Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
Hanno Becker | f1a3828 | 2020-02-05 16:14:29 +0000 | [diff] [blame] | 2 | * Generic SSL/TLS messaging layer functions |
| 3 | * (record layer + retransmission state machine) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4 | * |
Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 5 | * Copyright The Mbed TLS Contributors |
Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 6 | * SPDX-License-Identifier: Apache-2.0 |
| 7 | * |
| 8 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 9 | * not use this file except in compliance with the License. |
| 10 | * You may obtain a copy of the License at |
| 11 | * |
| 12 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 13 | * |
| 14 | * Unless required by applicable law or agreed to in writing, software |
| 15 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 16 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 17 | * See the License for the specific language governing permissions and |
| 18 | * limitations under the License. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 19 | */ |
| 20 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | * http://www.ietf.org/rfc/rfc2246.txt |
| 22 | * http://www.ietf.org/rfc/rfc4346.txt |
| 23 | */ |
| 24 | |
Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 25 | #include "common.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 26 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 27 | #if defined(MBEDTLS_SSL_TLS_C) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 28 | |
SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 29 | #if defined(MBEDTLS_PLATFORM_C) |
| 30 | #include "mbedtls/platform.h" |
| 31 | #else |
| 32 | #include <stdlib.h> |
| 33 | #define mbedtls_calloc calloc |
| 34 | #define mbedtls_free free |
SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 35 | #endif |
| 36 | |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 37 | #include "mbedtls/ssl.h" |
Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 38 | #include "ssl_misc.h" |
Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 39 | #include "mbedtls/debug.h" |
| 40 | #include "mbedtls/error.h" |
Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 41 | #include "mbedtls/platform_util.h" |
Hanno Becker | a835da5 | 2019-05-16 12:39:07 +0100 | [diff] [blame] | 42 | #include "mbedtls/version.h" |
Paul Bakker | 0be444a | 2013-08-27 21:55:01 +0200 | [diff] [blame] | 43 | |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 44 | #include "ssl_invasive.h" |
| 45 | |
Rich Evans | 00ab470 | 2015-02-06 13:43:58 +0000 | [diff] [blame] | 46 | #include <string.h> |
| 47 | |
Andrzej Kurek | d6db9be | 2019-01-10 05:27:10 -0500 | [diff] [blame] | 48 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 49 | #include "mbedtls/psa_util.h" |
| 50 | #include "psa/crypto.h" |
| 51 | #endif |
| 52 | |
Janos Follath | 23bdca0 | 2016-10-07 14:47:14 +0100 | [diff] [blame] | 53 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 54 | #include "mbedtls/oid.h" |
Manuel Pégourié-Gonnard | 0408fd1 | 2014-04-11 11:06:22 +0200 | [diff] [blame] | 55 | #endif |
| 56 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 57 | static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 58 | |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 59 | /* |
| 60 | * Start a timer. |
| 61 | * Passing millisecs = 0 cancels a running timer. |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 62 | */ |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 63 | void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 64 | { |
Manuel Pégourié-Gonnard | 2e01291 | 2015-05-12 20:55:41 +0200 | [diff] [blame] | 65 | if( ssl->f_set_timer == NULL ) |
| 66 | return; |
| 67 | |
| 68 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); |
| 69 | ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 70 | } |
| 71 | |
| 72 | /* |
| 73 | * Return -1 is timer is expired, 0 if it isn't. |
| 74 | */ |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 75 | int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 76 | { |
Manuel Pégourié-Gonnard | 2e01291 | 2015-05-12 20:55:41 +0200 | [diff] [blame] | 77 | if( ssl->f_get_timer == NULL ) |
Manuel Pégourié-Gonnard | 545102e | 2015-05-13 17:28:43 +0200 | [diff] [blame] | 78 | return( 0 ); |
Manuel Pégourié-Gonnard | 2e01291 | 2015-05-12 20:55:41 +0200 | [diff] [blame] | 79 | |
| 80 | if( ssl->f_get_timer( ssl->p_timer ) == 2 ) |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 81 | { |
| 82 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 83 | return( -1 ); |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 84 | } |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 85 | |
| 86 | return( 0 ); |
| 87 | } |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 88 | |
TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 89 | static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, |
| 90 | unsigned char *buf, |
| 91 | size_t len, |
| 92 | mbedtls_record *rec ); |
| 93 | |
| 94 | int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, |
| 95 | unsigned char *buf, |
| 96 | size_t buflen ) |
| 97 | { |
| 98 | int ret = 0; |
| 99 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); |
| 100 | MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); |
| 101 | |
| 102 | /* We don't support record checking in TLS because |
| 103 | * (a) there doesn't seem to be a usecase for it, and |
| 104 | * (b) In TLS 1.0, CBC record decryption has state |
| 105 | * and we'd need to backup the transform here. |
| 106 | */ |
| 107 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) |
| 108 | { |
| 109 | ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 110 | goto exit; |
| 111 | } |
| 112 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 113 | else |
| 114 | { |
| 115 | mbedtls_record rec; |
| 116 | |
| 117 | ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); |
| 118 | if( ret != 0 ) |
| 119 | { |
| 120 | MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); |
| 121 | goto exit; |
| 122 | } |
| 123 | |
| 124 | if( ssl->transform_in != NULL ) |
| 125 | { |
| 126 | ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); |
| 127 | if( ret != 0 ) |
| 128 | { |
| 129 | MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); |
| 130 | goto exit; |
| 131 | } |
| 132 | } |
| 133 | } |
| 134 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 135 | |
| 136 | exit: |
| 137 | /* On success, we have decrypted the buffer in-place, so make |
| 138 | * sure we don't leak any plaintext data. */ |
| 139 | mbedtls_platform_zeroize( buf, buflen ); |
| 140 | |
| 141 | /* For the purpose of this API, treat messages with unexpected CID |
| 142 | * as well as such from future epochs as unexpected. */ |
| 143 | if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || |
| 144 | ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) |
| 145 | { |
| 146 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; |
| 147 | } |
| 148 | |
| 149 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); |
| 150 | return( ret ); |
| 151 | } |
| 152 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 153 | #define SSL_DONT_FORCE_FLUSH 0 |
| 154 | #define SSL_FORCE_FLUSH 1 |
| 155 | |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 156 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 157 | |
Hanno Becker | d584777 | 2018-08-28 10:09:23 +0100 | [diff] [blame] | 158 | /* Forward declarations for functions related to message buffering. */ |
Hanno Becker | d584777 | 2018-08-28 10:09:23 +0100 | [diff] [blame] | 159 | static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl, |
| 160 | uint8_t slot ); |
| 161 | static void ssl_free_buffered_record( mbedtls_ssl_context *ssl ); |
| 162 | static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ); |
| 163 | static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ); |
| 164 | static int ssl_buffer_message( mbedtls_ssl_context *ssl ); |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 165 | static int ssl_buffer_future_record( mbedtls_ssl_context *ssl, |
| 166 | mbedtls_record const *rec ); |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 167 | static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl ); |
Hanno Becker | d584777 | 2018-08-28 10:09:23 +0100 | [diff] [blame] | 168 | |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 169 | static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 170 | { |
Hanno Becker | 8949071 | 2020-02-05 10:50:12 +0000 | [diff] [blame] | 171 | size_t mtu = mbedtls_ssl_get_current_mtu( ssl ); |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 172 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 173 | size_t out_buf_len = ssl->out_buf_len; |
| 174 | #else |
| 175 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; |
| 176 | #endif |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 177 | |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 178 | if( mtu != 0 && mtu < out_buf_len ) |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 179 | return( mtu ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 180 | |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 181 | return( out_buf_len ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 182 | } |
| 183 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 184 | static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl ) |
| 185 | { |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 186 | size_t const bytes_written = ssl->out_left; |
| 187 | size_t const mtu = ssl_get_maximum_datagram_size( ssl ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 188 | |
| 189 | /* Double-check that the write-index hasn't gone |
| 190 | * past what we can transmit in a single datagram. */ |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 191 | if( bytes_written > mtu ) |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 192 | { |
| 193 | /* Should never happen... */ |
| 194 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 195 | } |
| 196 | |
| 197 | return( (int) ( mtu - bytes_written ) ); |
| 198 | } |
| 199 | |
| 200 | static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl ) |
| 201 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 202 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 203 | size_t remaining, expansion; |
Andrzej Kurek | 748face | 2018-10-11 07:20:19 -0400 | [diff] [blame] | 204 | size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 205 | |
| 206 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
Andrzej Kurek | 90c6e84 | 2020-04-03 05:25:29 -0400 | [diff] [blame] | 207 | const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 208 | |
| 209 | if( max_len > mfl ) |
| 210 | max_len = mfl; |
Hanno Becker | f4b010e | 2018-08-24 10:47:29 +0100 | [diff] [blame] | 211 | |
| 212 | /* By the standard (RFC 6066 Sect. 4), the MFL extension |
| 213 | * only limits the maximum record payload size, so in theory |
| 214 | * we would be allowed to pack multiple records of payload size |
| 215 | * MFL into a single datagram. However, this would mean that there's |
| 216 | * no way to explicitly communicate MTU restrictions to the peer. |
| 217 | * |
| 218 | * The following reduction of max_len makes sure that we never |
| 219 | * write datagrams larger than MFL + Record Expansion Overhead. |
| 220 | */ |
| 221 | if( max_len <= ssl->out_left ) |
| 222 | return( 0 ); |
| 223 | |
| 224 | max_len -= ssl->out_left; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 225 | #endif |
| 226 | |
| 227 | ret = ssl_get_remaining_space_in_datagram( ssl ); |
| 228 | if( ret < 0 ) |
| 229 | return( ret ); |
| 230 | remaining = (size_t) ret; |
| 231 | |
| 232 | ret = mbedtls_ssl_get_record_expansion( ssl ); |
| 233 | if( ret < 0 ) |
| 234 | return( ret ); |
| 235 | expansion = (size_t) ret; |
| 236 | |
| 237 | if( remaining <= expansion ) |
| 238 | return( 0 ); |
| 239 | |
| 240 | remaining -= expansion; |
| 241 | if( remaining >= max_len ) |
| 242 | remaining = max_len; |
| 243 | |
| 244 | return( (int) remaining ); |
| 245 | } |
| 246 | |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 247 | /* |
| 248 | * Double the retransmit timeout value, within the allowed range, |
| 249 | * returning -1 if the maximum value has already been reached. |
| 250 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 251 | static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 252 | { |
| 253 | uint32_t new_timeout; |
| 254 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 255 | if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 256 | return( -1 ); |
| 257 | |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 258 | /* Implement the final paragraph of RFC 6347 section 4.1.1.1 |
| 259 | * in the following way: after the initial transmission and a first |
| 260 | * retransmission, back off to a temporary estimated MTU of 508 bytes. |
| 261 | * This value is guaranteed to be deliverable (if not guaranteed to be |
| 262 | * delivered) of any compliant IPv4 (and IPv6) network, and should work |
| 263 | * on most non-IP stacks too. */ |
| 264 | if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min ) |
Andrzej Kurek | 6290dae | 2018-10-05 08:06:01 -0400 | [diff] [blame] | 265 | { |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 266 | ssl->handshake->mtu = 508; |
Andrzej Kurek | 6290dae | 2018-10-05 08:06:01 -0400 | [diff] [blame] | 267 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) ); |
| 268 | } |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 269 | |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 270 | new_timeout = 2 * ssl->handshake->retransmit_timeout; |
| 271 | |
| 272 | /* Avoid arithmetic overflow and range overflow */ |
| 273 | if( new_timeout < ssl->handshake->retransmit_timeout || |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 274 | new_timeout > ssl->conf->hs_timeout_max ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 275 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 276 | new_timeout = ssl->conf->hs_timeout_max; |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 277 | } |
| 278 | |
| 279 | ssl->handshake->retransmit_timeout = new_timeout; |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 280 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs", |
| 281 | (unsigned long) ssl->handshake->retransmit_timeout ) ); |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 282 | |
| 283 | return( 0 ); |
| 284 | } |
| 285 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 286 | static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 287 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 288 | ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 289 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs", |
| 290 | (unsigned long) ssl->handshake->retransmit_timeout ) ); |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 291 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 292 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 293 | |
Manuel Pégourié-Gonnard | 0098e7d | 2014-10-28 13:08:59 +0100 | [diff] [blame] | 294 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 295 | * Encryption/decryption functions |
Paul Bakker | f7abd42 | 2013-04-16 13:15:56 +0200 | [diff] [blame] | 296 | */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 297 | |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 298 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \ |
| 299 | defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 300 | |
| 301 | static size_t ssl_compute_padding_length( size_t len, |
| 302 | size_t granularity ) |
| 303 | { |
| 304 | return( ( granularity - ( len + 1 ) % granularity ) % granularity ); |
| 305 | } |
| 306 | |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 307 | /* This functions transforms a (D)TLS plaintext fragment and a record content |
| 308 | * type into an instance of the (D)TLSInnerPlaintext structure. This is used |
| 309 | * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect |
| 310 | * a record's content type. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 311 | * |
| 312 | * struct { |
| 313 | * opaque content[DTLSPlaintext.length]; |
| 314 | * ContentType real_type; |
| 315 | * uint8 zeros[length_of_padding]; |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 316 | * } (D)TLSInnerPlaintext; |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 317 | * |
| 318 | * Input: |
| 319 | * - `content`: The beginning of the buffer holding the |
| 320 | * plaintext to be wrapped. |
| 321 | * - `*content_size`: The length of the plaintext in Bytes. |
| 322 | * - `max_len`: The number of Bytes available starting from |
| 323 | * `content`. This must be `>= *content_size`. |
| 324 | * - `rec_type`: The desired record content type. |
| 325 | * |
| 326 | * Output: |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 327 | * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure. |
| 328 | * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 329 | * |
| 330 | * Returns: |
| 331 | * - `0` on success. |
| 332 | * - A negative error code if `max_len` didn't offer enough space |
| 333 | * for the expansion. |
| 334 | */ |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 335 | static int ssl_build_inner_plaintext( unsigned char *content, |
| 336 | size_t *content_size, |
| 337 | size_t remaining, |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 338 | uint8_t rec_type, |
| 339 | size_t pad ) |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 340 | { |
| 341 | size_t len = *content_size; |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 342 | |
| 343 | /* Write real content type */ |
| 344 | if( remaining == 0 ) |
| 345 | return( -1 ); |
| 346 | content[ len ] = rec_type; |
| 347 | len++; |
| 348 | remaining--; |
| 349 | |
| 350 | if( remaining < pad ) |
| 351 | return( -1 ); |
| 352 | memset( content + len, 0, pad ); |
| 353 | len += pad; |
| 354 | remaining -= pad; |
| 355 | |
| 356 | *content_size = len; |
| 357 | return( 0 ); |
| 358 | } |
| 359 | |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 360 | /* This function parses a (D)TLSInnerPlaintext structure. |
| 361 | * See ssl_build_inner_plaintext() for details. */ |
| 362 | static int ssl_parse_inner_plaintext( unsigned char const *content, |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 363 | size_t *content_size, |
| 364 | uint8_t *rec_type ) |
| 365 | { |
| 366 | size_t remaining = *content_size; |
| 367 | |
| 368 | /* Determine length of padding by skipping zeroes from the back. */ |
| 369 | do |
| 370 | { |
| 371 | if( remaining == 0 ) |
| 372 | return( -1 ); |
| 373 | remaining--; |
| 374 | } while( content[ remaining ] == 0 ); |
| 375 | |
| 376 | *content_size = remaining; |
| 377 | *rec_type = content[ remaining ]; |
| 378 | |
| 379 | return( 0 ); |
| 380 | } |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 381 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || |
| 382 | MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 383 | |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 384 | /* `add_data` must have size 13 Bytes if the CID extension is disabled, |
Hanno Becker | c4a190b | 2019-05-08 18:15:21 +0100 | [diff] [blame] | 385 | * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 386 | static void ssl_extract_add_data_from_record( unsigned char* add_data, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 387 | size_t *add_data_len, |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 388 | mbedtls_record *rec, |
| 389 | unsigned minor_ver ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 390 | { |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 391 | /* Quoting RFC 5246 (TLS 1.2): |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 392 | * |
| 393 | * additional_data = seq_num + TLSCompressed.type + |
| 394 | * TLSCompressed.version + TLSCompressed.length; |
| 395 | * |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 396 | * For the CID extension, this is extended as follows |
| 397 | * (quoting draft-ietf-tls-dtls-connection-id-05, |
| 398 | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05): |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 399 | * |
| 400 | * additional_data = seq_num + DTLSPlaintext.type + |
| 401 | * DTLSPlaintext.version + |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 402 | * cid + |
| 403 | * cid_length + |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 404 | * length_of_DTLSInnerPlaintext; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 405 | * |
| 406 | * For TLS 1.3, the record sequence number is dropped from the AAD |
| 407 | * and encoded within the nonce of the AEAD operation instead. |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 408 | */ |
| 409 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 410 | unsigned char *cur = add_data; |
| 411 | |
| 412 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) |
| 413 | if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 414 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ |
| 415 | { |
| 416 | ((void) minor_ver); |
| 417 | memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); |
| 418 | cur += sizeof( rec->ctr ); |
| 419 | } |
| 420 | |
| 421 | *cur = rec->type; |
| 422 | cur++; |
| 423 | |
| 424 | memcpy( cur, rec->ver, sizeof( rec->ver ) ); |
| 425 | cur += sizeof( rec->ver ); |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 426 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 427 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 428 | if( rec->cid_len != 0 ) |
| 429 | { |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 430 | memcpy( cur, rec->cid, rec->cid_len ); |
| 431 | cur += rec->cid_len; |
| 432 | |
| 433 | *cur = rec->cid_len; |
| 434 | cur++; |
| 435 | |
| 436 | cur[0] = ( rec->data_len >> 8 ) & 0xFF; |
| 437 | cur[1] = ( rec->data_len >> 0 ) & 0xFF; |
| 438 | cur += 2; |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 439 | } |
| 440 | else |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 441 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 442 | { |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 443 | cur[0] = ( rec->data_len >> 8 ) & 0xFF; |
| 444 | cur[1] = ( rec->data_len >> 0 ) & 0xFF; |
| 445 | cur += 2; |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 446 | } |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 447 | |
| 448 | *add_data_len = cur - add_data; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 449 | } |
| 450 | |
Hanno Becker | 67a37db | 2020-05-28 16:27:07 +0100 | [diff] [blame] | 451 | #if defined(MBEDTLS_GCM_C) || \ |
| 452 | defined(MBEDTLS_CCM_C) || \ |
| 453 | defined(MBEDTLS_CHACHAPOLY_C) |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 454 | static int ssl_transform_aead_dynamic_iv_is_explicit( |
| 455 | mbedtls_ssl_transform const *transform ) |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 456 | { |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 457 | return( transform->ivlen != transform->fixed_ivlen ); |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 458 | } |
| 459 | |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 460 | /* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV ) |
| 461 | * |
| 462 | * Concretely, this occurs in two variants: |
| 463 | * |
| 464 | * a) Fixed and dynamic IV lengths add up to total IV length, giving |
| 465 | * IV = fixed_iv || dynamic_iv |
| 466 | * |
Hanno Becker | 1595281 | 2020-06-04 13:31:46 +0100 | [diff] [blame] | 467 | * This variant is used in TLS 1.2 when used with GCM or CCM. |
| 468 | * |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 469 | * b) Fixed IV lengths matches total IV length, giving |
| 470 | * IV = fixed_iv XOR ( 0 || dynamic_iv ) |
Hanno Becker | 1595281 | 2020-06-04 13:31:46 +0100 | [diff] [blame] | 471 | * |
| 472 | * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly. |
| 473 | * |
| 474 | * See also the documentation of mbedtls_ssl_transform. |
Hanno Becker | f486e28 | 2020-06-04 13:33:08 +0100 | [diff] [blame] | 475 | * |
| 476 | * This function has the precondition that |
| 477 | * |
| 478 | * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len ) |
| 479 | * |
| 480 | * which has to be ensured by the caller. If this precondition |
| 481 | * violated, the behavior of this function is undefined. |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 482 | */ |
| 483 | static void ssl_build_record_nonce( unsigned char *dst_iv, |
| 484 | size_t dst_iv_len, |
| 485 | unsigned char const *fixed_iv, |
| 486 | size_t fixed_iv_len, |
| 487 | unsigned char const *dynamic_iv, |
| 488 | size_t dynamic_iv_len ) |
| 489 | { |
| 490 | size_t i; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 491 | |
| 492 | /* Start with Fixed IV || 0 */ |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 493 | memset( dst_iv, 0, dst_iv_len ); |
| 494 | memcpy( dst_iv, fixed_iv, fixed_iv_len ); |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 495 | |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 496 | dst_iv += dst_iv_len - dynamic_iv_len; |
| 497 | for( i = 0; i < dynamic_iv_len; i++ ) |
| 498 | dst_iv[i] ^= dynamic_iv[i]; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 499 | } |
Hanno Becker | 67a37db | 2020-05-28 16:27:07 +0100 | [diff] [blame] | 500 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 501 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 502 | int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, |
| 503 | mbedtls_ssl_transform *transform, |
| 504 | mbedtls_record *rec, |
| 505 | int (*f_rng)(void *, unsigned char *, size_t), |
| 506 | void *p_rng ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 507 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 508 | mbedtls_cipher_mode_t mode; |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 509 | int auth_done = 0; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 510 | unsigned char * data; |
Hanno Becker | 92fb4fa | 2019-05-20 14:54:26 +0100 | [diff] [blame] | 511 | unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 512 | size_t add_data_len; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 513 | size_t post_avail; |
| 514 | |
| 515 | /* The SSL context is only used for debugging purposes! */ |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 516 | #if !defined(MBEDTLS_DEBUG_C) |
Manuel Pégourié-Gonnard | a7505d1 | 2019-05-07 10:17:56 +0200 | [diff] [blame] | 517 | ssl = NULL; /* make sure we don't use it except for debug */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 518 | ((void) ssl); |
| 519 | #endif |
| 520 | |
| 521 | /* The PRNG is used for dynamic IV generation that's used |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 522 | * for CBC transformations in TLS 1.2. */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 523 | #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 524 | defined(MBEDTLS_SSL_PROTO_TLS1_2) ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 525 | ((void) f_rng); |
| 526 | ((void) p_rng); |
| 527 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 528 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 529 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 530 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 531 | if( transform == NULL ) |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 532 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 533 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) ); |
| 534 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 535 | } |
Hanno Becker | 43c24b8 | 2019-05-01 09:45:57 +0100 | [diff] [blame] | 536 | if( rec == NULL |
| 537 | || rec->buf == NULL |
| 538 | || rec->buf_len < rec->data_offset |
| 539 | || rec->buf_len - rec->data_offset < rec->data_len |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 540 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 43c24b8 | 2019-05-01 09:45:57 +0100 | [diff] [blame] | 541 | || rec->cid_len != 0 |
| 542 | #endif |
| 543 | ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 544 | { |
| 545 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 546 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 547 | } |
| 548 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 549 | data = rec->buf + rec->data_offset; |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 550 | post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 551 | MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 552 | data, rec->data_len ); |
| 553 | |
| 554 | mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ); |
| 555 | |
| 556 | if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) |
| 557 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 558 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET |
| 559 | " too large, maximum %" MBEDTLS_PRINTF_SIZET, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 560 | rec->data_len, |
| 561 | (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 562 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 563 | } |
Manuel Pégourié-Gonnard | 60346be | 2014-11-21 11:38:37 +0100 | [diff] [blame] | 564 | |
Hanno Becker | 9231340 | 2020-05-20 13:58:58 +0100 | [diff] [blame] | 565 | /* The following two code paths implement the (D)TLSInnerPlaintext |
| 566 | * structure present in TLS 1.3 and DTLS 1.2 + CID. |
| 567 | * |
| 568 | * See ssl_build_inner_plaintext() for more information. |
| 569 | * |
| 570 | * Note that this changes `rec->data_len`, and hence |
| 571 | * `post_avail` needs to be recalculated afterwards. |
| 572 | * |
| 573 | * Note also that the two code paths cannot occur simultaneously |
| 574 | * since they apply to different versions of the protocol. There |
| 575 | * is hence no risk of double-addition of the inner plaintext. |
| 576 | */ |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 577 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) |
| 578 | if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 579 | { |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 580 | size_t padding = |
| 581 | ssl_compute_padding_length( rec->data_len, |
TRodziewicz | e8dd709 | 2021-05-12 14:19:11 +0200 | [diff] [blame] | 582 | MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY ); |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 583 | if( ssl_build_inner_plaintext( data, |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 584 | &rec->data_len, |
| 585 | post_avail, |
| 586 | rec->type, |
| 587 | padding ) != 0 ) |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 588 | { |
| 589 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 590 | } |
| 591 | |
| 592 | rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA; |
| 593 | } |
| 594 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ |
| 595 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 596 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 597 | /* |
