in the configured list */
Gilles Peskine449bd832023-01-11 14:50:10 +01005016 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5017 if (strlen(*cur) == alpn_len &&
Waleed Elmelegy131b2ff2024-03-14 01:39:39 +00005018 memcmp(p, *cur, alpn_len) == 0) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005019 ssl->alpn_chosen = *cur;
5020 break;
5021 }
5022 }
5023 }
5024
5025 /* can only happen on conf mismatch */
Gilles Peskine449bd832023-01-11 14:50:10 +01005026 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5027 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5028 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005029
5030 p += alpn_len;
5031 }
5032#endif /* MBEDTLS_SSL_ALPN */
5033
5034 /*
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005035 * Forced fields from top-level ssl_context structure
5036 *
5037 * Most of them already set to the correct value by mbedtls_ssl_init() and
5038 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5039 */
Gilles Peskinef670ba52025-03-07 15:09:32 +01005040 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Glenn Strauss60bfe602022-03-14 19:04:24 -04005041 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005042
Hanno Becker361b10d2019-08-30 10:42:49 +01005043 /* Adjust pointers for header fields of outgoing records to
5044 * the given transform, accounting for explicit IV and CID. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005045 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
Hanno Becker361b10d2019-08-30 10:42:49 +01005046
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005047#if defined(MBEDTLS_SSL_PROTO_DTLS)
5048 ssl->in_epoch = 1;
5049#endif
5050
5051 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5052 * which we don't want - otherwise we'd end up freeing the wrong transform
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00005053 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5054 * inappropriately. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005055 if (ssl->handshake != NULL) {
5056 mbedtls_ssl_handshake_free(ssl);
5057 mbedtls_free(ssl->handshake);
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005058 ssl->handshake = NULL;
5059 }
5060
5061 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005062 * Done - should have consumed entire buffer
5063 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005064 if (p != end) {
5065 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5066 }
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005067
Gilles Peskine449bd832023-01-11 14:50:10 +01005068 return 0;
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005069}
5070
5071/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005072 * Deserialize context: public wrapper for error cleaning
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005073 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005074int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5075 const unsigned char *buf,
5076 size_t len)
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005077{
Gilles Peskine449bd832023-01-11 14:50:10 +01005078 int ret = ssl_context_load(context, buf, len);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005079
Gilles Peskine449bd832023-01-11 14:50:10 +01005080 if (ret != 0) {
5081 mbedtls_ssl_free(context);
5082 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005083
Gilles Peskine449bd832023-01-11 14:50:10 +01005084 return ret;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005085}
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02005086#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005087
5088/*
Paul Bakker5121ce52009-01-03 21:22:43 +00005089 * Free an SSL context
5090 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005091void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +00005092{
Gilles Peskine449bd832023-01-11 14:50:10 +01005093 if (ssl == NULL) {
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005094 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01005095 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005096
Gilles Peskine449bd832023-01-11 14:50:10 +01005097 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
Paul Bakker5121ce52009-01-03 21:22:43 +00005098
Gilles Peskine449bd832023-01-11 14:50:10 +01005099 if (ssl->out_buf != NULL) {
sander-visserb8aa2072020-05-06 22:05:13 +02005100#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5101 size_t out_buf_len = ssl->out_buf_len;
5102#else
5103 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5104#endif
5105
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005106 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005107 ssl->out_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00005108 }
5109
Gilles Peskine449bd832023-01-11 14:50:10 +01005110 if (ssl->in_buf != NULL) {
sander-visserb8aa2072020-05-06 22:05:13 +02005111#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5112 size_t in_buf_len = ssl->in_buf_len;
5113#else
5114 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5115#endif
5116
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005117 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005118 ssl->in_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00005119 }
5120
Gilles Peskine449bd832023-01-11 14:50:10 +01005121 if (ssl->transform) {
5122 mbedtls_ssl_transform_free(ssl->transform);
5123 mbedtls_free(ssl->transform);
Paul Bakker48916f92012-09-16 19:57:18 +00005124 }
5125
Gilles Peskine449bd832023-01-11 14:50:10 +01005126 if (ssl->handshake) {
5127 mbedtls_ssl_handshake_free(ssl);
5128 mbedtls_free(ssl->handshake);
Jerry Yu2e199812022-12-01 18:57:19 +08005129
5130#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005131 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5132 mbedtls_free(ssl->transform_negotiate);
Jerry Yu2e199812022-12-01 18:57:19 +08005133#endif
5134
Gilles Peskine449bd832023-01-11 14:50:10 +01005135 mbedtls_ssl_session_free(ssl->session_negotiate);
5136 mbedtls_free(ssl->session_negotiate);
Paul Bakker48916f92012-09-16 19:57:18 +00005137 }
5138
Ronald Cron6f135e12021-12-08 16:57:54 +01005139#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01005140 mbedtls_ssl_transform_free(ssl->transform_application);
5141 mbedtls_free(ssl->transform_application);
Ronald Cron6f135e12021-12-08 16:57:54 +01005142#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker3aa186f2021-08-10 09:24:19 +01005143
Gilles Peskine449bd832023-01-11 14:50:10 +01005144 if (ssl->session) {
5145 mbedtls_ssl_session_free(ssl->session);
5146 mbedtls_free(ssl->session);
Paul Bakkerc0463502013-02-14 11:19:38 +01005147 }
5148
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +02005149#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine4ac40082025-02-20 18:13:58 +01005150 mbedtls_ssl_free_hostname(ssl);
Paul Bakker0be444a2013-08-27 21:55:01 +02005151#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00005152
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02005153#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005154 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02005155#endif
5156
Gilles Peskine449bd832023-01-11 14:50:10 +01005157 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
Paul Bakker2da561c2009-02-05 18:00:28 +00005158
Paul Bakker86f04f42013-02-14 11:20:09 +01005159 /* Actually clear after last debug message */
Gilles Peskine449bd832023-01-11 14:50:10 +01005160 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
Paul Bakker5121ce52009-01-03 21:22:43 +00005161}
5162
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005163/*
Shaun Case8b0ecbc2021-12-20 21:14:10 -08005164 * Initialize mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005165 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005166void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005167{
Gilles Peskine449bd832023-01-11 14:50:10 +01005168 memset(conf, 0, sizeof(mbedtls_ssl_config));
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005169}
5170
Gilles Peskineae270bf2021-06-02 00:05:29 +02005171/* The selection should be the same as mbedtls_x509_crt_profile_default in
5172 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
Gilles Peskineb1940a72021-06-02 15:18:12 +02005173 * curves with a lower resource usage come first.
Manuel Pégourié-Gonnard93d45912025-01-14 11:45:44 +01005174 * See the documentation of mbedtls_ssl_conf_groups() for what we promise
Gilles Peskineb1940a72021-06-02 15:18:12 +02005175 * about this list.
5176 */
Chien Wong4e9683e2023-12-28 17:07:43 +08005177static const uint16_t ssl_preset_default_groups[] = {
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005178#if defined(PSA_WANT_ECC_MONTGOMERY_255)
Brett Warrene0edc842021-08-17 09:53:13 +01005179 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
Gilles Peskineae270bf2021-06-02 00:05:29 +02005180#endif
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005181#if defined(PSA_WANT_ECC_SECP_R1_256)
Brett Warrene0edc842021-08-17 09:53:13 +01005182 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
Gilles Peskineae270bf2021-06-02 00:05:29 +02005183#endif
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005184#if defined(PSA_WANT_ECC_SECP_R1_384)
Brett Warrene0edc842021-08-17 09:53:13 +01005185 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005186#endif
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005187#if defined(PSA_WANT_ECC_MONTGOMERY_448)
Brett Warrene0edc842021-08-17 09:53:13 +01005188 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005189#endif
Elena Uziunaite24e24f22024-07-04 17:53:40 +01005190#if defined(PSA_WANT_ECC_SECP_R1_521)
Brett Warrene0edc842021-08-17 09:53:13 +01005191 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005192#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005193#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
Brett Warrene0edc842021-08-17 09:53:13 +01005194 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
Gilles Peskineae270bf2021-06-02 00:05:29 +02005195#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005196#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
Brett Warrene0edc842021-08-17 09:53:13 +01005197 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005198#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005199#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
Brett Warrene0edc842021-08-17 09:53:13 +01005200 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005201#endif
Przemek Stekiel316c19e2023-05-31 15:25:11 +02005202#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel383f4712022-12-12 14:48:57 +01005203 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5204 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5205 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5206 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5207 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5208#endif
Brett Warrene0edc842021-08-17 09:53:13 +01005209 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
Gilles Peskineae270bf2021-06-02 00:05:29 +02005210};
Gilles Peskineae270bf2021-06-02 00:05:29 +02005211
Alexey Tsvetkov2ca34372022-06-07 10:21:05 +03005212static const int ssl_preset_suiteb_ciphersuites[] = {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005213 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5214 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5215 0
5216};
5217
Ronald Crone68ab4f2022-10-05 12:46:29 +02005218#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01005219
Jerry Yu909df7b2022-01-22 11:56:27 +08005220/* NOTICE:
Jerry Yu0b994b82022-01-25 17:22:12 +08005221 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
Jerry Yu370e1462022-01-25 10:36:53 +08005222 * rules SHOULD be upheld.
5223 * - No duplicate entries.
5224 * - But if there is a good reason, do not change the order of the algorithms.
Jerry Yu09a99fc2022-07-28 14:22:17 +08005225 * - ssl_tls12_preset* is for TLS 1.2 use only.
Jerry Yu370e1462022-01-25 10:36:53 +08005226 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
Jerry Yu1a8b4812022-01-20 17:56:50 +08005227 */
Chien Wong4e9683e2023-12-28 17:07:43 +08005228static const uint16_t ssl_preset_default_sig_algs[] = {
Jerry Yu1a8b4812022-01-20 17:56:50 +08005229
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005230#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005231 defined(PSA_WANT_ALG_SHA_256) && \
Valerio Setticf29c5d2023-09-01 09:03:41 +02005232 defined(PSA_WANT_ECC_SECP_R1_256)
Jerry Yued5e9f42022-01-26 11:21:34 +08005233 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005234 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5235#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005236
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005237#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005238 defined(PSA_WANT_ALG_SHA_384) && \
Valerio Setticf29c5d2023-09-01 09:03:41 +02005239 defined(PSA_WANT_ECC_SECP_R1_384)
Jerry Yu909df7b2022-01-22 11:56:27 +08005240 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005241 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5242#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005243
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005244#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Gabor Mezeic15ef932024-06-13 12:53:54 +02005245 defined(PSA_WANT_ALG_SHA_512) && \
Valerio Setticf29c5d2023-09-01 09:03:41 +02005246 defined(PSA_WANT_ECC_SECP_R1_521)
Jerry Yued5e9f42022-01-26 11:21:34 +08005247 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005248 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5249#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005250
Gabor Mezeic15ef932024-06-13 12:53:54 +02005251#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_512)
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005252 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
Yanray Wang1136fad2023-11-22 16:54:31 +08005253#endif
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005254
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005255#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_384)
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005256 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
Yanray Wang1136fad2023-11-22 16:54:31 +08005257#endif
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005258
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005259#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_256)
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005260 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
Yanray Wang1136fad2023-11-22 16:54:31 +08005261#endif
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005262
Gabor Mezeic15ef932024-06-13 12:53:54 +02005263#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_512)
Jerry Yu693a47a2022-06-23 14:02:28 +08005264 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
Gabor Mezeic15ef932024-06-13 12:53:54 +02005265#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_512 */
Jerry Yu693a47a2022-06-23 14:02:28 +08005266
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005267#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384)
Jerry Yu693a47a2022-06-23 14:02:28 +08005268 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005269#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_384 */
Jerry Yu693a47a2022-06-23 14:02:28 +08005270
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005271#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
Jerry Yu693a47a2022-06-23 14:02:28 +08005272 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005273#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */
Jerry Yu693a47a2022-06-23 14:02:28 +08005274
Gabor Mezei15b95a62022-05-09 16:37:58 +02005275 MBEDTLS_TLS_SIG_NONE
Jerry Yu909df7b2022-01-22 11:56:27 +08005276};
5277
5278/* NOTICE: see above */
5279#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Deomid rojer Ryabkove2d71cc2024-03-18 12:32:30 +00005280static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
Yanray Wang1136fad2023-11-22 16:54:31 +08005281
Gabor Mezeic15ef932024-06-13 12:53:54 +02005282#if defined(PSA_WANT_ALG_SHA_512)
Valerio Settie9646ec2023-08-02 20:02:28 +02005283#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005284 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
Jerry Yu713013f2022-01-17 18:16:35 +08005285#endif
Jerry Yu09a99fc2022-07-28 14:22:17 +08005286#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5287 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
Yanray Wang1136fad2023-11-22 16:54:31 +08005288#endif
Gabor Mezeic1051b62022-05-10 13:13:58 +02005289#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005290 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
Gabor Mezeic1051b62022-05-10 13:13:58 +02005291#endif
Gabor Mezeic15ef932024-06-13 12:53:54 +02005292#endif /* PSA_WANT_ALG_SHA_512 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005293
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005294#if defined(PSA_WANT_ALG_SHA_384)
Valerio Settie9646ec2023-08-02 20:02:28 +02005295#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005296 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
Jerry Yu11f0a9c2022-01-12 18:43:08 +08005297#endif
Jerry Yu09a99fc2022-07-28 14:22:17 +08005298#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5299 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
Yanray Wang1136fad2023-11-22 16:54:31 +08005300#endif
Gabor Mezeic1051b62022-05-10 13:13:58 +02005301#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005302 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
Gabor Mezeic1051b62022-05-10 13:13:58 +02005303#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005304#endif /* PSA_WANT_ALG_SHA_384 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005305
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005306#if defined(PSA_WANT_ALG_SHA_256)
Valerio Settie9646ec2023-08-02 20:02:28 +02005307#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005308 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
Jerry Yu11f0a9c2022-01-12 18:43:08 +08005309#endif
Jerry Yu09a99fc2022-07-28 14:22:17 +08005310#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5311 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
Yanray Wang1136fad2023-11-22 16:54:31 +08005312#endif
Gabor Mezeic1051b62022-05-10 13:13:58 +02005313#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005314 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
Gabor Mezeic1051b62022-05-10 13:13:58 +02005315#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005316#endif /* PSA_WANT_ALG_SHA_256 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005317
Gabor Mezei15b95a62022-05-09 16:37:58 +02005318 MBEDTLS_TLS_SIG_NONE
Jerry Yu909df7b2022-01-22 11:56:27 +08005319};
5320#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005321
Jerry Yu909df7b2022-01-22 11:56:27 +08005322/* NOTICE: see above */
Chien Wong4e9683e2023-12-28 17:07:43 +08005323static const uint16_t ssl_preset_suiteb_sig_algs[] = {
Jerry Yu909df7b2022-01-22 11:56:27 +08005324
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005325#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005326 defined(PSA_WANT_ALG_SHA_256) && \
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005327 defined(PSA_WANT_ECC_SECP_R1_256)
Jerry Yu909df7b2022-01-22 11:56:27 +08005328 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005329 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5330#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005331
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005332#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005333 defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005334 defined(PSA_WANT_ECC_SECP_R1_384)
Jerry Yu53037892022-01-25 11:02:06 +08005335 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005336 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5337#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005338
Gabor Mezei15b95a62022-05-09 16:37:58 +02005339 MBEDTLS_TLS_SIG_NONE
Jerry Yu713013f2022-01-17 18:16:35 +08005340};
Jerry Yu6106fdc2022-01-12 16:36:14 +08005341
Jerry Yu909df7b2022-01-22 11:56:27 +08005342/* NOTICE: see above */
5343#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Deomid rojer Ryabkov7dddc172024-03-20 00:43:34 +00005344static const uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
Yanray Wang1136fad2023-11-22 16:54:31 +08005345
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005346#if defined(PSA_WANT_ALG_SHA_256)
Valerio Settie9646ec2023-08-02 20:02:28 +02005347#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005348 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
Jerry Yu713013f2022-01-17 18:16:35 +08005349#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005350#endif /* PSA_WANT_ALG_SHA_256 */
Yanray Wang69ceb392023-11-22 16:32:39 +08005351
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005352#if defined(PSA_WANT_ALG_SHA_384)
Valerio Settie9646ec2023-08-02 20:02:28 +02005353#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005354 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
Jerry Yu18c833e2022-01-25 10:55:47 +08005355#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005356#endif /* PSA_WANT_ALG_SHA_384 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005357
Gabor Mezei15b95a62022-05-09 16:37:58 +02005358 MBEDTLS_TLS_SIG_NONE
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01005359};
Jerry Yu909df7b2022-01-22 11:56:27 +08005360#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5361
Ronald Crone68ab4f2022-10-05 12:46:29 +02005362#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005363
Chien Wong4e9683e2023-12-28 17:07:43 +08005364static const uint16_t ssl_preset_suiteb_groups[] = {
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005365#if defined(PSA_WANT_ECC_SECP_R1_256)
Brett Warrene0edc842021-08-17 09:53:13 +01005366 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01005367#endif
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005368#if defined(PSA_WANT_ECC_SECP_R1_384)
Brett Warrene0edc842021-08-17 09:53:13 +01005369 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01005370#endif
Brett Warrene0edc842021-08-17 09:53:13 +01005371 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005372};
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005373
Ronald Crone68ab4f2022-10-05 12:46:29 +02005374#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu909df7b2022-01-22 11:56:27 +08005375/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
Jerry Yu370e1462022-01-25 10:36:53 +08005376 * to make sure there are no duplicated signature algorithm entries. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02005377MBEDTLS_CHECK_RETURN_CRITICAL
Chien Wong4e9683e2023-12-28 17:07:43 +08005378static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
Jerry Yu1a8b4812022-01-20 17:56:50 +08005379{
5380 size_t i, j;
5381 int ret = 0;
Jerry Yu909df7b2022-01-22 11:56:27 +08005382
Gilles Peskine449bd832023-01-11 14:50:10 +01005383 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5384 for (j = 0; j < i; j++) {
5385 if (sig_algs[i] != sig_algs[j]) {
Jerry Yuf377d642022-01-25 10:43:59 +08005386 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01005387 }
5388 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5389 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5390 sig_algs[i], j, i);
Jerry Yuf377d642022-01-25 10:43:59 +08005391 ret = -1;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005392 }
5393 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005394 return ret;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005395}
5396
Ronald Crone68ab4f2022-10-05 12:46:29 +02005397#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yu1a8b4812022-01-20 17:56:50 +08005398
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005399/*
Tillmann Karras588ad502015-09-25 04:27:22 +02005400 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005401 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005402int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5403 int endpoint, int transport, int preset)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005404{
Ronald Crone68ab4f2022-10-05 12:46:29 +02005405#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005406 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5407 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5408 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005409 }
5410
Gilles Peskine449bd832023-01-11 14:50:10 +01005411 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5412 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5413 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005414 }
Jerry Yu909df7b2022-01-22 11:56:27 +08005415
5416#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005417 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5418 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5419 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu909df7b2022-01-22 11:56:27 +08005420 }
5421
Gilles Peskine449bd832023-01-11 14:50:10 +01005422 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5423 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5424 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu909df7b2022-01-22 11:56:27 +08005425 }
5426#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Ronald Crone68ab4f2022-10-05 12:46:29 +02005427#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yu1a8b4812022-01-20 17:56:50 +08005428
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +02005429 /* Use the functions here so that they are covered in tests,
5430 * but otherwise access member directly for efficiency */
Gilles Peskine449bd832023-01-11 14:50:10 +01005431 mbedtls_ssl_conf_endpoint(conf, endpoint);
5432 mbedtls_ssl_conf_transport(conf, transport);
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005433
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005434 /*
5435 * Things that are common to all presets
5436 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02005437#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005438 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02005439 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5440#if defined(MBEDTLS_SSL_SESSION_TICKETS)
5441 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5442#endif
5443 }
5444#endif
5445
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005446#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5447 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5448#endif
5449
5450#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5451 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5452#endif
5453
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02005454#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005455 conf->f_cookie_write = ssl_cookie_write_dummy;
5456 conf->f_cookie_check = ssl_cookie_check_dummy;
5457#endif
5458
5459#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5460 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5461#endif
5462
Janos Follath088ce432017-04-10 12:42:31 +01005463#if defined(MBEDTLS_SSL_SRV_C)
5464 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
TRodziewicz3946f792021-06-14 12:11:18 +02005465 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
Janos Follath088ce432017-04-10 12:42:31 +01005466#endif
5467
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005468#if defined(MBEDTLS_SSL_PROTO_DTLS)
5469 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5470 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5471#endif
5472
5473#if defined(MBEDTLS_SSL_RENEGOTIATION)
5474 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Gilles Peskine449bd832023-01-11 14:50:10 +01005475 memset(conf->renego_period, 0x00, 2);
5476 memset(conf->renego_period + 2, 0xFF, 6);
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005477#endif
5478
Ronald Cron6f135e12021-12-08 16:57:54 +01005479#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu6ee56aa2022-12-06 17:47:22 +08005480
5481#if defined(MBEDTLS_SSL_EARLY_DATA)
Yanray Wangd5ed36f2023-11-07 11:40:43 +08005482 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
Jerry Yu6ee56aa2022-12-06 17:47:22 +08005483#if defined(MBEDTLS_SSL_SRV_C)
Yanray Wang07517612023-11-07 11:47:36 +08005484 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
Jerry Yu6ee56aa2022-12-06 17:47:22 +08005485#endif
5486#endif /* MBEDTLS_SSL_EARLY_DATA */
5487
Jerry Yud0766ec2022-09-22 10:46:57 +08005488#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu1ad7ace2022-08-09 13:28:39 +08005489 mbedtls_ssl_conf_new_session_tickets(
Gilles Peskine449bd832023-01-11 14:50:10 +01005490 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
Jerry Yu1ad7ace2022-08-09 13:28:39 +08005491#endif
Hanno Becker71f1ed62021-07-24 06:01:47 +01005492 /*
5493 * Allow all TLS 1.3 key exchange modes by default.