| 598 | * Add CID information |
| 599 | */ |
| 600 | rec->cid_len = transform->out_cid_len; |
| 601 | memcpy( rec->cid, transform->out_cid, transform->out_cid_len ); |
| 602 | MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len ); |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 603 | |
| 604 | if( rec->cid_len != 0 ) |
| 605 | { |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 606 | size_t padding = |
| 607 | ssl_compute_padding_length( rec->data_len, |
TRodziewicz | e8dd709 | 2021-05-12 14:19:11 +0200 | [diff] [blame] | 608 | MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY ); |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 609 | /* |
Hanno Becker | 07dc97d | 2019-05-20 15:08:01 +0100 | [diff] [blame] | 610 | * Wrap plaintext into DTLSInnerPlaintext structure. |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 611 | * See ssl_build_inner_plaintext() for more information. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 612 | * |
Hanno Becker | 07dc97d | 2019-05-20 15:08:01 +0100 | [diff] [blame] | 613 | * Note that this changes `rec->data_len`, and hence |
| 614 | * `post_avail` needs to be recalculated afterwards. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 615 | */ |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 616 | if( ssl_build_inner_plaintext( data, |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 617 | &rec->data_len, |
| 618 | post_avail, |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 619 | rec->type, |
| 620 | padding ) != 0 ) |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 621 | { |
| 622 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 623 | } |
| 624 | |
| 625 | rec->type = MBEDTLS_SSL_MSG_CID; |
| 626 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 627 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 628 | |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 629 | post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); |
| 630 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 631 | /* |
Manuel Pégourié-Gonnard | 0098e7d | 2014-10-28 13:08:59 +0100 | [diff] [blame] | 632 | * Add MAC before if needed |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 633 | */ |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 634 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 635 | if( mode == MBEDTLS_MODE_STREAM || |
| 636 | ( mode == MBEDTLS_MODE_CBC |
| 637 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 638 | && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 639 | #endif |
| 640 | ) ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 641 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 642 | if( post_avail < transform->maclen ) |
| 643 | { |
| 644 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 645 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 646 | } |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 647 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 648 | if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 649 | { |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 650 | unsigned char mac[MBEDTLS_SSL_MAC_ADD]; |
| 651 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 652 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
| 653 | transform->minor_ver ); |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 654 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 655 | mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 656 | add_data_len ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 657 | mbedtls_md_hmac_update( &transform->md_ctx_enc, |
| 658 | data, rec->data_len ); |
| 659 | mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); |
| 660 | mbedtls_md_hmac_reset( &transform->md_ctx_enc ); |
| 661 | |
| 662 | memcpy( data + rec->data_len, mac, transform->maclen ); |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 663 | } |
| 664 | else |
Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 665 | #endif |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 666 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 667 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 668 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 669 | } |
| 670 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 671 | MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len, |
| 672 | transform->maclen ); |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 673 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 674 | rec->data_len += transform->maclen; |
| 675 | post_avail -= transform->maclen; |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 676 | auth_done++; |
Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 677 | } |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 678 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 679 | |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 680 | /* |
| 681 | * Encrypt |
| 682 | */ |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 683 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 684 | if( mode == MBEDTLS_MODE_STREAM ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 685 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 686 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 687 | size_t olen; |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 688 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 689 | "including %d bytes of padding", |
| 690 | rec->data_len, 0 ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 691 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 692 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, |
| 693 | transform->iv_enc, transform->ivlen, |
| 694 | data, rec->data_len, |
| 695 | data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 696 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 697 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 698 | return( ret ); |
| 699 | } |
| 700 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 701 | if( rec->data_len != olen ) |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 702 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 703 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 704 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 705 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 706 | } |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 707 | else |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 708 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 709 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 710 | #if defined(MBEDTLS_GCM_C) || \ |
| 711 | defined(MBEDTLS_CCM_C) || \ |
| 712 | defined(MBEDTLS_CHACHAPOLY_C) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 713 | if( mode == MBEDTLS_MODE_GCM || |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 714 | mode == MBEDTLS_MODE_CCM || |
| 715 | mode == MBEDTLS_MODE_CHACHAPOLY ) |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 716 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 717 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 718 | unsigned char iv[12]; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 719 | unsigned char *dynamic_iv; |
| 720 | size_t dynamic_iv_len; |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 721 | int dynamic_iv_is_explicit = |
| 722 | ssl_transform_aead_dynamic_iv_is_explicit( transform ); |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 723 | |
Hanno Becker | bd5ed1d | 2020-05-21 15:26:39 +0100 | [diff] [blame] | 724 | /* Check that there's space for the authentication tag. */ |
| 725 | if( post_avail < transform->taglen ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 726 | { |
| 727 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 728 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 729 | } |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 730 | |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 731 | /* |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 732 | * Build nonce for AEAD encryption. |
| 733 | * |
| 734 | * Note: In the case of CCM and GCM in TLS 1.2, the dynamic |
| 735 | * part of the IV is prepended to the ciphertext and |
| 736 | * can be chosen freely - in particular, it need not |
| 737 | * agree with the record sequence number. |
| 738 | * However, since ChaChaPoly as well as all AEAD modes |
| 739 | * in TLS 1.3 use the record sequence number as the |
| 740 | * dynamic part of the nonce, we uniformly use the |
| 741 | * record sequence number here in all cases. |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 742 | */ |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 743 | dynamic_iv = rec->ctr; |
| 744 | dynamic_iv_len = sizeof( rec->ctr ); |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 745 | |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 746 | ssl_build_record_nonce( iv, sizeof( iv ), |
| 747 | transform->iv_enc, |
| 748 | transform->fixed_ivlen, |
| 749 | dynamic_iv, |
| 750 | dynamic_iv_len ); |
Manuel Pégourié-Gonnard | d056ce0 | 2014-10-29 22:29:20 +0100 | [diff] [blame] | 751 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 752 | /* |
| 753 | * Build additional data for AEAD encryption. |
| 754 | * This depends on the TLS version. |
| 755 | */ |
| 756 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
| 757 | transform->minor_ver ); |
Hanno Becker | 1f10d76 | 2019-04-26 13:34:37 +0100 | [diff] [blame] | 758 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 759 | MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)", |
Hanno Becker | 7cca358 | 2020-06-04 13:27:22 +0100 | [diff] [blame] | 760 | iv, transform->ivlen ); |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 761 | MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)", |
Hanno Becker | 16bf0e2 | 2020-06-04 13:27:34 +0100 | [diff] [blame] | 762 | dynamic_iv, |
| 763 | dynamic_iv_is_explicit ? dynamic_iv_len : 0 ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 764 | MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 765 | add_data, add_data_len ); |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 766 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 767 | "including 0 bytes of padding", |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 768 | rec->data_len ) ); |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 769 | |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 770 | /* |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 771 | * Encrypt and authenticate |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 772 | */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 773 | |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 774 | if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc, |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 775 | iv, transform->ivlen, |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 776 | add_data, add_data_len, |
| 777 | data, rec->data_len, /* src */ |
| 778 | data, rec->buf_len - (data - rec->buf), /* dst */ |
| 779 | &rec->data_len, |
| 780 | transform->taglen ) ) != 0 ) |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 781 | { |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 782 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt_ext", ret ); |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 783 | return( ret ); |
| 784 | } |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 785 | MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 786 | data + rec->data_len - transform->taglen, |
| 787 | transform->taglen ); |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 788 | /* Account for authentication tag. */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 789 | post_avail -= transform->taglen; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 790 | |
| 791 | /* |
| 792 | * Prefix record content with dynamic IV in case it is explicit. |
| 793 | */ |
Hanno Becker | 1cda266 | 2020-06-04 13:28:28 +0100 | [diff] [blame] | 794 | if( dynamic_iv_is_explicit != 0 ) |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 795 | { |
| 796 | if( rec->data_offset < dynamic_iv_len ) |
| 797 | { |
| 798 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 799 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 800 | } |
| 801 | |
| 802 | memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len ); |
| 803 | rec->data_offset -= dynamic_iv_len; |
| 804 | rec->data_len += dynamic_iv_len; |
| 805 | } |
| 806 | |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 807 | auth_done++; |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 808 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 809 | else |
Hanno Becker | c3f7b0b | 2020-05-28 16:27:16 +0100 | [diff] [blame] | 810 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 811 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 812 | if( mode == MBEDTLS_MODE_CBC ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 813 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 814 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 815 | size_t padlen, i; |
| 816 | size_t olen; |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 817 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 818 | /* Currently we're always using minimal padding |
| 819 | * (up to 255 bytes would be allowed). */ |
| 820 | padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen; |
| 821 | if( padlen == transform->ivlen ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 822 | padlen = 0; |
| 823 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 824 | /* Check there's enough space in the buffer for the padding. */ |
| 825 | if( post_avail < padlen + 1 ) |
| 826 | { |
| 827 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 828 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 829 | } |
| 830 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 831 | for( i = 0; i <= padlen; i++ ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 832 | data[rec->data_len + i] = (unsigned char) padlen; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 833 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 834 | rec->data_len += padlen + 1; |
| 835 | post_avail -= padlen + 1; |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 836 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 837 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 838 | /* |
TRodziewicz | 2d8800e | 2021-05-13 19:14:19 +0200 | [diff] [blame] | 839 | * Prepend per-record IV for block cipher in TLS v1.2 as per |
Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 840 | * Method 1 (6.2.3.2. in RFC4346 and RFC5246) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 841 | */ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 842 | if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 843 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 844 | if( f_rng == NULL ) |
| 845 | { |
| 846 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) ); |
| 847 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 848 | } |
| 849 | |
| 850 | if( rec->data_offset < transform->ivlen ) |
| 851 | { |
| 852 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 853 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 854 | } |
| 855 | |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 856 | /* |
| 857 | * Generate IV |
| 858 | */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 859 | ret = f_rng( p_rng, transform->iv_enc, transform->ivlen ); |
Paul Bakker | a3d195c | 2011-11-27 21:07:34 +0000 | [diff] [blame] | 860 | if( ret != 0 ) |
| 861 | return( ret ); |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 862 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 863 | memcpy( data - transform->ivlen, transform->iv_enc, |
| 864 | transform->ivlen ); |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 865 | |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 866 | } |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 867 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 868 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 869 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " |
| 870 | "including %" MBEDTLS_PRINTF_SIZET |
| 871 | " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding", |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 872 | rec->data_len, transform->ivlen, |
Paul Bakker | b9e4e2c | 2014-05-01 14:18:25 +0200 | [diff] [blame] | 873 | padlen + 1 ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 874 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 875 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, |
| 876 | transform->iv_enc, |
| 877 | transform->ivlen, |
| 878 | data, rec->data_len, |
| 879 | data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 880 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 881 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 882 | return( ret ); |
| 883 | } |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 884 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 885 | if( rec->data_len != olen ) |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 886 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 887 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 888 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 889 | } |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 890 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 891 | data -= transform->ivlen; |
| 892 | rec->data_offset -= transform->ivlen; |
| 893 | rec->data_len += transform->ivlen; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 894 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 895 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 896 | if( auth_done == 0 ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 897 | { |
Hanno Becker | 3d8c907 | 2018-01-05 16:24:22 +0000 | [diff] [blame] | 898 | unsigned char mac[MBEDTLS_SSL_MAC_ADD]; |
| 899 | |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 900 | /* |
| 901 | * MAC(MAC_write_key, seq_num + |
| 902 | * TLSCipherText.type + |
| 903 | * TLSCipherText.version + |
Manuel Pégourié-Gonnard | 08558e5 | 2014-11-04 14:40:21 +0100 | [diff] [blame] | 904 | * length_of( (IV +) ENC(...) ) + |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 905 | * IV + // except for TLS 1.0 |
| 906 | * ENC(content + padding + padding_length)); |
| 907 | */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 908 | |
| 909 | if( post_avail < transform->maclen) |
| 910 | { |
| 911 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 912 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 913 | } |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 914 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 915 | ssl_extract_add_data_from_record( add_data, &add_data_len, |
| 916 | rec, transform->minor_ver ); |
Hanno Becker | 1f10d76 | 2019-04-26 13:34:37 +0100 | [diff] [blame] | 917 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 918 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 919 | MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 920 | add_data_len ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 921 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 922 | mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 923 | add_data_len ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 924 | mbedtls_md_hmac_update( &transform->md_ctx_enc, |
| 925 | data, rec->data_len ); |
| 926 | mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); |
| 927 | mbedtls_md_hmac_reset( &transform->md_ctx_enc ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 928 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 929 | memcpy( data + rec->data_len, mac, transform->maclen ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 930 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 931 | rec->data_len += transform->maclen; |
| 932 | post_avail -= transform->maclen; |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 933 | auth_done++; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 934 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 935 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 936 | } |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 937 | else |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 938 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */ |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 939 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 940 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 941 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 942 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 943 | |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 944 | /* Make extra sure authentication was performed, exactly once */ |
| 945 | if( auth_done != 1 ) |
| 946 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 947 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 948 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 949 | } |
| 950 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 951 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 952 | |
| 953 | return( 0 ); |
| 954 | } |
| 955 | |
Manuel Pégourié-Gonnard | ed0e864 | 2020-07-21 11:20:30 +0200 | [diff] [blame] | 956 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 957 | /* |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 958 | * Turn a bit into a mask: |
| 959 | * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1 |
| 960 | * - if bit == 0, return the all-bits 0 mask, aka 0 |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 961 | * |
| 962 | * This function can be used to write constant-time code by replacing branches |
| 963 | * with bit operations using masks. |
| 964 | * |
| 965 | * This function is implemented without using comparison operators, as those |
| 966 | * might be translated to branches by some compilers on some platforms. |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 967 | */ |
| 968 | static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit ) |
| 969 | { |
| 970 | /* MSVC has a warning about unary minus on unsigned integer types, |
| 971 | * but this is well-defined and precisely what we want to do here. */ |
| 972 | #if defined(_MSC_VER) |
| 973 | #pragma warning( push ) |
| 974 | #pragma warning( disable : 4146 ) |
| 975 | #endif |
| 976 | return -bit; |
| 977 | #if defined(_MSC_VER) |
| 978 | #pragma warning( pop ) |
| 979 | #endif |
| 980 | } |
| 981 | |
| 982 | /* |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 983 | * Constant-flow mask generation for "less than" comparison: |
| 984 | * - if x < y, return all bits 1, that is (size_t) -1 |
| 985 | * - otherwise, return all bits 0, that is 0 |
| 986 | * |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 987 | * This function can be used to write constant-time code by replacing branches |
| 988 | * with bit operations using masks. |
| 989 | * |
| 990 | * This function is implemented without using comparison operators, as those |
| 991 | * might be translated to branches by some compilers on some platforms. |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 992 | */ |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 993 | static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 994 | { |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 995 | /* This has the most significant bit set if and only if x < y */ |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 996 | const size_t sub = x - y; |
| 997 | |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 998 | /* sub1 = (x < y) ? 1 : 0 */ |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 999 | const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); |
| 1000 | |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1001 | /* mask = (x < y) ? 0xff... : 0x00... */ |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 1002 | const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 ); |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1003 | |
| 1004 | return( mask ); |
| 1005 | } |
| 1006 | |
| 1007 | /* |
| 1008 | * Constant-flow mask generation for "greater or equal" comparison: |
| 1009 | * - if x >= y, return all bits 1, that is (size_t) -1 |
| 1010 | * - otherwise, return all bits 0, that is 0 |
| 1011 | * |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 1012 | * This function can be used to write constant-time code by replacing branches |
| 1013 | * with bit operations using masks. |
| 1014 | * |
| 1015 | * This function is implemented without using comparison operators, as those |
| 1016 | * might be translated to branches by some compilers on some platforms. |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1017 | */ |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 1018 | static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y ) |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1019 | { |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 1020 | return( ~mbedtls_ssl_cf_mask_lt( x, y ) ); |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1021 | } |
| 1022 | |
| 1023 | /* |
| 1024 | * Constant-flow boolean "equal" comparison: |
| 1025 | * return x == y |
| 1026 | * |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 1027 | * This function can be used to write constant-time code by replacing branches |
| 1028 | * with bit operations - it can be used in conjunction with |
| 1029 | * mbedtls_ssl_cf_mask_from_bit(). |
| 1030 | * |
| 1031 | * This function is implemented without using comparison operators, as those |
| 1032 | * might be translated to branches by some compilers on some platforms. |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1033 | */ |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 1034 | static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y ) |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1035 | { |
| 1036 | /* diff = 0 if x == y, non-zero otherwise */ |
| 1037 | const size_t diff = x ^ y; |
| 1038 | |
| 1039 | /* MSVC has a warning about unary minus on unsigned integer types, |
| 1040 | * but this is well-defined and precisely what we want to do here. */ |
| 1041 | #if defined(_MSC_VER) |
| 1042 | #pragma warning( push ) |
| 1043 | #pragma warning( disable : 4146 ) |
| 1044 | #endif |
| 1045 | |
| 1046 | /* diff_msb's most significant bit is equal to x != y */ |
| 1047 | const size_t diff_msb = ( diff | -diff ); |
| 1048 | |
| 1049 | #if defined(_MSC_VER) |
| 1050 | #pragma warning( pop ) |
| 1051 | #endif |
| 1052 | |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 1053 | /* diff1 = (x != y) ? 1 : 0 */ |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1054 | const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); |
| 1055 | |
| 1056 | return( 1 ^ diff1 ); |
| 1057 | } |
| 1058 | |
| 1059 | /* |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1060 | * Constant-flow conditional memcpy: |
| 1061 | * - if c1 == c2, equivalent to memcpy(dst, src, len), |
| 1062 | * - otherwise, a no-op, |
| 1063 | * but with execution flow independent of the values of c1 and c2. |
| 1064 | * |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 1065 | * This function is implemented without using comparison operators, as those |
| 1066 | * might be translated to branches by some compilers on some platforms. |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1067 | */ |
Manuel Pégourié-Gonnard | e747843 | 2020-07-24 11:09:22 +0200 | [diff] [blame] | 1068 | static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, |
| 1069 | const unsigned char *src, |
| 1070 | size_t len, |
| 1071 | size_t c1, size_t c2 ) |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1072 | { |
Manuel Pégourié-Gonnard | 6e2a9a7 | 2020-08-25 10:01:00 +0200 | [diff] [blame] | 1073 | /* mask = c1 == c2 ? 0xff : 0x00 */ |
| 1074 | const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 ); |
Manuel Pégourié-Gonnard | 2a59fb4 | 2020-08-25 11:51:46 +0200 | [diff] [blame] | 1075 | const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal ); |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1076 | |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 1077 | /* dst[i] = c1 == c2 ? src[i] : dst[i] */ |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1078 | for( size_t i = 0; i < len; i++ ) |
Manuel Pégourié-Gonnard | 6d6f8a4 | 2020-09-25 09:56:53 +0200 | [diff] [blame] | 1079 | dst[i] = ( src[i] & mask ) | ( dst[i] & ~mask ); |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1080 | } |
| 1081 | |
| 1082 | /* |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 1083 | * Compute HMAC of variable-length data with constant flow. |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1084 | * |
| 1085 | * Only works with MD-5, SHA-1, SHA-256 and SHA-384. |
| 1086 | * (Otherwise, computation of block_size needs to be adapted.) |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 1087 | */ |
Manuel Pégourié-Gonnard | 65a6fa3 | 2020-07-09 09:52:17 +0200 | [diff] [blame] | 1088 | MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 1089 | mbedtls_md_context_t *ctx, |
| 1090 | const unsigned char *add_data, size_t add_data_len, |
| 1091 | const unsigned char *data, size_t data_len_secret, |
| 1092 | size_t min_data_len, size_t max_data_len, |
| 1093 | unsigned char *output ) |
| 1094 | { |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1095 | /* |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1096 | * This function breaks the HMAC abstraction and uses the md_clone() |
| 1097 | * extension to the MD API in order to get constant-flow behaviour. |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1098 | * |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1099 | * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means |
Manuel Pégourié-Gonnard | baccf80 | 2020-07-22 10:37:27 +0200 | [diff] [blame] | 1100 | * concatenation, and okey/ikey are the XOR of the key with some fixed bit |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1101 | * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1102 | * |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1103 | * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to |
| 1104 | * minlen, then cloning the context, and for each byte up to maxlen |
| 1105 | * finishing up the hash computation, keeping only the correct result. |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1106 | * |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1107 | * Then we only need to compute HASH(okey + inner_hash) and we're done. |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1108 | */ |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1109 | const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); |
Manuel Pégourié-Gonnard | baccf80 | 2020-07-22 10:37:27 +0200 | [diff] [blame] | 1110 | /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5, |
| 1111 | * all of which have the same block size except SHA-384. */ |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1112 | const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; |
Manuel Pégourié-Gonnard | 9713e13 | 2020-07-22 10:40:31 +0200 | [diff] [blame] | 1113 | const unsigned char * const ikey = ctx->hmac_ctx; |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1114 | const unsigned char * const okey = ikey + block_size; |
| 1115 | const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1116 | |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1117 | unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; |
| 1118 | mbedtls_md_context_t aux; |
| 1119 | size_t offset; |
Manuel Pégourié-Gonnard | e0765f3 | 2020-07-22 12:22:51 +0200 | [diff] [blame] | 1120 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1121 | |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1122 | mbedtls_md_init( &aux ); |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1123 | |
| 1124 | #define MD_CHK( func_call ) \ |
| 1125 | do { \ |
| 1126 | ret = (func_call); \ |
| 1127 | if( ret != 0 ) \ |
| 1128 | goto cleanup; \ |
| 1129 | } while( 0 ) |
| 1130 | |
| 1131 | MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) ); |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1132 | |
| 1133 | /* After hmac_start() of hmac_reset(), ikey has already been hashed, |
| 1134 | * so we can start directly with the message */ |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1135 | MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) ); |
| 1136 | MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) ); |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1137 | |
| 1138 | /* For each possible length, compute the hash up to that point */ |
| 1139 | for( offset = min_data_len; offset <= max_data_len; offset++ ) |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1140 | { |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1141 | MD_CHK( mbedtls_md_clone( &aux, ctx ) ); |
| 1142 | MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1143 | /* Keep only the correct inner_hash in the output buffer */ |
| 1144 | mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, |
| 1145 | offset, data_len_secret ); |
| 1146 | |
| 1147 | if( offset < max_data_len ) |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1148 | MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1149 | } |
| 1150 | |
Manuel Pégourié-Gonnard | 5ca21db | 2021-05-17 12:28:08 +0200 | [diff] [blame] | 1151 | /* The context needs to finish() before it starts() again */ |
| 1152 | MD_CHK( mbedtls_md_finish( ctx, aux_out ) ); |
| 1153 | |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1154 | /* Now compute HASH(okey + inner_hash) */ |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1155 | MD_CHK( mbedtls_md_starts( ctx ) ); |
| 1156 | MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); |
| 1157 | MD_CHK( mbedtls_md_update( ctx, output, hash_size ) ); |
| 1158 | MD_CHK( mbedtls_md_finish( ctx, output ) ); |
Manuel Pégourié-Gonnard | 8aa29e3 | 2020-07-07 12:30:39 +0200 | [diff] [blame] | 1159 | |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1160 | /* Done, get ready for next time */ |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1161 | MD_CHK( mbedtls_md_hmac_reset( ctx ) ); |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 1162 | |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1163 | #undef MD_CHK |
| 1164 | |
| 1165 | cleanup: |
Manuel Pégourié-Gonnard | 7a8b1e6 | 2020-07-15 11:52:14 +0200 | [diff] [blame] | 1166 | mbedtls_md_free( &aux ); |
Manuel Pégourié-Gonnard | 44c9fdd | 2020-07-22 10:48:47 +0200 | [diff] [blame] | 1167 | return( ret ); |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 1168 | } |
Manuel Pégourié-Gonnard | 7fe2c5f | 2020-08-18 12:02:54 +0200 | [diff] [blame] | 1169 | |
| 1170 | /* |
| 1171 | * Constant-flow memcpy from variable position in buffer. |
| 1172 | * - functionally equivalent to memcpy(dst, src + offset_secret, len) |
Manuel Pégourié-Gonnard | ba6fc97 | 2020-08-24 12:59:55 +0200 | [diff] [blame] | 1173 | * - but with execution flow independent from the value of offset_secret. |
Manuel Pégourié-Gonnard | 7fe2c5f | 2020-08-18 12:02:54 +0200 | [diff] [blame] | 1174 | */ |
| 1175 | MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( |
| 1176 | unsigned char *dst, |
| 1177 | const unsigned char *src_base, |
| 1178 | size_t offset_secret, |
| 1179 | size_t offset_min, size_t offset_max, |
| 1180 | size_t len ) |
| 1181 | { |
Manuel Pégourié-Gonnard | de1cf2c5 | 2020-08-19 12:35:30 +0200 | [diff] [blame] | 1182 | size_t offset; |
| 1183 | |
| 1184 | for( offset = offset_min; offset <= offset_max; offset++ ) |
| 1185 | { |
| 1186 | mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len, |
| 1187 | offset, offset_secret ); |
| 1188 | } |
Manuel Pégourié-Gonnard | 7fe2c5f | 2020-08-18 12:02:54 +0200 | [diff] [blame] | 1189 | } |
Manuel Pégourié-Gonnard | ed0e864 | 2020-07-21 11:20:30 +0200 | [diff] [blame] | 1190 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ |
Manuel Pégourié-Gonnard | 045f094 | 2020-07-02 11:34:02 +0200 | [diff] [blame] | 1191 | |
Hanno Becker | 605949f | 2019-07-12 08:23:59 +0100 | [diff] [blame] | 1192 | int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 1193 | mbedtls_ssl_transform *transform, |
| 1194 | mbedtls_record *rec ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1195 | { |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1196 | size_t olen; |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1197 | mbedtls_cipher_mode_t mode; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1198 | int ret, auth_done = 0; |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 1199 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Paul Bakker | 1e5369c | 2013-12-19 16:40:57 +0100 | [diff] [blame] | 1200 | size_t padlen = 0, correct = 1; |
| 1201 | #endif |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1202 | unsigned char* data; |
Hanno Becker | 92fb4fa | 2019-05-20 14:54:26 +0100 | [diff] [blame] | 1203 | unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ]; |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1204 | size_t add_data_len; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1205 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 1206 | #if !defined(MBEDTLS_DEBUG_C) |
Manuel Pégourié-Gonnard | a7505d1 | 2019-05-07 10:17:56 +0200 | [diff] [blame] | 1207 | ssl = NULL; /* make sure we don't use it except for debug */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1208 | ((void) ssl); |
| 1209 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1210 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1211 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1212 | if( rec == NULL || |
| 1213 | rec->buf == NULL || |
| 1214 | rec->buf_len < rec->data_offset || |
| 1215 | rec->buf_len - rec->data_offset < rec->data_len ) |
| 1216 | { |
| 1217 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1218 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1219 | } |
| 1220 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1221 | data = rec->buf + rec->data_offset; |
| 1222 | mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1223 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1224 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1225 | /* |
| 1226 | * Match record's CID with incoming CID. |
| 1227 | */ |
Hanno Becker | 938489a | 2019-05-08 13:02:22 +0100 | [diff] [blame] | 1228 | if( rec->cid_len != transform->in_cid_len || |
| 1229 | memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) |
| 1230 | { |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 1231 | return( MBEDTLS_ERR_SSL_UNEXPECTED_CID ); |
Hanno Becker | 938489a | 2019-05-08 13:02:22 +0100 | [diff] [blame] | 1232 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1233 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1234 | |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 1235 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1236 | if( mode == MBEDTLS_MODE_STREAM ) |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1237 | { |
| 1238 | padlen = 0; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1239 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec, |
| 1240 | transform->iv_dec, |
| 1241 | transform->ivlen, |
| 1242 | data, rec->data_len, |
| 1243 | data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 1244 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1245 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1246 | return( ret ); |
| 1247 | } |
| 1248 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1249 | if( rec->data_len != olen ) |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1250 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1251 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1252 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1253 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1254 | } |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1255 | else |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 1256 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */ |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1257 | #if defined(MBEDTLS_GCM_C) || \ |
| 1258 | defined(MBEDTLS_CCM_C) || \ |
| 1259 | defined(MBEDTLS_CHACHAPOLY_C) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1260 | if( mode == MBEDTLS_MODE_GCM || |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1261 | mode == MBEDTLS_MODE_CCM || |
| 1262 | mode == MBEDTLS_MODE_CHACHAPOLY ) |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1263 | { |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1264 | unsigned char iv[12]; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1265 | unsigned char *dynamic_iv; |
| 1266 | size_t dynamic_iv_len; |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1267 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1268 | /* |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1269 | * Extract dynamic part of nonce for AEAD decryption. |
| 1270 | * |
| 1271 | * Note: In the case of CCM and GCM in TLS 1.2, the dynamic |
| 1272 | * part of the IV is prepended to the ciphertext and |
| 1273 | * can be chosen freely - in particular, it need not |
| 1274 | * agree with the record sequence number. |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1275 | */ |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1276 | dynamic_iv_len = sizeof( rec->ctr ); |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 1277 | if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 ) |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1278 | { |
| 1279 | if( rec->data_len < dynamic_iv_len ) |
| 1280 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1281 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1282 | " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ", |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1283 | rec->data_len, |
| 1284 | dynamic_iv_len ) ); |
| 1285 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
| 1286 | } |
| 1287 | dynamic_iv = data; |
| 1288 | |
| 1289 | data += dynamic_iv_len; |
| 1290 | rec->data_offset += dynamic_iv_len; |
| 1291 | rec->data_len -= dynamic_iv_len; |
| 1292 | } |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 1293 | else |
| 1294 | { |
| 1295 | dynamic_iv = rec->ctr; |
| 1296 | } |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1297 | |
| 1298 | /* Check that there's space for the authentication tag. */ |
| 1299 | if( rec->data_len < transform->taglen ) |
| 1300 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1301 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1302 | ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ", |
Christian von Arnim | 883d304 | 2020-12-01 11:58:29 +0100 | [diff] [blame] | 1303 | rec->data_len, |
| 1304 | transform->taglen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1305 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | 0bcc4e1 | 2014-06-17 10:54:17 +0200 | [diff] [blame] | 1306 | } |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1307 | rec->data_len -= transform->taglen; |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1308 | |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1309 | /* |
| 1310 | * Prepare nonce from dynamic and static parts. |
| 1311 | */ |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 1312 | ssl_build_record_nonce( iv, sizeof( iv ), |
| 1313 | transform->iv_dec, |
| 1314 | transform->fixed_ivlen, |
| 1315 | dynamic_iv, |
| 1316 | dynamic_iv_len ); |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1317 | |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1318 | /* |
| 1319 | * Build additional data for AEAD encryption. |
| 1320 | * This depends on the TLS version. |
| 1321 | */ |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1322 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
| 1323 | transform->minor_ver ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1324 | MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1325 | add_data, add_data_len ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1326 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1327 | /* Because of the check above, we know that there are |
| 1328 | * explicit_iv_len Bytes preceeding data, and taglen |
| 1329 | * bytes following data + data_len. This justifies |
Hanno Becker | 2001665 | 2019-07-10 11:44:13 +0100 | [diff] [blame] | 1330 | * the debug message and the invocation of |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 1331 | * mbedtls_cipher_auth_decrypt_ext() below. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1332 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1333 | MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1334 | MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len, |
Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 1335 | transform->taglen ); |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1336 | |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1337 | /* |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 1338 | * Decrypt and authenticate |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1339 | */ |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 1340 | if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec, |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1341 | iv, transform->ivlen, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1342 | add_data, add_data_len, |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 1343 | data, rec->data_len + transform->taglen, /* src */ |
| 1344 | data, rec->buf_len - (data - rec->buf), &olen, /* dst */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1345 | transform->taglen ) ) != 0 ) |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1346 | { |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 1347 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt_ext", ret ); |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 1348 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1349 | if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) |
| 1350 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 1351 | |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1352 | return( ret ); |
| 1353 | } |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1354 | auth_done++; |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1355 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1356 | /* Double-check that AEAD decryption doesn't change content length. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1357 | if( olen != rec->data_len ) |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1358 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1359 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1360 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1361 | } |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1362 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1363 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1364 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 1365 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1366 | if( mode == MBEDTLS_MODE_CBC ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1367 | { |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 1368 | size_t minlen = 0; |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1369 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1370 | /* |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1371 | * Check immediate ciphertext sanity |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1372 | */ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1373 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 1374 | if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1375 | { |
| 1376 | /* The ciphertext is prefixed with the CBC IV. */ |
| 1377 | minlen += transform->ivlen; |
| 1378 | } |
Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 1379 | #endif |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1380 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1381 | /* Size considerations: |
| 1382 | * |
| 1383 | * - The CBC cipher text must not be empty and hence |
| 1384 | * at least of size transform->ivlen. |
| 1385 | * |
| 1386 | * Together with the potential IV-prefix, this explains |
| 1387 | * the first of the two checks below. |
| 1388 | * |
| 1389 | * - The record must contain a MAC, either in plain or |
| 1390 | * encrypted, depending on whether Encrypt-then-MAC |
| 1391 | * is used or not. |
| 1392 | * - If it is, the message contains the IV-prefix, |
| 1393 | * the CBC ciphertext, and the MAC. |
| 1394 | * - If it is not, the padded plaintext, and hence |
| 1395 | * the CBC ciphertext, has at least length maclen + 1 |
| 1396 | * because there is at least the padding length byte. |
| 1397 | * |
| 1398 | * As the CBC ciphertext is not empty, both cases give the |
| 1399 | * lower bound minlen + maclen + 1 on the record size, which |
| 1400 | * we test for in the second check below. |
| 1401 | */ |
| 1402 | if( rec->data_len < minlen + transform->ivlen || |
| 1403 | rec->data_len < minlen + transform->maclen + 1 ) |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1404 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1405 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1406 | ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET |
| 1407 | "), maclen (%" MBEDTLS_PRINTF_SIZET ") " |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1408 | "+ 1 ) ( + expl IV )", rec->data_len, |
| 1409 | transform->ivlen, |
| 1410 | transform->maclen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1411 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1412 | } |
| 1413 | |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1414 | /* |
| 1415 | * Authenticate before decrypt if enabled |
| 1416 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1417 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1418 | if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1419 | { |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 1420 | unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1421 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1422 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1423 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1424 | /* Update data_len in tandem with add_data. |
| 1425 | * |
| 1426 | * The subtraction is safe because of the previous check |
| 1427 | * data_len >= minlen + maclen + 1. |
| 1428 | * |
| 1429 | * Afterwards, we know that data + data_len is followed by at |
| 1430 | * least maclen Bytes, which justifies the call to |
| 1431 | * mbedtls_ssl_safer_memcmp() below. |
| 1432 | * |
| 1433 | * Further, we still know that data_len > minlen */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1434 | rec->data_len -= transform->maclen; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1435 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
| 1436 | transform->minor_ver ); |
Manuel Pégourié-Gonnard | 08558e5 | 2014-11-04 14:40:21 +0100 | [diff] [blame] | 1437 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1438 | /* Calculate expected MAC. */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1439 | MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, |
| 1440 | add_data_len ); |
| 1441 | mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data, |
| 1442 | add_data_len ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1443 | mbedtls_md_hmac_update( &transform->md_ctx_dec, |
| 1444 | data, rec->data_len ); |
| 1445 | mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect ); |
| 1446 | mbedtls_md_hmac_reset( &transform->md_ctx_dec ); |
Manuel Pégourié-Gonnard | 08558e5 | 2014-11-04 14:40:21 +0100 | [diff] [blame] | 1447 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1448 | MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, |
| 1449 | transform->maclen ); |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 1450 | MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1451 | transform->maclen ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1452 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1453 | /* Compare expected MAC with MAC at the end of the record. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1454 | if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect, |
| 1455 | transform->maclen ) != 0 ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1456 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1457 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1458 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1459 | } |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1460 | auth_done++; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1461 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1462 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1463 | |
| 1464 | /* |
| 1465 | * Check length sanity |
| 1466 | */ |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1467 | |
| 1468 | /* We know from above that data_len > minlen >= 0, |
| 1469 | * so the following check in particular implies that |
| 1470 | * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1471 | if( rec->data_len % transform->ivlen != 0 ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1472 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1473 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1474 | ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0", |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1475 | rec->data_len, transform->ivlen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1476 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1477 | } |
| 1478 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1479 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1480 | /* |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1481 | * Initialize for prepended IV for block cipher in TLS v1.2 |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1482 | */ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1483 | if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1484 | { |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1485 | /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1486 | memcpy( transform->iv_dec, data, transform->ivlen ); |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1487 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1488 | data += transform->ivlen; |
| 1489 | rec->data_offset += transform->ivlen; |
| 1490 | rec->data_len -= transform->ivlen; |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1491 | } |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1492 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1493 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1494 | /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */ |
| 1495 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1496 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec, |
| 1497 | transform->iv_dec, transform->ivlen, |
| 1498 | data, rec->data_len, data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 1499 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1500 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1501 | return( ret ); |
| 1502 | } |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 1503 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1504 | /* Double-check that length hasn't changed during decryption. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1505 | if( rec->data_len != olen ) |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1506 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1507 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1508 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1509 | } |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 1510 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1511 | /* Safe since data_len >= minlen + maclen + 1, so after having |
| 1512 | * subtracted at most minlen and maclen up to this point, |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1513 | * data_len > 0 (because of data_len % ivlen == 0, it's actually |
| 1514 | * >= ivlen ). */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1515 | padlen = data[rec->data_len - 1]; |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1516 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1517 | if( auth_done == 1 ) |
| 1518 | { |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1519 | const size_t mask = mbedtls_ssl_cf_mask_ge( |
| 1520 | rec->data_len, |
| 1521 | padlen + 1 ); |
| 1522 | correct &= mask; |
| 1523 | padlen &= mask; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1524 | } |
| 1525 | else |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1526 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1527 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1528 | if( rec->data_len < transform->maclen + padlen + 1 ) |
| 1529 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1530 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1531 | ") < maclen (%" MBEDTLS_PRINTF_SIZET |
| 1532 | ") + padlen (%" MBEDTLS_PRINTF_SIZET ")", |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1533 | rec->data_len, |
| 1534 | transform->maclen, |
| 1535 | padlen + 1 ) ); |
| 1536 | } |
Paul Bakker | d66f070 | 2013-01-31 16:57:45 +0100 | [diff] [blame] | 1537 | #endif |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1538 | |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1539 | const size_t mask = mbedtls_ssl_cf_mask_ge( |
| 1540 | rec->data_len, |
| 1541 | transform->maclen + padlen + 1 ); |
| 1542 | correct &= mask; |
| 1543 | padlen &= mask; |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1544 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1545 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1546 | padlen++; |
| 1547 | |
| 1548 | /* Regardless of the validity of the padding, |
| 1549 | * we have data_len >= padlen here. */ |
| 1550 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1551 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1552 | /* The padding check involves a series of up to 256 |
| 1553 | * consecutive memory reads at the end of the record |
| 1554 | * plaintext buffer. In order to hide the length and |
| 1555 | * validity of the padding, always perform exactly |
| 1556 | * `min(256,plaintext_len)` reads (but take into account |
| 1557 | * only the last `padlen` bytes for the padding check). */ |
| 1558 | size_t pad_count = 0; |
| 1559 | volatile unsigned char* const check = data; |
| 1560 | |
| 1561 | /* Index of first padding byte; it has been ensured above |
| 1562 | * that the subtraction is safe. */ |
| 1563 | size_t const padding_idx = rec->data_len - padlen; |
| 1564 | size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256; |
| 1565 | size_t const start_idx = rec->data_len - num_checks; |
| 1566 | size_t idx; |
| 1567 | |
| 1568 | for( idx = start_idx; idx < rec->data_len; idx++ ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1569 | { |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1570 | /* pad_count += (idx >= padding_idx) && |
| 1571 | * (check[idx] == padlen - 1); |
| 1572 | */ |
| 1573 | const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx ); |
| 1574 | const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx], |
| 1575 | padlen - 1 ); |
| 1576 | pad_count += mask & equal; |
| 1577 | } |
| 1578 | correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen ); |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 1579 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1580 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1581 | if( padlen > 0 && correct == 0 ) |
| 1582 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); |
Paul Bakker | d66f070 | 2013-01-31 16:57:45 +0100 | [diff] [blame] | 1583 | #endif |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1584 | padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); |
| 1585 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1586 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1587 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1588 | /* If the padding was found to be invalid, padlen == 0 |
| 1589 | * and the subtraction is safe. If the padding was found valid, |
| 1590 | * padlen hasn't been changed and the previous assertion |
| 1591 | * data_len >= padlen still holds. */ |
| 1592 | rec->data_len -= padlen; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1593 | } |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1594 | else |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 1595 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */ |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1596 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1597 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1598 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1599 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1600 | |
Manuel Pégourié-Gonnard | 6a25cfa | 2018-07-10 11:15:36 +0200 | [diff] [blame] | 1601 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1602 | MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1603 | data, rec->data_len ); |
Manuel Pégourié-Gonnard | 6a25cfa | 2018-07-10 11:15:36 +0200 | [diff] [blame] | 1604 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1605 | |
| 1606 | /* |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1607 | * Authenticate if not done yet. |
| 1608 | * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1609 | */ |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 1610 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1611 | if( auth_done == 0 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1612 | { |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 1613 | unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; |
Manuel Pégourié-Gonnard | 3c31afa | 2020-08-13 12:08:54 +0200 | [diff] [blame] | 1614 | unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD]; |