5494 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00005495 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
Ronald Cron6f135e12021-12-08 16:57:54 +01005496#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker71f1ed62021-07-24 06:01:47 +01005497
Gilles Peskine449bd832023-01-11 14:50:10 +01005498 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Glenn Strauss2dfcea22022-03-14 17:26:42 -04005499#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
XiaokangQian4d3a6042022-04-21 13:46:17 +00005500 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
XiaokangQian060d8672022-04-21 09:24:56 +00005501 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
XiaokangQian4d3a6042022-04-21 13:46:17 +00005502#else
Gilles Peskine449bd832023-01-11 14:50:10 +01005503 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian060d8672022-04-21 09:24:56 +00005504#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01005505 } else {
XiaokangQian4d3a6042022-04-21 13:46:17 +00005506#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron097ba142023-03-08 16:18:00 +01005507 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5508 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQian4d3a6042022-04-21 13:46:17 +00005509#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5510 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5511 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5512#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5513 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5514 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5515#else
Gilles Peskine449bd832023-01-11 14:50:10 +01005516 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian4d3a6042022-04-21 13:46:17 +00005517#endif
5518 }
Glenn Strauss2dfcea22022-03-14 17:26:42 -04005519
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005520 /*
5521 * Preset-specific defaults
5522 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005523 switch (preset) {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005524 /*
5525 * NSA Suite B
5526 */
5527 case MBEDTLS_SSL_PRESET_SUITEB:
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005528
Hanno Beckerd60b6c62021-04-29 12:04:11 +01005529 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005530
5531#if defined(MBEDTLS_X509_CRT_PARSE_C)
5532 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005533#endif
5534
Ronald Crone68ab4f2022-10-05 12:46:29 +02005535#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu909df7b2022-01-22 11:56:27 +08005536#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005537 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
Jerry Yu909df7b2022-01-22 11:56:27 +08005538 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
Gilles Peskine449bd832023-01-11 14:50:10 +01005539 } else
Jerry Yu909df7b2022-01-22 11:56:27 +08005540#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005541 conf->sig_algs = ssl_preset_suiteb_sig_algs;
Ronald Crone68ab4f2022-10-05 12:46:29 +02005542#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005543
Brett Warrene0edc842021-08-17 09:53:13 +01005544 conf->group_list = ssl_preset_suiteb_groups;
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +02005545 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005546
5547 /*
5548 * Default
5549 */
5550 default:
Ronald Cronf6606552022-03-15 11:23:25 +01005551
Hanno Beckerd60b6c62021-04-29 12:04:11 +01005552 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005553
5554#if defined(MBEDTLS_X509_CRT_PARSE_C)
5555 conf->cert_profile = &mbedtls_x509_crt_profile_default;
5556#endif
5557
Ronald Crone68ab4f2022-10-05 12:46:29 +02005558#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu909df7b2022-01-22 11:56:27 +08005559#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005560 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
Jerry Yu909df7b2022-01-22 11:56:27 +08005561 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
Gilles Peskine449bd832023-01-11 14:50:10 +01005562 } else
Jerry Yu909df7b2022-01-22 11:56:27 +08005563#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005564 conf->sig_algs = ssl_preset_default_sig_algs;
Ronald Crone68ab4f2022-10-05 12:46:29 +02005565#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005566
Brett Warrene0edc842021-08-17 09:53:13 +01005567 conf->group_list = ssl_preset_default_groups;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005568 }
5569
Gilles Peskine449bd832023-01-11 14:50:10 +01005570 return 0;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005571}
5572
5573/*
5574 * Free mbedtls_ssl_config
5575 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005576void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005577{
Troy-Butlerda73abc2024-04-02 13:37:31 -04005578 if (conf == NULL) {
5579 return;
5580 }
5581
Ronald Cron73fe8df2022-10-05 14:31:43 +02005582#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005583 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
Neil Armstrong501c9322022-05-03 09:35:09 +02005584 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
5585 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005586 if (conf->psk != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005587 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
Azim Khan27e8a122018-03-21 14:24:11 +00005588 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005589 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +09005590 }
5591
Gilles Peskine449bd832023-01-11 14:50:10 +01005592 if (conf->psk_identity != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005593 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
Azim Khan27e8a122018-03-21 14:24:11 +00005594 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005595 conf->psk_identity_len = 0;
5596 }
Ronald Cron73fe8df2022-10-05 14:31:43 +02005597#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005598
5599#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005600 ssl_key_cert_free(conf->key_cert);
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005601#endif
5602
Gilles Peskine449bd832023-01-11 14:50:10 +01005603 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005604}
5605
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02005606#if defined(MBEDTLS_PK_C) && \
Valerio Settie9646ec2023-08-02 20:02:28 +02005607 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005608/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005609 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005610 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005611unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005612{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005613#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005614 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
5615 return MBEDTLS_SSL_SIG_RSA;
5616 }
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005617#endif
Valerio Settie9646ec2023-08-02 20:02:28 +02005618#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005619 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
5620 return MBEDTLS_SSL_SIG_ECDSA;
5621 }
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005622#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01005623 return MBEDTLS_SSL_SIG_ANON;
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005624}
5625
Gilles Peskine449bd832023-01-11 14:50:10 +01005626unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
Hanno Becker7e5437a2017-04-28 17:15:26 +01005627{
Gilles Peskine449bd832023-01-11 14:50:10 +01005628 switch (type) {
Hanno Becker7e5437a2017-04-28 17:15:26 +01005629 case MBEDTLS_PK_RSA:
Gilles Peskine449bd832023-01-11 14:50:10 +01005630 return MBEDTLS_SSL_SIG_RSA;
Hanno Becker7e5437a2017-04-28 17:15:26 +01005631 case MBEDTLS_PK_ECDSA:
5632 case MBEDTLS_PK_ECKEY:
Gilles Peskine449bd832023-01-11 14:50:10 +01005633 return MBEDTLS_SSL_SIG_ECDSA;
Hanno Becker7e5437a2017-04-28 17:15:26 +01005634 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005635 return MBEDTLS_SSL_SIG_ANON;
Hanno Becker7e5437a2017-04-28 17:15:26 +01005636 }
5637}
5638
Gilles Peskine449bd832023-01-11 14:50:10 +01005639mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005640{
Gilles Peskine449bd832023-01-11 14:50:10 +01005641 switch (sig) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005642#if defined(MBEDTLS_RSA_C)
5643 case MBEDTLS_SSL_SIG_RSA:
Gilles Peskine449bd832023-01-11 14:50:10 +01005644 return MBEDTLS_PK_RSA;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005645#endif
Valerio Settie9646ec2023-08-02 20:02:28 +02005646#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005647 case MBEDTLS_SSL_SIG_ECDSA:
Gilles Peskine449bd832023-01-11 14:50:10 +01005648 return MBEDTLS_PK_ECDSA;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005649#endif
5650 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005651 return MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005652 }
5653}
Valerio Settie9646ec2023-08-02 20:02:28 +02005654#endif /* MBEDTLS_PK_C &&
5655 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005656
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005657/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005658 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005659 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005660mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005661{
Gilles Peskine449bd832023-01-11 14:50:10 +01005662 switch (hash) {
Elena Uziunaiteb66a9912024-05-10 14:25:58 +01005663#if defined(PSA_WANT_ALG_MD5)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005664 case MBEDTLS_SSL_HASH_MD5:
Gilles Peskine449bd832023-01-11 14:50:10 +01005665 return MBEDTLS_MD_MD5;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005666#endif
Elena Uziunaite9fc5be02024-09-04 18:12:59 +01005667#if defined(PSA_WANT_ALG_SHA_1)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005668 case MBEDTLS_SSL_HASH_SHA1:
Gilles Peskine449bd832023-01-11 14:50:10 +01005669 return MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005670#endif
Elena Uziunaitefcc9afa2024-05-23 14:43:22 +01005671#if defined(PSA_WANT_ALG_SHA_224)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005672 case MBEDTLS_SSL_HASH_SHA224:
Gilles Peskine449bd832023-01-11 14:50:10 +01005673 return MBEDTLS_MD_SHA224;
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02005674#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005675#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005676 case MBEDTLS_SSL_HASH_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +01005677 return MBEDTLS_MD_SHA256;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005678#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005679#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005680 case MBEDTLS_SSL_HASH_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +01005681 return MBEDTLS_MD_SHA384;
Mateusz Starzyk3352a532021-04-06 14:28:22 +02005682#endif
Gabor Mezeic15ef932024-06-13 12:53:54 +02005683#if defined(PSA_WANT_ALG_SHA_512)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005684 case MBEDTLS_SSL_HASH_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +01005685 return MBEDTLS_MD_SHA512;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005686#endif
5687 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005688 return MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005689 }
5690}
5691
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005692/*
5693 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
5694 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005695unsigned char mbedtls_ssl_hash_from_md_alg(int md)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005696{
Gilles Peskine449bd832023-01-11 14:50:10 +01005697 switch (md) {
Elena Uziunaiteb66a9912024-05-10 14:25:58 +01005698#if defined(PSA_WANT_ALG_MD5)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005699 case MBEDTLS_MD_MD5:
Gilles Peskine449bd832023-01-11 14:50:10 +01005700 return MBEDTLS_SSL_HASH_MD5;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005701#endif
Elena Uziunaite9fc5be02024-09-04 18:12:59 +01005702#if defined(PSA_WANT_ALG_SHA_1)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005703 case MBEDTLS_MD_SHA1:
Gilles Peskine449bd832023-01-11 14:50:10 +01005704 return MBEDTLS_SSL_HASH_SHA1;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005705#endif
Elena Uziunaitefcc9afa2024-05-23 14:43:22 +01005706#if defined(PSA_WANT_ALG_SHA_224)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005707 case MBEDTLS_MD_SHA224:
Gilles Peskine449bd832023-01-11 14:50:10 +01005708 return MBEDTLS_SSL_HASH_SHA224;
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02005709#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005710#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005711 case MBEDTLS_MD_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +01005712 return MBEDTLS_SSL_HASH_SHA256;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005713#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005714#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005715 case MBEDTLS_MD_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +01005716 return MBEDTLS_SSL_HASH_SHA384;
Mateusz Starzyk3352a532021-04-06 14:28:22 +02005717#endif
Gabor Mezeic15ef932024-06-13 12:53:54 +02005718#if defined(PSA_WANT_ALG_SHA_512)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005719 case MBEDTLS_MD_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +01005720 return MBEDTLS_SSL_HASH_SHA512;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005721#endif
5722 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005723 return MBEDTLS_SSL_HASH_NONE;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005724 }
5725}
5726
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005727/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005728 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02005729 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005730 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005731int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005732{
Manuel Pégourié-Gonnard6402c352025-01-14 12:23:56 +01005733 const uint16_t *group_list = ssl->conf->group_list;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005734
Gilles Peskine449bd832023-01-11 14:50:10 +01005735 if (group_list == NULL) {
5736 return -1;
Brett Warrene0edc842021-08-17 09:53:13 +01005737 }
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005738
Gilles Peskine449bd832023-01-11 14:50:10 +01005739 for (; *group_list != 0; group_list++) {
5740 if (*group_list == tls_id) {
5741 return 0;
5742 }
5743 }
5744
5745 return -1;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005746}
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005747
Elena Uziunaite8dde3b32024-07-05 12:10:21 +01005748#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005749/*
5750 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
5751 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005752int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005753{
Gilles Peskine449bd832023-01-11 14:50:10 +01005754 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Leonid Rozenboim19e59732022-08-08 16:52:38 -07005755
Gilles Peskine449bd832023-01-11 14:50:10 +01005756 if (tls_id == 0) {
Leonid Rozenboim19e59732022-08-08 16:52:38 -07005757 return -1;
Gilles Peskine449bd832023-01-11 14:50:10 +01005758 }
Leonid Rozenboim19e59732022-08-08 16:52:38 -07005759
Gilles Peskine449bd832023-01-11 14:50:10 +01005760 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005761}
Elena Uziunaite8dde3b32024-07-05 12:10:21 +01005762#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
Valerio Setti67419f02023-01-04 16:12:42 +01005763
Valerio Setti18c9fed2022-12-30 17:44:24 +01005764static const struct {
5765 uint16_t tls_id;
5766 mbedtls_ecp_group_id ecp_group_id;
5767 psa_ecc_family_t psa_family;
5768 uint16_t bits;
Valerio Setti18c9fed2022-12-30 17:44:24 +01005769} tls_id_match_table[] =
5770{
Elena Uziunaite24e24f22024-07-04 17:53:40 +01005771#if defined(PSA_WANT_ECC_SECP_R1_521)
Valerio Settiacd32c02023-06-29 18:06:29 +02005772 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005773#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005774#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
Valerio Settiacd32c02023-06-29 18:06:29 +02005775 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005776#endif
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005777#if defined(PSA_WANT_ECC_SECP_R1_384)
Valerio Settiacd32c02023-06-29 18:06:29 +02005778 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005779#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005780#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
Valerio Settiacd32c02023-06-29 18:06:29 +02005781 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005782#endif
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005783#if defined(PSA_WANT_ECC_SECP_R1_256)
Valerio Settiacd32c02023-06-29 18:06:29 +02005784 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005785#endif
Elena Uziunaite9e85c9f2024-07-04 18:37:34 +01005786#if defined(PSA_WANT_ECC_SECP_K1_256)
Valerio Settiacd32c02023-06-29 18:06:29 +02005787 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005788#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005789#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
Valerio Settiacd32c02023-06-29 18:06:29 +02005790 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005791#endif
Elena Uziunaiteeaa0cf02024-07-04 17:41:25 +01005792#if defined(PSA_WANT_ECC_SECP_R1_224)
Valerio Settiacd32c02023-06-29 18:06:29 +02005793 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005794#endif
Elena Uziunaitea3632862024-07-04 13:52:43 +01005795#if defined(PSA_WANT_ECC_SECP_R1_192)
Valerio Settiacd32c02023-06-29 18:06:29 +02005796 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005797#endif
Elena Uziunaite9e85c9f2024-07-04 18:37:34 +01005798#if defined(PSA_WANT_ECC_SECP_K1_192)
Valerio Settiacd32c02023-06-29 18:06:29 +02005799 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005800#endif
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005801#if defined(PSA_WANT_ECC_MONTGOMERY_255)
Valerio Settiacd32c02023-06-29 18:06:29 +02005802 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005803#endif
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005804#if defined(PSA_WANT_ECC_MONTGOMERY_448)
Valerio Settiacd32c02023-06-29 18:06:29 +02005805 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005806#endif
Valerio Settiacd32c02023-06-29 18:06:29 +02005807 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005808};
5809
Gilles Peskine449bd832023-01-11 14:50:10 +01005810int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +02005811 psa_key_type_t *type,
Gilles Peskine449bd832023-01-11 14:50:10 +01005812 size_t *bits)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005813{
Gilles Peskine449bd832023-01-11 14:50:10 +01005814 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5815 if (tls_id_match_table[i].tls_id == tls_id) {
Przemek Stekielda4fba62023-06-02 14:52:28 +02005816 if (type != NULL) {
5817 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
Gilles Peskine449bd832023-01-11 14:50:10 +01005818 }
5819 if (bits != NULL) {
Valerio Setti18c9fed2022-12-30 17:44:24 +01005820 *bits = tls_id_match_table[i].bits;
Gilles Peskine449bd832023-01-11 14:50:10 +01005821 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005822 return PSA_SUCCESS;
5823 }
5824 }
5825
5826 return PSA_ERROR_NOT_SUPPORTED;
5827}
5828
Gilles Peskine449bd832023-01-11 14:50:10 +01005829mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005830{
Gilles Peskine449bd832023-01-11 14:50:10 +01005831 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5832 if (tls_id_match_table[i].tls_id == tls_id) {
Valerio Setti18c9fed2022-12-30 17:44:24 +01005833 return tls_id_match_table[i].ecp_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +01005834 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005835 }
5836
5837 return MBEDTLS_ECP_DP_NONE;
5838}
5839
Gilles Peskine449bd832023-01-11 14:50:10 +01005840uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005841{
Gilles Peskine449bd832023-01-11 14:50:10 +01005842 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
5843 i++) {
5844 if (tls_id_match_table[i].ecp_group_id == grp_id) {
Valerio Setti18c9fed2022-12-30 17:44:24 +01005845 return tls_id_match_table[i].tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +01005846 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005847 }
5848
5849 return 0;
5850}
5851
Valerio Setti67419f02023-01-04 16:12:42 +01005852#if defined(MBEDTLS_DEBUG_C)
Valerio Settiacd32c02023-06-29 18:06:29 +02005853static const struct {
5854 uint16_t tls_id;
5855 const char *name;
5856} tls_id_curve_name_table[] =
5857{
Valerio Setti54e23792023-07-07 10:49:27 +02005858 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
5859 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
5860 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
5861 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
5862 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
5863 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
5864 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
5865 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
5866 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
5867 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
5868 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
5869 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
5870 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
Valerio Settiacd32c02023-06-29 18:06:29 +02005871 { 0, NULL },
5872};
5873
Gilles Peskine449bd832023-01-11 14:50:10 +01005874const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005875{
Valerio Settiacd32c02023-06-29 18:06:29 +02005876 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
5877 if (tls_id_curve_name_table[i].tls_id == tls_id) {
5878 return tls_id_curve_name_table[i].name;
Gilles Peskine449bd832023-01-11 14:50:10 +01005879 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005880 }
5881
5882 return NULL;
5883}
Valerio Setti67419f02023-01-04 16:12:42 +01005884#endif
Valerio Setti18c9fed2022-12-30 17:44:24 +01005885
Gilles Peskine449bd832023-01-11 14:50:10 +01005886int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
5887 const mbedtls_md_type_t md,
5888 unsigned char *dst,
5889 size_t dst_len,
5890 size_t *olen)
Jerry Yu148165c2021-09-24 23:20:59 +08005891{
Ronald Cronf6893e12022-01-07 22:09:01 +01005892 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5893 psa_hash_operation_t *hash_operation_to_clone;
5894 psa_hash_operation_t hash_operation = psa_hash_operation_init();
5895
Jerry Yu148165c2021-09-24 23:20:59 +08005896 *olen = 0;
Ronald Cronf6893e12022-01-07 22:09:01 +01005897
Gilles Peskine449bd832023-01-11 14:50:10 +01005898 switch (md) {
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005899#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01005900 case MBEDTLS_MD_SHA384:
5901 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
5902 break;
Ronald Cronf6893e12022-01-07 22:09:01 +01005903#endif
5904
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005905#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +01005906 case MBEDTLS_MD_SHA256:
5907 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
5908 break;
Ronald Cronf6893e12022-01-07 22:09:01 +01005909#endif
5910
Gilles Peskine449bd832023-01-11 14:50:10 +01005911 default:
5912 goto exit;
5913 }
5914
5915 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
5916 if (status != PSA_SUCCESS) {
Ronald Cronf6893e12022-01-07 22:09:01 +01005917 goto exit;
5918 }
5919
Gilles Peskine449bd832023-01-11 14:50:10 +01005920 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
5921 if (status != PSA_SUCCESS) {
Ronald Cronf6893e12022-01-07 22:09:01 +01005922 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01005923 }
Ronald Cronf6893e12022-01-07 22:09:01 +01005924
5925exit:
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005926#if !defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005927 !defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurekeabeb302022-10-17 07:52:51 -04005928 (void) ssl;
5929#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05005930 return PSA_TO_MBEDTLS_ERR(status);
Jerry Yu148165c2021-09-24 23:20:59 +08005931}
Jerry Yu24c0ec32021-09-09 14:21:07 +08005932
Ronald Crone68ab4f2022-10-05 12:46:29 +02005933#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Gabor Mezei078e8032022-04-27 21:17:56 +02005934/* mbedtls_ssl_parse_sig_alg_ext()
5935 *
5936 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
5937 * value (TLS 1.3 RFC8446):
5938 * enum {
5939 * ....