Paul Bakker | 1e5369c | 2013-12-19 16:40:57 +0100 | [diff] [blame] | 1615 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1616 | /* If the initial value of padlen was such that |
| 1617 | * data_len < maclen + padlen + 1, then padlen |
| 1618 | * got reset to 1, and the initial check |
| 1619 | * data_len >= minlen + maclen + 1 |
| 1620 | * guarantees that at this point we still |
| 1621 | * have at least data_len >= maclen. |
| 1622 | * |
| 1623 | * If the initial value of padlen was such that |
| 1624 | * data_len >= maclen + padlen + 1, then we have |
| 1625 | * subtracted either padlen + 1 (if the padding was correct) |
| 1626 | * or 0 (if the padding was incorrect) since then, |
| 1627 | * hence data_len >= maclen in any case. |
| 1628 | */ |
| 1629 | rec->data_len -= transform->maclen; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1630 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
| 1631 | transform->minor_ver ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1632 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1633 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1634 | /* |
| 1635 | * The next two sizes are the minimum and maximum values of |
| 1636 | * data_len over all padlen values. |
| 1637 | * |
| 1638 | * They're independent of padlen, since we previously did |
| 1639 | * data_len -= padlen. |
| 1640 | * |
| 1641 | * Note that max_len + maclen is never more than the buffer |
| 1642 | * length, as we previously did in_msglen -= maclen too. |
| 1643 | */ |
| 1644 | const size_t max_len = rec->data_len + padlen; |
| 1645 | const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; |
| 1646 | |
| 1647 | ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec, |
| 1648 | add_data, add_data_len, |
| 1649 | data, rec->data_len, min_len, max_len, |
| 1650 | mac_expect ); |
| 1651 | if( ret != 0 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1652 | { |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1653 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret ); |
| 1654 | return( ret ); |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1655 | } |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1656 | |
| 1657 | mbedtls_ssl_cf_memcpy_offset( mac_peer, data, |
| 1658 | rec->data_len, |
| 1659 | min_len, max_len, |
| 1660 | transform->maclen ); |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1661 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1662 | |
Manuel Pégourié-Gonnard | 7b42030 | 2018-06-28 10:38:35 +0200 | [diff] [blame] | 1663 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1664 | MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen ); |
Manuel Pégourié-Gonnard | 3c31afa | 2020-08-13 12:08:54 +0200 | [diff] [blame] | 1665 | MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen ); |
Manuel Pégourié-Gonnard | 7b42030 | 2018-06-28 10:38:35 +0200 | [diff] [blame] | 1666 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1667 | |
Manuel Pégourié-Gonnard | 3c31afa | 2020-08-13 12:08:54 +0200 | [diff] [blame] | 1668 | if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect, |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1669 | transform->maclen ) != 0 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1670 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1671 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| 1672 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 1673 | #endif |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1674 | correct = 0; |
| 1675 | } |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1676 | auth_done++; |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1677 | } |
Hanno Becker | dd3ab13 | 2018-10-17 14:43:14 +0100 | [diff] [blame] | 1678 | |
| 1679 | /* |
| 1680 | * Finally check the correct flag |
| 1681 | */ |
| 1682 | if( correct == 0 ) |
| 1683 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 1684 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1685 | |
| 1686 | /* Make extra sure authentication was performed, exactly once */ |
| 1687 | if( auth_done != 1 ) |
| 1688 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1689 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1690 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1691 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1692 | |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 1693 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) |
| 1694 | if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 1695 | { |
| 1696 | /* Remove inner padding and infer true content type. */ |
| 1697 | ret = ssl_parse_inner_plaintext( data, &rec->data_len, |
| 1698 | &rec->type ); |
| 1699 | |
| 1700 | if( ret != 0 ) |
| 1701 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 1702 | } |
| 1703 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ |
| 1704 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1705 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 1706 | if( rec->cid_len != 0 ) |
| 1707 | { |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 1708 | ret = ssl_parse_inner_plaintext( data, &rec->data_len, |
| 1709 | &rec->type ); |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 1710 | if( ret != 0 ) |
| 1711 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 1712 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1713 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 1714 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1715 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1716 | |
| 1717 | return( 0 ); |
| 1718 | } |
| 1719 | |
Manuel Pégourié-Gonnard | 0098e7d | 2014-10-28 13:08:59 +0100 | [diff] [blame] | 1720 | #undef MAC_NONE |
| 1721 | #undef MAC_PLAINTEXT |
| 1722 | #undef MAC_CIPHERTEXT |
| 1723 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1724 | /* |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1725 | * Fill the input message buffer by appending data to it. |
| 1726 | * The amount of data already fetched is in ssl->in_left. |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1727 | * |
| 1728 | * If we return 0, is it guaranteed that (at least) nb_want bytes are |
| 1729 | * available (from this read and/or a previous one). Otherwise, an error code |
| 1730 | * is returned (possibly EOF or WANT_READ). |
| 1731 | * |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1732 | * With stream transport (TLS) on success ssl->in_left == nb_want, but |
| 1733 | * with datagram transport (DTLS) on success ssl->in_left >= nb_want, |
| 1734 | * since we always read a whole datagram at once. |
| 1735 | * |
Manuel Pégourié-Gonnard | 64dffc5 | 2014-09-02 13:39:16 +0200 | [diff] [blame] | 1736 | * For DTLS, it is up to the caller to set ssl->next_record_offset when |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1737 | * they're done reading a record. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1738 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1739 | int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1740 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1741 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1742 | size_t len; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 1743 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 1744 | size_t in_buf_len = ssl->in_buf_len; |
| 1745 | #else |
| 1746 | size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; |
| 1747 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1748 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1749 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1750 | |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1751 | if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) |
| 1752 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1753 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " |
Manuel Pégourié-Gonnard | 1b511f9 | 2015-05-06 15:54:23 +0100 | [diff] [blame] | 1754 | "or mbedtls_ssl_set_bio()" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1755 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1756 | } |
| 1757 | |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 1758 | if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) ) |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 1759 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1760 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); |
| 1761 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 1762 | } |
| 1763 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1764 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1765 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1766 | { |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1767 | uint32_t timeout; |
| 1768 | |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1769 | /* |
| 1770 | * The point is, we need to always read a full datagram at once, so we |
| 1771 | * sometimes read more then requested, and handle the additional data. |
| 1772 | * It could be the rest of the current record (while fetching the |
| 1773 | * header) and/or some other records in the same datagram. |
| 1774 | */ |
| 1775 | |
| 1776 | /* |
| 1777 | * Move to the next record in the already read datagram if applicable |
| 1778 | */ |
| 1779 | if( ssl->next_record_offset != 0 ) |
| 1780 | { |
| 1781 | if( ssl->in_left < ssl->next_record_offset ) |
| 1782 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1783 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1784 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1785 | } |
| 1786 | |
| 1787 | ssl->in_left -= ssl->next_record_offset; |
| 1788 | |
| 1789 | if( ssl->in_left != 0 ) |
| 1790 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1791 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %" |
| 1792 | MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1793 | ssl->next_record_offset ) ); |
| 1794 | memmove( ssl->in_hdr, |
| 1795 | ssl->in_hdr + ssl->next_record_offset, |
| 1796 | ssl->in_left ); |
| 1797 | } |
| 1798 | |
| 1799 | ssl->next_record_offset = 0; |
| 1800 | } |
| 1801 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1802 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET |
| 1803 | ", nb_want: %" MBEDTLS_PRINTF_SIZET, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1804 | ssl->in_left, nb_want ) ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1805 | |
| 1806 | /* |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1807 | * Done if we already have enough data. |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1808 | */ |
| 1809 | if( nb_want <= ssl->in_left) |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 1810 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1811 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1812 | return( 0 ); |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 1813 | } |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1814 | |
| 1815 | /* |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 1816 | * A record can't be split across datagrams. If we need to read but |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1817 | * are not at the beginning of a new record, the caller did something |
| 1818 | * wrong. |
| 1819 | */ |
| 1820 | if( ssl->in_left != 0 ) |
| 1821 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1822 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1823 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1824 | } |
| 1825 | |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1826 | /* |
| 1827 | * Don't even try to read if time's out already. |
| 1828 | * This avoids by-passing the timer when repeatedly receiving messages |
| 1829 | * that will end up being dropped. |
| 1830 | */ |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 1831 | if( mbedtls_ssl_check_timer( ssl ) != 0 ) |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 1832 | { |
| 1833 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) ); |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1834 | ret = MBEDTLS_ERR_SSL_TIMEOUT; |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 1835 | } |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1836 | else |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 1837 | { |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 1838 | len = in_buf_len - ( ssl->in_hdr - ssl->in_buf ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1839 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1840 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1841 | timeout = ssl->handshake->retransmit_timeout; |
| 1842 | else |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1843 | timeout = ssl->conf->read_timeout; |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1844 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1845 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1846 | |
Manuel Pégourié-Gonnard | 0761733 | 2015-06-24 23:00:03 +0200 | [diff] [blame] | 1847 | if( ssl->f_recv_timeout != NULL ) |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1848 | ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, |
| 1849 | timeout ); |
| 1850 | else |
| 1851 | ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); |
| 1852 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1853 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1854 | |
| 1855 | if( ret == 0 ) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1856 | return( MBEDTLS_ERR_SSL_CONN_EOF ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1857 | } |
| 1858 | |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1859 | if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1860 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1861 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 1862 | mbedtls_ssl_set_timer( ssl, 0 ); |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 1863 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1864 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 1865 | { |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1866 | if( ssl_double_retransmit_timeout( ssl ) != 0 ) |
| 1867 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1868 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1869 | return( MBEDTLS_ERR_SSL_TIMEOUT ); |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1870 | } |
| 1871 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1872 | if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1873 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1874 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1875 | return( ret ); |
| 1876 | } |
| 1877 | |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1878 | return( MBEDTLS_ERR_SSL_WANT_READ ); |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 1879 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1880 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1881 | else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1882 | ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1883 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 1884 | if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1885 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 1886 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request", |
| 1887 | ret ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1888 | return( ret ); |
| 1889 | } |
| 1890 | |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1891 | return( MBEDTLS_ERR_SSL_WANT_READ ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1892 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1893 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 1894 | } |
| 1895 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1896 | if( ret < 0 ) |
| 1897 | return( ret ); |
| 1898 | |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1899 | ssl->in_left = ret; |
| 1900 | } |
| 1901 | else |
| 1902 | #endif |
| 1903 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1904 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET |
| 1905 | ", nb_want: %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1906 | ssl->in_left, nb_want ) ); |
| 1907 | |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1908 | while( ssl->in_left < nb_want ) |
| 1909 | { |
| 1910 | len = nb_want - ssl->in_left; |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 1911 | |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 1912 | if( mbedtls_ssl_check_timer( ssl ) != 0 ) |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 1913 | ret = MBEDTLS_ERR_SSL_TIMEOUT; |
| 1914 | else |
Manuel Pégourié-Gonnard | 0761733 | 2015-06-24 23:00:03 +0200 | [diff] [blame] | 1915 | { |
| 1916 | if( ssl->f_recv_timeout != NULL ) |
| 1917 | { |
| 1918 | ret = ssl->f_recv_timeout( ssl->p_bio, |
| 1919 | ssl->in_hdr + ssl->in_left, len, |
| 1920 | ssl->conf->read_timeout ); |
| 1921 | } |
| 1922 | else |
| 1923 | { |
| 1924 | ret = ssl->f_recv( ssl->p_bio, |
| 1925 | ssl->in_hdr + ssl->in_left, len ); |
| 1926 | } |
| 1927 | } |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1928 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1929 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET |
| 1930 | ", nb_want: %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | 0761733 | 2015-06-24 23:00:03 +0200 | [diff] [blame] | 1931 | ssl->in_left, nb_want ) ); |
| 1932 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1933 | |
| 1934 | if( ret == 0 ) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1935 | return( MBEDTLS_ERR_SSL_CONN_EOF ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1936 | |
| 1937 | if( ret < 0 ) |
| 1938 | return( ret ); |
| 1939 | |
makise-homura | af9513b | 2020-08-24 18:26:27 +0300 | [diff] [blame] | 1940 | if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) ) |
mohammad1603 | 5bd15cb | 2018-02-28 04:30:59 -0800 | [diff] [blame] | 1941 | { |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 1942 | MBEDTLS_SSL_DEBUG_MSG( 1, |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1943 | ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1944 | ret, len ) ); |
mohammad1603 | 5bd15cb | 2018-02-28 04:30:59 -0800 | [diff] [blame] | 1945 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 1946 | } |
| 1947 | |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1948 | ssl->in_left += ret; |
| 1949 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1950 | } |
| 1951 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1952 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1953 | |
| 1954 | return( 0 ); |
| 1955 | } |
| 1956 | |
| 1957 | /* |
| 1958 | * Flush any data not yet written |
| 1959 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1960 | int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1961 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1962 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 0448462 | 2018-08-06 09:49:38 +0100 | [diff] [blame] | 1963 | unsigned char *buf; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1964 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1965 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1966 | |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1967 | if( ssl->f_send == NULL ) |
| 1968 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1969 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " |
Manuel Pégourié-Gonnard | 1b511f9 | 2015-05-06 15:54:23 +0100 | [diff] [blame] | 1970 | "or mbedtls_ssl_set_bio()" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1971 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1972 | } |
| 1973 | |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 1974 | /* Avoid incrementing counter if data is flushed */ |
| 1975 | if( ssl->out_left == 0 ) |
| 1976 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1977 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 1978 | return( 0 ); |
| 1979 | } |
| 1980 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1981 | while( ssl->out_left > 0 ) |
| 1982 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1983 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET |
| 1984 | ", out_left: %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 1985 | mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1986 | |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 1987 | buf = ssl->out_hdr - ssl->out_left; |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1988 | ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); |
Paul Bakker | 186751d | 2012-05-08 13:16:14 +0000 | [diff] [blame] | 1989 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1990 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1991 | |
| 1992 | if( ret <= 0 ) |
| 1993 | return( ret ); |
| 1994 | |
makise-homura | af9513b | 2020-08-24 18:26:27 +0300 | [diff] [blame] | 1995 | if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) ) |
mohammad1603 | 4bbaeb4 | 2018-02-22 04:29:04 -0800 | [diff] [blame] | 1996 | { |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 1997 | MBEDTLS_SSL_DEBUG_MSG( 1, |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1998 | ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1999 | ret, ssl->out_left ) ); |
mohammad1603 | 4bbaeb4 | 2018-02-22 04:29:04 -0800 | [diff] [blame] | 2000 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2001 | } |
| 2002 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2003 | ssl->out_left -= ret; |
| 2004 | } |
| 2005 | |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2006 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 2007 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2008 | { |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2009 | ssl->out_hdr = ssl->out_buf; |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2010 | } |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2011 | else |
| 2012 | #endif |
| 2013 | { |
| 2014 | ssl->out_hdr = ssl->out_buf + 8; |
| 2015 | } |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 2016 | mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2017 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2018 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2019 | |
| 2020 | return( 0 ); |
| 2021 | } |
| 2022 | |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2023 | /* |
| 2024 | * Functions to handle the DTLS retransmission state machine |
| 2025 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2026 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2027 | /* |
| 2028 | * Append current handshake message to current outgoing flight |
| 2029 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2030 | static int ssl_flight_append( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2031 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2032 | mbedtls_ssl_flight_item *msg; |
Hanno Becker | 3b23590 | 2018-08-06 09:54:53 +0100 | [diff] [blame] | 2033 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) ); |
| 2034 | MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight", |
| 2035 | ssl->out_msg, ssl->out_msglen ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2036 | |
| 2037 | /* Allocate space for current message */ |
Manuel Pégourié-Gonnard | 7551cb9 | 2015-05-26 16:04:06 +0200 | [diff] [blame] | 2038 | if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2039 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2040 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed", |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2041 | sizeof( mbedtls_ssl_flight_item ) ) ); |
Manuel Pégourié-Gonnard | 6a8ca33 | 2015-05-28 09:33:39 +0200 | [diff] [blame] | 2042 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2043 | } |
| 2044 | |
Manuel Pégourié-Gonnard | 7551cb9 | 2015-05-26 16:04:06 +0200 | [diff] [blame] | 2045 | if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2046 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2047 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed", |
| 2048 | ssl->out_msglen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2049 | mbedtls_free( msg ); |
Manuel Pégourié-Gonnard | 6a8ca33 | 2015-05-28 09:33:39 +0200 | [diff] [blame] | 2050 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2051 | } |
| 2052 | |
| 2053 | /* Copy current handshake message with headers */ |
| 2054 | memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); |
| 2055 | msg->len = ssl->out_msglen; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2056 | msg->type = ssl->out_msgtype; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2057 | msg->next = NULL; |
| 2058 | |
| 2059 | /* Append to the current flight */ |
| 2060 | if( ssl->handshake->flight == NULL ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2061 | ssl->handshake->flight = msg; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2062 | else |
| 2063 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2064 | mbedtls_ssl_flight_item *cur = ssl->handshake->flight; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2065 | while( cur->next != NULL ) |
| 2066 | cur = cur->next; |
| 2067 | cur->next = msg; |
| 2068 | } |
| 2069 | |
Hanno Becker | 3b23590 | 2018-08-06 09:54:53 +0100 | [diff] [blame] | 2070 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2071 | return( 0 ); |
| 2072 | } |
| 2073 | |
| 2074 | /* |
| 2075 | * Free the current flight of handshake messages |
| 2076 | */ |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 2077 | void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2078 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2079 | mbedtls_ssl_flight_item *cur = flight; |
| 2080 | mbedtls_ssl_flight_item *next; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2081 | |
| 2082 | while( cur != NULL ) |
| 2083 | { |
| 2084 | next = cur->next; |
| 2085 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2086 | mbedtls_free( cur->p ); |
| 2087 | mbedtls_free( cur ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2088 | |
| 2089 | cur = next; |
| 2090 | } |
| 2091 | } |
| 2092 | |
| 2093 | /* |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2094 | * Swap transform_out and out_ctr with the alternative ones |
| 2095 | */ |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2096 | static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2097 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2098 | mbedtls_ssl_transform *tmp_transform; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2099 | unsigned char tmp_out_ctr[8]; |
| 2100 | |
| 2101 | if( ssl->transform_out == ssl->handshake->alt_transform_out ) |
| 2102 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2103 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2104 | return( 0 ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2105 | } |
| 2106 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2107 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2108 | |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2109 | /* Swap transforms */ |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2110 | tmp_transform = ssl->transform_out; |
| 2111 | ssl->transform_out = ssl->handshake->alt_transform_out; |
| 2112 | ssl->handshake->alt_transform_out = tmp_transform; |
| 2113 | |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2114 | /* Swap epoch + sequence_number */ |
Hanno Becker | 1985947 | 2018-08-06 09:40:20 +0100 | [diff] [blame] | 2115 | memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 ); |
| 2116 | memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2117 | memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2118 | |
| 2119 | /* Adjust to the newly activated transform */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 2120 | mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2121 | |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2122 | return( 0 ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2123 | } |
| 2124 | |
| 2125 | /* |
| 2126 | * Retransmit the current flight of messages. |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2127 | */ |
| 2128 | int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) |
| 2129 | { |
| 2130 | int ret = 0; |
| 2131 | |
| 2132 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); |
| 2133 | |
| 2134 | ret = mbedtls_ssl_flight_transmit( ssl ); |
| 2135 | |
| 2136 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); |
| 2137 | |
| 2138 | return( ret ); |
| 2139 | } |
| 2140 | |
| 2141 | /* |
| 2142 | * Transmit or retransmit the current flight of messages. |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2143 | * |
| 2144 | * Need to remember the current message in case flush_output returns |
| 2145 | * WANT_WRITE, causing us to exit this function and come back later. |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2146 | * This function must be called until state is no longer SENDING. |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2147 | */ |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2148 | int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2149 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2150 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2151 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2152 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2153 | if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2154 | { |
Manuel Pégourié-Gonnard | 19c62f9 | 2018-08-16 10:50:39 +0200 | [diff] [blame] | 2155 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2156 | |
| 2157 | ssl->handshake->cur_msg = ssl->handshake->flight; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2158 | ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12; |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2159 | ret = ssl_swap_epochs( ssl ); |
| 2160 | if( ret != 0 ) |
| 2161 | return( ret ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2162 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2163 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2164 | } |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2165 | |
| 2166 | while( ssl->handshake->cur_msg != NULL ) |
| 2167 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2168 | size_t max_frag_len; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2169 | const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2170 | |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2171 | int const is_finished = |
| 2172 | ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2173 | cur->p[0] == MBEDTLS_SSL_HS_FINISHED ); |
| 2174 | |
Hanno Becker | 04da189 | 2018-08-14 13:22:10 +0100 | [diff] [blame] | 2175 | uint8_t const force_flush = ssl->disable_datagram_packing == 1 ? |
| 2176 | SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH; |
| 2177 | |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2178 | /* Swap epochs before sending Finished: we can't do it after |
| 2179 | * sending ChangeCipherSpec, in case write returns WANT_READ. |
| 2180 | * Must be done before copying, may change out_msg pointer */ |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2181 | if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) ) |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2182 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2183 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) ); |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2184 | ret = ssl_swap_epochs( ssl ); |
| 2185 | if( ret != 0 ) |
| 2186 | return( ret ); |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2187 | } |
| 2188 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2189 | ret = ssl_get_remaining_payload_in_datagram( ssl ); |
| 2190 | if( ret < 0 ) |
| 2191 | return( ret ); |
| 2192 | max_frag_len = (size_t) ret; |
| 2193 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2194 | /* CCS is copied as is, while HS messages may need fragmentation */ |
| 2195 | if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
| 2196 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2197 | if( max_frag_len == 0 ) |
| 2198 | { |
| 2199 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| 2200 | return( ret ); |
| 2201 | |
| 2202 | continue; |
| 2203 | } |
| 2204 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2205 | memcpy( ssl->out_msg, cur->p, cur->len ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2206 | ssl->out_msglen = cur->len; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2207 | ssl->out_msgtype = cur->type; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2208 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2209 | /* Update position inside current message */ |
| 2210 | ssl->handshake->cur_msg_p += cur->len; |
| 2211 | } |
| 2212 | else |
| 2213 | { |
| 2214 | const unsigned char * const p = ssl->handshake->cur_msg_p; |
| 2215 | const size_t hs_len = cur->len - 12; |
| 2216 | const size_t frag_off = p - ( cur->p + 12 ); |
| 2217 | const size_t rem_len = hs_len - frag_off; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2218 | size_t cur_hs_frag_len, max_hs_frag_len; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2219 | |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2220 | if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) ) |
Manuel Pégourié-Gonnard | a1071a5 | 2018-08-20 11:56:14 +0200 | [diff] [blame] | 2221 | { |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2222 | if( is_finished ) |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2223 | { |
| 2224 | ret = ssl_swap_epochs( ssl ); |
| 2225 | if( ret != 0 ) |
| 2226 | return( ret ); |
| 2227 | } |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2228 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2229 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| 2230 | return( ret ); |
| 2231 | |
| 2232 | continue; |
| 2233 | } |
| 2234 | max_hs_frag_len = max_frag_len - 12; |
| 2235 | |
| 2236 | cur_hs_frag_len = rem_len > max_hs_frag_len ? |
| 2237 | max_hs_frag_len : rem_len; |
| 2238 | |
| 2239 | if( frag_off == 0 && cur_hs_frag_len != hs_len ) |
Manuel Pégourié-Gonnard | 19c62f9 | 2018-08-16 10:50:39 +0200 | [diff] [blame] | 2240 | { |
| 2241 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)", |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2242 | (unsigned) cur_hs_frag_len, |
| 2243 | (unsigned) max_hs_frag_len ) ); |
Manuel Pégourié-Gonnard | 19c62f9 | 2018-08-16 10:50:39 +0200 | [diff] [blame] | 2244 | } |
Manuel Pégourié-Gonnard | b747c6c | 2018-08-12 13:28:53 +0200 | [diff] [blame] | 2245 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2246 | /* Messages are stored with handshake headers as if not fragmented, |
| 2247 | * copy beginning of headers then fill fragmentation fields. |
| 2248 | * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */ |
| 2249 | memcpy( ssl->out_msg, cur->p, 6 ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2250 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2251 | ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff ); |
| 2252 | ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff ); |
| 2253 | ssl->out_msg[8] = ( ( frag_off ) & 0xff ); |
| 2254 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2255 | ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff ); |
| 2256 | ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff ); |
| 2257 | ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff ); |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2258 | |
| 2259 | MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 ); |
| 2260 | |
Hanno Becker | 3f7b973 | 2018-08-28 09:53:25 +0100 | [diff] [blame] | 2261 | /* Copy the handshake message content and set records fields */ |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2262 | memcpy( ssl->out_msg + 12, p, cur_hs_frag_len ); |
| 2263 | ssl->out_msglen = cur_hs_frag_len + 12; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2264 | ssl->out_msgtype = cur->type; |
| 2265 | |
| 2266 | /* Update position inside current message */ |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2267 | ssl->handshake->cur_msg_p += cur_hs_frag_len; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2268 | } |
| 2269 | |
| 2270 | /* If done with the current message move to the next one if any */ |
| 2271 | if( ssl->handshake->cur_msg_p >= cur->p + cur->len ) |
| 2272 | { |
| 2273 | if( cur->next != NULL ) |
| 2274 | { |
| 2275 | ssl->handshake->cur_msg = cur->next; |
| 2276 | ssl->handshake->cur_msg_p = cur->next->p + 12; |
| 2277 | } |
| 2278 | else |
| 2279 | { |
| 2280 | ssl->handshake->cur_msg = NULL; |
| 2281 | ssl->handshake->cur_msg_p = NULL; |
| 2282 | } |
| 2283 | } |
| 2284 | |
| 2285 | /* Actually send the message out */ |
Hanno Becker | 04da189 | 2018-08-14 13:22:10 +0100 | [diff] [blame] | 2286 | if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2287 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2288 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2289 | return( ret ); |
| 2290 | } |
| 2291 | } |
| 2292 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2293 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| 2294 | return( ret ); |
| 2295 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2296 | /* Update state and set timer */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2297 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
| 2298 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; |
Manuel Pégourié-Gonnard | 23b7b70 | 2014-09-25 13:50:12 +0200 | [diff] [blame] | 2299 | else |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 2300 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2301 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 2302 | mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 2303 | } |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2304 | |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2305 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2306 | |
| 2307 | return( 0 ); |
| 2308 | } |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2309 | |
| 2310 | /* |
| 2311 | * To be called when the last message of an incoming flight is received. |
| 2312 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2313 | void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2314 | { |
| 2315 | /* We won't need to resend that one any more */ |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 2316 | mbedtls_ssl_flight_free( ssl->handshake->flight ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2317 | ssl->handshake->flight = NULL; |
| 2318 | ssl->handshake->cur_msg = NULL; |
| 2319 | |
| 2320 | /* The next incoming flight will start with this msg_seq */ |
| 2321 | ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; |
| 2322 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 2323 | /* We don't want to remember CCS's across flight boundaries. */ |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 2324 | ssl->handshake->buffering.seen_ccs = 0; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 2325 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2326 | /* Clear future message buffering structure. */ |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 2327 | mbedtls_ssl_buffering_free( ssl ); |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2328 | |
Manuel Pégourié-Gonnard | 6c1fa3a | 2014-10-01 16:58:16 +0200 | [diff] [blame] | 2329 | /* Cancel timer */ |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 2330 | mbedtls_ssl_set_timer( ssl, 0 ); |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2331 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2332 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2333 | ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2334 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2335 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2336 | } |
| 2337 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2338 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2339 | } |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2340 | |
| 2341 | /* |
| 2342 | * To be called when the last message of an outgoing flight is send. |
| 2343 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2344 | void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2345 | { |
Manuel Pégourié-Gonnard | 6c1fa3a | 2014-10-01 16:58:16 +0200 | [diff] [blame] | 2346 | ssl_reset_retransmit_timeout( ssl ); |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 2347 | mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2348 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2349 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2350 | ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2351 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2352 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2353 | } |
| 2354 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2355 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2356 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2357 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2358 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2359 | /* |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2360 | * Handshake layer functions |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2361 | */ |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2362 | |
| 2363 | /* |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2364 | * Write (DTLS: or queue) current handshake (including CCS) message. |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2365 | * |
| 2366 | * - fill in handshake headers |
| 2367 | * - update handshake checksum |
| 2368 | * - DTLS: save message for resending |
| 2369 | * - then pass to the record layer |
| 2370 | * |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2371 | * DTLS: except for HelloRequest, messages are only queued, and will only be |
| 2372 | * actually sent when calling flight_transmit() or resend(). |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2373 | * |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2374 | * Inputs: |
| 2375 | * - ssl->out_msglen: 4 + actual handshake message len |
| 2376 | * (4 is the size of handshake headers for TLS) |
| 2377 | * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc) |
| 2378 | * - ssl->out_msg + 4: the handshake message body |
| 2379 | * |
Manuel Pégourié-Gonnard | 065a2a3 | 2018-08-20 11:09:26 +0200 | [diff] [blame] | 2380 | * Outputs, ie state before passing to flight_append() or write_record(): |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2381 | * - ssl->out_msglen: the length of the record contents |
| 2382 | * (including handshake headers but excluding record headers) |
| 2383 | * - ssl->out_msg: the record contents (handshake headers + content) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2384 | */ |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2385 | int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2386 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2387 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2388 | const size_t hs_len = ssl->out_msglen - 4; |
| 2389 | const unsigned char hs_type = ssl->out_msg[0]; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2390 | |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2391 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) ); |
| 2392 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2393 | /* |
| 2394 | * Sanity checks |
| 2395 | */ |
Hanno Becker | c83d2b3 | 2018-08-22 16:05:47 +0100 | [diff] [blame] | 2396 | if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2397 | ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
| 2398 | { |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2399 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2400 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2401 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2402 | |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2403 | /* Whenever we send anything different from a |
| 2404 | * HelloRequest we should be in a handshake - double check. */ |
| 2405 | if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2406 | hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) && |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2407 | ssl->handshake == NULL ) |
| 2408 | { |
| 2409 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2410 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2411 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2412 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2413 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2414 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2415 | ssl->handshake != NULL && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2416 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2417 | { |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2418 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2419 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2420 | } |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2421 | #endif |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2422 | |
Hanno Becker | b50a253 | 2018-08-06 11:52:54 +0100 | [diff] [blame] | 2423 | /* Double-check that we did not exceed the bounds |
| 2424 | * of the outgoing record buffer. |
| 2425 | * This should never fail as the various message |
| 2426 | * writing functions must obey the bounds of the |
| 2427 | * outgoing record buffer, but better be safe. |
| 2428 | * |
| 2429 | * Note: We deliberately do not check for the MTU or MFL here. |
| 2430 | */ |
| 2431 | if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN ) |
| 2432 | { |
| 2433 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2434 | "size %" MBEDTLS_PRINTF_SIZET |
| 2435 | ", maximum %" MBEDTLS_PRINTF_SIZET, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 2436 | ssl->out_msglen, |
| 2437 | (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); |
Hanno Becker | b50a253 | 2018-08-06 11:52:54 +0100 | [diff] [blame] | 2438 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2439 | } |
| 2440 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2441 | /* |
| 2442 | * Fill handshake headers |
| 2443 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2444 | if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2445 | { |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2446 | ssl->out_msg[1] = (unsigned char)( hs_len >> 16 ); |
| 2447 | ssl->out_msg[2] = (unsigned char)( hs_len >> 8 ); |
| 2448 | ssl->out_msg[3] = (unsigned char)( hs_len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2449 | |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2450 | /* |
| 2451 | * DTLS has additional fields in the Handshake layer, |
| 2452 | * between the length field and the actual payload: |
| 2453 | * uint16 message_seq; |
| 2454 | * uint24 fragment_offset; |
| 2455 | * uint24 fragment_length; |
| 2456 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2457 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2458 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2459 | { |
Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 2460 | /* Make room for the additional DTLS fields */ |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2461 | if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 ) |
Hanno Becker | 9648f8b | 2017-09-18 10:55:54 +0100 | [diff] [blame] | 2462 | { |
| 2463 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2464 | "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 2465 | hs_len, |
| 2466 | (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) ); |
Hanno Becker | 9648f8b | 2017-09-18 10:55:54 +0100 | [diff] [blame] | 2467 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 2468 | } |
| 2469 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2470 | memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len ); |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2471 | ssl->out_msglen += 8; |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2472 | |
Manuel Pégourié-Gonnard | c392b24 | 2014-08-19 17:53:11 +0200 | [diff] [blame] | 2473 | /* Write message_seq and update it, except for HelloRequest */ |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2474 | if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) |
Manuel Pégourié-Gonnard | c392b24 | 2014-08-19 17:53:11 +0200 | [diff] [blame] | 2475 | { |
Manuel Pégourié-Gonnard | d9ba0d9 | 2014-09-02 18:30:26 +0200 | [diff] [blame] | 2476 | ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; |
| 2477 | ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; |
| 2478 | ++( ssl->handshake->out_msg_seq ); |
Manuel Pégourié-Gonnard | c392b24 | 2014-08-19 17:53:11 +0200 | [diff] [blame] | 2479 | } |
| 2480 | else |
| 2481 | { |
| 2482 | ssl->out_msg[4] = 0; |
| 2483 | ssl->out_msg[5] = 0; |
| 2484 | } |
Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 2485 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2486 | /* Handshake hashes are computed without fragmentation, |
| 2487 | * so set frag_offset = 0 and frag_len = hs_len for now */ |
Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 2488 | memset( ssl->out_msg + 6, 0x00, 3 ); |
| 2489 | memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2490 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2491 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2492 | |
Hanno Becker | 0207e53 | 2018-08-28 10:28:28 +0100 | [diff] [blame] | 2493 | /* Update running hashes of handshake messages seen */ |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2494 | if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) |
| 2495 | ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2496 | } |
| 2497 | |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2498 | /* Either send now, or just save to be sent (and resent) later */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2499 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2500 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2501 | ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2502 | hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2503 | { |
| 2504 | if( ( ret = ssl_flight_append( ssl ) ) != 0 ) |
| 2505 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2506 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2507 | return( ret ); |
| 2508 | } |
| 2509 | } |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2510 | else |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2511 | #endif |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2512 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2513 | if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2514 | { |
| 2515 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret ); |
| 2516 | return( ret ); |
| 2517 | } |
| 2518 | } |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2519 | |
| 2520 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) ); |
| 2521 | |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2522 | return( 0 ); |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2523 | } |
| 2524 | |
| 2525 | /* |
| 2526 | * Record layer functions |
| 2527 | */ |
| 2528 | |
| 2529 | /* |
| 2530 | * Write current record. |
| 2531 | * |
| 2532 | * Uses: |
| 2533 | * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS) |
| 2534 | * - ssl->out_msglen: length of the record content (excl headers) |
| 2535 | * - ssl->out_msg: record content |
| 2536 | */ |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2537 | int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2538 | { |
| 2539 | int ret, done = 0; |
| 2540 | size_t len = ssl->out_msglen; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2541 | uint8_t flush = force_flush; |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2542 | |
| 2543 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2544 | |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2545 | if( !done ) |
| 2546 | { |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2547 | unsigned i; |
| 2548 | size_t protected_record_size; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 2549 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 2550 | size_t out_buf_len = ssl->out_buf_len; |
| 2551 | #else |
| 2552 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; |
| 2553 | #endif |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2554 | /* Skip writing the record content type to after the encryption, |
| 2555 | * as it may change when using the CID extension. */ |
| 2556 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2557 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2558 | ssl->conf->transport, ssl->out_hdr + 1 ); |
Manuel Pégourié-Gonnard | 507e1e4 | 2014-02-13 11:17:34 +0100 | [diff] [blame] | 2559 | |
Hanno Becker | 1985947 | 2018-08-06 09:40:20 +0100 | [diff] [blame] | 2560 | memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 ); |
Manuel Pégourié-Gonnard | 507e1e4 | 2014-02-13 11:17:34 +0100 | [diff] [blame] | 2561 | ssl->out_len[0] = (unsigned char)( len >> 8 ); |
| 2562 | ssl->out_len[1] = (unsigned char)( len ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2563 | |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2564 | if( ssl->transform_out != NULL ) |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2565 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2566 | mbedtls_record rec; |
| 2567 | |
| 2568 | rec.buf = ssl->out_iv; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 2569 | rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2570 | rec.data_len = ssl->out_msglen; |
| 2571 | rec.data_offset = ssl->out_msg - rec.buf; |
| 2572 | |
| 2573 | memcpy( &rec.ctr[0], ssl->out_ctr, 8 ); |
| 2574 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| 2575 | ssl->conf->transport, rec.ver ); |
| 2576 | rec.type = ssl->out_msgtype; |
| 2577 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2578 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 43c24b8 | 2019-05-01 09:45:57 +0100 | [diff] [blame] | 2579 | /* The CID is set by mbedtls_ssl_encrypt_buf(). */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 2580 | rec.cid_len = 0; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2581 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 2582 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 2583 | if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec, |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2584 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2585 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2586 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2587 | return( ret ); |
| 2588 | } |
| 2589 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2590 | if( rec.data_offset != 0 ) |
| 2591 | { |
| 2592 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2593 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2594 | } |
| 2595 | |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2596 | /* Update the record content type and CID. */ |
| 2597 | ssl->out_msgtype = rec.type; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2598 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID ) |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 2599 | memcpy( ssl->out_cid, rec.cid, rec.cid_len ); |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2600 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 78f839d | 2019-03-14 12:56:23 +0000 | [diff] [blame] | 2601 | ssl->out_msglen = len = rec.data_len; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2602 | ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 ); |
| 2603 | ssl->out_len[1] = (unsigned char)( rec.data_len ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2604 | } |
| 2605 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 2606 | protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2607 | |
| 2608 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 2609 | /* In case of DTLS, double-check that we don't exceed |
| 2610 | * the remaining space in the datagram. */ |
| 2611 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 2612 | { |
Hanno Becker | 554b0af | 2018-08-22 20:33:41 +0100 | [diff] [blame] | 2613 | ret = ssl_get_remaining_space_in_datagram( ssl ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2614 | if( ret < 0 ) |
| 2615 | return( ret ); |
| 2616 | |
| 2617 | if( protected_record_size > (size_t) ret ) |
| 2618 | { |
| 2619 | /* Should never happen */ |
| 2620 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2621 | } |
| 2622 | } |
| 2623 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2624 | |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2625 | /* Now write the potentially updated record content type. */ |
| 2626 | ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; |
| 2627 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2628 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2629 | "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | ecbdf1c | 2018-08-28 09:53:54 +0100 | [diff] [blame] | 2630 | ssl->out_hdr[0], ssl->out_hdr[1], |
| 2631 | ssl->out_hdr[2], len ) ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2632 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2633 | MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", |
Hanno Becker | ecbdf1c | 2018-08-28 09:53:54 +0100 | [diff] [blame] | 2634 | ssl->out_hdr, protected_record_size ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2635 | |
| 2636 | ssl->out_left += protected_record_size; |
| 2637 | ssl->out_hdr += protected_record_size; |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 2638 | mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2639 | |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 2640 | for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) |
Hanno Becker | 0448462 | 2018-08-06 09:49:38 +0100 | [diff] [blame] | 2641 | if( ++ssl->cur_out_ctr[i - 1] != 0 ) |
| 2642 | break; |
| 2643 | |
| 2644 | /* The loop goes to its end iff the counter is wrapping */ |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 2645 | if( i == mbedtls_ssl_ep_len( ssl ) ) |
Hanno Becker | 0448462 | 2018-08-06 09:49:38 +0100 | [diff] [blame] | 2646 | { |
| 2647 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); |
| 2648 | return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); |
| 2649 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2650 | } |
| 2651 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2652 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 47db877 | 2018-08-21 13:32:13 +0100 | [diff] [blame] | 2653 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2654 | flush == SSL_DONT_FORCE_FLUSH ) |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2655 | { |
Hanno Becker | 1f5a15d | 2018-08-21 13:31:31 +0100 | [diff] [blame] | 2656 | size_t remaining; |
| 2657 | ret = ssl_get_remaining_payload_in_datagram( ssl ); |
| 2658 | if( ret < 0 ) |
| 2659 | { |
| 2660 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram", |
| 2661 | ret ); |
| 2662 | return( ret ); |
| 2663 | } |
| 2664 | |
| 2665 | remaining = (size_t) ret; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2666 | if( remaining == 0 ) |
Hanno Becker | f0da667 | 2018-08-28 09:55:10 +0100 | [diff] [blame] | 2667 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2668 | flush = SSL_FORCE_FLUSH; |
Hanno Becker | f0da667 | 2018-08-28 09:55:10 +0100 | [diff] [blame] | 2669 | } |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2670 | else |
| 2671 | { |
Hanno Becker | 513815a | 2018-08-20 11:56:09 +0100 | [diff] [blame] | 2672 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2673 | } |
| 2674 | } |
| 2675 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 2676 | |
| 2677 | if( ( flush == SSL_FORCE_FLUSH ) && |
| 2678 | ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2679 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2680 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2681 | return( ret ); |
| 2682 | } |
| 2683 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2684 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2685 | |
| 2686 | return( 0 ); |
| 2687 | } |
| 2688 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2689 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2690 | |
| 2691 | static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl ) |
| 2692 | { |
| 2693 | if( ssl->in_msglen < ssl->in_hslen || |
| 2694 | memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || |
| 2695 | memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ) |
| 2696 | { |
| 2697 | return( 1 ); |
| 2698 | } |
| 2699 | return( 0 ); |
| 2700 | } |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2701 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2702 | static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2703 | { |
| 2704 | return( ( ssl->in_msg[9] << 16 ) | |
| 2705 | ( ssl->in_msg[10] << 8 ) | |
| 2706 | ssl->in_msg[11] ); |
| 2707 | } |
| 2708 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2709 | static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2710 | { |
| 2711 | return( ( ssl->in_msg[6] << 16 ) | |
| 2712 | ( ssl->in_msg[7] << 8 ) | |
| 2713 | ssl->in_msg[8] ); |
| 2714 | } |
| 2715 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2716 | static int ssl_check_hs_header( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2717 | { |
| 2718 | uint32_t msg_len, frag_off, frag_len; |
| 2719 | |
| 2720 | msg_len = ssl_get_hs_total_len( ssl ); |
| 2721 | frag_off = ssl_get_hs_frag_off( ssl ); |
| 2722 | frag_len = ssl_get_hs_frag_len( ssl ); |
| 2723 | |
| 2724 | if( frag_off > msg_len ) |
| 2725 | return( -1 ); |
| 2726 | |
| 2727 | if( frag_len > msg_len - frag_off ) |
| 2728 | return( -1 ); |
| 2729 | |
| 2730 | if( frag_len + 12 > ssl->in_msglen ) |
| 2731 | return( -1 ); |
| 2732 | |
| 2733 | return( 0 ); |
| 2734 | } |
| 2735 | |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2736 | /* |
| 2737 | * Mark bits in bitmask (used for DTLS HS reassembly) |
| 2738 | */ |
| 2739 | static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) |