5940 * ecdsa_secp256r1_sha256( 0x0403 ),
5941 * ecdsa_secp384r1_sha384( 0x0503 ),
5942 * ecdsa_secp521r1_sha512( 0x0603 ),
5943 * ....
5944 * } SignatureScheme;
5945 *
5946 * struct {
5947 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
5948 * } SignatureSchemeList;
5949 *
5950 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
5951 * value (TLS 1.2 RFC5246):
5952 * enum {
5953 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
5954 * sha512(6), (255)
5955 * } HashAlgorithm;
5956 *
5957 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
5958 * SignatureAlgorithm;
5959 *
5960 * struct {
5961 * HashAlgorithm hash;
5962 * SignatureAlgorithm signature;
5963 * } SignatureAndHashAlgorithm;
5964 *
5965 * SignatureAndHashAlgorithm
5966 * supported_signature_algorithms<2..2^16-2>;
5967 *
5968 * The TLS 1.3 signature algorithm extension was defined to be a compatible
5969 * generalization of the TLS 1.2 signature algorithm extension.
5970 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
5971 * `SignatureScheme` field of TLS 1.3
5972 *
5973 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005974int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
5975 const unsigned char *buf,
5976 const unsigned char *end)
Gabor Mezei078e8032022-04-27 21:17:56 +02005977{
5978 const unsigned char *p = buf;
5979 size_t supported_sig_algs_len = 0;
5980 const unsigned char *supported_sig_algs_end;
5981 uint16_t sig_alg;
5982 uint32_t common_idx = 0;
5983
Gilles Peskine449bd832023-01-11 14:50:10 +01005984 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
5985 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
Gabor Mezei078e8032022-04-27 21:17:56 +02005986 p += 2;
5987
Gilles Peskine449bd832023-01-11 14:50:10 +01005988 memset(ssl->handshake->received_sig_algs, 0,
5989 sizeof(ssl->handshake->received_sig_algs));
Gabor Mezei078e8032022-04-27 21:17:56 +02005990
Gilles Peskine449bd832023-01-11 14:50:10 +01005991 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
Gabor Mezei078e8032022-04-27 21:17:56 +02005992 supported_sig_algs_end = p + supported_sig_algs_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01005993 while (p < supported_sig_algs_end) {
5994 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
5995 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
Gabor Mezei078e8032022-04-27 21:17:56 +02005996 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01005997 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
5998 sig_alg,
5999 mbedtls_ssl_sig_alg_to_str(sig_alg)));
Jerry Yu2fe6c632022-06-29 10:02:38 +08006000#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01006001 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6002 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6003 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
Gabor Mezei078e8032022-04-27 21:17:56 +02006004 continue;
Jerry Yu2fe6c632022-06-29 10:02:38 +08006005 }
6006#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gabor Mezei078e8032022-04-27 21:17:56 +02006007
Gilles Peskine449bd832023-01-11 14:50:10 +01006008 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6009 mbedtls_ssl_sig_alg_to_str(sig_alg)));
Gabor Mezei078e8032022-04-27 21:17:56 +02006010
Gilles Peskine449bd832023-01-11 14:50:10 +01006011 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
Gabor Mezei078e8032022-04-27 21:17:56 +02006012 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6013 common_idx += 1;
6014 }
6015 }
6016 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006017 if (p != end) {
6018 MBEDTLS_SSL_DEBUG_MSG(1,
6019 ("Signature algorithms extension length misaligned"));
6020 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6021 MBEDTLS_ERR_SSL_DECODE_ERROR);
6022 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gabor Mezei078e8032022-04-27 21:17:56 +02006023 }
6024
Gilles Peskine449bd832023-01-11 14:50:10 +01006025 if (common_idx == 0) {
6026 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6027 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6028 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6029 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Gabor Mezei078e8032022-04-27 21:17:56 +02006030 }
6031
Gabor Mezei15b95a62022-05-09 16:37:58 +02006032 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
Gilles Peskine449bd832023-01-11 14:50:10 +01006033 return 0;
Gabor Mezei078e8032022-04-27 21:17:56 +02006034}
6035
Ronald Crone68ab4f2022-10-05 12:46:29 +02006036#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Gabor Mezei078e8032022-04-27 21:17:56 +02006037
Jerry Yudc7bd172022-02-17 13:44:15 +08006038#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6039
Jerry Yudc7bd172022-02-17 13:44:15 +08006040
Gilles Peskine449bd832023-01-11 14:50:10 +01006041static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6042 mbedtls_svc_key_id_t key,
6043 psa_algorithm_t alg,
6044 const unsigned char *raw_psk, size_t raw_psk_length,
6045 const unsigned char *seed, size_t seed_length,
6046 const unsigned char *label, size_t label_length,
6047 const unsigned char *other_secret,
6048 size_t other_secret_length,
6049 size_t capacity)
Jerry Yudc7bd172022-02-17 13:44:15 +08006050{
6051 psa_status_t status;
6052
Gilles Peskine449bd832023-01-11 14:50:10 +01006053 status = psa_key_derivation_setup(derivation, alg);
6054 if (status != PSA_SUCCESS) {
6055 return status;
6056 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006057
Gilles Peskine449bd832023-01-11 14:50:10 +01006058 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6059 status = psa_key_derivation_input_bytes(derivation,
6060 PSA_KEY_DERIVATION_INPUT_SEED,
6061 seed, seed_length);
6062 if (status != PSA_SUCCESS) {
6063 return status;
Przemek Stekiel1f027032022-04-05 17:12:11 +02006064 }
6065
Gilles Peskine449bd832023-01-11 14:50:10 +01006066 if (other_secret != NULL) {
6067 status = psa_key_derivation_input_bytes(derivation,
6068 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6069 other_secret, other_secret_length);
6070 if (status != PSA_SUCCESS) {
6071 return status;
6072 }
6073 }
6074
6075 if (mbedtls_svc_key_id_is_null(key)) {
Jerry Yudc7bd172022-02-17 13:44:15 +08006076 status = psa_key_derivation_input_bytes(
6077 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
Gilles Peskine449bd832023-01-11 14:50:10 +01006078 raw_psk, raw_psk_length);
6079 } else {
Jerry Yudc7bd172022-02-17 13:44:15 +08006080 status = psa_key_derivation_input_key(
Gilles Peskine449bd832023-01-11 14:50:10 +01006081 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
Jerry Yudc7bd172022-02-17 13:44:15 +08006082 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006083 if (status != PSA_SUCCESS) {
6084 return status;
6085 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006086
Gilles Peskine449bd832023-01-11 14:50:10 +01006087 status = psa_key_derivation_input_bytes(derivation,
6088 PSA_KEY_DERIVATION_INPUT_LABEL,
6089 label, label_length);
6090 if (status != PSA_SUCCESS) {
6091 return status;
6092 }
6093 } else {
6094 return PSA_ERROR_NOT_SUPPORTED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006095 }
6096
Gilles Peskine449bd832023-01-11 14:50:10 +01006097 status = psa_key_derivation_set_capacity(derivation, capacity);
6098 if (status != PSA_SUCCESS) {
6099 return status;
6100 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006101
Gilles Peskine449bd832023-01-11 14:50:10 +01006102 return PSA_SUCCESS;
Jerry Yudc7bd172022-02-17 13:44:15 +08006103}
6104
Andrzej Kurek57d10632022-10-24 10:32:01 -04006105#if defined(PSA_WANT_ALG_SHA_384) || \
6106 defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006107MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006108static int tls_prf_generic(mbedtls_md_type_t md_type,
6109 const unsigned char *secret, size_t slen,
Max Fillingerf2dda152024-10-23 15:47:23 +02006110 const char *label, size_t label_len,
Gilles Peskine449bd832023-01-11 14:50:10 +01006111 const unsigned char *random, size_t rlen,
6112 unsigned char *dstbuf, size_t dlen)
Jerry Yudc7bd172022-02-17 13:44:15 +08006113{
6114 psa_status_t status;
6115 psa_algorithm_t alg;
6116 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6117 psa_key_derivation_operation_t derivation =
6118 PSA_KEY_DERIVATION_OPERATION_INIT;
6119
Gilles Peskine449bd832023-01-11 14:50:10 +01006120 if (md_type == MBEDTLS_MD_SHA384) {
Jerry Yudc7bd172022-02-17 13:44:15 +08006121 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
Gilles Peskine449bd832023-01-11 14:50:10 +01006122 } else {
Jerry Yudc7bd172022-02-17 13:44:15 +08006123 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
Gilles Peskine449bd832023-01-11 14:50:10 +01006124 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006125
6126 /* Normally a "secret" should be long enough to be impossible to
6127 * find by brute force, and in particular should not be empty. But
6128 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6129 * and for this use case it makes sense to have a 0-length "secret".
6130 * Since the key API doesn't allow importing a key of length 0,
6131 * keep master_key=0, which setup_psa_key_derivation() understands
6132 * to mean a 0-length "secret" input. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006133 if (slen != 0) {
Jerry Yudc7bd172022-02-17 13:44:15 +08006134 psa_key_attributes_t key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +01006135 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6136 psa_set_key_algorithm(&key_attributes, alg);
6137 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
Jerry Yudc7bd172022-02-17 13:44:15 +08006138
Gilles Peskine449bd832023-01-11 14:50:10 +01006139 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6140 if (status != PSA_SUCCESS) {
6141 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6142 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006143 }
6144
Gilles Peskine449bd832023-01-11 14:50:10 +01006145 status = setup_psa_key_derivation(&derivation,
6146 master_key, alg,
6147 NULL, 0,
6148 random, rlen,
6149 (unsigned char const *) label,
Max Fillingerf2dda152024-10-23 15:47:23 +02006150 label_len,
Gilles Peskine449bd832023-01-11 14:50:10 +01006151 NULL, 0,
6152 dlen);
6153 if (status != PSA_SUCCESS) {
6154 psa_key_derivation_abort(&derivation);
6155 psa_destroy_key(master_key);
6156 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006157 }
6158
Gilles Peskine449bd832023-01-11 14:50:10 +01006159 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6160 if (status != PSA_SUCCESS) {
6161 psa_key_derivation_abort(&derivation);
6162 psa_destroy_key(master_key);
6163 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006164 }
6165
Gilles Peskine449bd832023-01-11 14:50:10 +01006166 status = psa_key_derivation_abort(&derivation);
6167 if (status != PSA_SUCCESS) {
6168 psa_destroy_key(master_key);
6169 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006170 }
6171
Gilles Peskine449bd832023-01-11 14:50:10 +01006172 if (!mbedtls_svc_key_id_is_null(master_key)) {
6173 status = psa_destroy_key(master_key);
6174 }
6175 if (status != PSA_SUCCESS) {
6176 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6177 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006178
Gilles Peskine449bd832023-01-11 14:50:10 +01006179 return 0;
Jerry Yudc7bd172022-02-17 13:44:15 +08006180}
Andrzej Kurek57d10632022-10-24 10:32:01 -04006181#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
Jerry Yudc7bd172022-02-17 13:44:15 +08006182
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006183#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006184MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006185static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6186 const char *label,
6187 const unsigned char *random, size_t rlen,
6188 unsigned char *dstbuf, size_t dlen)
Jerry Yudc7bd172022-02-17 13:44:15 +08006189{
Gilles Peskine449bd832023-01-11 14:50:10 +01006190 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
Max Fillingerf2dda152024-10-23 15:47:23 +02006191 label, strlen(label), random, rlen, dstbuf, dlen);
Jerry Yudc7bd172022-02-17 13:44:15 +08006192}
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006193#endif /* PSA_WANT_ALG_SHA_256*/
Jerry Yudc7bd172022-02-17 13:44:15 +08006194
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006195#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006196MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006197static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6198 const char *label,
6199 const unsigned char *random, size_t rlen,
6200 unsigned char *dstbuf, size_t dlen)
Jerry Yudc7bd172022-02-17 13:44:15 +08006201{
Gilles Peskine449bd832023-01-11 14:50:10 +01006202 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
Max Fillingerf2dda152024-10-23 15:47:23 +02006203 label, strlen(label), random, rlen, dstbuf, dlen);
Jerry Yudc7bd172022-02-17 13:44:15 +08006204}
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006205#endif /* PSA_WANT_ALG_SHA_384*/
Jerry Yudc7bd172022-02-17 13:44:15 +08006206
Jerry Yuf009d862022-02-17 14:01:37 +08006207/*
6208 * Set appropriate PRF function and other SSL / TLS1.2 functions
6209 *
6210 * Inputs:
Jerry Yuf009d862022-02-17 14:01:37 +08006211 * - hash associated with the ciphersuite (only used by TLS 1.2)
6212 *
6213 * Outputs:
6214 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6215 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006216MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006217static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6218 mbedtls_md_type_t hash)
Jerry Yuf009d862022-02-17 14:01:37 +08006219{
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006220#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01006221 if (hash == MBEDTLS_MD_SHA384) {
Jerry Yuf009d862022-02-17 14:01:37 +08006222 handshake->tls_prf = tls_prf_sha384;
6223 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6224 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Gilles Peskine449bd832023-01-11 14:50:10 +01006225 } else
Jerry Yuf009d862022-02-17 14:01:37 +08006226#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006227#if defined(PSA_WANT_ALG_SHA_256)
Jerry Yuf009d862022-02-17 14:01:37 +08006228 {
Ronald Cron81591aa2022-03-07 09:05:51 +01006229 (void) hash;
Jerry Yuf009d862022-02-17 14:01:37 +08006230 handshake->tls_prf = tls_prf_sha256;
6231 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6232 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6233 }
Ronald Cron81591aa2022-03-07 09:05:51 +01006234#else
Jerry Yuf009d862022-02-17 14:01:37 +08006235 {
Jerry Yuf009d862022-02-17 14:01:37 +08006236 (void) handshake;
Ronald Cron81591aa2022-03-07 09:05:51 +01006237 (void) hash;
Gilles Peskine449bd832023-01-11 14:50:10 +01006238 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf009d862022-02-17 14:01:37 +08006239 }
Ronald Cron81591aa2022-03-07 09:05:51 +01006240#endif
Jerry Yuf009d862022-02-17 14:01:37 +08006241
Gilles Peskine449bd832023-01-11 14:50:10 +01006242 return 0;
Jerry Yuf009d862022-02-17 14:01:37 +08006243}
Jerry Yud6ab2352022-02-17 14:03:43 +08006244
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006245/*
6246 * Compute master secret if needed
6247 *
6248 * Parameters:
6249 * [in/out] handshake
6250 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6251 * (PSA-PSK) ciphersuite_info, psk_opaque
6252 * [out] premaster (cleared)
6253 * [out] master
6254 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6255 * debug: conf->f_dbg, conf->p_dbg
6256 * EMS: passed to calc_verify (debug + session_negotiate)
Ronald Crona25cf582022-03-07 11:10:36 +01006257 * PSA-PSA: conf
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006258 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006259MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006260static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6261 unsigned char *master,
6262 const mbedtls_ssl_context *ssl)
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006263{
6264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6265
6266 /* cf. RFC 5246, Section 8.1:
6267 * "The master secret is always exactly 48 bytes in length." */
6268 size_t const master_secret_len = 48;
6269
6270#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6271 unsigned char session_hash[48];
6272#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6273
6274 /* The label for the KDF used for key expansion.
6275 * This is either "master secret" or "extended master secret"
6276 * depending on whether the Extended Master Secret extension
6277 * is used. */
6278 char const *lbl = "master secret";
6279
Przemek Stekielae4ed302022-04-05 17:15:55 +02006280 /* The seed for the KDF used for key expansion.
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006281 * - If the Extended Master Secret extension is not used,
6282 * this is ClientHello.Random + ServerHello.Random
6283 * (see Sect. 8.1 in RFC 5246).
6284 * - If the Extended Master Secret extension is used,
6285 * this is the transcript of the handshake so far.
6286 * (see Sect. 4 in RFC 7627). */
Przemek Stekielae4ed302022-04-05 17:15:55 +02006287 unsigned char const *seed = handshake->randbytes;
6288 size_t seed_len = 64;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006289
6290#if !defined(MBEDTLS_DEBUG_C) && \
6291 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01006292 !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006293 ssl = NULL; /* make sure we don't use it except for those cases */
6294 (void) ssl;
6295#endif
6296
Gilles Peskine449bd832023-01-11 14:50:10 +01006297 if (handshake->resume != 0) {
6298 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
6299 return 0;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006300 }
6301
6302#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +01006303 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006304 lbl = "extended master secret";
Przemek Stekielae4ed302022-04-05 17:15:55 +02006305 seed = session_hash;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01006306 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
6307 if (ret != 0) {
6308 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
6309 }
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006310
Gilles Peskine449bd832023-01-11 14:50:10 +01006311 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
6312 session_hash, seed_len);
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006313 }
Przemek Stekiel169bf0b2022-04-29 07:53:29 +02006314#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006315
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01006316#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01006317 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006318 /* Perform PSK-to-MS expansion in a single step. */
6319 psa_status_t status;
6320 psa_algorithm_t alg;
6321 mbedtls_svc_key_id_t psk;
6322 psa_key_derivation_operation_t derivation =
6323 PSA_KEY_DERIVATION_OPERATION_INIT;
Dave Rodgman2eab4622023-10-05 13:30:37 +01006324 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006325
Gilles Peskine449bd832023-01-11 14:50:10 +01006326 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006327
Gilles Peskine449bd832023-01-11 14:50:10 +01006328 psk = mbedtls_ssl_get_opaque_psk(ssl);
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006329
Gilles Peskine449bd832023-01-11 14:50:10 +01006330 if (hash_alg == MBEDTLS_MD_SHA384) {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006331 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
Gilles Peskine449bd832023-01-11 14:50:10 +01006332 } else {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006333 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
Gilles Peskine449bd832023-01-11 14:50:10 +01006334 }
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006335
Przemek Stekiel51a1f362022-04-13 08:57:06 +02006336 size_t other_secret_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01006337 unsigned char *other_secret = NULL;
Przemek Stekielc2033402022-04-05 17:19:41 +02006338
Gilles Peskine449bd832023-01-11 14:50:10 +01006339 switch (handshake->ciphersuite_info->key_exchange) {
Przemek Stekiel19b80f82022-04-14 08:29:31 +02006340 /* Provide other secret.
Przemek Stekiel51a1f362022-04-13 08:57:06 +02006341 * Other secret is stored in premaster, where first 2 bytes hold the
Przemek Stekiel19b80f82022-04-14 08:29:31 +02006342 * length of the other key.
Przemek Stekielc2033402022-04-05 17:19:41 +02006343 */
Przemek Stekiel19b80f82022-04-14 08:29:31 +02006344 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
6345 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
6346 other_secret = handshake->premaster + 2;
6347 break;
6348 default:
6349 break;
Przemek Stekielc2033402022-04-05 17:19:41 +02006350 }
6351
Gilles Peskine449bd832023-01-11 14:50:10 +01006352 status = setup_psa_key_derivation(&derivation, psk, alg,
6353 ssl->conf->psk, ssl->conf->psk_len,
6354 seed, seed_len,
6355 (unsigned char const *) lbl,
6356 (size_t) strlen(lbl),
6357 other_secret, other_secret_len,
6358 master_secret_len);
6359 if (status != PSA_SUCCESS) {
6360 psa_key_derivation_abort(&derivation);
6361 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006362 }
6363
Gilles Peskine449bd832023-01-11 14:50:10 +01006364 status = psa_key_derivation_output_bytes(&derivation,
6365 master,
6366 master_secret_len);
6367 if (status != PSA_SUCCESS) {
6368 psa_key_derivation_abort(&derivation);
6369 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006370 }
6371
Gilles Peskine449bd832023-01-11 14:50:10 +01006372 status = psa_key_derivation_abort(&derivation);
6373 if (status != PSA_SUCCESS) {
6374 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6375 }
6376 } else
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006377#endif
6378 {
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01006379#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01006380 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +02006381 psa_status_t status;
6382 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
6383 psa_key_derivation_operation_t derivation =
6384 PSA_KEY_DERIVATION_OPERATION_INIT;
6385
Gilles Peskine449bd832023-01-11 14:50:10 +01006386 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
Neil Armstrongca7d5062022-05-31 14:43:23 +02006387
6388 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
6389
Gilles Peskine449bd832023-01-11 14:50:10 +01006390 status = psa_key_derivation_setup(&derivation, alg);
6391 if (status != PSA_SUCCESS) {
6392 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006393 }
6394
Gilles Peskine449bd832023-01-11 14:50:10 +01006395 status = psa_key_derivation_set_capacity(&derivation,
6396 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
6397 if (status != PSA_SUCCESS) {
6398 psa_key_derivation_abort(&derivation);
6399 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006400 }
6401
Gilles Peskine449bd832023-01-11 14:50:10 +01006402 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
6403 &derivation);
6404 if (status != PSA_SUCCESS) {
6405 psa_key_derivation_abort(&derivation);
6406 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006407 }
6408
Gilles Peskine449bd832023-01-11 14:50:10 +01006409 status = psa_key_derivation_output_bytes(&derivation,
6410 handshake->premaster,
6411 handshake->pmslen);
6412 if (status != PSA_SUCCESS) {
6413 psa_key_derivation_abort(&derivation);
6414 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6415 }
6416
6417 status = psa_key_derivation_abort(&derivation);
6418 if (status != PSA_SUCCESS) {
6419 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006420 }
6421 }
6422#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01006423 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
6424 lbl, seed, seed_len,
6425 master,
6426 master_secret_len);
6427 if (ret != 0) {
6428 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
6429 return ret;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006430 }
6431
Gilles Peskine449bd832023-01-11 14:50:10 +01006432 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
6433 handshake->premaster,
6434 handshake->pmslen);
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006435
Gilles Peskine449bd832023-01-11 14:50:10 +01006436 mbedtls_platform_zeroize(handshake->premaster,
6437 sizeof(handshake->premaster));
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006438 }
6439
Gilles Peskine449bd832023-01-11 14:50:10 +01006440 return 0;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006441}
6442
Gilles Peskine449bd832023-01-11 14:50:10 +01006443int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
Jerry Yud62f87e2022-02-17 14:09:02 +08006444{
6445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6446 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
6447 ssl->handshake->ciphersuite_info;
6448
Gilles Peskine449bd832023-01-11 14:50:10 +01006449 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
Jerry Yud62f87e2022-02-17 14:09:02 +08006450
6451 /* Set PRF, calc_verify and calc_finished function pointers */
Gilles Peskine449bd832023-01-11 14:50:10 +01006452 ret = ssl_set_handshake_prfs(ssl->handshake,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01006453 (mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +01006454 if (ret != 0) {
6455 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
6456 return ret;
Jerry Yud62f87e2022-02-17 14:09:02 +08006457 }
6458
6459 /* Compute master secret if needed */
Gilles Peskine449bd832023-01-11 14:50:10 +01006460 ret = ssl_compute_master(ssl->handshake,
6461 ssl->session_negotiate->master,
6462 ssl);
6463 if (ret != 0) {
6464 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
6465 return ret;
Jerry Yud62f87e2022-02-17 14:09:02 +08006466 }
6467
6468 /* Swap the client and server random values:
6469 * - MS derivation wanted client+server (RFC 5246 8.1)
6470 * - key derivation wants server+client (RFC 5246 6.3) */
6471 {
6472 unsigned char tmp[64];
Gilles Peskine449bd832023-01-11 14:50:10 +01006473 memcpy(tmp, ssl->handshake->randbytes, 64);
6474 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
6475 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
6476 mbedtls_platform_zeroize(tmp, sizeof(tmp));
Jerry Yud62f87e2022-02-17 14:09:02 +08006477 }
6478
6479 /* Populate transform structure */
Gilles Peskine449bd832023-01-11 14:50:10 +01006480 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
6481 ssl->session_negotiate->ciphersuite,
6482 ssl->session_negotiate->master,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02006483#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01006484 ssl->session_negotiate->encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02006485#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01006486 ssl->handshake->tls_prf,
6487 ssl->handshake->randbytes,
6488 ssl->tls_version,
6489 ssl->conf->endpoint,
6490 ssl);
6491 if (ret != 0) {
6492 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
6493 return ret;
Jerry Yud62f87e2022-02-17 14:09:02 +08006494 }
6495
6496 /* We no longer need Server/ClientHello.random values */
Gilles Peskine449bd832023-01-11 14:50:10 +01006497 mbedtls_platform_zeroize(ssl->handshake->randbytes,
6498 sizeof(ssl->handshake->randbytes));
Jerry Yud62f87e2022-02-17 14:09:02 +08006499
Gilles Peskine449bd832023-01-11 14:50:10 +01006500 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
Jerry Yud62f87e2022-02-17 14:09:02 +08006501
Gilles Peskine449bd832023-01-11 14:50:10 +01006502 return 0;
Jerry Yud62f87e2022-02-17 14:09:02 +08006503}
Jerry Yu8392e0d2022-02-17 14:10:24 +08006504
Gilles Peskine449bd832023-01-11 14:50:10 +01006505int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
Ronald Cron4dcbca92022-03-07 10:21:40 +01006506{
Gilles Peskine449bd832023-01-11 14:50:10 +01006507 switch (md) {
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006508#if defined(PSA_WANT_ALG_SHA_384)
Ronald Cron4dcbca92022-03-07 10:21:40 +01006509 case MBEDTLS_SSL_HASH_SHA384:
6510 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6511 break;
6512#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006513#if defined(PSA_WANT_ALG_SHA_256)
Ronald Cron4dcbca92022-03-07 10:21:40 +01006514 case MBEDTLS_SSL_HASH_SHA256:
6515 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6516 break;
6517#endif
6518 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01006519 return -1;
Ronald Cron4dcbca92022-03-07 10:21:40 +01006520 }
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006521#if !defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006522 !defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurekeabeb302022-10-17 07:52:51 -04006523 (void) ssl;
6524#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01006525 return 0;
Ronald Cron4dcbca92022-03-07 10:21:40 +01006526}
6527
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006528static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
6529 const psa_hash_operation_t *hs_op,
6530 size_t buffer_size,
6531 unsigned char *hash,
6532 size_t *hlen)
6533{
6534 psa_status_t status;
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006535 psa_hash_operation_t cloned_op = psa_hash_operation_init();
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006536
6537#if !defined(MBEDTLS_DEBUG_C)
6538 (void) ssl;
6539#endif
6540 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006541 status = psa_hash_clone(hs_op, &cloned_op);
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006542 if (status != PSA_SUCCESS) {
6543 goto exit;
6544 }
6545
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006546 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006547 if (status != PSA_SUCCESS) {
6548 goto exit;
6549 }
6550
6551 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
6552 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
6553
6554exit:
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006555 psa_hash_abort(&cloned_op);
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006556 return mbedtls_md_error_from_psa(status);
6557}
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006558
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006559#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +01006560int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
6561 unsigned char *hash,
6562 size_t *hlen)
Jerry Yu8392e0d2022-02-17 14:10:24 +08006563{
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006564 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
6565 hash, hlen);
Jerry Yu8392e0d2022-02-17 14:10:24 +08006566}
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006567#endif /* PSA_WANT_ALG_SHA_256 */
Jerry Yu8392e0d2022-02-17 14:10:24 +08006568
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006569#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +01006570int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
6571 unsigned char *hash,
6572 size_t *hlen)
Jerry Yuc1cb3842022-02-17 14:13:48 +08006573{
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006574 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
6575 hash, hlen);
Jerry Yuc1cb3842022-02-17 14:13:48 +08006576}
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006577#endif /* PSA_WANT_ALG_SHA_384 */
Jerry Yuc1cb3842022-02-17 14:13:48 +08006578
Jerry Yuc2c673d2022-02-17 14:20:39 +08006579#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006580MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006581static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
Jerry Yuc2c673d2022-02-17 14:20:39 +08006582
6583#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01006584int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
Jerry Yuc2c673d2022-02-17 14:20:39 +08006585{
6586 /* If renegotiation is not enforced, retransmit until we would reach max
6587 * timeout if we were using the usual handshake doubling scheme */
Gilles Peskine449bd832023-01-11 14:50:10 +01006588 if (ssl->conf->renego_max_records < 0) {
Jerry Yuc2c673d2022-02-17 14:20:39 +08006589 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
6590 unsigned char doublings = 1;
6591
Gilles Peskine449bd832023-01-11 14:50:10 +01006592 while (ratio != 0) {
Jerry Yuc2c673d2022-02-17 14:20:39 +08006593 ++doublings;
6594 ratio >>= 1;
6595 }
6596
Gilles Peskine449bd832023-01-11 14:50:10 +01006597 if (++ssl->renego_records_seen > doublings) {
6598 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
6599 return 0;
Jerry Yuc2c673d2022-02-17 14:20:39 +08006600 }
6601 }
6602
Gilles Peskine449bd832023-01-11 14:50:10 +01006603 return ssl_write_hello_request(ssl);
Jerry Yuc2c673d2022-02-17 14:20:39 +08006604}
6605#endif
6606#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Jerry Yud9526692022-02-17 14:23:47 +08006607
Jerry Yud9526692022-02-17 14:23:47 +08006608/*
6609 * Handshake functions
6610 */
6611#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6612/* No certificate support -> dummy functions */
Gilles Peskine449bd832023-01-11 14:50:10 +01006613int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006614{
6615 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6616 ssl->handshake->ciphersuite_info;
6617
Gilles Peskine449bd832023-01-11 14:50:10 +01006618 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006619
Gilles Peskine449bd832023-01-11 14:50:10 +01006620 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6621 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
Gilles Peskinef670ba52025-03-07 15:09:32 +01006622 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01006623 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006624 }
6625
Gilles Peskine449bd832023-01-11 14:50:10 +01006626 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6627 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006628}
6629
Gilles Peskine449bd832023-01-11 14:50:10 +01006630int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006631{
6632 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6633 ssl->handshake->ciphersuite_info;
6634
Gilles Peskine449bd832023-01-11 14:50:10 +01006635 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006636
Gilles Peskine449bd832023-01-11 14:50:10 +01006637 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6638 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
Gilles Peskinef670ba52025-03-07 15:09:32 +01006639 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01006640 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006641 }
6642
Gilles Peskine449bd832023-01-11 14:50:10 +01006643 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6644 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006645}
6646
6647#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6648/* Some certificate support -> implement write and parse */
6649
Gilles Peskine449bd832023-01-11 14:50:10 +01006650int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006651{
6652 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6653 size_t i, n;
6654 const mbedtls_x509_crt *crt;
6655 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6656 ssl->handshake->ciphersuite_info;
6657
Gilles Peskine449bd832023-01-11 14:50:10 +01006658 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006659
Gilles Peskine449bd832023-01-11 14:50:10 +01006660 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6661 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
Gilles Peskinef670ba52025-03-07 15:09:32 +01006662 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01006663 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006664 }
6665
6666#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006667 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
6668 if (ssl->handshake->client_auth == 0) {
6669 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
Gilles Peskinef670ba52025-03-07 15:09:32 +01006670 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01006671 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006672 }
6673 }
6674#endif /* MBEDTLS_SSL_CLI_C */
6675#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006676 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
6677 if (mbedtls_ssl_own_cert(ssl) == NULL) {
Jerry Yud9526692022-02-17 14:23:47 +08006678 /* Should never happen because we shouldn't have picked the
6679 * ciphersuite if we don't have a certificate. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006680 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006681 }
6682 }
6683#endif
6684
Gilles Peskine449bd832023-01-11 14:50:10 +01006685 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
Jerry Yud9526692022-02-17 14:23:47 +08006686
6687 /*
6688 * 0 . 0 handshake type
6689 * 1 . 3 handshake length
6690 * 4 . 6 length of all certs
6691 * 7 . 9 length of cert. 1
6692 * 10 . n-1 peer certificate
6693 * n . n+2 length of cert. 2
6694 * n+3 . ... upper level cert, etc.
6695 */
6696 i = 7;
Gilles Peskine449bd832023-01-11 14:50:10 +01006697 crt = mbedtls_ssl_own_cert(ssl);
Jerry Yud9526692022-02-17 14:23:47 +08006698
Gilles Peskine449bd832023-01-11 14:50:10 +01006699 while (crt != NULL) {
Jerry Yud9526692022-02-17 14:23:47 +08006700 n = crt->raw.len;
Gilles Peskine449bd832023-01-11 14:50:10 +01006701 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
6702 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
6703 " > %" MBEDTLS_PRINTF_SIZET,
6704 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
6705 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Jerry Yud9526692022-02-17 14:23:47 +08006706 }
6707
Gilles Peskine449bd832023-01-11 14:50:10 +01006708 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
6709 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
6710 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
Jerry Yud9526692022-02-17 14:23:47 +08006711
Gilles Peskine449bd832023-01-11 14:50:10 +01006712 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
Jerry Yud9526692022-02-17 14:23:47 +08006713 i += n; crt = crt->next;
6714 }
6715
Gilles Peskine449bd832023-01-11 14:50:10 +01006716 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
6717 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
6718 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
Jerry Yud9526692022-02-17 14:23:47 +08006719
6720 ssl->out_msglen = i;
6721 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
6722 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
6723
Gilles Peskinef670ba52025-03-07 15:09:32 +01006724 mbedtls_ssl_handshake_increment_state(ssl);
Jerry Yud9526692022-02-17 14:23:47 +08006725
Gilles Peskine449bd832023-01-11 14:50:10 +01006726 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
6727 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
6728 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08006729 }
6730
Gilles Peskine449bd832023-01-11 14:50:10 +01006731 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006732
Gilles Peskine449bd832023-01-11 14:50:10 +01006733 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08006734}
6735
6736#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
6737
6738#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006739MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006740static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
6741 unsigned char *crt_buf,
6742 size_t crt_buf_len)
Jerry Yud9526692022-02-17 14:23:47 +08006743{
6744 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
6745
Gilles Peskine449bd832023-01-11 14:50:10 +01006746 if (peer_crt == NULL) {
6747 return -1;
6748 }
Jerry Yud9526692022-02-17 14:23:47 +08006749
Gilles Peskine449bd832023-01-11 14:50:10 +01006750 if (peer_crt->raw.len != crt_buf_len) {
6751 return -1;
6752 }
Jerry Yud9526692022-02-17 14:23:47 +08006753
Gilles Peskine449bd832023-01-11 14:50:10 +01006754 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
Jerry Yud9526692022-02-17 14:23:47 +08006755}
6756#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006757MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006758static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
6759 unsigned char *crt_buf,
6760 size_t crt_buf_len)
Jerry Yud9526692022-02-17 14:23:47 +08006761{
6762 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6763 unsigned char const * const peer_cert_digest =
6764 ssl->session->peer_cert_digest;
6765 mbedtls_md_type_t const peer_cert_digest_type =
6766 ssl->session->peer_cert_digest_type;
6767 mbedtls_md_info_t const * const digest_info =
Gilles Peskine449bd832023-01-11 14:50:10 +01006768 mbedtls_md_info_from_type(peer_cert_digest_type);
Jerry Yud9526692022-02-17 14:23:47 +08006769 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
6770 size_t digest_len;
6771
Gilles Peskine449bd832023-01-11 14:50:10 +01006772 if (peer_cert_digest == NULL || digest_info == NULL) {
6773 return -1;
6774 }
Jerry Yud9526692022-02-17 14:23:47 +08006775
Gilles Peskine449bd832023-01-11 14:50:10 +01006776 digest_len = mbedtls_md_get_size(digest_info);
6777 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
6778 return -1;
6779 }
Jerry Yud9526692022-02-17 14:23:47 +08006780
Gilles Peskine449bd832023-01-11 14:50:10 +01006781 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
6782 if (ret != 0) {
6783 return -1;
6784 }
Jerry Yud9526692022-02-17 14:23:47 +08006785
Gilles Peskine449bd832023-01-11 14:50:10 +01006786 return memcmp(tmp_digest, peer_cert_digest, digest_len);
Jerry Yud9526692022-02-17 14:23:47 +08006787}
6788#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
6789#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
6790
6791/*
6792 * Once the certificate message is read, parse it into a cert chain and
6793 * perform basic checks, but leave actual verification to the caller
6794 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006795MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006796static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
6797 mbedtls_x509_crt *chain)
Jerry Yud9526692022-02-17 14:23:47 +08006798{
6799 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6800#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006801 int crt_cnt = 0;
Jerry Yud9526692022-02-17 14:23:47 +08006802#endif
6803 size_t i, n;
6804 uint8_t alert;
6805
Gilles Peskine449bd832023-01-11 14:50:10 +01006806 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
6807 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6808 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6809 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
6810 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Jerry Yud9526692022-02-17 14:23:47 +08006811 }
6812
Gilles Peskine449bd832023-01-11 14:50:10 +01006813 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
6814 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6815 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
6816 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Jerry Yud9526692022-02-17 14:23:47 +08006817 }
6818
Gilles Peskine449bd832023-01-11 14:50:10 +01006819 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
6820 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6821 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6822 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6823 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006824 }
6825
Gilles Peskine449bd832023-01-11 14:50:10 +01006826 i = mbedtls_ssl_hs_hdr_len(ssl);
Jerry Yud9526692022-02-17 14:23:47 +08006827
6828 /*
6829 * Same message structure as in mbedtls_ssl_write_certificate()
6830 */
Dave Rodgmana3d0f612023-11-03 23:34:02 +00006831 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
Jerry Yud9526692022-02-17 14:23:47 +08006832
Gilles Peskine449bd832023-01-11 14:50:10 +01006833 if (ssl->in_msg[i] != 0 ||
6834 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
6835 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6836 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6837 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6838 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006839 }
6840
6841 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
6842 i += 3;
6843
6844 /* Iterate through and parse the CRTs in the provided chain. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006845 while (i < ssl->in_hslen) {
Jerry Yud9526692022-02-17 14:23:47 +08006846 /* Check that there's room for the next CRT's length fields. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006847 if (i + 3 > ssl->in_hslen) {
6848 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6849 mbedtls_ssl_send_alert_message(ssl,
6850 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6851 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6852 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006853 }
6854 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
6855 * anything beyond 2**16 ~ 64K. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006856 if (ssl->in_msg[i] != 0) {
6857 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6858 mbedtls_ssl_send_alert_message(ssl,
6859 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6860 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
6861 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Jerry Yud9526692022-02-17 14:23:47 +08006862 }
6863
6864 /* Read length of the next CRT in the chain. */
Dave Rodgmana3d0f612023-11-03 23:34:02 +00006865 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
Jerry Yud9526692022-02-17 14:23:47 +08006866 i += 3;
6867
Gilles Peskine449bd832023-01-11 14:50:10 +01006868 if (n < 128 || i + n > ssl->in_hslen) {
6869 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6870 mbedtls_ssl_send_alert_message(ssl,
6871 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6872 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6873 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006874 }
6875
6876 /* Check if we're handling the first CRT in the chain. */
6877#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006878 if (crt_cnt++ == 0 &&
Jerry Yud9526692022-02-17 14:23:47 +08006879 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Gilles Peskine449bd832023-01-11 14:50:10 +01006880 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Jerry Yud9526692022-02-17 14:23:47 +08006881 /* During client-side renegotiation, check that the server's
6882 * end-CRTs hasn't changed compared to the initial handshake,
6883 * mitigating the triple handshake attack. On success, reuse
6884 * the original end-CRT instead of parsing it again. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006885 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
6886 if (ssl_check_peer_crt_unchanged(ssl,
6887 &ssl->in_msg[i],
6888 n) != 0) {
6889 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
6890 mbedtls_ssl_send_alert_message(ssl,
6891 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6892 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
6893 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Jerry Yud9526692022-02-17 14:23:47 +08006894 }
6895
6896 /* Now we can safely free the original chain. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006897 ssl_clear_peer_cert(ssl->session);
Jerry Yud9526692022-02-17 14:23:47 +08006898 }
6899#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
6900
6901 /* Parse the next certificate in the chain. */
6902#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +01006903 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
Jerry Yud9526692022-02-17 14:23:47 +08006904#else
6905 /* If we don't need to store the CRT chain permanently, parse
6906 * it in-place from the input buffer instead of making a copy. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006907 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
Jerry Yud9526692022-02-17 14:23:47 +08006908#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006909 switch (ret) {
Jerry Yud9526692022-02-17 14:23:47 +08006910 case 0: /*ok*/
Gilles Peskine4c832212025-05-07 23:05:12 +02006911 case MBEDTLS_ERR_X509_UNKNOWN_OID:
Jerry Yud9526692022-02-17 14:23:47 +08006912 /* Ignore certificate with an unknown algorithm: maybe a
6913 prior certificate was already trusted. */
6914 break;
6915
6916 case MBEDTLS_ERR_X509_ALLOC_FAILED:
6917 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
6918 goto crt_parse_der_failed;
6919
6920 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
6921 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6922 goto crt_parse_der_failed;
6923
6924 default:
6925 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
Gilles Peskine449bd832023-01-11 14:50:10 +01006926crt_parse_der_failed:
6927 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
6928 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
6929 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08006930 }
6931
6932 i += n;
6933 }
6934
Gilles Peskine449bd832023-01-11 14:50:10 +01006935 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
6936 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006937}
6938
6939#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006940MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006941static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006942{
Gilles Peskine449bd832023-01-11 14:50:10 +01006943 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
6944 return -1;
6945 }
Jerry Yud9526692022-02-17 14:23:47 +08006946
Gilles Peskine449bd832023-01-11 14:50:10 +01006947 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
Jerry Yud9526692022-02-17 14:23:47 +08006948 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
6949 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
Gilles Peskine449bd832023-01-11 14:50:10 +01006950 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
6951 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
6952 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006953 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006954 return -1;
Jerry Yud9526692022-02-17 14:23:47 +08006955}
6956#endif /* MBEDTLS_SSL_SRV_C */
6957
6958/* Check if a certificate message is expected.