| 2740 | { |
| 2741 | unsigned int start_bits, end_bits; |
| 2742 | |
| 2743 | start_bits = 8 - ( offset % 8 ); |
| 2744 | if( start_bits != 8 ) |
| 2745 | { |
| 2746 | size_t first_byte_idx = offset / 8; |
| 2747 | |
Manuel Pégourié-Gonnard | ac03052 | 2014-09-02 14:23:40 +0200 | [diff] [blame] | 2748 | /* Special case */ |
| 2749 | if( len <= start_bits ) |
| 2750 | { |
| 2751 | for( ; len != 0; len-- ) |
| 2752 | mask[first_byte_idx] |= 1 << ( start_bits - len ); |
| 2753 | |
| 2754 | /* Avoid potential issues with offset or len becoming invalid */ |
| 2755 | return; |
| 2756 | } |
| 2757 | |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2758 | offset += start_bits; /* Now offset % 8 == 0 */ |
| 2759 | len -= start_bits; |
| 2760 | |
| 2761 | for( ; start_bits != 0; start_bits-- ) |
| 2762 | mask[first_byte_idx] |= 1 << ( start_bits - 1 ); |
| 2763 | } |
| 2764 | |
| 2765 | end_bits = len % 8; |
| 2766 | if( end_bits != 0 ) |
| 2767 | { |
| 2768 | size_t last_byte_idx = ( offset + len ) / 8; |
| 2769 | |
| 2770 | len -= end_bits; /* Now len % 8 == 0 */ |
| 2771 | |
| 2772 | for( ; end_bits != 0; end_bits-- ) |
| 2773 | mask[last_byte_idx] |= 1 << ( 8 - end_bits ); |
| 2774 | } |
| 2775 | |
| 2776 | memset( mask + offset / 8, 0xFF, len / 8 ); |
| 2777 | } |
| 2778 | |
| 2779 | /* |
| 2780 | * Check that bitmask is full |
| 2781 | */ |
| 2782 | static int ssl_bitmask_check( unsigned char *mask, size_t len ) |
| 2783 | { |
| 2784 | size_t i; |
| 2785 | |
| 2786 | for( i = 0; i < len / 8; i++ ) |
| 2787 | if( mask[i] != 0xFF ) |
| 2788 | return( -1 ); |
| 2789 | |
| 2790 | for( i = 0; i < len % 8; i++ ) |
| 2791 | if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) |
| 2792 | return( -1 ); |
| 2793 | |
| 2794 | return( 0 ); |
| 2795 | } |
| 2796 | |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2797 | /* msg_len does not include the handshake header */ |
Hanno Becker | 65dc885 | 2018-08-23 09:40:49 +0100 | [diff] [blame] | 2798 | static size_t ssl_get_reassembly_buffer_size( size_t msg_len, |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 2799 | unsigned add_bitmap ) |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2800 | { |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2801 | size_t alloc_len; |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2802 | |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2803 | alloc_len = 12; /* Handshake header */ |
| 2804 | alloc_len += msg_len; /* Content buffer */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2805 | |
Hanno Becker | d07df86 | 2018-08-16 09:14:58 +0100 | [diff] [blame] | 2806 | if( add_bitmap ) |
| 2807 | alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */ |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2808 | |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 2809 | return( alloc_len ); |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2810 | } |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2811 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2812 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2813 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2814 | static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 12555c6 | 2018-08-16 12:47:53 +0100 | [diff] [blame] | 2815 | { |
| 2816 | return( ( ssl->in_msg[1] << 16 ) | |
| 2817 | ( ssl->in_msg[2] << 8 ) | |
| 2818 | ssl->in_msg[3] ); |
| 2819 | } |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2820 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2821 | int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2822 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2823 | if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) |
Manuel Pégourié-Gonnard | 9d1d719 | 2014-09-03 11:01:14 +0200 | [diff] [blame] | 2824 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2825 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | 9d1d719 | 2014-09-03 11:01:14 +0200 | [diff] [blame] | 2826 | ssl->in_msglen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2827 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Manuel Pégourié-Gonnard | 9d1d719 | 2014-09-03 11:01:14 +0200 | [diff] [blame] | 2828 | } |
| 2829 | |
Hanno Becker | 12555c6 | 2018-08-16 12:47:53 +0100 | [diff] [blame] | 2830 | ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl ); |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2831 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2832 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2833 | " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2834 | ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2835 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2836 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2837 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2838 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2839 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2840 | unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2841 | |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2842 | if( ssl_check_hs_header( ssl ) != 0 ) |
| 2843 | { |
| 2844 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) ); |
| 2845 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 2846 | } |
| 2847 | |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2848 | if( ssl->handshake != NULL && |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 2849 | ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && |
| 2850 | recv_msg_seq != ssl->handshake->in_msg_seq ) || |
| 2851 | ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && |
| 2852 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2853 | { |
Hanno Becker | 9e1ec22 | 2018-08-15 15:54:43 +0100 | [diff] [blame] | 2854 | if( recv_msg_seq > ssl->handshake->in_msg_seq ) |
| 2855 | { |
| 2856 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)", |
| 2857 | recv_msg_seq, |
| 2858 | ssl->handshake->in_msg_seq ) ); |
| 2859 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
| 2860 | } |
| 2861 | |
Manuel Pégourié-Gonnard | fc572dd | 2014-10-09 17:56:57 +0200 | [diff] [blame] | 2862 | /* Retransmit only on last message from previous flight, to avoid |
| 2863 | * too many retransmissions. |
| 2864 | * Besides, No sane server ever retransmits HelloVerifyRequest */ |
| 2865 | if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2866 | ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2867 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2868 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2869 | "message_seq = %u, start_of_flight = %u", |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2870 | recv_msg_seq, |
| 2871 | ssl->handshake->in_flight_start_seq ) ); |
| 2872 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2873 | if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2874 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2875 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2876 | return( ret ); |
| 2877 | } |
| 2878 | } |
| 2879 | else |
| 2880 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2881 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2882 | "message_seq = %u, expected = %u", |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2883 | recv_msg_seq, |
| 2884 | ssl->handshake->in_msg_seq ) ); |
| 2885 | } |
| 2886 | |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 2887 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2888 | } |
| 2889 | /* Wait until message completion to increment in_msg_seq */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2890 | |
Hanno Becker | 6d97ef5 | 2018-08-16 13:09:04 +0100 | [diff] [blame] | 2891 | /* Message reassembly is handled alongside buffering of future |
| 2892 | * messages; the commonality is that both handshake fragments and |
Hanno Becker | 83ab41c | 2018-08-28 17:19:38 +0100 | [diff] [blame] | 2893 | * future messages cannot be forwarded immediately to the |
Hanno Becker | 6d97ef5 | 2018-08-16 13:09:04 +0100 | [diff] [blame] | 2894 | * handshake logic layer. */ |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2895 | if( ssl_hs_is_proper_fragment( ssl ) == 1 ) |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2896 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2897 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); |
Hanno Becker | 6d97ef5 | 2018-08-16 13:09:04 +0100 | [diff] [blame] | 2898 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2899 | } |
| 2900 | } |
| 2901 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2902 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2903 | /* With TLS we don't handle fragmentation (for now) */ |
| 2904 | if( ssl->in_msglen < ssl->in_hslen ) |
| 2905 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2906 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); |
| 2907 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2908 | } |
| 2909 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2910 | return( 0 ); |
| 2911 | } |
| 2912 | |
| 2913 | void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) |
| 2914 | { |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2915 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2916 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2917 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) |
Manuel Pégourié-Gonnard | 14bf706 | 2015-06-23 14:07:13 +0200 | [diff] [blame] | 2918 | { |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2919 | ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); |
Manuel Pégourié-Gonnard | 14bf706 | 2015-06-23 14:07:13 +0200 | [diff] [blame] | 2920 | } |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2921 | |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2922 | /* Handshake message is complete, increment counter */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2923 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2924 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2925 | ssl->handshake != NULL ) |
| 2926 | { |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2927 | unsigned offset; |
| 2928 | mbedtls_ssl_hs_buffer *hs_buf; |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2929 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2930 | /* Increment handshake sequence number */ |
| 2931 | hs->in_msg_seq++; |
| 2932 | |
| 2933 | /* |
| 2934 | * Clear up handshake buffering and reassembly structure. |
| 2935 | */ |
| 2936 | |
| 2937 | /* Free first entry */ |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 2938 | ssl_buffering_free_slot( ssl, 0 ); |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2939 | |
| 2940 | /* Shift all other entries */ |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 2941 | for( offset = 0, hs_buf = &hs->buffering.hs[0]; |
| 2942 | offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS; |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2943 | offset++, hs_buf++ ) |
| 2944 | { |
| 2945 | *hs_buf = *(hs_buf + 1); |
| 2946 | } |
| 2947 | |
| 2948 | /* Create a fresh last entry */ |
| 2949 | memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) ); |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2950 | } |
| 2951 | #endif |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2952 | } |
| 2953 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 2954 | /* |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 2955 | * DTLS anti-replay: RFC 6347 4.1.2.6 |
| 2956 | * |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 2957 | * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). |
| 2958 | * Bit n is set iff record number in_window_top - n has been seen. |
| 2959 | * |
| 2960 | * Usually, in_window_top is the last record number seen and the lsb of |
| 2961 | * in_window is set. The only exception is the initial state (record number 0 |
| 2962 | * not seen yet). |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 2963 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2964 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 7e8e6a6 | 2020-02-05 10:45:48 +0000 | [diff] [blame] | 2965 | void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 2966 | { |
| 2967 | ssl->in_window_top = 0; |
| 2968 | ssl->in_window = 0; |
| 2969 | } |
| 2970 | |
| 2971 | static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) |
| 2972 | { |
| 2973 | return( ( (uint64_t) buf[0] << 40 ) | |
| 2974 | ( (uint64_t) buf[1] << 32 ) | |
| 2975 | ( (uint64_t) buf[2] << 24 ) | |
| 2976 | ( (uint64_t) buf[3] << 16 ) | |
| 2977 | ( (uint64_t) buf[4] << 8 ) | |
| 2978 | ( (uint64_t) buf[5] ) ); |
| 2979 | } |
| 2980 | |
Arto Kinnunen | 7f8089b | 2019-10-29 11:13:33 +0200 | [diff] [blame] | 2981 | static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr ) |
| 2982 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2983 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Arto Kinnunen | 7f8089b | 2019-10-29 11:13:33 +0200 | [diff] [blame] | 2984 | unsigned char *original_in_ctr; |
| 2985 | |
| 2986 | // save original in_ctr |
| 2987 | original_in_ctr = ssl->in_ctr; |
| 2988 | |
| 2989 | // use counter from record |
| 2990 | ssl->in_ctr = record_in_ctr; |
| 2991 | |
| 2992 | ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl ); |
| 2993 | |
| 2994 | // restore the counter |
| 2995 | ssl->in_ctr = original_in_ctr; |
| 2996 | |
| 2997 | return ret; |
| 2998 | } |
| 2999 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3000 | /* |
| 3001 | * Return 0 if sequence number is acceptable, -1 otherwise |
| 3002 | */ |
Hanno Becker | 0183d69 | 2019-07-12 08:50:37 +0100 | [diff] [blame] | 3003 | int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl ) |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3004 | { |
| 3005 | uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); |
| 3006 | uint64_t bit; |
| 3007 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3008 | if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) |
Manuel Pégourié-Gonnard | 2739313 | 2014-09-24 14:41:11 +0200 | [diff] [blame] | 3009 | return( 0 ); |
| 3010 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3011 | if( rec_seqnum > ssl->in_window_top ) |
| 3012 | return( 0 ); |
| 3013 | |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3014 | bit = ssl->in_window_top - rec_seqnum; |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3015 | |
| 3016 | if( bit >= 64 ) |
| 3017 | return( -1 ); |
| 3018 | |
| 3019 | if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) |
| 3020 | return( -1 ); |
| 3021 | |
| 3022 | return( 0 ); |
| 3023 | } |
| 3024 | |
| 3025 | /* |
| 3026 | * Update replay window on new validated record |
| 3027 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3028 | void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3029 | { |
| 3030 | uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); |
| 3031 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3032 | if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) |
Manuel Pégourié-Gonnard | 2739313 | 2014-09-24 14:41:11 +0200 | [diff] [blame] | 3033 | return; |
| 3034 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3035 | if( rec_seqnum > ssl->in_window_top ) |
| 3036 | { |
| 3037 | /* Update window_top and the contents of the window */ |
| 3038 | uint64_t shift = rec_seqnum - ssl->in_window_top; |
| 3039 | |
| 3040 | if( shift >= 64 ) |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3041 | ssl->in_window = 1; |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3042 | else |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3043 | { |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3044 | ssl->in_window <<= shift; |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3045 | ssl->in_window |= 1; |
| 3046 | } |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3047 | |
| 3048 | ssl->in_window_top = rec_seqnum; |
| 3049 | } |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3050 | else |
| 3051 | { |
| 3052 | /* Mark that number as seen in the current window */ |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3053 | uint64_t bit = ssl->in_window_top - rec_seqnum; |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3054 | |
| 3055 | if( bit < 64 ) /* Always true, but be extra sure */ |
| 3056 | ssl->in_window |= (uint64_t) 1 << bit; |
| 3057 | } |
| 3058 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3059 | #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3060 | |
Manuel Pégourié-Gonnard | ddfe5d2 | 2015-09-09 12:46:16 +0200 | [diff] [blame] | 3061 | #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3062 | /* |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3063 | * Without any SSL context, check if a datagram looks like a ClientHello with |
| 3064 | * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. |
Simon Butcher | 0789aed | 2015-09-11 17:15:17 +0100 | [diff] [blame] | 3065 | * Both input and output include full DTLS headers. |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3066 | * |
| 3067 | * - if cookie is valid, return 0 |
| 3068 | * - if ClientHello looks superficially valid but cookie is not, |
| 3069 | * fill obuf and set olen, then |
| 3070 | * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED |
| 3071 | * - otherwise return a specific error code |
| 3072 | */ |
| 3073 | static int ssl_check_dtls_clihlo_cookie( |
| 3074 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| 3075 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| 3076 | void *p_cookie, |
| 3077 | const unsigned char *cli_id, size_t cli_id_len, |
| 3078 | const unsigned char *in, size_t in_len, |
| 3079 | unsigned char *obuf, size_t buf_len, size_t *olen ) |
| 3080 | { |
| 3081 | size_t sid_len, cookie_len; |
| 3082 | unsigned char *p; |
| 3083 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3084 | /* |
| 3085 | * Structure of ClientHello with record and handshake headers, |
| 3086 | * and expected values. We don't need to check a lot, more checks will be |
| 3087 | * done when actually parsing the ClientHello - skipping those checks |
| 3088 | * avoids code duplication and does not make cookie forging any easier. |
| 3089 | * |
| 3090 | * 0-0 ContentType type; copied, must be handshake |
| 3091 | * 1-2 ProtocolVersion version; copied |
| 3092 | * 3-4 uint16 epoch; copied, must be 0 |
| 3093 | * 5-10 uint48 sequence_number; copied |
| 3094 | * 11-12 uint16 length; (ignored) |
| 3095 | * |
| 3096 | * 13-13 HandshakeType msg_type; (ignored) |
| 3097 | * 14-16 uint24 length; (ignored) |
| 3098 | * 17-18 uint16 message_seq; copied |
| 3099 | * 19-21 uint24 fragment_offset; copied, must be 0 |
| 3100 | * 22-24 uint24 fragment_length; (ignored) |
| 3101 | * |
| 3102 | * 25-26 ProtocolVersion client_version; (ignored) |
| 3103 | * 27-58 Random random; (ignored) |
| 3104 | * 59-xx SessionID session_id; 1 byte len + sid_len content |
| 3105 | * 60+ opaque cookie<0..2^8-1>; 1 byte len + content |
| 3106 | * ... |
| 3107 | * |
| 3108 | * Minimum length is 61 bytes. |
| 3109 | */ |
| 3110 | if( in_len < 61 || |
| 3111 | in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 3112 | in[3] != 0 || in[4] != 0 || |
| 3113 | in[19] != 0 || in[20] != 0 || in[21] != 0 ) |
| 3114 | { |
| 3115 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| 3116 | } |
| 3117 | |
| 3118 | sid_len = in[59]; |
| 3119 | if( sid_len > in_len - 61 ) |
| 3120 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| 3121 | |
| 3122 | cookie_len = in[60 + sid_len]; |
| 3123 | if( cookie_len > in_len - 60 ) |
| 3124 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| 3125 | |
| 3126 | if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, |
| 3127 | cli_id, cli_id_len ) == 0 ) |
| 3128 | { |
| 3129 | /* Valid cookie */ |
| 3130 | return( 0 ); |
| 3131 | } |
| 3132 | |
| 3133 | /* |
| 3134 | * If we get here, we've got an invalid cookie, let's prepare HVR. |
| 3135 | * |
| 3136 | * 0-0 ContentType type; copied |
| 3137 | * 1-2 ProtocolVersion version; copied |
| 3138 | * 3-4 uint16 epoch; copied |
| 3139 | * 5-10 uint48 sequence_number; copied |
| 3140 | * 11-12 uint16 length; olen - 13 |
| 3141 | * |
| 3142 | * 13-13 HandshakeType msg_type; hello_verify_request |
| 3143 | * 14-16 uint24 length; olen - 25 |
| 3144 | * 17-18 uint16 message_seq; copied |
| 3145 | * 19-21 uint24 fragment_offset; copied |
| 3146 | * 22-24 uint24 fragment_length; olen - 25 |
| 3147 | * |
| 3148 | * 25-26 ProtocolVersion server_version; 0xfe 0xff |
| 3149 | * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie |
| 3150 | * |
| 3151 | * Minimum length is 28. |
| 3152 | */ |
| 3153 | if( buf_len < 28 ) |
| 3154 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 3155 | |
| 3156 | /* Copy most fields and adapt others */ |
| 3157 | memcpy( obuf, in, 25 ); |
| 3158 | obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| 3159 | obuf[25] = 0xfe; |
| 3160 | obuf[26] = 0xff; |
| 3161 | |
| 3162 | /* Generate and write actual cookie */ |
| 3163 | p = obuf + 28; |
| 3164 | if( f_cookie_write( p_cookie, |
| 3165 | &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) |
| 3166 | { |
| 3167 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 3168 | } |
| 3169 | |
| 3170 | *olen = p - obuf; |
| 3171 | |
| 3172 | /* Go back and fill length fields */ |
| 3173 | obuf[27] = (unsigned char)( *olen - 28 ); |
| 3174 | |
| 3175 | obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); |
| 3176 | obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); |
| 3177 | obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); |
| 3178 | |
| 3179 | obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); |
| 3180 | obuf[12] = (unsigned char)( ( *olen - 13 ) ); |
| 3181 | |
| 3182 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); |
| 3183 | } |
| 3184 | |
| 3185 | /* |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3186 | * Handle possible client reconnect with the same UDP quadruplet |
| 3187 | * (RFC 6347 Section 4.2.8). |
| 3188 | * |
| 3189 | * Called by ssl_parse_record_header() in case we receive an epoch 0 record |
| 3190 | * that looks like a ClientHello. |
| 3191 | * |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3192 | * - if the input looks like a ClientHello without cookies, |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 3193 | * send back HelloVerifyRequest, then return 0 |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3194 | * - if the input looks like a ClientHello with a valid cookie, |
| 3195 | * reset the session of the current context, and |
Manuel Pégourié-Gonnard | be619c1 | 2015-09-08 11:21:21 +0200 | [diff] [blame] | 3196 | * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3197 | * - if anything goes wrong, return a specific error code |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3198 | * |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 3199 | * This function is called (through ssl_check_client_reconnect()) when an |
| 3200 | * unexpected record is found in ssl_get_next_record(), which will discard the |
| 3201 | * record if we return 0, and bubble up the return value otherwise (this |
| 3202 | * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected |
| 3203 | * errors, and is the right thing to do in both cases). |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3204 | */ |
| 3205 | static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) |
| 3206 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3207 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3208 | size_t len; |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3209 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3210 | if( ssl->conf->f_cookie_write == NULL || |
| 3211 | ssl->conf->f_cookie_check == NULL ) |
| 3212 | { |
| 3213 | /* If we can't use cookies to verify reachability of the peer, |
| 3214 | * drop the record. */ |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3215 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, " |
| 3216 | "can't check reconnect validity" ) ); |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3217 | return( 0 ); |
| 3218 | } |
| 3219 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3220 | ret = ssl_check_dtls_clihlo_cookie( |
| 3221 | ssl->conf->f_cookie_write, |
| 3222 | ssl->conf->f_cookie_check, |
| 3223 | ssl->conf->p_cookie, |
| 3224 | ssl->cli_id, ssl->cli_id_len, |
| 3225 | ssl->in_buf, ssl->in_left, |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 3226 | ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len ); |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3227 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3228 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); |
| 3229 | |
| 3230 | if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3231 | { |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3232 | int send_ret; |
| 3233 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) ); |
| 3234 | MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", |
| 3235 | ssl->out_buf, len ); |
Brian J Murray | 1903fb3 | 2016-11-06 04:45:15 -0800 | [diff] [blame] | 3236 | /* Don't check write errors as we can't do anything here. |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3237 | * If the error is permanent we'll catch it later, |
| 3238 | * if it's not, then hopefully it'll work next time. */ |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3239 | send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len ); |
| 3240 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret ); |
| 3241 | (void) send_ret; |
| 3242 | |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 3243 | return( 0 ); |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3244 | } |
| 3245 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3246 | if( ret == 0 ) |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3247 | { |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3248 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) ); |
Hanno Becker | 43aefe2 | 2020-02-05 10:44:56 +0000 | [diff] [blame] | 3249 | if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 ) |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3250 | { |
| 3251 | MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); |
| 3252 | return( ret ); |
| 3253 | } |
| 3254 | |
| 3255 | return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3256 | } |
| 3257 | |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3258 | return( ret ); |
| 3259 | } |
Manuel Pégourié-Gonnard | ddfe5d2 | 2015-09-09 12:46:16 +0200 | [diff] [blame] | 3260 | #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3261 | |
Hanno Becker | f661c9c | 2019-05-03 13:25:54 +0100 | [diff] [blame] | 3262 | static int ssl_check_record_type( uint8_t record_type ) |
| 3263 | { |
| 3264 | if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE && |
| 3265 | record_type != MBEDTLS_SSL_MSG_ALERT && |
| 3266 | record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && |
| 3267 | record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
| 3268 | { |
| 3269 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3270 | } |
| 3271 | |
| 3272 | return( 0 ); |
| 3273 | } |
| 3274 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3275 | /* |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3276 | * ContentType type; |
| 3277 | * ProtocolVersion version; |
| 3278 | * uint16 epoch; // DTLS only |
| 3279 | * uint48 sequence_number; // DTLS only |
| 3280 | * uint16 length; |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3281 | * |
| 3282 | * Return 0 if header looks sane (and, for DTLS, the record is expected) |
Simon Butcher | 207990d | 2015-12-16 01:51:30 +0000 | [diff] [blame] | 3283 | * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3284 | * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. |
| 3285 | * |
| 3286 | * With DTLS, mbedtls_ssl_read_record() will: |
Simon Butcher | 207990d | 2015-12-16 01:51:30 +0000 | [diff] [blame] | 3287 | * 1. proceed with the record if this function returns 0 |
| 3288 | * 2. drop only the current record if this function returns UNEXPECTED_RECORD |
| 3289 | * 3. return CLIENT_RECONNECT if this function return that value |
| 3290 | * 4. drop the whole datagram if this function returns anything else. |
| 3291 | * Point 2 is needed when the peer is resending, and we have already received |
| 3292 | * the first record from a datagram but are still waiting for the others. |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3293 | */ |
Hanno Becker | 331de3d | 2019-07-12 11:10:16 +0100 | [diff] [blame] | 3294 | static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3295 | unsigned char *buf, |
| 3296 | size_t len, |
| 3297 | mbedtls_record *rec ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3298 | { |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 3299 | int major_ver, minor_ver; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3300 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3301 | size_t const rec_hdr_type_offset = 0; |
| 3302 | size_t const rec_hdr_type_len = 1; |
Manuel Pégourié-Gonnard | 64dffc5 | 2014-09-02 13:39:16 +0200 | [diff] [blame] | 3303 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3304 | size_t const rec_hdr_version_offset = rec_hdr_type_offset + |
| 3305 | rec_hdr_type_len; |
| 3306 | size_t const rec_hdr_version_len = 2; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3307 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3308 | size_t const rec_hdr_ctr_len = 8; |
| 3309 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | f546625 | 2019-07-25 10:13:02 +0100 | [diff] [blame] | 3310 | uint32_t rec_epoch; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3311 | size_t const rec_hdr_ctr_offset = rec_hdr_version_offset + |
| 3312 | rec_hdr_version_len; |
| 3313 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3314 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3315 | size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset + |
| 3316 | rec_hdr_ctr_len; |
Hanno Becker | f546625 | 2019-07-25 10:13:02 +0100 | [diff] [blame] | 3317 | size_t rec_hdr_cid_len = 0; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3318 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 3319 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3320 | |
| 3321 | size_t rec_hdr_len_offset; /* To be determined */ |
| 3322 | size_t const rec_hdr_len_len = 2; |
| 3323 | |
| 3324 | /* |
| 3325 | * Check minimum lengths for record header. |
| 3326 | */ |
| 3327 | |
| 3328 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3329 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 3330 | { |
| 3331 | rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len; |
| 3332 | } |
| 3333 | else |
| 3334 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3335 | { |
| 3336 | rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len; |
| 3337 | } |
| 3338 | |
| 3339 | if( len < rec_hdr_len_offset + rec_hdr_len_len ) |
| 3340 | { |
| 3341 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u", |