6959 * Return either
6960 * - SSL_CERTIFICATE_EXPECTED, or
6961 * - SSL_CERTIFICATE_SKIP
6962 * indicating whether a Certificate message is expected or not.
6963 */
6964#define SSL_CERTIFICATE_EXPECTED 0
6965#define SSL_CERTIFICATE_SKIP 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006966MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006967static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
6968 int authmode)
Jerry Yud9526692022-02-17 14:23:47 +08006969{
6970 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6971 ssl->handshake->ciphersuite_info;
6972
Gilles Peskine449bd832023-01-11 14:50:10 +01006973 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6974 return SSL_CERTIFICATE_SKIP;
6975 }
Jerry Yud9526692022-02-17 14:23:47 +08006976
6977#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006978 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Gilles Peskine449bd832023-01-11 14:50:10 +01006979 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
Jerry Yud9526692022-02-17 14:23:47 +08006980 ssl->session_negotiate->verify_result =
6981 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
Gilles Peskine449bd832023-01-11 14:50:10 +01006982 return SSL_CERTIFICATE_SKIP;
Jerry Yud9526692022-02-17 14:23:47 +08006983 }
6984 }
6985#else
6986 ((void) authmode);
6987#endif /* MBEDTLS_SSL_SRV_C */
6988
Gilles Peskine449bd832023-01-11 14:50:10 +01006989 return SSL_CERTIFICATE_EXPECTED;
Jerry Yud9526692022-02-17 14:23:47 +08006990}
6991
Jerry Yud9526692022-02-17 14:23:47 +08006992#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006993MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006994static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
6995 unsigned char *start, size_t len)
Jerry Yud9526692022-02-17 14:23:47 +08006996{
6997 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6998 /* Remember digest of the peer's end-CRT. */
6999 ssl->session_negotiate->peer_cert_digest =
Gilles Peskine449bd832023-01-11 14:50:10 +01007000 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7001 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7002 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7003 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7004 mbedtls_ssl_send_alert_message(ssl,
7005 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7006 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
Jerry Yud9526692022-02-17 14:23:47 +08007007
Gilles Peskine449bd832023-01-11 14:50:10 +01007008 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yud9526692022-02-17 14:23:47 +08007009 }
7010
Gilles Peskine449bd832023-01-11 14:50:10 +01007011 ret = mbedtls_md(mbedtls_md_info_from_type(
7012 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7013 start, len,
7014 ssl->session_negotiate->peer_cert_digest);
Jerry Yud9526692022-02-17 14:23:47 +08007015
7016 ssl->session_negotiate->peer_cert_digest_type =
7017 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7018 ssl->session_negotiate->peer_cert_digest_len =
7019 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7020
Gilles Peskine449bd832023-01-11 14:50:10 +01007021 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08007022}
7023
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007024MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007025static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7026 unsigned char *start, size_t len)
Jerry Yud9526692022-02-17 14:23:47 +08007027{
7028 unsigned char *end = start + len;
7029 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7030
7031 /* Make a copy of the peer's raw public key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007032 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7033 ret = mbedtls_pk_parse_subpubkey(&start, end,
7034 &ssl->handshake->peer_pubkey);
7035 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007036 /* We should have parsed the public key before. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007037 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08007038 }
7039
Gilles Peskine449bd832023-01-11 14:50:10 +01007040 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08007041}
7042#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7043
Gilles Peskine449bd832023-01-11 14:50:10 +01007044int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08007045{
7046 int ret = 0;
7047 int crt_expected;
Manuel Pégourié-Gonnard58ab9ba2024-08-14 09:47:38 +02007048 /* Authmode: precedence order is SNI if used else configuration */
Jerry Yud9526692022-02-17 14:23:47 +08007049#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7050 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7051 ? ssl->handshake->sni_authmode
7052 : ssl->conf->authmode;
7053#else
7054 const int authmode = ssl->conf->authmode;
7055#endif
7056 void *rs_ctx = NULL;
7057 mbedtls_x509_crt *chain = NULL;
7058
Gilles Peskine449bd832023-01-11 14:50:10 +01007059 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08007060
Gilles Peskine449bd832023-01-11 14:50:10 +01007061 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7062 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7063 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08007064 goto exit;
7065 }
7066
7067#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01007068 if (ssl->handshake->ecrs_enabled &&
7069 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
Jerry Yud9526692022-02-17 14:23:47 +08007070 chain = ssl->handshake->ecrs_peer_cert;
7071 ssl->handshake->ecrs_peer_cert = NULL;
7072 goto crt_verify;
7073 }
7074#endif
7075
Gilles Peskine449bd832023-01-11 14:50:10 +01007076 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007077 /* mbedtls_ssl_read_record may have sent an alert already. We
7078 let it decide whether to alert. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007079 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
Jerry Yud9526692022-02-17 14:23:47 +08007080 goto exit;
7081 }
7082
7083#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007084 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007085 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7086
Gilles Peskine449bd832023-01-11 14:50:10 +01007087 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
Jerry Yud9526692022-02-17 14:23:47 +08007088 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Gilles Peskine449bd832023-01-11 14:50:10 +01007089 }
Jerry Yud9526692022-02-17 14:23:47 +08007090
7091 goto exit;
7092 }
7093#endif /* MBEDTLS_SSL_SRV_C */
7094
7095 /* Clear existing peer CRT structure in case we tried to
7096 * reuse a session but it failed, and allocate a new one. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007097 ssl_clear_peer_cert(ssl->session_negotiate);
Jerry Yud9526692022-02-17 14:23:47 +08007098
Gilles Peskine449bd832023-01-11 14:50:10 +01007099 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
7100 if (chain == NULL) {
7101 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
7102 sizeof(mbedtls_x509_crt)));
7103 mbedtls_ssl_send_alert_message(ssl,
7104 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7105 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
Jerry Yud9526692022-02-17 14:23:47 +08007106
7107 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7108 goto exit;
7109 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007110 mbedtls_x509_crt_init(chain);
Jerry Yud9526692022-02-17 14:23:47 +08007111
Gilles Peskine449bd832023-01-11 14:50:10 +01007112 ret = ssl_parse_certificate_chain(ssl, chain);
7113 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007114 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007115 }
Jerry Yud9526692022-02-17 14:23:47 +08007116
7117#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01007118 if (ssl->handshake->ecrs_enabled) {
Jerry Yud9526692022-02-17 14:23:47 +08007119 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Gilles Peskine449bd832023-01-11 14:50:10 +01007120 }
Jerry Yud9526692022-02-17 14:23:47 +08007121
7122crt_verify:
Gilles Peskine449bd832023-01-11 14:50:10 +01007123 if (ssl->handshake->ecrs_enabled) {
Jerry Yud9526692022-02-17 14:23:47 +08007124 rs_ctx = &ssl->handshake->ecrs_ctx;
Gilles Peskine449bd832023-01-11 14:50:10 +01007125 }
Jerry Yud9526692022-02-17 14:23:47 +08007126#endif
7127
Manuel Pégourié-Gonnard19dd9f52024-08-16 11:03:42 +02007128 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
7129 ssl->handshake->ciphersuite_info,
7130 rs_ctx);
Gilles Peskine449bd832023-01-11 14:50:10 +01007131 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007132 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007133 }
Jerry Yud9526692022-02-17 14:23:47 +08007134
7135#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7136 {
7137 unsigned char *crt_start, *pk_start;
7138 size_t crt_len, pk_len;
7139
7140 /* We parse the CRT chain without copying, so
7141 * these pointers point into the input buffer,
7142 * and are hence still valid after freeing the
7143 * CRT chain. */
7144
7145 crt_start = chain->raw.p;
7146 crt_len = chain->raw.len;
7147
7148 pk_start = chain->pk_raw.p;
7149 pk_len = chain->pk_raw.len;
7150
7151 /* Free the CRT structures before computing
7152 * digest and copying the peer's public key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007153 mbedtls_x509_crt_free(chain);
7154 mbedtls_free(chain);
Jerry Yud9526692022-02-17 14:23:47 +08007155 chain = NULL;
7156
Gilles Peskine449bd832023-01-11 14:50:10 +01007157 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
7158 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007159 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007160 }
Jerry Yud9526692022-02-17 14:23:47 +08007161
Gilles Peskine449bd832023-01-11 14:50:10 +01007162 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
7163 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007164 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007165 }
Jerry Yud9526692022-02-17 14:23:47 +08007166 }
7167#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7168 /* Pass ownership to session structure. */
7169 ssl->session_negotiate->peer_cert = chain;
7170 chain = NULL;
7171#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7172
Gilles Peskine449bd832023-01-11 14:50:10 +01007173 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08007174
7175exit:
7176
Gilles Peskine449bd832023-01-11 14:50:10 +01007177 if (ret == 0) {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007178 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01007179 }
Jerry Yud9526692022-02-17 14:23:47 +08007180
7181#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01007182 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
Jerry Yud9526692022-02-17 14:23:47 +08007183 ssl->handshake->ecrs_peer_cert = chain;
7184 chain = NULL;
7185 }
7186#endif
7187
Gilles Peskine449bd832023-01-11 14:50:10 +01007188 if (chain != NULL) {
7189 mbedtls_x509_crt_free(chain);
7190 mbedtls_free(chain);
Jerry Yud9526692022-02-17 14:23:47 +08007191 }
7192
Gilles Peskine449bd832023-01-11 14:50:10 +01007193 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08007194}
7195#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7196
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007197static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
7198 unsigned char *padbuf, size_t hlen,
7199 unsigned char *buf, int from)
Jerry Yu615bd6f2022-02-17 14:25:15 +08007200{
Dave Rodgmanc37ad442023-11-03 23:36:06 +00007201 unsigned int len = 12;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007202 const char *sender;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007203 psa_status_t status;
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007204 psa_hash_operation_t *hs_op = ctx;
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007205 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007206 size_t hash_size;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007207
7208 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +01007209 if (!session) {
Jerry Yu615bd6f2022-02-17 14:25:15 +08007210 session = ssl->session;
Gilles Peskine449bd832023-01-11 14:50:10 +01007211 }
Jerry Yu615bd6f2022-02-17 14:25:15 +08007212
Gilles Peskine449bd832023-01-11 14:50:10 +01007213 sender = (from == MBEDTLS_SSL_IS_CLIENT)
Jerry Yu615bd6f2022-02-17 14:25:15 +08007214 ? "client finished"
7215 : "server finished";
7216
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007217 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
Jerry Yu615bd6f2022-02-17 14:25:15 +08007218
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007219 status = psa_hash_clone(hs_op, &cloned_op);
Gilles Peskine449bd832023-01-11 14:50:10 +01007220 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnarde1a4caa2023-02-06 10:14:25 +01007221 goto exit;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007222 }
7223
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007224 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01007225 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnarde1a4caa2023-02-06 10:14:25 +01007226 goto exit;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007227 }
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007228 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007229
7230 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
7231
Jerry Yu615bd6f2022-02-17 14:25:15 +08007232 /*
7233 * TLSv1.2:
7234 * hash = PRF( master, finished_label,
7235 * Hash( handshake ) )[0.11]
7236 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007237 ssl->handshake->tls_prf(session->master, 48, sender,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007238 padbuf, hlen, buf, len);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007239
Gilles Peskine449bd832023-01-11 14:50:10 +01007240 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007241
Paul Elliottecb95be2023-08-11 16:41:04 +01007242 mbedtls_platform_zeroize(padbuf, hlen);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007243
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007244 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
Manuel Pégourié-Gonnarde1a4caa2023-02-06 10:14:25 +01007245
7246exit:
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007247 psa_hash_abort(&cloned_op);
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +02007248 return mbedtls_md_error_from_psa(status);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007249}
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007250
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007251#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007252static int ssl_calc_finished_tls_sha256(
7253 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
7254{
7255 unsigned char padbuf[32];
7256 return ssl_calc_finished_tls_generic(ssl,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007257 &ssl->handshake->fin_sha256_psa,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007258 padbuf, sizeof(padbuf),
7259 buf, from);
7260}
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007261#endif /* PSA_WANT_ALG_SHA_256*/
Jerry Yu615bd6f2022-02-17 14:25:15 +08007262
Jerry Yub7ba49e2022-02-17 14:25:53 +08007263
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007264#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +01007265static int ssl_calc_finished_tls_sha384(
Gilles Peskine449bd832023-01-11 14:50:10 +01007266 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
Jerry Yub7ba49e2022-02-17 14:25:53 +08007267{
Jerry Yub7ba49e2022-02-17 14:25:53 +08007268 unsigned char padbuf[48];
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007269 return ssl_calc_finished_tls_generic(ssl,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007270 &ssl->handshake->fin_sha384_psa,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007271 padbuf, sizeof(padbuf),
7272 buf, from);
Jerry Yub7ba49e2022-02-17 14:25:53 +08007273}
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007274#endif /* PSA_WANT_ALG_SHA_384*/
Jerry Yub7ba49e2022-02-17 14:25:53 +08007275
Gilles Peskine449bd832023-01-11 14:50:10 +01007276void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
Jerry Yuaef00152022-02-17 14:27:31 +08007277{
Gilles Peskine449bd832023-01-11 14:50:10 +01007278 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
Jerry Yuaef00152022-02-17 14:27:31 +08007279
7280 /*
7281 * Free our handshake params
7282 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007283 mbedtls_ssl_handshake_free(ssl);
7284 mbedtls_free(ssl->handshake);
Jerry Yuaef00152022-02-17 14:27:31 +08007285 ssl->handshake = NULL;
7286
7287 /*
Shaun Case8b0ecbc2021-12-20 21:14:10 -08007288 * Free the previous transform and switch in the current one
Jerry Yuaef00152022-02-17 14:27:31 +08007289 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007290 if (ssl->transform) {
7291 mbedtls_ssl_transform_free(ssl->transform);
7292 mbedtls_free(ssl->transform);
Jerry Yuaef00152022-02-17 14:27:31 +08007293 }
7294 ssl->transform = ssl->transform_negotiate;
7295 ssl->transform_negotiate = NULL;
7296
Gilles Peskine449bd832023-01-11 14:50:10 +01007297 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
Jerry Yuaef00152022-02-17 14:27:31 +08007298}
7299
Gilles Peskine449bd832023-01-11 14:50:10 +01007300void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu2a9fff52022-02-17 14:28:51 +08007301{
7302 int resume = ssl->handshake->resume;
7303
Gilles Peskine449bd832023-01-11 14:50:10 +01007304 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
Jerry Yu2a9fff52022-02-17 14:28:51 +08007305
7306#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01007307 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Jerry Yu2a9fff52022-02-17 14:28:51 +08007308 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
7309 ssl->renego_records_seen = 0;
7310 }
7311#endif
7312
7313 /*
7314 * Free the previous session and switch in the current one
7315 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007316 if (ssl->session) {
Jerry Yu2a9fff52022-02-17 14:28:51 +08007317#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7318 /* RFC 7366 3.1: keep the EtM state */
7319 ssl->session_negotiate->encrypt_then_mac =
Gilles Peskine449bd832023-01-11 14:50:10 +01007320 ssl->session->encrypt_then_mac;
Jerry Yu2a9fff52022-02-17 14:28:51 +08007321#endif
7322
Gilles Peskine449bd832023-01-11 14:50:10 +01007323 mbedtls_ssl_session_free(ssl->session);
7324 mbedtls_free(ssl->session);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007325 }
7326 ssl->session = ssl->session_negotiate;
7327 ssl->session_negotiate = NULL;
7328
7329 /*
7330 * Add cache entry
7331 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007332 if (ssl->conf->f_set_cache != NULL &&
Jerry Yu2a9fff52022-02-17 14:28:51 +08007333 ssl->session->id_len != 0 &&
Gilles Peskine449bd832023-01-11 14:50:10 +01007334 resume == 0) {
7335 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
7336 ssl->session->id,
7337 ssl->session->id_len,
7338 ssl->session) != 0) {
7339 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
7340 }
Jerry Yu2a9fff52022-02-17 14:28:51 +08007341 }
7342
7343#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007344 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7345 ssl->handshake->flight != NULL) {
Jerry Yu2a9fff52022-02-17 14:28:51 +08007346 /* Cancel handshake timer */
Gilles Peskine449bd832023-01-11 14:50:10 +01007347 mbedtls_ssl_set_timer(ssl, 0);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007348
7349 /* Keep last flight around in case we need to resend it:
7350 * we need the handshake and transform structures for that */
Gilles Peskine449bd832023-01-11 14:50:10 +01007351 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
7352 } else
Jerry Yu2a9fff52022-02-17 14:28:51 +08007353#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007354 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007355
Gilles Peskinef670ba52025-03-07 15:09:32 +01007356 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007357
Gilles Peskine449bd832023-01-11 14:50:10 +01007358 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
Jerry Yu2a9fff52022-02-17 14:28:51 +08007359}
7360
Gilles Peskine449bd832023-01-11 14:50:10 +01007361int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007362{
Dave Rodgmanc37ad442023-11-03 23:36:06 +00007363 int ret;
7364 unsigned int hash_len;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007365
Gilles Peskine449bd832023-01-11 14:50:10 +01007366 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007367
Gilles Peskine449bd832023-01-11 14:50:10 +01007368 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007369
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01007370 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
7371 if (ret != 0) {
7372 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
David Horstmann816b7122025-03-07 17:20:59 +00007373 return ret;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01007374 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007375
7376 /*
7377 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
7378 * may define some other value. Currently (early 2016), no defined
7379 * ciphersuite does this (and this is unlikely to change as activity has
7380 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
7381 */
7382 hash_len = 12;
7383
7384#if defined(MBEDTLS_SSL_RENEGOTIATION)
7385 ssl->verify_data_len = hash_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007386 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007387#endif
7388
7389 ssl->out_msglen = 4 + hash_len;
7390 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7391 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
7392
7393 /*
7394 * In case of session resuming, invert the client and server
7395 * ChangeCipherSpec messages order.
7396 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007397 if (ssl->handshake->resume != 0) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007398#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007399 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007400 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
Gilles Peskine449bd832023-01-11 14:50:10 +01007401 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007402#endif
7403#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007404 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007405 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
Gilles Peskine449bd832023-01-11 14:50:10 +01007406 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007407#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007408 } else {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007409 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01007410 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007411
7412 /*
7413 * Switch to our negotiated transform and session parameters for outbound
7414 * data.
7415 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007416 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007417
7418#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007419 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007420 unsigned char i;
7421
7422 /* Remember current epoch settings for resending */
7423 ssl->handshake->alt_transform_out = ssl->transform_out;
Gilles Peskine449bd832023-01-11 14:50:10 +01007424 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
7425 sizeof(ssl->handshake->alt_out_ctr));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007426
7427 /* Set sequence_number to zero */
Gilles Peskine449bd832023-01-11 14:50:10 +01007428 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007429
7430
7431 /* Increment epoch */
Gilles Peskine449bd832023-01-11 14:50:10 +01007432 for (i = 2; i > 0; i--) {
7433 if (++ssl->cur_out_ctr[i - 1] != 0) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007434 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01007435 }
7436 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007437
7438 /* The loop goes to its end iff the counter is wrapping */
Gilles Peskine449bd832023-01-11 14:50:10 +01007439 if (i == 0) {
7440 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
7441 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007442 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007443 } else
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007444#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +01007445 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007446
7447 ssl->transform_out = ssl->transform_negotiate;
7448 ssl->session_out = ssl->session_negotiate;
7449
7450#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007451 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
7452 mbedtls_ssl_send_flight_completed(ssl);
7453 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007454#endif
7455
Gilles Peskine449bd832023-01-11 14:50:10 +01007456 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7457 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7458 return ret;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007459 }
7460
7461#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007462 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7463 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
7464 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
7465 return ret;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007466 }
7467#endif
7468
Gilles Peskine449bd832023-01-11 14:50:10 +01007469 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007470
Gilles Peskine449bd832023-01-11 14:50:10 +01007471 return 0;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007472}
7473
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007474#define SSL_MAX_HASH_LEN 12
7475
Gilles Peskine449bd832023-01-11 14:50:10 +01007476int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007477{
7478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7479 unsigned int hash_len = 12;
7480 unsigned char buf[SSL_MAX_HASH_LEN];
7481
Gilles Peskine449bd832023-01-11 14:50:10 +01007482 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007483
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01007484 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
7485 if (ret != 0) {
7486 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
David Horstmann816b7122025-03-07 17:20:59 +00007487 return ret;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01007488 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007489
Gilles Peskine449bd832023-01-11 14:50:10 +01007490 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7491 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007492 goto exit;
7493 }
7494
Gilles Peskine449bd832023-01-11 14:50:10 +01007495 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7496 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7497 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7498 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007499 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7500 goto exit;
7501 }
7502
Gilles Peskine449bd832023-01-11 14:50:10 +01007503 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
7504 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7505 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007506 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7507 goto exit;
7508 }
7509
Gilles Peskine449bd832023-01-11 14:50:10 +01007510 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
7511 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7512 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7513 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007514 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
7515 goto exit;
7516 }
7517
Gilles Peskine449bd832023-01-11 14:50:10 +01007518 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
7519 buf, hash_len) != 0) {
7520 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7521 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7522 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007523 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
7524 goto exit;
7525 }
7526
7527#if defined(MBEDTLS_SSL_RENEGOTIATION)
7528 ssl->verify_data_len = hash_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007529 memcpy(ssl->peer_verify_data, buf, hash_len);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007530#endif
7531
Gilles Peskine449bd832023-01-11 14:50:10 +01007532 if (ssl->handshake->resume != 0) {
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007533#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007534 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007535 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
Gilles Peskine449bd832023-01-11 14:50:10 +01007536 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007537#endif
7538#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007539 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007540 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
Gilles Peskine449bd832023-01-11 14:50:10 +01007541 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007542#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007543 } else {
Gilles Peskinef670ba52025-03-07 15:09:32 +01007544 mbedtls_ssl_handshake_increment_state(ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +01007545 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007546
7547#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007548 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
7549 mbedtls_ssl_recv_flight_completed(ssl);
7550 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007551#endif
7552
Gilles Peskine449bd832023-01-11 14:50:10 +01007553 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007554
7555exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007556 mbedtls_platform_zeroize(buf, hash_len);
7557 return ret;
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007558}
7559
Jerry Yu392112c2022-02-17 14:34:10 +08007560#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
7561/*
7562 * Helper to get TLS 1.2 PRF from ciphersuite
7563 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
7564 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007565static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
Jerry Yu392112c2022-02-17 14:34:10 +08007566{
Jerry Yu392112c2022-02-17 14:34:10 +08007567 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +01007568 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007569#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01007570 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
7571 return tls_prf_sha384;
7572 } else
Jerry Yu392112c2022-02-17 14:34:10 +08007573#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007574#if defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurek894edde2022-09-29 06:31:14 -04007575 {
Gilles Peskine449bd832023-01-11 14:50:10 +01007576 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
7577 return tls_prf_sha256;
7578 }
Andrzej Kurek894edde2022-09-29 06:31:14 -04007579 }
7580#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007581#if !defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007582 !defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurek894edde2022-09-29 06:31:14 -04007583 (void) ciphersuite_info;
7584#endif
Andrzej Kurekeabeb302022-10-17 07:52:51 -04007585
Gilles Peskine449bd832023-01-11 14:50:10 +01007586 return NULL;
Jerry Yu392112c2022-02-17 14:34:10 +08007587}
7588#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Jerry Yue93ffcd2022-02-17 14:37:06 +08007589
Gilles Peskine449bd832023-01-11 14:50:10 +01007590static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
Jerry Yue93ffcd2022-02-17 14:37:06 +08007591{
7592 ((void) tls_prf);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007593#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01007594 if (tls_prf == tls_prf_sha384) {
7595 return MBEDTLS_SSL_TLS_PRF_SHA384;
7596 } else
Jerry Yue93ffcd2022-02-17 14:37:06 +08007597#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007598#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +01007599 if (tls_prf == tls_prf_sha256) {
7600 return MBEDTLS_SSL_TLS_PRF_SHA256;
7601 } else
Jerry Yue93ffcd2022-02-17 14:37:06 +08007602#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007603 return MBEDTLS_SSL_TLS_PRF_NONE;
Jerry Yue93ffcd2022-02-17 14:37:06 +08007604}
7605
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007606/*
7607 * Populate a transform structure with session keys and all the other
7608 * necessary information.
7609 *
7610 * Parameters:
7611 * - [in/out]: transform: structure to populate
7612 * [in] must be just initialised with mbedtls_ssl_transform_init()
7613 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
7614 * - [in] ciphersuite
7615 * - [in] master
7616 * - [in] encrypt_then_mac
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007617 * - [in] tls_prf: pointer to PRF to use for key derivation
7618 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
Glenn Strauss07c64162022-03-14 12:34:51 -04007619 * - [in] tls_version: TLS version
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007620 * - [in] endpoint: client or server
7621 * - [in] ssl: used for:
7622 * - ssl->conf->{f,p}_export_keys
7623 * [in] optionally used for:
7624 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
7625 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007626MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007627static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
7628 int ciphersuite,
7629 const unsigned char master[48],
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007630#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01007631 int encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007632#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01007633 ssl_tls_prf_t tls_prf,
7634 const unsigned char randbytes[64],
7635 mbedtls_ssl_protocol_version tls_version,
7636 unsigned endpoint,
7637 const mbedtls_ssl_context *ssl)
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007638{
7639 int ret = 0;
7640 unsigned char keyblk[256];
7641 unsigned char *key1;
7642 unsigned char *key2;
7643 unsigned char *mac_enc;
7644 unsigned char *mac_dec;
7645 size_t mac_key_len = 0;
7646 size_t iv_copy_len;
7647 size_t keylen;
7648 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Neil Armstrong7fea33e2022-04-01 15:40:25 +02007649 mbedtls_ssl_mode_t ssl_mode;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007650
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007651 psa_key_type_t key_type;
7652 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7653 psa_algorithm_t alg;
Neil Armstronge4512952022-03-08 09:08:22 +01007654 psa_algorithm_t mac_alg = 0;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007655 size_t key_bits;
7656 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007657
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007658 /*
7659 * Some data just needs copying into the structure
7660 */
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007661#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007662 transform->encrypt_then_mac = encrypt_then_mac;
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007663#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Glenn Strauss07c64162022-03-14 12:34:51 -04007664 transform->tls_version = tls_version;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007665
Max Fillinger2fe35f62024-10-25 00:52:24 +02007666#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
Gilles Peskine449bd832023-01-11 14:50:10 +01007667 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007668#endif
7669
7670#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01007671 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007672 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
7673 * generation separate. This should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007674 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007675 }
7676#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
7677
7678 /*
7679 * Get various info structures
7680 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007681 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
7682 if (ciphersuite_info == NULL) {
7683 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
7684 ciphersuite));
7685 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007686 }
7687
Neil Armstrongab555e02022-04-04 11:07:59 +02007688 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007689#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01007690 encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007691#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01007692 ciphersuite_info);
Neil Armstrong7fea33e2022-04-01 15:40:25 +02007693
Gilles Peskine449bd832023-01-11 14:50:10 +01007694 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007695 transform->taglen =
7696 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Gilles Peskine449bd832023-01-11 14:50:10 +01007697 }
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007698
Dave Rodgman2eab4622023-10-05 13:30:37 +01007699 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
Gilles Peskine449bd832023-01-11 14:50:10 +01007700 transform->taglen,
7701 &alg,
7702 &key_type,
7703 &key_bits)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007704 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007705 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007706 goto end;
7707 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007708
Dave Rodgman2eab4622023-10-05 13:30:37 +01007709 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +01007710 if (mac_alg == 0) {
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +02007711 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
Gilles Peskine449bd832023-01-11 14:50:10 +01007712 (unsigned) ciphersuite_info->mac));
7713 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Neil Armstronge4512952022-03-08 09:08:22 +01007714 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007715
7716#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
7717 /* Copy own and peer's CID if the use of the CID
7718 * extension has been negotiated. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007719 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
7720 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007721
7722 transform->in_cid_len = ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007723 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
7724 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
7725 transform->in_cid_len);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007726
7727 transform->out_cid_len = ssl->handshake->peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007728 memcpy(transform->out_cid, ssl->handshake->peer_cid,
7729 ssl->handshake->peer_cid_len);
7730 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
7731 transform->out_cid_len);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007732 }
7733#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
7734
7735 /*
7736 * Compute key block using the PRF
7737 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007738 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
7739 if (ret != 0) {
7740 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7741 return ret;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007742 }
7743
Gilles Peskine449bd832023-01-11 14:50:10 +01007744 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
7745 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
7746 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
7747 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
7748 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007749
7750 /*
7751 * Determine the appropriate key, IV and MAC length.
7752 */
7753
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007754 keylen = PSA_BITS_TO_BYTES(key_bits);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007755
Valerio Settie5707042023-10-11 11:54:42 +02007756#if defined(MBEDTLS_SSL_HAVE_AEAD)
Gilles Peskine449bd832023-01-11 14:50:10 +01007757 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007758 size_t explicit_ivlen;
7759
7760 transform->maclen = 0;
7761 mac_key_len = 0;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007762
7763 /* All modes haves 96-bit IVs, but the length of the static parts vary
7764 * with mode and version:
7765 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
7766 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
7767 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
7768 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
7769 * sequence number).
7770 */
7771 transform->ivlen = 12;
David Horstmann3b2276a2022-10-06 14:49:08 +01007772
7773 int is_chachapoly = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01007774 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
David Horstmann3b2276a2022-10-06 14:49:08 +01007775
Gilles Peskine449bd832023-01-11 14:50:10 +01007776 if (is_chachapoly) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007777 transform->fixed_ivlen = 12;
Gilles Peskine449bd832023-01-11 14:50:10 +01007778 } else {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007779 transform->fixed_ivlen = 4;
Gilles Peskine449bd832023-01-11 14:50:10 +01007780 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007781
7782 /* Minimum length of encrypted record */
7783 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
7784 transform->minlen = explicit_ivlen + transform->taglen;
Gilles Peskine449bd832023-01-11 14:50:10 +01007785 } else
Valerio Settie5707042023-10-11 11:54:42 +02007786#endif /* MBEDTLS_SSL_HAVE_AEAD */
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007787#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01007788 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
Neil Armstrong7fea33e2022-04-01 15:40:25 +02007789 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
Gilles Peskine449bd832023-01-11 14:50:10 +01007790 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
Gilles Peskine449bd832023-01-11 14:50:10 +01007791 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007792
Neil Armstronge4512952022-03-08 09:08:22 +01007793 /* Get MAC length */
7794 mac_key_len = PSA_HASH_LENGTH(mac_alg);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007795 transform->maclen = mac_key_len;
7796
7797 /* IV length */
Gilles Peskine449bd832023-01-11 14:50:10 +01007798 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007799
7800 /* Minimum length */
Gilles Peskine449bd832023-01-11 14:50:10 +01007801 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007802 transform->minlen = transform->maclen;
Gilles Peskine449bd832023-01-11 14:50:10 +01007803 } else {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007804 /*
7805 * GenericBlockCipher:
7806 * 1. if EtM is in use: one block plus MAC
7807 * otherwise: * first multiple of blocklen greater than maclen
7808 * 2. IV
7809 */
7810#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01007811 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007812 transform->minlen = transform->maclen
Gilles Peskine449bd832023-01-11 14:50:10 +01007813 + block_size;
7814 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007815#endif
7816 {
7817 transform->minlen = transform->maclen
Gilles Peskine449bd832023-01-11 14:50:10 +01007818 + block_size
7819 - transform->maclen % block_size;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007820 }
7821
Gilles Peskine449bd832023-01-11 14:50:10 +01007822 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007823 transform->minlen += transform->ivlen;
Gilles Peskine449bd832023-01-11 14:50:10 +01007824 } else {
7825 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007826 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7827 goto end;
7828 }
7829 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007830 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007831#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
7832 {
Gilles Peskine449bd832023-01-11 14:50:10 +01007833 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7834 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007835 }
7836
Gilles Peskine449bd832023-01-11 14:50:10 +01007837 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
7838 (unsigned) keylen,
7839 (unsigned) transform->minlen,
7840 (unsigned) transform->ivlen,
7841 (unsigned) transform->maclen));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007842
7843 /*
7844 * Finally setup the cipher contexts, IVs and MAC secrets.
7845 */
7846#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007847 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007848 key1 = keyblk + mac_key_len * 2;
7849 key2 = keyblk + mac_key_len * 2 + keylen;
7850
7851 mac_enc = keyblk;
7852 mac_dec = keyblk + mac_key_len;
7853
Gilles Peskine449bd832023-01-11 14:50:10 +01007854 iv_copy_len = (transform->fixed_ivlen) ?
7855 transform->fixed_ivlen : transform->ivlen;
7856 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
7857 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
7858 iv_copy_len);
7859 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007860#endif /* MBEDTLS_SSL_CLI_C */
7861#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007862 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007863 key1 = keyblk + mac_key_len * 2 + keylen;
7864 key2 = keyblk + mac_key_len * 2;
7865
7866 mac_enc = keyblk + mac_key_len;
7867 mac_dec = keyblk;
7868
Gilles Peskine449bd832023-01-11 14:50:10 +01007869 iv_copy_len = (transform->fixed_ivlen) ?
7870 transform->fixed_ivlen : transform->ivlen;
7871 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
7872 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
7873 iv_copy_len);
7874 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007875#endif /* MBEDTLS_SSL_SRV_C */
7876 {
Gilles Peskine449bd832023-01-11 14:50:10 +01007877 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007878 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7879 goto end;
7880 }
7881
Paul Elliott4fb19552023-10-18 12:15:30 +01007882 if (ssl->f_export_keys != NULL) {
Gilles Peskine449bd832023-01-11 14:50:10 +01007883 ssl->f_export_keys(ssl->p_export_keys,
7884 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
7885 master, 48,
7886 randbytes + 32,
7887 randbytes,
7888 tls_prf_get_type(tls_prf));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007889 }
7890
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007891 transform->psa_alg = alg;
7892
Gilles Peskine449bd832023-01-11 14:50:10 +01007893 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
7894 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
7895 psa_set_key_algorithm(&attributes, alg);
7896 psa_set_key_type(&attributes, key_type);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007897
Gilles Peskine449bd832023-01-11 14:50:10 +01007898 if ((status = psa_import_key(&attributes,
7899 key1,
7900 PSA_BITS_TO_BYTES(key_bits),
7901 &transform->psa_key_enc)) != PSA_SUCCESS) {
7902 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007903 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007904 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007905 goto end;
7906 }
7907
Gilles Peskine449bd832023-01-11 14:50:10 +01007908 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007909
Gilles Peskine449bd832023-01-11 14:50:10 +01007910 if ((status = psa_import_key(&attributes,
7911 key2,
7912 PSA_BITS_TO_BYTES(key_bits),
7913 &transform->psa_key_dec)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007914 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007915 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007916 goto end;
7917 }
7918 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007919
Neil Armstrong29c0c042022-03-17 17:47:28 +01007920#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
7921 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
7922 For AEAD-based ciphersuites, there is nothing to do here. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007923 if (mac_key_len != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +01007924 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
Neil Armstrong29c0c042022-03-17 17:47:28 +01007925
Gilles Peskine449bd832023-01-11 14:50:10 +01007926 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
7927 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
7928 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
Neil Armstrong29c0c042022-03-17 17:47:28 +01007929
Gilles Peskine449bd832023-01-11 14:50:10 +01007930 if ((status = psa_import_key(&attributes,
7931 mac_enc, mac_key_len,
7932 &transform->psa_mac_enc)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007933 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007934 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
Neil Armstrong29c0c042022-03-17 17:47:28 +01007935 goto end;
7936 }
7937
Gilles Peskine449bd832023-01-11 14:50:10 +01007938 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
7939 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
Andrzej Kurek8c95ac42022-08-17 16:17:00 -04007940#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01007941 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
Andrzej Kurek8c95ac42022-08-17 16:17:00 -04007942#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007943 )) {
Neil Armstrong29c0c042022-03-17 17:47:28 +01007944 /* mbedtls_ct_hmac() requires the key to be exportable */
Gilles Peskine449bd832023-01-11 14:50:10 +01007945 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
7946 PSA_KEY_USAGE_VERIFY_HASH);
7947 } else {
7948 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7949 }
Neil Armstrong29c0c042022-03-17 17:47:28 +01007950
Gilles Peskine449bd832023-01-11 14:50:10 +01007951 if ((status = psa_import_key(&attributes,
7952 mac_dec, mac_key_len,
7953 &transform->psa_mac_dec)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007954 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007955 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
Neil Armstrong29c0c042022-03-17 17:47:28 +01007956 goto end;
7957 }
Neil Armstrong29c0c042022-03-17 17:47:28 +01007958 }
7959#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
7960
7961 ((void) mac_dec);
7962 ((void) mac_enc);
7963
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007964end:
Gilles Peskine449bd832023-01-11 14:50:10 +01007965 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
7966 return ret;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007967}
7968
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01007969#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Valerio Setti6b3dab02022-11-17 17:14:54 +01007970int mbedtls_psa_ecjpake_read_round(
Gilles Peskine449bd832023-01-11 14:50:10 +01007971 psa_pake_operation_t *pake_ctx,
7972 const unsigned char *buf,
7973 size_t len, mbedtls_ecjpake_rounds_t round)
Valerio Settia08b1a42022-11-17 15:10:02 +01007974{
7975 psa_status_t status;
7976 size_t input_offset = 0;
Valerio Setti819de862022-11-17 18:05:19 +01007977 /*
Valerio Setti6b3dab02022-11-17 17:14:54 +01007978 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
7979 * At round two perform a single cycle
7980 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007981 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
Valerio Settia08b1a42022-11-17 15:10:02 +01007982
Gilles Peskine449bd832023-01-11 14:50:10 +01007983 for (; remaining_steps > 0; remaining_steps--) {
7984 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
Valerio Settia08b1a42022-11-17 15:10:02 +01007985 step <= PSA_PAKE_STEP_ZK_PROOF;
Gilles Peskine449bd832023-01-11 14:50:10 +01007986 ++step) {
Valerio Settia08b1a42022-11-17 15:10:02 +01007987 /* Length is stored at the first byte */
7988 size_t length = buf[input_offset];
7989 input_offset += 1;
7990
Gilles Peskine449bd832023-01-11 14:50:10 +01007991 if (input_offset + length > len) {
Valerio Settia08b1a42022-11-17 15:10:02 +01007992 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
7993 }
7994
Gilles Peskine449bd832023-01-11 14:50:10 +01007995 status = psa_pake_input(pake_ctx, step,
7996 buf + input_offset, length);
7997 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007998 return PSA_TO_MBEDTLS_ERR(status);
Valerio Settia08b1a42022-11-17 15:10:02 +01007999 }
8000
8001 input_offset += length;
8002 }
8003 }
8004
Gilles Peskine449bd832023-01-11 14:50:10 +01008005 if (input_offset != len) {
Valerio Setti61ea17d2022-11-18 12:11:00 +01008006 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Gilles Peskine449bd832023-01-11 14:50:10 +01008007 }
Valerio Setti30ebe112022-11-17 16:23:34 +01008008
Gilles Peskine449bd832023-01-11 14:50:10 +01008009 return 0;
Valerio Settia08b1a42022-11-17 15:10:02 +01008010}
8011
Valerio Setti6b3dab02022-11-17 17:14:54 +01008012int mbedtls_psa_ecjpake_write_round(
Gilles Peskine449bd832023-01-11 14:50:10 +01008013 psa_pake_operation_t *pake_ctx,
8014 unsigned char *buf,
8015 size_t len, size_t *olen,
8016 mbedtls_ecjpake_rounds_t round)
Valerio Settia08b1a42022-11-17 15:10:02 +01008017{
8018 psa_status_t status;
8019 size_t output_offset = 0;
8020 size_t output_len;
Valerio Setti819de862022-11-17 18:05:19 +01008021 /*
Valerio Setti6b3dab02022-11-17 17:14:54 +01008022 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8023 * At round two perform a single cycle
8024 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008025 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
Valerio Settia08b1a42022-11-17 15:10:02 +01008026
Gilles Peskine449bd832023-01-11 14:50:10 +01008027 for (; remaining_steps > 0; remaining_steps--) {
8028 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8029 step <= PSA_PAKE_STEP_ZK_PROOF;
8030 ++step) {
Valerio Setti79f6b6b2022-11-21 14:17:03 +01008031 /*
Valerio Settid4a9b1a2022-11-22 11:11:10 +01008032 * For each step, prepend 1 byte with the length of the data as
8033 * given by psa_pake_output().