| 3342 | (unsigned) len, |
| 3343 | (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) ); |
| 3344 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3345 | } |
| 3346 | |
| 3347 | /* |
| 3348 | * Parse and validate record content type |
| 3349 | */ |
| 3350 | |
| 3351 | rec->type = buf[ rec_hdr_type_offset ]; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3352 | |
| 3353 | /* Check record content type */ |
| 3354 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 3355 | rec->cid_len = 0; |
| 3356 | |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3357 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3358 | ssl->conf->cid_len != 0 && |
| 3359 | rec->type == MBEDTLS_SSL_MSG_CID ) |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3360 | { |
| 3361 | /* Shift pointers to account for record header including CID |
| 3362 | * struct { |
| 3363 | * ContentType special_type = tls12_cid; |
| 3364 | * ProtocolVersion version; |
| 3365 | * uint16 epoch; |
| 3366 | * uint48 sequence_number; |
Hanno Becker | 8e55b0f | 2019-05-23 17:03:19 +0100 | [diff] [blame] | 3367 | * opaque cid[cid_length]; // Additional field compared to |
| 3368 | * // default DTLS record format |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3369 | * uint16 length; |
| 3370 | * opaque enc_content[DTLSCiphertext.length]; |
| 3371 | * } DTLSCiphertext; |
| 3372 | */ |
| 3373 | |
| 3374 | /* So far, we only support static CID lengths |
| 3375 | * fixed in the configuration. */ |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3376 | rec_hdr_cid_len = ssl->conf->cid_len; |
| 3377 | rec_hdr_len_offset += rec_hdr_cid_len; |
Hanno Becker | e538d82 | 2019-07-10 14:50:10 +0100 | [diff] [blame] | 3378 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3379 | if( len < rec_hdr_len_offset + rec_hdr_len_len ) |
Hanno Becker | e538d82 | 2019-07-10 14:50:10 +0100 | [diff] [blame] | 3380 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3381 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u", |
| 3382 | (unsigned) len, |
| 3383 | (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) ); |
Hanno Becker | 59be60e | 2019-07-10 14:53:43 +0100 | [diff] [blame] | 3384 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Hanno Becker | e538d82 | 2019-07-10 14:50:10 +0100 | [diff] [blame] | 3385 | } |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3386 | |
Manuel Pégourié-Gonnard | 7e821b5 | 2019-08-02 10:17:15 +0200 | [diff] [blame] | 3387 | /* configured CID len is guaranteed at most 255, see |
| 3388 | * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */ |
| 3389 | rec->cid_len = (uint8_t) rec_hdr_cid_len; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3390 | memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len ); |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3391 | } |
| 3392 | else |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3393 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Manuel Pégourié-Gonnard | edcbe54 | 2014-08-11 19:27:24 +0200 | [diff] [blame] | 3394 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3395 | if( ssl_check_record_type( rec->type ) ) |
| 3396 | { |
Hanno Becker | 5422981 | 2019-07-12 14:40:00 +0100 | [diff] [blame] | 3397 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u", |
| 3398 | (unsigned) rec->type ) ); |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3399 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3400 | } |
Manuel Pégourié-Gonnard | edcbe54 | 2014-08-11 19:27:24 +0200 | [diff] [blame] | 3401 | } |
| 3402 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3403 | /* |
| 3404 | * Parse and validate record version |
| 3405 | */ |
| 3406 | |
Hanno Becker | d0b66d0 | 2019-07-26 08:07:03 +0100 | [diff] [blame] | 3407 | rec->ver[0] = buf[ rec_hdr_version_offset + 0 ]; |
| 3408 | rec->ver[1] = buf[ rec_hdr_version_offset + 1 ]; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3409 | mbedtls_ssl_read_version( &major_ver, &minor_ver, |
| 3410 | ssl->conf->transport, |
Hanno Becker | d0b66d0 | 2019-07-26 08:07:03 +0100 | [diff] [blame] | 3411 | &rec->ver[0] ); |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3412 | |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 3413 | if( major_ver != ssl->major_ver ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3414 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3415 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); |
| 3416 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3417 | } |
| 3418 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3419 | if( minor_ver > ssl->conf->max_minor_ver ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3420 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3421 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); |
| 3422 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3423 | } |
| 3424 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3425 | /* |
| 3426 | * Parse/Copy record sequence number. |
| 3427 | */ |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3428 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3429 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3430 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 3431 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3432 | /* Copy explicit record sequence number from input buffer. */ |
| 3433 | memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset, |
| 3434 | rec_hdr_ctr_len ); |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 3435 | } |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3436 | else |
| 3437 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3438 | { |
| 3439 | /* Copy implicit record sequence number from SSL context structure. */ |
| 3440 | memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len ); |
| 3441 | } |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 3442 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3443 | /* |
| 3444 | * Parse record length. |
| 3445 | */ |
| 3446 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3447 | rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len; |
Hanno Becker | 9eca276 | 2019-07-25 10:16:37 +0100 | [diff] [blame] | 3448 | rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) | |
| 3449 | ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 ); |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3450 | MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3451 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 3452 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 3453 | "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3454 | rec->type, |
| 3455 | major_ver, minor_ver, rec->data_len ) ); |
| 3456 | |
| 3457 | rec->buf = buf; |
| 3458 | rec->buf_len = rec->data_offset + rec->data_len; |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3459 | |
Hanno Becker | d417cc9 | 2019-07-26 08:20:27 +0100 | [diff] [blame] | 3460 | if( rec->data_len == 0 ) |
| 3461 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3462 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3463 | /* |
Hanno Becker | 52c6dc6 | 2017-05-26 16:07:36 +0100 | [diff] [blame] | 3464 | * DTLS-related tests. |
| 3465 | * Check epoch before checking length constraint because |
| 3466 | * the latter varies with the epoch. E.g., if a ChangeCipherSpec |
| 3467 | * message gets duplicated before the corresponding Finished message, |
| 3468 | * the second ChangeCipherSpec should be discarded because it belongs |
| 3469 | * to an old epoch, but not because its length is shorter than |
| 3470 | * the minimum record length for packets using the new record transform. |
| 3471 | * Note that these two kinds of failures are handled differently, |
| 3472 | * as an unexpected record is silently skipped but an invalid |
| 3473 | * record leads to the entire datagram being dropped. |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3474 | */ |
| 3475 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3476 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 3477 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3478 | rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1]; |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3479 | |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 3480 | /* Check that the datagram is large enough to contain a record |
| 3481 | * of the advertised length. */ |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3482 | if( len < rec->data_offset + rec->data_len ) |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 3483 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3484 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.", |
| 3485 | (unsigned) len, |
| 3486 | (unsigned)( rec->data_offset + rec->data_len ) ) ); |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 3487 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3488 | } |
Hanno Becker | 37cfe73 | 2019-07-10 17:20:01 +0100 | [diff] [blame] | 3489 | |
Hanno Becker | 37cfe73 | 2019-07-10 17:20:01 +0100 | [diff] [blame] | 3490 | /* Records from other, non-matching epochs are silently discarded. |
| 3491 | * (The case of same-port Client reconnects must be considered in |
| 3492 | * the caller). */ |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3493 | if( rec_epoch != ssl->in_epoch ) |
| 3494 | { |
| 3495 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 3496 | "expected %u, received %lu", |
| 3497 | ssl->in_epoch, (unsigned long) rec_epoch ) ); |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3498 | |
Hanno Becker | 552f747 | 2019-07-19 10:59:12 +0100 | [diff] [blame] | 3499 | /* Records from the next epoch are considered for buffering |
| 3500 | * (concretely: early Finished messages). */ |
| 3501 | if( rec_epoch == (unsigned) ssl->in_epoch + 1 ) |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3502 | { |
Hanno Becker | 552f747 | 2019-07-19 10:59:12 +0100 | [diff] [blame] | 3503 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) ); |
| 3504 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3505 | } |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 3506 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3507 | return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3508 | } |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3509 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 37cfe73 | 2019-07-10 17:20:01 +0100 | [diff] [blame] | 3510 | /* For records from the correct epoch, check whether their |
| 3511 | * sequence number has been seen before. */ |
Arto Kinnunen | 7f8089b | 2019-10-29 11:13:33 +0200 | [diff] [blame] | 3512 | else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl, |
| 3513 | &rec->ctr[0] ) != 0 ) |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3514 | { |
| 3515 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); |
| 3516 | return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); |
| 3517 | } |
| 3518 | #endif |
| 3519 | } |
| 3520 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3521 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3522 | return( 0 ); |
| 3523 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3524 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3525 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3526 | #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) |
| 3527 | static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl ) |
| 3528 | { |
| 3529 | unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; |
| 3530 | |
| 3531 | /* |
| 3532 | * Check for an epoch 0 ClientHello. We can't use in_msg here to |
| 3533 | * access the first byte of record content (handshake type), as we |
| 3534 | * have an active transform (possibly iv_len != 0), so use the |
| 3535 | * fact that the record header len is 13 instead. |
| 3536 | */ |
| 3537 | if( rec_epoch == 0 && |
| 3538 | ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
| 3539 | ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && |
| 3540 | ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 3541 | ssl->in_left > 13 && |
| 3542 | ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| 3543 | { |
| 3544 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " |
| 3545 | "from the same port" ) ); |
| 3546 | return( ssl_handle_possible_reconnect( ssl ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3547 | } |
| 3548 | |
| 3549 | return( 0 ); |
| 3550 | } |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3551 | #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3552 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3553 | /* |
Manuel Pégourié-Gonnard | c40b685 | 2020-01-03 12:18:49 +0100 | [diff] [blame] | 3554 | * If applicable, decrypt record content |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3555 | */ |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 3556 | static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, |
| 3557 | mbedtls_record *rec ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3558 | { |
| 3559 | int ret, done = 0; |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 3560 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3561 | MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 3562 | rec->buf, rec->buf_len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3563 | |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 3564 | if( !done && ssl->transform_in != NULL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3565 | { |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3566 | unsigned char const old_msg_type = rec->type; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3567 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 3568 | if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 3569 | rec ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3570 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3571 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 3572 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3573 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 3574 | if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID && |
| 3575 | ssl->conf->ignore_unexpected_cid |
| 3576 | == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) |
| 3577 | { |
Hanno Becker | e8d6afd | 2019-05-24 10:11:06 +0100 | [diff] [blame] | 3578 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) ); |
Hanno Becker | 16ded98 | 2019-05-08 13:02:55 +0100 | [diff] [blame] | 3579 | ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 3580 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3581 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 16ded98 | 2019-05-08 13:02:55 +0100 | [diff] [blame] | 3582 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3583 | return( ret ); |
| 3584 | } |
| 3585 | |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3586 | if( old_msg_type != rec->type ) |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3587 | { |
| 3588 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d", |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3589 | old_msg_type, rec->type ) ); |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3590 | } |
| 3591 | |
Hanno Becker | 1c0c37f | 2018-08-07 14:29:29 +0100 | [diff] [blame] | 3592 | MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3593 | rec->buf + rec->data_offset, rec->data_len ); |
Hanno Becker | 1c0c37f | 2018-08-07 14:29:29 +0100 | [diff] [blame] | 3594 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3595 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3596 | /* We have already checked the record content type |
| 3597 | * in ssl_parse_record_header(), failing or silently |
| 3598 | * dropping the record in the case of an unknown type. |
| 3599 | * |
| 3600 | * Since with the use of CIDs, the record content type |
| 3601 | * might change during decryption, re-check the record |
| 3602 | * content type, but treat a failure as fatal this time. */ |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3603 | if( ssl_check_record_type( rec->type ) ) |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3604 | { |
| 3605 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); |
| 3606 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3607 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3608 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3609 | |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3610 | if( rec->data_len == 0 ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3611 | { |
| 3612 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 3613 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3614 | && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3615 | { |
| 3616 | /* TLS v1.2 explicitly disallows zero-length messages which are not application data */ |
| 3617 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) ); |
| 3618 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3619 | } |
| 3620 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 3621 | |
| 3622 | ssl->nb_zero++; |
| 3623 | |
| 3624 | /* |
| 3625 | * Three or more empty messages may be a DoS attack |
| 3626 | * (excessive CPU consumption). |
| 3627 | */ |
| 3628 | if( ssl->nb_zero > 3 ) |
| 3629 | { |
| 3630 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " |
Hanno Becker | 6e7700d | 2019-05-08 10:38:32 +0100 | [diff] [blame] | 3631 | "messages, possible DoS attack" ) ); |
| 3632 | /* Treat the records as if they were not properly authenticated, |
| 3633 | * thereby failing the connection if we see more than allowed |
| 3634 | * by the configured bad MAC threshold. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3635 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
| 3636 | } |
| 3637 | } |
| 3638 | else |
| 3639 | ssl->nb_zero = 0; |
| 3640 | |
| 3641 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3642 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 3643 | { |
| 3644 | ; /* in_ctr read from peer, not maintained internally */ |
| 3645 | } |
| 3646 | else |
| 3647 | #endif |
| 3648 | { |
| 3649 | unsigned i; |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 3650 | for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3651 | if( ++ssl->in_ctr[i - 1] != 0 ) |
| 3652 | break; |
| 3653 | |
| 3654 | /* The loop goes to its end iff the counter is wrapping */ |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 3655 | if( i == mbedtls_ssl_ep_len( ssl ) ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3656 | { |
| 3657 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); |
| 3658 | return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); |
| 3659 | } |
| 3660 | } |
| 3661 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3662 | } |
| 3663 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3664 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3665 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | b47368a | 2014-09-24 13:29:58 +0200 | [diff] [blame] | 3666 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3667 | mbedtls_ssl_dtls_replay_update( ssl ); |
Manuel Pégourié-Gonnard | b47368a | 2014-09-24 13:29:58 +0200 | [diff] [blame] | 3668 | } |
| 3669 | #endif |
| 3670 | |
Hanno Becker | d96e10b | 2019-07-09 17:30:02 +0100 | [diff] [blame] | 3671 | /* Check actual (decrypted) record content length against |
| 3672 | * configured maximum. */ |
| 3673 | if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN ) |
| 3674 | { |
| 3675 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); |
| 3676 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3677 | } |
| 3678 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3679 | return( 0 ); |
| 3680 | } |
| 3681 | |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 3682 | /* |
| 3683 | * Read a record. |
| 3684 | * |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 3685 | * Silently ignore non-fatal alert (and for DTLS, invalid records as well, |
| 3686 | * RFC 6347 4.1.2.7) and continue reading until a valid record is found. |
| 3687 | * |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 3688 | */ |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 3689 | |
| 3690 | /* Helper functions for mbedtls_ssl_read_record(). */ |
| 3691 | static int ssl_consume_current_message( mbedtls_ssl_context *ssl ); |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3692 | static int ssl_get_next_record( mbedtls_ssl_context *ssl ); |
| 3693 | static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl ); |
Hanno Becker | 4162b11 | 2018-08-15 14:05:04 +0100 | [diff] [blame] | 3694 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 3695 | int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, |
Hanno Becker | 3a0aad1 | 2018-08-20 09:44:02 +0100 | [diff] [blame] | 3696 | unsigned update_hs_digest ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3697 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3698 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3699 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3700 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3701 | |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3702 | if( ssl->keep_current_message == 0 ) |
| 3703 | { |
| 3704 | do { |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3705 | |
Hanno Becker | 2699459 | 2018-08-15 14:14:59 +0100 | [diff] [blame] | 3706 | ret = ssl_consume_current_message( ssl ); |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 3707 | if( ret != 0 ) |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3708 | return( ret ); |
Hanno Becker | 2699459 | 2018-08-15 14:14:59 +0100 | [diff] [blame] | 3709 | |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3710 | if( ssl_record_is_in_progress( ssl ) == 0 ) |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3711 | { |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3712 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3713 | int have_buffered = 0; |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3714 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3715 | /* We only check for buffered messages if the |
| 3716 | * current datagram is fully consumed. */ |
| 3717 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 3718 | ssl_next_record_is_in_datagram( ssl ) == 0 ) |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3719 | { |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3720 | if( ssl_load_buffered_message( ssl ) == 0 ) |
| 3721 | have_buffered = 1; |
| 3722 | } |
| 3723 | |
| 3724 | if( have_buffered == 0 ) |
| 3725 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3726 | { |
| 3727 | ret = ssl_get_next_record( ssl ); |
| 3728 | if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ) |
| 3729 | continue; |
| 3730 | |
| 3731 | if( ret != 0 ) |
| 3732 | { |
Hanno Becker | c573ac3 | 2018-08-28 17:15:25 +0100 | [diff] [blame] | 3733 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret ); |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3734 | return( ret ); |
| 3735 | } |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3736 | } |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3737 | } |
| 3738 | |
| 3739 | ret = mbedtls_ssl_handle_message_type( ssl ); |
| 3740 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3741 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3742 | if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) |
| 3743 | { |
| 3744 | /* Buffer future message */ |
| 3745 | ret = ssl_buffer_message( ssl ); |
| 3746 | if( ret != 0 ) |
| 3747 | return( ret ); |
| 3748 | |
| 3749 | ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; |
| 3750 | } |
| 3751 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3752 | |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 3753 | } while( MBEDTLS_ERR_SSL_NON_FATAL == ret || |
| 3754 | MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret ); |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3755 | |
| 3756 | if( 0 != ret ) |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3757 | { |
Hanno Becker | 05c4fc8 | 2017-11-09 14:34:06 +0000 | [diff] [blame] | 3758 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3759 | return( ret ); |
| 3760 | } |
| 3761 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 3762 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
Hanno Becker | 3a0aad1 | 2018-08-20 09:44:02 +0100 | [diff] [blame] | 3763 | update_hs_digest == 1 ) |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3764 | { |
| 3765 | mbedtls_ssl_update_handshake_status( ssl ); |
| 3766 | } |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3767 | } |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3768 | else |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3769 | { |
Hanno Becker | 02f5907 | 2018-08-15 14:00:24 +0100 | [diff] [blame] | 3770 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) ); |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3771 | ssl->keep_current_message = 0; |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3772 | } |
| 3773 | |
| 3774 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); |
| 3775 | |
| 3776 | return( 0 ); |
| 3777 | } |
| 3778 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3779 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 3780 | static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl ) |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3781 | { |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3782 | if( ssl->in_left > ssl->next_record_offset ) |
| 3783 | return( 1 ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3784 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3785 | return( 0 ); |
| 3786 | } |
| 3787 | |
| 3788 | static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ) |
| 3789 | { |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3790 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3791 | mbedtls_ssl_hs_buffer * hs_buf; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3792 | int ret = 0; |
| 3793 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3794 | if( hs == NULL ) |
| 3795 | return( -1 ); |
| 3796 | |
Hanno Becker | e00ae37 | 2018-08-20 09:39:42 +0100 | [diff] [blame] | 3797 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) ); |
| 3798 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3799 | if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC || |
| 3800 | ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) |
| 3801 | { |
| 3802 | /* Check if we have seen a ChangeCipherSpec before. |
| 3803 | * If yes, synthesize a CCS record. */ |
Hanno Becker | 4422bbb | 2018-08-20 09:40:19 +0100 | [diff] [blame] | 3804 | if( !hs->buffering.seen_ccs ) |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3805 | { |
| 3806 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) ); |
| 3807 | ret = -1; |
Hanno Becker | 0d4b376 | 2018-08-20 09:36:59 +0100 | [diff] [blame] | 3808 | goto exit; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3809 | } |
| 3810 | |
Hanno Becker | 39b8bc9 | 2018-08-28 17:17:13 +0100 | [diff] [blame] | 3811 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) ); |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3812 | ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; |
| 3813 | ssl->in_msglen = 1; |
| 3814 | ssl->in_msg[0] = 1; |
| 3815 | |
| 3816 | /* As long as they are equal, the exact value doesn't matter. */ |
| 3817 | ssl->in_left = 0; |
| 3818 | ssl->next_record_offset = 0; |
| 3819 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 3820 | hs->buffering.seen_ccs = 0; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3821 | goto exit; |
| 3822 | } |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3823 | |
Hanno Becker | b8f5014 | 2018-08-28 10:01:34 +0100 | [diff] [blame] | 3824 | #if defined(MBEDTLS_DEBUG_C) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3825 | /* Debug only */ |
| 3826 | { |
| 3827 | unsigned offset; |
| 3828 | for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ ) |
| 3829 | { |
| 3830 | hs_buf = &hs->buffering.hs[offset]; |
| 3831 | if( hs_buf->is_valid == 1 ) |
| 3832 | { |
| 3833 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.", |
| 3834 | hs->in_msg_seq + offset, |
Hanno Becker | a591c48 | 2018-08-28 17:20:00 +0100 | [diff] [blame] | 3835 | hs_buf->is_complete ? "fully" : "partially" ) ); |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3836 | } |
| 3837 | } |
| 3838 | } |
Hanno Becker | b8f5014 | 2018-08-28 10:01:34 +0100 | [diff] [blame] | 3839 | #endif /* MBEDTLS_DEBUG_C */ |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3840 | |
| 3841 | /* Check if we have buffered and/or fully reassembled the |
| 3842 | * next handshake message. */ |
| 3843 | hs_buf = &hs->buffering.hs[0]; |
| 3844 | if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) ) |
| 3845 | { |
| 3846 | /* Synthesize a record containing the buffered HS message. */ |
| 3847 | size_t msg_len = ( hs_buf->data[1] << 16 ) | |
| 3848 | ( hs_buf->data[2] << 8 ) | |
| 3849 | hs_buf->data[3]; |
| 3850 | |
| 3851 | /* Double-check that we haven't accidentally buffered |
| 3852 | * a message that doesn't fit into the input buffer. */ |
| 3853 | if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN ) |
| 3854 | { |
| 3855 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 3856 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 3857 | } |
| 3858 | |
| 3859 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) ); |
| 3860 | MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)", |
| 3861 | hs_buf->data, msg_len + 12 ); |
| 3862 | |
| 3863 | ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3864 | ssl->in_hslen = msg_len + 12; |
| 3865 | ssl->in_msglen = msg_len + 12; |
| 3866 | memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen ); |
| 3867 | |
| 3868 | ret = 0; |
| 3869 | goto exit; |
| 3870 | } |
| 3871 | else |
| 3872 | { |
| 3873 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered", |
| 3874 | hs->in_msg_seq ) ); |
| 3875 | } |
| 3876 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3877 | ret = -1; |
| 3878 | |
| 3879 | exit: |
| 3880 | |
| 3881 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) ); |
| 3882 | return( ret ); |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3883 | } |
| 3884 | |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3885 | static int ssl_buffer_make_space( mbedtls_ssl_context *ssl, |
| 3886 | size_t desired ) |
| 3887 | { |
| 3888 | int offset; |
| 3889 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Hanno Becker | 6e12c1e | 2018-08-24 14:39:15 +0100 | [diff] [blame] | 3890 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available", |
| 3891 | (unsigned) desired ) ); |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3892 | |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 3893 | /* Get rid of future records epoch first, if such exist. */ |
| 3894 | ssl_free_buffered_record( ssl ); |
| 3895 | |