Valerio Setti79f6b6b2022-11-21 14:17:03 +01008034 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008035 status = psa_pake_output(pake_ctx, step,
8036 buf + output_offset + 1,
8037 len - output_offset - 1,
8038 &output_len);
8039 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05008040 return PSA_TO_MBEDTLS_ERR(status);
Valerio Settia08b1a42022-11-17 15:10:02 +01008041 }
8042
Valerio Setti99d88c12022-11-22 16:03:43 +01008043 *(buf + output_offset) = (uint8_t) output_len;
Valerio Setti79f6b6b2022-11-21 14:17:03 +01008044
8045 output_offset += output_len + 1;
Valerio Settia08b1a42022-11-17 15:10:02 +01008046 }
8047 }
8048
8049 *olen = output_offset;
8050
Gilles Peskine449bd832023-01-11 14:50:10 +01008051 return 0;
Valerio Settia08b1a42022-11-17 15:10:02 +01008052}
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01008053#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Valerio Settia08b1a42022-11-17 15:10:02 +01008054
Gilles Peskine449bd832023-01-11 14:50:10 +01008055int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
8056 unsigned char *hash, size_t *hashlen,
8057 unsigned char *data, size_t data_len,
8058 mbedtls_md_type_t md_alg)
Jerry Yuee40f9d2022-02-17 14:55:16 +08008059{
8060 psa_status_t status;
8061 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +02008062 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008063
Gilles Peskine449bd832023-01-11 14:50:10 +01008064 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
Jerry Yuee40f9d2022-02-17 14:55:16 +08008065
Gilles Peskine449bd832023-01-11 14:50:10 +01008066 if ((status = psa_hash_setup(&hash_operation,
8067 hash_alg)) != PSA_SUCCESS) {
8068 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008069 goto exit;
8070 }
8071
Gilles Peskine449bd832023-01-11 14:50:10 +01008072 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
8073 64)) != PSA_SUCCESS) {
8074 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008075 goto exit;
8076 }
8077
Gilles Peskine449bd832023-01-11 14:50:10 +01008078 if ((status = psa_hash_update(&hash_operation,
8079 data, data_len)) != PSA_SUCCESS) {
8080 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008081 goto exit;
8082 }
8083
Gilles Peskine449bd832023-01-11 14:50:10 +01008084 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
8085 hashlen)) != PSA_SUCCESS) {
8086 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
8087 goto exit;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008088 }
8089
8090exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008091 if (status != PSA_SUCCESS) {
8092 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8093 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8094 switch (status) {
Jerry Yuee40f9d2022-02-17 14:55:16 +08008095 case PSA_ERROR_NOT_SUPPORTED:
Gilles Peskine449bd832023-01-11 14:50:10 +01008096 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008097 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
8098 case PSA_ERROR_BUFFER_TOO_SMALL:
Gilles Peskine449bd832023-01-11 14:50:10 +01008099 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008100 case PSA_ERROR_INSUFFICIENT_MEMORY:
Gilles Peskine449bd832023-01-11 14:50:10 +01008101 return MBEDTLS_ERR_MD_ALLOC_FAILED;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008102 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01008103 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008104 }
8105 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008106 return 0;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008107}
8108
Jerry Yuee40f9d2022-02-17 14:55:16 +08008109
Jerry Yud9d91da2022-02-17 14:57:06 +08008110#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
8111
Gabor Mezeia3d016c2022-05-10 12:44:09 +02008112/* Find the preferred hash for a given signature algorithm. */
8113unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +01008114 mbedtls_ssl_context *ssl,
8115 unsigned int sig_alg)
Jerry Yud9d91da2022-02-17 14:57:06 +08008116{
Gabor Mezei078e8032022-04-27 21:17:56 +02008117 unsigned int i;
Gabor Mezeia3d016c2022-05-10 12:44:09 +02008118 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
Gabor Mezei078e8032022-04-27 21:17:56 +02008119
Gilles Peskine449bd832023-01-11 14:50:10 +01008120 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
8121 return MBEDTLS_SSL_HASH_NONE;
8122 }
Gabor Mezei078e8032022-04-27 21:17:56 +02008123
Gilles Peskine449bd832023-01-11 14:50:10 +01008124 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008125 unsigned int hash_alg_received =
Gilles Peskine449bd832023-01-11 14:50:10 +01008126 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
8127 received_sig_algs[i]);
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008128 unsigned int sig_alg_received =
Gilles Peskine449bd832023-01-11 14:50:10 +01008129 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
8130 received_sig_algs[i]);
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008131
Manuel Pégourié-Gonnard47bb3802023-06-05 12:40:32 +02008132 mbedtls_md_type_t md_alg =
8133 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
8134 if (md_alg == MBEDTLS_MD_NONE) {
8135 continue;
8136 }
8137
Gilles Peskine449bd832023-01-11 14:50:10 +01008138 if (sig_alg == sig_alg_received) {
Gilles Peskine449bd832023-01-11 14:50:10 +01008139 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
Neil Armstrong96eceb82022-06-30 18:05:05 +02008140 psa_algorithm_t psa_hash_alg =
Manuel Pégourié-Gonnard47bb3802023-06-05 12:40:32 +02008141 mbedtls_md_psa_alg_from_type(md_alg);
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008142
Gilles Peskine449bd832023-01-11 14:50:10 +01008143 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
8144 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8145 PSA_ALG_ECDSA(psa_hash_alg),
8146 PSA_KEY_USAGE_SIGN_HASH)) {
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008147 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008148 }
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008149
Gilles Peskine449bd832023-01-11 14:50:10 +01008150 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
8151 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8152 PSA_ALG_RSA_PKCS1V15_SIGN(
8153 psa_hash_alg),
8154 PSA_KEY_USAGE_SIGN_HASH)) {
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008155 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008156 }
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008157 }
Neil Armstrong96eceb82022-06-30 18:05:05 +02008158
Gilles Peskine449bd832023-01-11 14:50:10 +01008159 return hash_alg_received;
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008160 }
Jerry Yud9d91da2022-02-17 14:57:06 +08008161 }
Jerry Yud9d91da2022-02-17 14:57:06 +08008162
Gilles Peskine449bd832023-01-11 14:50:10 +01008163 return MBEDTLS_SSL_HASH_NONE;
Jerry Yud9d91da2022-02-17 14:57:06 +08008164}
8165
8166#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8167
Jerry Yudc7bd172022-02-17 13:44:15 +08008168#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
8169
XiaokangQian75d40ef2022-04-20 11:05:24 +00008170int mbedtls_ssl_validate_ciphersuite(
8171 const mbedtls_ssl_context *ssl,
8172 const mbedtls_ssl_ciphersuite_t *suite_info,
8173 mbedtls_ssl_protocol_version min_tls_version,
Gilles Peskine449bd832023-01-11 14:50:10 +01008174 mbedtls_ssl_protocol_version max_tls_version)
XiaokangQian75d40ef2022-04-20 11:05:24 +00008175{
8176 (void) ssl;
8177
Gilles Peskine449bd832023-01-11 14:50:10 +01008178 if (suite_info == NULL) {
8179 return -1;
8180 }
XiaokangQian75d40ef2022-04-20 11:05:24 +00008181
Gilles Peskine449bd832023-01-11 14:50:10 +01008182 if ((suite_info->min_tls_version > max_tls_version) ||
8183 (suite_info->max_tls_version < min_tls_version)) {
8184 return -1;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008185 }
8186
XiaokangQian060d8672022-04-21 09:24:56 +00008187#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
XiaokangQian75d40ef2022-04-20 11:05:24 +00008188#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01008189 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
Manuel Pégourié-Gonnard88800dd2025-01-23 11:01:35 +01008190 ssl->handshake->psa_pake_ctx_is_ok != 1) {
Gilles Peskine449bd832023-01-11 14:50:10 +01008191 return -1;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008192 }
8193#endif
8194
8195 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
8196#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01008197 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
8198 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
8199 return -1;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008200 }
8201#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
8202#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
8203
Gilles Peskine449bd832023-01-11 14:50:10 +01008204 return 0;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008205}
8206
Ronald Crone68ab4f2022-10-05 12:46:29 +02008207#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
XiaokangQianeaf36512022-04-24 09:07:44 +00008208/*
8209 * Function for writing a signature algorithm extension.
8210 *
8211 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
8212 * value (TLS 1.3 RFC8446):
8213 * enum {
8214 * ....
8215 * ecdsa_secp256r1_sha256( 0x0403 ),
8216 * ecdsa_secp384r1_sha384( 0x0503 ),
8217 * ecdsa_secp521r1_sha512( 0x0603 ),
8218 * ....
8219 * } SignatureScheme;
8220 *
8221 * struct {
8222 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
8223 * } SignatureSchemeList;
8224 *
8225 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
8226 * value (TLS 1.2 RFC5246):
8227 * enum {
8228 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
8229 * sha512(6), (255)
8230 * } HashAlgorithm;
8231 *
8232 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
8233 * SignatureAlgorithm;
8234 *
8235 * struct {
8236 * HashAlgorithm hash;
8237 * SignatureAlgorithm signature;
8238 * } SignatureAndHashAlgorithm;
8239 *
8240 * SignatureAndHashAlgorithm
8241 * supported_signature_algorithms<2..2^16-2>;
8242 *
8243 * The TLS 1.3 signature algorithm extension was defined to be a compatible
8244 * generalization of the TLS 1.2 signature algorithm extension.
8245 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
8246 * `SignatureScheme` field of TLS 1.3
8247 *
8248 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008249int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
8250 const unsigned char *end, size_t *out_len)
XiaokangQianeaf36512022-04-24 09:07:44 +00008251{
8252 unsigned char *p = buf;
8253 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
8254 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
8255
8256 *out_len = 0;
8257
Gilles Peskine449bd832023-01-11 14:50:10 +01008258 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
XiaokangQianeaf36512022-04-24 09:07:44 +00008259
8260 /* Check if we have space for header and length field:
8261 * - extension_type (2 bytes)
8262 * - extension_data_length (2 bytes)
8263 * - supported_signature_algorithms_length (2 bytes)
8264 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008265 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
XiaokangQianeaf36512022-04-24 09:07:44 +00008266 p += 6;
8267
8268 /*
8269 * Write supported_signature_algorithms
8270 */
8271 supported_sig_alg = p;
Gilles Peskine449bd832023-01-11 14:50:10 +01008272 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
8273 if (sig_alg == NULL) {
8274 return MBEDTLS_ERR_SSL_BAD_CONFIG;
8275 }
XiaokangQianeaf36512022-04-24 09:07:44 +00008276
Gilles Peskine449bd832023-01-11 14:50:10 +01008277 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
8278 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
8279 *sig_alg,
8280 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
8281 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
XiaokangQianeaf36512022-04-24 09:07:44 +00008282 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008283 }
8284 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
8285 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
XiaokangQianeaf36512022-04-24 09:07:44 +00008286 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01008287 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
8288 *sig_alg,
8289 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
XiaokangQianeaf36512022-04-24 09:07:44 +00008290 }
8291
8292 /* Length of supported_signature_algorithms */
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +00008293 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +01008294 if (supported_sig_alg_len == 0) {
8295 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
8296 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQianeaf36512022-04-24 09:07:44 +00008297 }
8298
Gilles Peskine449bd832023-01-11 14:50:10 +01008299 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
8300 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
8301 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
XiaokangQianeaf36512022-04-24 09:07:44 +00008302
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +00008303 *out_len = (size_t) (p - buf);
XiaokangQianeaf36512022-04-24 09:07:44 +00008304
8305#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01008306 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
XiaokangQianeaf36512022-04-24 09:07:44 +00008307#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu0c354a22022-08-29 15:25:36 +08008308
Gilles Peskine449bd832023-01-11 14:50:10 +01008309 return 0;
XiaokangQianeaf36512022-04-24 09:07:44 +00008310}
Ronald Crone68ab4f2022-10-05 12:46:29 +02008311#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
XiaokangQianeaf36512022-04-24 09:07:44 +00008312
XiaokangQian40a35232022-05-07 09:02:40 +00008313#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
XiaokangQian9b2b7712022-05-17 02:57:00 +00008314/*
8315 * mbedtls_ssl_parse_server_name_ext
8316 *
8317 * Structure of server_name extension:
8318 *
8319 * enum {
8320 * host_name(0), (255)
8321 * } NameType;
8322 * opaque HostName<1..2^16-1>;
8323 *
8324 * struct {
8325 * NameType name_type;
8326 * select (name_type) {
8327 * case host_name: HostName;
8328 * } name;
8329 * } ServerName;
8330 * struct {
8331 * ServerName server_name_list<1..2^16-1>
8332 * } ServerNameList;
8333 */
Ronald Cronce7d76e2022-07-08 18:56:49 +02008334MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01008335int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
8336 const unsigned char *buf,
8337 const unsigned char *end)
XiaokangQian40a35232022-05-07 09:02:40 +00008338{
8339 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8340 const unsigned char *p = buf;
XiaokangQian9b2b7712022-05-17 02:57:00 +00008341 size_t server_name_list_len, hostname_len;
8342 const unsigned char *server_name_list_end;
XiaokangQian40a35232022-05-07 09:02:40 +00008343
Gilles Peskine449bd832023-01-11 14:50:10 +01008344 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
XiaokangQian40a35232022-05-07 09:02:40 +00008345
Gilles Peskine449bd832023-01-11 14:50:10 +01008346 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
8347 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian40a35232022-05-07 09:02:40 +00008348 p += 2;
8349
Gilles Peskine449bd832023-01-11 14:50:10 +01008350 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
XiaokangQian9b2b7712022-05-17 02:57:00 +00008351 server_name_list_end = p + server_name_list_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008352 while (p < server_name_list_end) {
8353 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
8354 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
8355 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
8356 hostname_len + 3);
XiaokangQian40a35232022-05-07 09:02:40 +00008357
Gilles Peskine449bd832023-01-11 14:50:10 +01008358 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
XiaokangQian75fe8c72022-06-15 09:42:45 +00008359 /* sni_name is intended to be used only during the parsing of the
8360 * ClientHello message (it is reset to NULL before the end of
8361 * the message parsing). Thus it is ok to just point to the
8362 * reception buffer and not make a copy of it.
8363 */
XiaokangQianf2a94202022-05-20 06:44:24 +00008364 ssl->handshake->sni_name = p + 3;
8365 ssl->handshake->sni_name_len = hostname_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008366 if (ssl->conf->f_sni == NULL) {
8367 return 0;
XiaokangQian40a35232022-05-07 09:02:40 +00008368 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008369 ret = ssl->conf->f_sni(ssl->conf->p_sni,
8370 ssl, p + 3, hostname_len);
8371 if (ret != 0) {
8372 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
8373 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
8374 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
8375 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
8376 }
8377 return 0;
XiaokangQian40a35232022-05-07 09:02:40 +00008378 }
8379
8380 p += hostname_len + 3;
8381 }
8382
Gilles Peskine449bd832023-01-11 14:50:10 +01008383 return 0;
XiaokangQian40a35232022-05-07 09:02:40 +00008384}
8385#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
8386
XiaokangQianacb39922022-06-17 10:18:48 +00008387#if defined(MBEDTLS_SSL_ALPN)
Ronald Cronce7d76e2022-07-08 18:56:49 +02008388MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01008389int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
8390 const unsigned char *buf,
8391 const unsigned char *end)
XiaokangQianacb39922022-06-17 10:18:48 +00008392{
8393 const unsigned char *p = buf;
XiaokangQianc7403452022-06-23 03:24:12 +00008394 size_t protocol_name_list_len;
XiaokangQian95d5f542022-06-24 02:29:26 +00008395 const unsigned char *protocol_name_list;
8396 const unsigned char *protocol_name_list_end;
XiaokangQianc7403452022-06-23 03:24:12 +00008397 size_t protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008398
8399 /* If ALPN not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +01008400 if (ssl->conf->alpn_list == NULL) {
8401 return 0;
8402 }
XiaokangQianacb39922022-06-17 10:18:48 +00008403
8404 /*
XiaokangQianc7403452022-06-23 03:24:12 +00008405 * RFC7301, section 3.1
8406 * opaque ProtocolName<1..2^8-1>;
XiaokangQianacb39922022-06-17 10:18:48 +00008407 *
XiaokangQianc7403452022-06-23 03:24:12 +00008408 * struct {
8409 * ProtocolName protocol_name_list<2..2^16-1>
8410 * } ProtocolNameList;
XiaokangQianacb39922022-06-17 10:18:48 +00008411 */
8412
XiaokangQianc7403452022-06-23 03:24:12 +00008413 /*
XiaokangQian0b776e22022-06-24 09:04:59 +00008414 * protocol_name_list_len 2 bytes
8415 * protocol_name_len 1 bytes
8416 * protocol_name >=1 byte
XiaokangQianc7403452022-06-23 03:24:12 +00008417 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008418 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
XiaokangQianacb39922022-06-17 10:18:48 +00008419
Gilles Peskine449bd832023-01-11 14:50:10 +01008420 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQianacb39922022-06-17 10:18:48 +00008421 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01008422 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
XiaokangQian95d5f542022-06-24 02:29:26 +00008423 protocol_name_list = p;
8424 protocol_name_list_end = p + protocol_name_list_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008425
8426 /* Validate peer's list (lengths) */
Gilles Peskine449bd832023-01-11 14:50:10 +01008427 while (p < protocol_name_list_end) {
XiaokangQian95d5f542022-06-24 02:29:26 +00008428 protocol_name_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +01008429 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
8430 protocol_name_len);
8431 if (protocol_name_len == 0) {
XiaokangQian95d5f542022-06-24 02:29:26 +00008432 MBEDTLS_SSL_PEND_FATAL_ALERT(
8433 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
Gilles Peskine449bd832023-01-11 14:50:10 +01008434 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
8435 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian95d5f542022-06-24 02:29:26 +00008436 }
8437
8438 p += protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008439 }
8440
8441 /* Use our order of preference */
Gilles Peskinec4949d12025-05-27 19:45:29 +02008442 for (const char *const *alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
Gilles Peskine449bd832023-01-11 14:50:10 +01008443 size_t const alpn_len = strlen(*alpn);
XiaokangQian95d5f542022-06-24 02:29:26 +00008444 p = protocol_name_list;
Gilles Peskine449bd832023-01-11 14:50:10 +01008445 while (p < protocol_name_list_end) {
XiaokangQian95d5f542022-06-24 02:29:26 +00008446 protocol_name_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +01008447 if (protocol_name_len == alpn_len &&
8448 memcmp(p, *alpn, alpn_len) == 0) {
XiaokangQianacb39922022-06-17 10:18:48 +00008449 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +01008450 return 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008451 }
XiaokangQian95d5f542022-06-24 02:29:26 +00008452
8453 p += protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008454 }
8455 }
8456
XiaokangQian95d5f542022-06-24 02:29:26 +00008457 /* If we get here, no match was found */
XiaokangQianacb39922022-06-17 10:18:48 +00008458 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +01008459 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
8460 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
8461 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
XiaokangQianacb39922022-06-17 10:18:48 +00008462}
8463
Gilles Peskine449bd832023-01-11 14:50:10 +01008464int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
8465 unsigned char *buf,
8466 unsigned char *end,
8467 size_t *out_len)
XiaokangQianacb39922022-06-17 10:18:48 +00008468{
8469 unsigned char *p = buf;
XiaokangQian95d5f542022-06-24 02:29:26 +00008470 size_t protocol_name_len;
XiaokangQianc7403452022-06-23 03:24:12 +00008471 *out_len = 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008472
Gilles Peskine449bd832023-01-11 14:50:10 +01008473 if (ssl->alpn_chosen == NULL) {
8474 return 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008475 }
8476
Gilles Peskine449bd832023-01-11 14:50:10 +01008477 protocol_name_len = strlen(ssl->alpn_chosen);
8478 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
XiaokangQianacb39922022-06-17 10:18:48 +00008479
Gilles Peskine449bd832023-01-11 14:50:10 +01008480 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
XiaokangQianacb39922022-06-17 10:18:48 +00008481 /*
8482 * 0 . 1 ext identifier
8483 * 2 . 3 ext length
8484 * 4 . 5 protocol list length
8485 * 6 . 6 protocol name length
8486 * 7 . 7+n protocol name
8487 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008488 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
XiaokangQianacb39922022-06-17 10:18:48 +00008489
XiaokangQian95d5f542022-06-24 02:29:26 +00008490 *out_len = 7 + protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008491
Gilles Peskine449bd832023-01-11 14:50:10 +01008492 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
8493 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
XiaokangQian0b776e22022-06-24 09:04:59 +00008494 /* Note: the length of the chosen protocol has been checked to be less
8495 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
8496 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008497 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
XiaokangQianacb39922022-06-17 10:18:48 +00008498
Gilles Peskine449bd832023-01-11 14:50:10 +01008499 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
Jerry Yub95dd362022-11-08 21:19:34 +08008500
8501#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01008502 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
Jerry Yub95dd362022-11-08 21:19:34 +08008503#endif
8504
Gilles Peskine449bd832023-01-11 14:50:10 +01008505 return 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008506}
8507#endif /* MBEDTLS_SSL_ALPN */
8508
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008509#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
Xiaokang Qian03409292022-10-12 02:49:52 +00008510 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
Xiaokang Qianed0620c2022-10-12 06:58:13 +00008511 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
Xiaokang Qianed3afcd2022-10-12 08:31:11 +00008512 defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01008513int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
8514 const char *hostname)
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008515{
8516 /* Initialize to suppress unnecessary compiler warning */
8517 size_t hostname_len = 0;
8518
8519 /* Check if new hostname is valid before
8520 * making any change to current one */
Gilles Peskine449bd832023-01-11 14:50:10 +01008521 if (hostname != NULL) {
8522 hostname_len = strlen(hostname);
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008523
Gilles Peskine449bd832023-01-11 14:50:10 +01008524 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
8525 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8526 }
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008527 }
8528
8529 /* Now it's clear that we will overwrite the old hostname,
8530 * so we can free it safely */
Gilles Peskine449bd832023-01-11 14:50:10 +01008531 if (session->hostname != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01008532 mbedtls_zeroize_and_free(session->hostname,
Gilles Peskine449bd832023-01-11 14:50:10 +01008533 strlen(session->hostname));
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008534 }
8535
8536 /* Passing NULL as hostname shall clear the old one */
Gilles Peskine449bd832023-01-11 14:50:10 +01008537 if (hostname == NULL) {
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008538 session->hostname = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01008539 } else {
8540 session->hostname = mbedtls_calloc(1, hostname_len + 1);
8541 if (session->hostname == NULL) {
8542 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
8543 }
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008544
Gilles Peskine449bd832023-01-11 14:50:10 +01008545 memcpy(session->hostname, hostname, hostname_len);
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008546 }
8547
Gilles Peskine449bd832023-01-11 14:50:10 +01008548 return 0;
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008549}
Xiaokang Qian03409292022-10-12 02:49:52 +00008550#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
8551 MBEDTLS_SSL_SESSION_TICKETS &&
Xiaokang Qianed0620c2022-10-12 06:58:13 +00008552 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
Xiaokang Qianed3afcd2022-10-12 08:31:11 +00008553 MBEDTLS_SSL_CLI_C */
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008554
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008555#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
8556 defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008557int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
8558 const char *alpn)
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008559{
8560 size_t alpn_len = 0;
8561
8562 if (alpn != NULL) {
8563 alpn_len = strlen(alpn);
8564
8565 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
8566 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8567 }
8568 }
8569
8570 if (session->ticket_alpn != NULL) {
8571 mbedtls_zeroize_and_free(session->ticket_alpn,
8572 strlen(session->ticket_alpn));
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008573 session->ticket_alpn = NULL;
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008574 }
8575
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008576 if (alpn != NULL) {
8577 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008578 if (session->ticket_alpn == NULL) {
8579 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
8580 }
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008581 memcpy(session->ticket_alpn, alpn, alpn_len);
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008582 }
8583
8584 return 0;
8585}
8586#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008587
8588/*
8589 * The following functions are used by 1.2 and 1.3, client and server.
8590 */
8591#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
8592int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
8593 const mbedtls_ssl_ciphersuite_t *ciphersuite,
8594 int recv_endpoint,
8595 mbedtls_ssl_protocol_version tls_version,
8596 uint32_t *flags)
8597{
8598 int ret = 0;
8599 unsigned int usage = 0;
8600 const char *ext_oid;
8601 size_t ext_len;
8602
8603 /*
8604 * keyUsage
8605 */
8606
8607 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
8608 * to check what a compliant client will think while choosing which cert
8609 * to send to the client. */
8610#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
8611 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
8612 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
8613 /* TLS 1.2 server part of the key exchange */
8614 switch (ciphersuite->key_exchange) {
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008615 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
8616 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
8617 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
8618 break;
8619
8620 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
8621 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
8622 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
8623 break;
8624
8625 /* Don't use default: we want warnings when adding new values */
8626 case MBEDTLS_KEY_EXCHANGE_NONE:
8627 case MBEDTLS_KEY_EXCHANGE_PSK:
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008628 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
8629 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
8630 usage = 0;
8631 }
8632 } else
8633#endif
8634 {
8635 /* This is either TLS 1.3 authentication, which always uses signatures,
8636 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
8637 * options we implement, both using signatures. */
8638 (void) tls_version;
8639 (void) ciphersuite;
8640 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
8641 }
8642
8643 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
8644 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
8645 ret = -1;
8646 }
8647
8648 /*
8649 * extKeyUsage
8650 */
8651
8652 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
8653 ext_oid = MBEDTLS_OID_SERVER_AUTH;
8654 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
8655 } else {
8656 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
8657 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
8658 }
8659
8660 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
8661 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
8662 ret = -1;
8663 }
8664
8665 return ret;
8666}
8667
Gilles Peskine4ac40082025-02-20 18:13:58 +01008668static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
8669 const char **hostname)
8670{
8671 if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
8672 MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
Gilles Peskine488b9192025-02-13 14:39:02 +01008673 if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
8674 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
8675 return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
8676 }
Gilles Peskine4ac40082025-02-20 18:13:58 +01008677 }
8678
8679 *hostname = ssl->hostname;
8680 if (*hostname == NULL) {
8681 MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
8682 }
8683
8684 return 0;
8685}
8686
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008687int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
8688 int authmode,
8689 mbedtls_x509_crt *chain,
8690 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
8691 void *rs_ctx)
8692{
8693 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
8694 return 0;
8695 }
8696
8697 /*
8698 * Primary check: use the appropriate X.509 verification function
8699 */
8700 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
8701 void *p_vrfy;
8702 if (ssl->f_vrfy != NULL) {
8703 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
8704 f_vrfy = ssl->f_vrfy;
8705 p_vrfy = ssl->p_vrfy;
8706 } else {
8707 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
8708 f_vrfy = ssl->conf->f_vrfy;
8709 p_vrfy = ssl->conf->p_vrfy;
8710 }
8711
Gilles Peskine4ac40082025-02-20 18:13:58 +01008712 const char *hostname = "";
8713 int ret = get_hostname_for_verification(ssl, &hostname);
8714 if (ret != 0) {
8715 MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
8716 return ret;
8717 }
8718
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008719 int have_ca_chain_or_callback = 0;
8720#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
8721 if (ssl->conf->f_ca_cb != NULL) {
8722 ((void) rs_ctx);
8723 have_ca_chain_or_callback = 1;
8724
8725 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
8726 ret = mbedtls_x509_crt_verify_with_ca_cb(
8727 chain,
8728 ssl->conf->f_ca_cb,
8729 ssl->conf->p_ca_cb,
8730 ssl->conf->cert_profile,
Gilles Peskine4ac40082025-02-20 18:13:58 +01008731 hostname,
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008732 &ssl->session_negotiate->verify_result,
8733 f_vrfy, p_vrfy);
8734 } else
8735#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
8736 {
8737 mbedtls_x509_crt *ca_chain;
8738 mbedtls_x509_crl *ca_crl;
8739#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
8740 if (ssl->handshake->sni_ca_chain != NULL) {
8741 ca_chain = ssl->handshake->sni_ca_chain;
8742 ca_crl = ssl->handshake->sni_ca_crl;
8743 } else
8744#endif
8745 {
8746 ca_chain = ssl->conf->ca_chain;
8747 ca_crl = ssl->conf->ca_crl;
8748 }
8749
8750 if (ca_chain != NULL) {
8751 have_ca_chain_or_callback = 1;
8752 }
8753
8754 ret = mbedtls_x509_crt_verify_restartable(
8755 chain,
8756 ca_chain, ca_crl,
8757 ssl->conf->cert_profile,
Gilles Peskine4ac40082025-02-20 18:13:58 +01008758 hostname,
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008759 &ssl->session_negotiate->verify_result,
8760 f_vrfy, p_vrfy, rs_ctx);
8761 }
8762
8763 if (ret != 0) {
8764 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
8765 }
8766
8767#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8768 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
8769 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
8770 }
8771#endif
8772
8773 /*
8774 * Secondary checks: always done, but change 'ret' only if it was 0
8775 */
8776
8777 /* With TLS 1.2 and ECC certs, check that the curve used by the
8778 * certificate is on our list of acceptable curves.
8779 *
8780 * With TLS 1.3 this is not needed because the curve is part of the
8781 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
8782 * we validate the signature made with the key associated to this cert.
8783 */
8784#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
8785 defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
8786 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
8787 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
8788 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
8789 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
8790 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
8791 if (ret == 0) {
8792 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
8793 }
8794 }
8795 }
8796#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
8797
8798 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
8799 if (mbedtls_ssl_check_cert_usage(chain,
8800 ciphersuite_info,
8801 ssl->conf->endpoint,
8802 ssl->tls_version,
8803 &ssl->session_negotiate->verify_result) != 0) {
8804 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
8805 if (ret == 0) {
8806 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
8807 }
8808 }
8809
8810 /* With authmode optional, we want to keep going if the certificate was
8811 * unacceptable, but still fail on other errors (out of memory etc),
8812 * including fatal errors from the f_vrfy callback.
8813 *
8814 * The only acceptable errors are:
8815 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
8816 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
8817 * Anything else is a fatal error. */
8818 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
8819 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
8820 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
8821 ret = 0;
8822 }
8823
8824 /* Return a specific error as this is a user error: inconsistent
8825 * configuration - can't verify without trust anchors. */
8826 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
8827 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
8828 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
8829 }
8830
8831 if (ret != 0) {
8832 uint8_t alert;
8833
8834 /* The certificate may have been rejected for several reasons.
8835 Pick one and send the corresponding alert. Which alert to send
8836 may be a subject of debate in some cases. */
8837 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
8838 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
8839 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
8840 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
8841 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
8842 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8843 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
8844 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8845 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
8846 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8847 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
8848 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8849 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
8850 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
8851 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
8852 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
8853 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
8854 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
8855 } else {
8856 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
8857 }
8858 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8859 alert);
8860 }
8861
8862#if defined(MBEDTLS_DEBUG_C)
8863 if (ssl->session_negotiate->verify_result != 0) {
8864 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
8865 (unsigned int) ssl->session_negotiate->verify_result));
8866 } else {
8867 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
8868 }
8869#endif /* MBEDTLS_DEBUG_C */
8870
8871 return ret;
8872}
8873#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
8874
Max Fillinger2fe35f62024-10-25 00:52:24 +02008875#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
Max Fillinger281fb792024-10-23 18:35:09 +02008876
Max Fillinger29beade2024-09-21 11:06:28 +02008877#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008878static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
8879 const mbedtls_md_type_t hash_alg,
Max Fillinger7b722202024-09-21 10:48:57 +02008880 uint8_t *out,
8881 const size_t key_len,
8882 const char *label,
8883 const size_t label_len,
8884 const unsigned char *context,
8885 const size_t context_len,
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008886 const int use_context)
8887{
8888 int ret = 0;
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008889 unsigned char *prf_input = NULL;
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008890
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008891 /* The input to the PRF is client_random, then server_random.
8892 * If a context is provided, this is then followed by the context length
8893 * as a 16-bit big-endian integer, and then the context itself. */
Max Fillinger155cea02024-10-23 16:32:54 +02008894 const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN;
8895 size_t prf_input_len = randbytes_len;
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008896 if (use_context) {
Max Fillinger155cea02024-10-23 16:32:54 +02008897 if (context_len > UINT16_MAX) {
8898 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8899 }
8900
8901 /* This does not overflow a 32-bit size_t because the current value of
8902 * prf_input_len is 64 (length of client_random + server_random) and
8903 * context_len fits into two bytes (checked above). */
8904 prf_input_len += sizeof(uint16_t) + context_len;
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008905 }
Max Fillinger155cea02024-10-23 16:32:54 +02008906
8907 prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char));
8908 if (prf_input == NULL) {
8909 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
8910 }
8911
8912 memcpy(prf_input,
8913 ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN,
8914 MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
8915 memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
8916 ssl->transform->randbytes,
8917 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
8918 if (use_context) {
8919 MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len);
8920 memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len);
8921 }
8922 ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master),
Max Fillingerf2dda152024-10-23 15:47:23 +02008923 label, label_len,
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008924 prf_input, prf_input_len,
8925 out, key_len);
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008926 mbedtls_free(prf_input);
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008927 return ret;
8928}
Max Fillinger281fb792024-10-23 18:35:09 +02008929#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008930
Max Fillinger29beade2024-09-21 11:06:28 +02008931#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008932static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
8933 const mbedtls_md_type_t hash_alg,
Max Fillinger7b722202024-09-21 10:48:57 +02008934 uint8_t *out,
8935 const size_t key_len,
8936 const char *label,
8937 const size_t label_len,
8938 const unsigned char *context,
8939 const size_t context_len)
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008940{
8941 const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg);
8942 const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
8943 const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
8944
Max Fillinger9c5bae52024-11-21 12:33:46 +01008945 /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
Max Fillingerc6fd1a22024-11-01 16:05:34 +01008946 * struct as defined in RFC 8446, Section 7.1.
Max Fillinger3e129182024-10-29 19:18:54 +01008947 *
Max Fillingerc6fd1a22024-11-01 16:05:34 +01008948 * The length of the context is unlimited even though the context field in the
Max Fillinger9c5bae52024-11-21 12:33:46 +01008949 * struct can only hold up to 255 bytes. This is because we place a *hash* of
Max Fillingerc6fd1a22024-11-01 16:05:34 +01008950 * the context in the field. */
Max Fillinger9c5bae52024-11-21 12:33:46 +01008951 if (label_len > 249) {
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008952 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8953 }
8954
8955 return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len,
Max Fillinger7b722202024-09-21 10:48:57 +02008956 (const unsigned char *) label, label_len,
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008957 context, context_len, out, key_len);
8958}
Max Fillinger281fb792024-10-23 18:35:09 +02008959#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008960
8961int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
Max Fillinger9c9989f2024-08-14 16:44:50 +02008962 uint8_t *out, const size_t key_len,
8963 const char *label, const size_t label_len,
8964 const unsigned char *context, const size_t context_len,
8965 const int use_context)
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008966{
8967 if (!mbedtls_ssl_is_handshake_over(ssl)) {
Max Fillinger53d91682024-11-18 18:22:51 +01008968 /* TODO: Change this to a more appropriate error code when one is available. */
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008969 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8970 }
8971
Max Fillingerc6fd1a22024-11-01 16:05:34 +01008972 if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) {
8973 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8974 }
8975
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008976 int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
8977 const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8978 const mbedtls_md_type_t hash_alg = ciphersuite->mac;
8979
8980 switch (mbedtls_ssl_get_version_number(ssl)) {
Max Fillinger29beade2024-09-21 11:06:28 +02008981#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008982 case MBEDTLS_SSL_VERSION_TLS1_2:
8983 return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len,
8984 label, label_len,
8985 context, context_len, use_context);
Max Fillinger29beade2024-09-21 11:06:28 +02008986#endif
8987#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008988 case MBEDTLS_SSL_VERSION_TLS1_3:
Max Fillinger7b722202024-09-21 10:48:57 +02008989 return mbedtls_ssl_tls13_export_keying_material(ssl,
8990 hash_alg,
8991 out,
8992 key_len,
8993 label,
8994 label_len,
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008995 use_context ? context : NULL,
8996 use_context ? context_len : 0);
Max Fillinger29beade2024-09-21 11:06:28 +02008997#endif
Max Fillingerbd81c9d2024-07-22 14:43:56 +02008998 default:
8999 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
9000 }
9001}
9002
Max Fillinger2fe35f62024-10-25 00:52:24 +02009003#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
Max Fillinger281fb792024-10-23 18:35:09 +02009004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009005#endif /* MBEDTLS_SSL_TLS_C */