| 3896 | /* Check if we have enough space available now. */ |
| 3897 | if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
| 3898 | hs->buffering.total_bytes_buffered ) ) |
| 3899 | { |
Hanno Becker | 6e12c1e | 2018-08-24 14:39:15 +0100 | [diff] [blame] | 3900 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) ); |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 3901 | return( 0 ); |
| 3902 | } |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3903 | |
Hanno Becker | 4f432ad | 2018-08-28 10:02:32 +0100 | [diff] [blame] | 3904 | /* We don't have enough space to buffer the next expected handshake |
| 3905 | * message. Remove buffers used for future messages to gain space, |
| 3906 | * starting with the most distant one. */ |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3907 | for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1; |
| 3908 | offset >= 0; offset-- ) |
| 3909 | { |
| 3910 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message", |
| 3911 | offset ) ); |
| 3912 | |
Hanno Becker | b309b92 | 2018-08-23 13:18:05 +0100 | [diff] [blame] | 3913 | ssl_buffering_free_slot( ssl, (uint8_t) offset ); |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3914 | |
| 3915 | /* Check if we have enough space available now. */ |
| 3916 | if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
| 3917 | hs->buffering.total_bytes_buffered ) ) |
| 3918 | { |
Hanno Becker | 6e12c1e | 2018-08-24 14:39:15 +0100 | [diff] [blame] | 3919 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) ); |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3920 | return( 0 ); |
| 3921 | } |
| 3922 | } |
| 3923 | |
| 3924 | return( -1 ); |
| 3925 | } |
| 3926 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3927 | static int ssl_buffer_message( mbedtls_ssl_context *ssl ) |
| 3928 | { |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3929 | int ret = 0; |
| 3930 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 3931 | |
| 3932 | if( hs == NULL ) |
| 3933 | return( 0 ); |
| 3934 | |
| 3935 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) ); |
| 3936 | |
| 3937 | switch( ssl->in_msgtype ) |
| 3938 | { |
| 3939 | case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC: |
| 3940 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) ); |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 3941 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 3942 | hs->buffering.seen_ccs = 1; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3943 | break; |
| 3944 | |
| 3945 | case MBEDTLS_SSL_MSG_HANDSHAKE: |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3946 | { |
| 3947 | unsigned recv_msg_seq_offset; |
| 3948 | unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; |
| 3949 | mbedtls_ssl_hs_buffer *hs_buf; |
| 3950 | size_t msg_len = ssl->in_hslen - 12; |
| 3951 | |
| 3952 | /* We should never receive an old handshake |
| 3953 | * message - double-check nonetheless. */ |
| 3954 | if( recv_msg_seq < ssl->handshake->in_msg_seq ) |
| 3955 | { |
| 3956 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 3957 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 3958 | } |
| 3959 | |
| 3960 | recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq; |
| 3961 | if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS ) |
| 3962 | { |
| 3963 | /* Silently ignore -- message too far in the future */ |
| 3964 | MBEDTLS_SSL_DEBUG_MSG( 2, |
| 3965 | ( "Ignore future HS message with sequence number %u, " |
| 3966 | "buffering window %u - %u", |
| 3967 | recv_msg_seq, ssl->handshake->in_msg_seq, |
| 3968 | ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) ); |
| 3969 | |
| 3970 | goto exit; |
| 3971 | } |
| 3972 | |
| 3973 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ", |
| 3974 | recv_msg_seq, recv_msg_seq_offset ) ); |
| 3975 | |
| 3976 | hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ]; |
| 3977 | |
| 3978 | /* Check if the buffering for this seq nr has already commenced. */ |
Hanno Becker | 4422bbb | 2018-08-20 09:40:19 +0100 | [diff] [blame] | 3979 | if( !hs_buf->is_valid ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3980 | { |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 3981 | size_t reassembly_buf_sz; |
| 3982 | |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3983 | hs_buf->is_fragmented = |
| 3984 | ( ssl_hs_is_proper_fragment( ssl ) == 1 ); |
| 3985 | |
| 3986 | /* We copy the message back into the input buffer |
| 3987 | * after reassembly, so check that it's not too large. |
| 3988 | * This is an implementation-specific limitation |
| 3989 | * and not one from the standard, hence it is not |
| 3990 | * checked in ssl_check_hs_header(). */ |
Hanno Becker | 96a6c69 | 2018-08-21 15:56:03 +0100 | [diff] [blame] | 3991 | if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3992 | { |
| 3993 | /* Ignore message */ |
| 3994 | goto exit; |
| 3995 | } |
| 3996 | |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 3997 | /* Check if we have enough space to buffer the message. */ |
| 3998 | if( hs->buffering.total_bytes_buffered > |
| 3999 | MBEDTLS_SSL_DTLS_MAX_BUFFERING ) |
| 4000 | { |
| 4001 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4002 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4003 | } |
| 4004 | |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 4005 | reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len, |
| 4006 | hs_buf->is_fragmented ); |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4007 | |
| 4008 | if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
| 4009 | hs->buffering.total_bytes_buffered ) ) |
| 4010 | { |
| 4011 | if( recv_msg_seq_offset > 0 ) |
| 4012 | { |
| 4013 | /* If we can't buffer a future message because |
| 4014 | * of space limitations -- ignore. */ |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4015 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET |
| 4016 | " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4017 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4018 | " bytes buffered) -- ignore\n", |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4019 | msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4020 | hs->buffering.total_bytes_buffered ) ); |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4021 | goto exit; |
| 4022 | } |
Hanno Becker | e180139 | 2018-08-21 16:51:05 +0100 | [diff] [blame] | 4023 | else |
| 4024 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4025 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET |
| 4026 | " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4027 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4028 | " bytes buffered) -- attempt to make space by freeing buffered future messages\n", |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4029 | msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4030 | hs->buffering.total_bytes_buffered ) ); |
Hanno Becker | e180139 | 2018-08-21 16:51:05 +0100 | [diff] [blame] | 4031 | } |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4032 | |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 4033 | if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 ) |
Hanno Becker | 55e9e2a | 2018-08-21 16:07:55 +0100 | [diff] [blame] | 4034 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4035 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET |
| 4036 | " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed" |
| 4037 | " the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4038 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4039 | " bytes buffered) -- fail\n", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4040 | msg_len, |
| 4041 | reassembly_buf_sz, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4042 | (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4043 | hs->buffering.total_bytes_buffered ) ); |
Hanno Becker | 55e9e2a | 2018-08-21 16:07:55 +0100 | [diff] [blame] | 4044 | ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| 4045 | goto exit; |
| 4046 | } |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4047 | } |
| 4048 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4049 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4050 | msg_len ) ); |
| 4051 | |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 4052 | hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz ); |
| 4053 | if( hs_buf->data == NULL ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4054 | { |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4055 | ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4056 | goto exit; |
| 4057 | } |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4058 | hs_buf->data_len = reassembly_buf_sz; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4059 | |
| 4060 | /* Prepare final header: copy msg_type, length and message_seq, |
| 4061 | * then add standardised fragment_offset and fragment_length */ |
| 4062 | memcpy( hs_buf->data, ssl->in_msg, 6 ); |
| 4063 | memset( hs_buf->data + 6, 0, 3 ); |
| 4064 | memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ); |
| 4065 | |
| 4066 | hs_buf->is_valid = 1; |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4067 | |
| 4068 | hs->buffering.total_bytes_buffered += reassembly_buf_sz; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4069 | } |
| 4070 | else |
| 4071 | { |
| 4072 | /* Make sure msg_type and length are consistent */ |
| 4073 | if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 ) |
| 4074 | { |
| 4075 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) ); |
| 4076 | /* Ignore */ |
| 4077 | goto exit; |
| 4078 | } |
| 4079 | } |
| 4080 | |
Hanno Becker | 4422bbb | 2018-08-20 09:40:19 +0100 | [diff] [blame] | 4081 | if( !hs_buf->is_complete ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4082 | { |
| 4083 | size_t frag_len, frag_off; |
| 4084 | unsigned char * const msg = hs_buf->data + 12; |
| 4085 | |
| 4086 | /* |
| 4087 | * Check and copy current fragment |
| 4088 | */ |
| 4089 | |
| 4090 | /* Validation of header fields already done in |
| 4091 | * mbedtls_ssl_prepare_handshake_record(). */ |
| 4092 | frag_off = ssl_get_hs_frag_off( ssl ); |
| 4093 | frag_len = ssl_get_hs_frag_len( ssl ); |
| 4094 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4095 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET |
| 4096 | ", length = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4097 | frag_off, frag_len ) ); |
| 4098 | memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); |
| 4099 | |
| 4100 | if( hs_buf->is_fragmented ) |
| 4101 | { |
| 4102 | unsigned char * const bitmask = msg + msg_len; |
| 4103 | ssl_bitmask_set( bitmask, frag_off, frag_len ); |
| 4104 | hs_buf->is_complete = ( ssl_bitmask_check( bitmask, |
| 4105 | msg_len ) == 0 ); |
| 4106 | } |
| 4107 | else |
| 4108 | { |
| 4109 | hs_buf->is_complete = 1; |
| 4110 | } |
| 4111 | |
| 4112 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete", |
| 4113 | hs_buf->is_complete ? "" : "not yet " ) ); |
| 4114 | } |
| 4115 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4116 | break; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4117 | } |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4118 | |
| 4119 | default: |
Hanno Becker | 360bef3 | 2018-08-28 10:04:33 +0100 | [diff] [blame] | 4120 | /* We don't buffer other types of messages. */ |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4121 | break; |
| 4122 | } |
| 4123 | |
| 4124 | exit: |
| 4125 | |
| 4126 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) ); |
| 4127 | return( ret ); |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 4128 | } |
| 4129 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4130 | |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4131 | static int ssl_consume_current_message( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4132 | { |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4133 | /* |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4134 | * Consume last content-layer message and potentially |
| 4135 | * update in_msglen which keeps track of the contents' |
| 4136 | * consumption state. |
| 4137 | * |
| 4138 | * (1) Handshake messages: |
| 4139 | * Remove last handshake message, move content |
| 4140 | * and adapt in_msglen. |
| 4141 | * |
| 4142 | * (2) Alert messages: |
| 4143 | * Consume whole record content, in_msglen = 0. |
| 4144 | * |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4145 | * (3) Change cipher spec: |
| 4146 | * Consume whole record content, in_msglen = 0. |
| 4147 | * |
| 4148 | * (4) Application data: |
| 4149 | * Don't do anything - the record layer provides |
| 4150 | * the application data as a stream transport |
| 4151 | * and consumes through mbedtls_ssl_read only. |
| 4152 | * |
| 4153 | */ |
| 4154 | |
| 4155 | /* Case (1): Handshake messages */ |
| 4156 | if( ssl->in_hslen != 0 ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4157 | { |
Hanno Becker | bb9dd0c | 2017-06-08 11:55:34 +0100 | [diff] [blame] | 4158 | /* Hard assertion to be sure that no application data |
| 4159 | * is in flight, as corrupting ssl->in_msglen during |
| 4160 | * ssl->in_offt != NULL is fatal. */ |
| 4161 | if( ssl->in_offt != NULL ) |
| 4162 | { |
| 4163 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4164 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4165 | } |
| 4166 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4167 | /* |
| 4168 | * Get next Handshake message in the current record |
| 4169 | */ |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4170 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4171 | /* Notes: |
Hanno Becker | e72489d | 2017-10-23 13:23:50 +0100 | [diff] [blame] | 4172 | * (1) in_hslen is not necessarily the size of the |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4173 | * current handshake content: If DTLS handshake |
| 4174 | * fragmentation is used, that's the fragment |
| 4175 | * size instead. Using the total handshake message |
Hanno Becker | e72489d | 2017-10-23 13:23:50 +0100 | [diff] [blame] | 4176 | * size here is faulty and should be changed at |
| 4177 | * some point. |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4178 | * (2) While it doesn't seem to cause problems, one |
| 4179 | * has to be very careful not to assume that in_hslen |
| 4180 | * is always <= in_msglen in a sensible communication. |
| 4181 | * Again, it's wrong for DTLS handshake fragmentation. |
| 4182 | * The following check is therefore mandatory, and |
| 4183 | * should not be treated as a silently corrected assertion. |
Hanno Becker | bb9dd0c | 2017-06-08 11:55:34 +0100 | [diff] [blame] | 4184 | * Additionally, ssl->in_hslen might be arbitrarily out of |
| 4185 | * bounds after handling a DTLS message with an unexpected |
| 4186 | * sequence number, see mbedtls_ssl_prepare_handshake_record. |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4187 | */ |
| 4188 | if( ssl->in_hslen < ssl->in_msglen ) |
| 4189 | { |
| 4190 | ssl->in_msglen -= ssl->in_hslen; |
| 4191 | memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, |
| 4192 | ssl->in_msglen ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4193 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4194 | MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", |
| 4195 | ssl->in_msg, ssl->in_msglen ); |
| 4196 | } |
| 4197 | else |
| 4198 | { |
| 4199 | ssl->in_msglen = 0; |
| 4200 | } |
Manuel Pégourié-Gonnard | 4a17536 | 2014-09-09 17:45:31 +0200 | [diff] [blame] | 4201 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4202 | ssl->in_hslen = 0; |
| 4203 | } |
| 4204 | /* Case (4): Application data */ |
| 4205 | else if( ssl->in_offt != NULL ) |
| 4206 | { |
| 4207 | return( 0 ); |
| 4208 | } |
| 4209 | /* Everything else (CCS & Alerts) */ |
| 4210 | else |
| 4211 | { |
| 4212 | ssl->in_msglen = 0; |
| 4213 | } |
| 4214 | |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4215 | return( 0 ); |
| 4216 | } |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4217 | |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 4218 | static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl ) |
| 4219 | { |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4220 | if( ssl->in_msglen > 0 ) |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 4221 | return( 1 ); |
| 4222 | |
| 4223 | return( 0 ); |
| 4224 | } |
| 4225 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4226 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4227 | |
| 4228 | static void ssl_free_buffered_record( mbedtls_ssl_context *ssl ) |
| 4229 | { |
| 4230 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 4231 | if( hs == NULL ) |
| 4232 | return; |
| 4233 | |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4234 | if( hs->buffering.future_record.data != NULL ) |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4235 | { |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4236 | hs->buffering.total_bytes_buffered -= |
| 4237 | hs->buffering.future_record.len; |
| 4238 | |
| 4239 | mbedtls_free( hs->buffering.future_record.data ); |
| 4240 | hs->buffering.future_record.data = NULL; |
| 4241 | } |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4242 | } |
| 4243 | |
| 4244 | static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ) |
| 4245 | { |
| 4246 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 4247 | unsigned char * rec; |
| 4248 | size_t rec_len; |
| 4249 | unsigned rec_epoch; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 4250 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 4251 | size_t in_buf_len = ssl->in_buf_len; |
| 4252 | #else |
| 4253 | size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; |
| 4254 | #endif |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4255 | if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4256 | return( 0 ); |
| 4257 | |
| 4258 | if( hs == NULL ) |
| 4259 | return( 0 ); |
| 4260 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4261 | rec = hs->buffering.future_record.data; |
| 4262 | rec_len = hs->buffering.future_record.len; |
| 4263 | rec_epoch = hs->buffering.future_record.epoch; |
| 4264 | |
| 4265 | if( rec == NULL ) |
| 4266 | return( 0 ); |
| 4267 | |
Hanno Becker | 4cb782d | 2018-08-20 11:19:05 +0100 | [diff] [blame] | 4268 | /* Only consider loading future records if the |
| 4269 | * input buffer is empty. */ |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 4270 | if( ssl_next_record_is_in_datagram( ssl ) == 1 ) |
Hanno Becker | 4cb782d | 2018-08-20 11:19:05 +0100 | [diff] [blame] | 4271 | return( 0 ); |
| 4272 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4273 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) ); |
| 4274 | |
| 4275 | if( rec_epoch != ssl->in_epoch ) |
| 4276 | { |
| 4277 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) ); |
| 4278 | goto exit; |
| 4279 | } |
| 4280 | |
| 4281 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) ); |
| 4282 | |
| 4283 | /* Double-check that the record is not too large */ |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 4284 | if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) ) |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4285 | { |
| 4286 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4287 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4288 | } |
| 4289 | |
| 4290 | memcpy( ssl->in_hdr, rec, rec_len ); |
| 4291 | ssl->in_left = rec_len; |
| 4292 | ssl->next_record_offset = 0; |
| 4293 | |
| 4294 | ssl_free_buffered_record( ssl ); |
| 4295 | |
| 4296 | exit: |
| 4297 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) ); |
| 4298 | return( 0 ); |
| 4299 | } |
| 4300 | |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4301 | static int ssl_buffer_future_record( mbedtls_ssl_context *ssl, |
| 4302 | mbedtls_record const *rec ) |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4303 | { |
| 4304 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4305 | |
| 4306 | /* Don't buffer future records outside handshakes. */ |
| 4307 | if( hs == NULL ) |
| 4308 | return( 0 ); |
| 4309 | |
| 4310 | /* Only buffer handshake records (we are only interested |
| 4311 | * in Finished messages). */ |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4312 | if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE ) |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4313 | return( 0 ); |
| 4314 | |
| 4315 | /* Don't buffer more than one future epoch record. */ |
| 4316 | if( hs->buffering.future_record.data != NULL ) |
| 4317 | return( 0 ); |
| 4318 | |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4319 | /* Don't buffer record if there's not enough buffering space remaining. */ |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4320 | if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4321 | hs->buffering.total_bytes_buffered ) ) |
| 4322 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4323 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET |
| 4324 | " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4325 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4326 | " bytes buffered) -- ignore\n", |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4327 | rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4328 | hs->buffering.total_bytes_buffered ) ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4329 | return( 0 ); |
| 4330 | } |
| 4331 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4332 | /* Buffer record */ |
| 4333 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4334 | ssl->in_epoch + 1U ) ); |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4335 | MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len ); |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4336 | |
| 4337 | /* ssl_parse_record_header() only considers records |
| 4338 | * of the next epoch as candidates for buffering. */ |
| 4339 | hs->buffering.future_record.epoch = ssl->in_epoch + 1; |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4340 | hs->buffering.future_record.len = rec->buf_len; |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4341 | |
| 4342 | hs->buffering.future_record.data = |
| 4343 | mbedtls_calloc( 1, hs->buffering.future_record.len ); |
| 4344 | if( hs->buffering.future_record.data == NULL ) |
| 4345 | { |
| 4346 | /* If we run out of RAM trying to buffer a |
| 4347 | * record from the next epoch, just ignore. */ |
| 4348 | return( 0 ); |
| 4349 | } |
| 4350 | |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4351 | memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len ); |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4352 | |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4353 | hs->buffering.total_bytes_buffered += rec->buf_len; |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4354 | return( 0 ); |
| 4355 | } |
| 4356 | |
| 4357 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4358 | |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 4359 | static int ssl_get_next_record( mbedtls_ssl_context *ssl ) |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4360 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4361 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 4362 | mbedtls_record rec; |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4363 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4364 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4365 | /* We might have buffered a future record; if so, |
| 4366 | * and if the epoch matches now, load it. |
| 4367 | * On success, this call will set ssl->in_left to |
| 4368 | * the length of the buffered record, so that |
| 4369 | * the calls to ssl_fetch_input() below will |
| 4370 | * essentially be no-ops. */ |
| 4371 | ret = ssl_load_buffered_record( ssl ); |
| 4372 | if( ret != 0 ) |
| 4373 | return( ret ); |
| 4374 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4375 | |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 4376 | /* Ensure that we have enough space available for the default form |
| 4377 | * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS, |
| 4378 | * with no space for CIDs counted in). */ |
| 4379 | ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) ); |
| 4380 | if( ret != 0 ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4381 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4382 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4383 | return( ret ); |
| 4384 | } |
| 4385 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 4386 | ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec ); |
| 4387 | if( ret != 0 ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4388 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4389 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4390 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4391 | { |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4392 | if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) |
| 4393 | { |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4394 | ret = ssl_buffer_future_record( ssl, &rec ); |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4395 | if( ret != 0 ) |
| 4396 | return( ret ); |
| 4397 | |
| 4398 | /* Fall through to handling of unexpected records */ |
| 4399 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; |
| 4400 | } |
| 4401 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 4402 | if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) |
| 4403 | { |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4404 | #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) |
Hanno Becker | d8bf8ce | 2019-07-12 09:23:47 +0100 | [diff] [blame] | 4405 | /* Reset in pointers to default state for TLS/DTLS records, |
| 4406 | * assuming no CID and no offset between record content and |
| 4407 | * record plaintext. */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4408 | mbedtls_ssl_update_in_pointers( ssl ); |
Hanno Becker | d8bf8ce | 2019-07-12 09:23:47 +0100 | [diff] [blame] | 4409 | |
Hanno Becker | 7ae20e0 | 2019-07-12 08:33:49 +0100 | [diff] [blame] | 4410 | /* Setup internal message pointers from record structure. */ |
| 4411 | ssl->in_msgtype = rec.type; |
| 4412 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 4413 | ssl->in_len = ssl->in_cid + rec.cid_len; |
| 4414 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 4415 | ssl->in_iv = ssl->in_msg = ssl->in_len + 2; |
| 4416 | ssl->in_msglen = rec.data_len; |
| 4417 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4418 | ret = ssl_check_client_reconnect( ssl ); |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 4419 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret ); |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4420 | if( ret != 0 ) |
| 4421 | return( ret ); |
| 4422 | #endif |
| 4423 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 4424 | /* Skip unexpected record (but not whole datagram) */ |
Hanno Becker | 4acada3 | 2019-07-11 12:48:53 +0100 | [diff] [blame] | 4425 | ssl->next_record_offset = rec.buf_len; |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4426 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 4427 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " |
| 4428 | "(header)" ) ); |
| 4429 | } |
| 4430 | else |
| 4431 | { |
| 4432 | /* Skip invalid record and the rest of the datagram */ |
| 4433 | ssl->next_record_offset = 0; |
| 4434 | ssl->in_left = 0; |
| 4435 | |
| 4436 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " |
| 4437 | "(header)" ) ); |
| 4438 | } |
| 4439 | |
| 4440 | /* Get next record */ |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 4441 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4442 | } |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4443 | else |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4444 | #endif |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4445 | { |
| 4446 | return( ret ); |
| 4447 | } |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4448 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4449 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4450 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4451 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 4452 | { |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4453 | /* Remember offset of next record within datagram. */ |
Hanno Becker | f50da50 | 2019-07-11 12:50:10 +0100 | [diff] [blame] | 4454 | ssl->next_record_offset = rec.buf_len; |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 4455 | if( ssl->next_record_offset < ssl->in_left ) |
| 4456 | { |
| 4457 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) ); |
| 4458 | } |
| 4459 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4460 | else |
| 4461 | #endif |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4462 | { |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 4463 | /* |
| 4464 | * Fetch record contents from underlying transport. |
| 4465 | */ |
Hanno Becker | a317566 | 2019-07-11 12:50:29 +0100 | [diff] [blame] | 4466 | ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len ); |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4467 | if( ret != 0 ) |
| 4468 | { |
| 4469 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| 4470 | return( ret ); |
| 4471 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4472 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4473 | ssl->in_left = 0; |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4474 | } |
| 4475 | |
| 4476 | /* |
| 4477 | * Decrypt record contents. |
| 4478 | */ |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4479 | |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 4480 | if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4481 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4482 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4483 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4484 | { |
| 4485 | /* Silently discard invalid records */ |
Hanno Becker | 82e2a39 | 2019-05-03 16:36:59 +0100 | [diff] [blame] | 4486 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4487 | { |
Manuel Pégourié-Gonnard | 0a88574 | 2015-08-04 12:08:35 +0200 | [diff] [blame] | 4488 | /* Except when waiting for Finished as a bad mac here |
| 4489 | * probably means something went wrong in the handshake |
| 4490 | * (eg wrong psk used, mitm downgrade attempt, etc.) */ |
| 4491 | if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || |
| 4492 | ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) |
| 4493 | { |
| 4494 | #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) |
| 4495 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
| 4496 | { |
| 4497 | mbedtls_ssl_send_alert_message( ssl, |
| 4498 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4499 | MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); |
| 4500 | } |
| 4501 | #endif |
| 4502 | return( ret ); |
| 4503 | } |
| 4504 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4505 | if( ssl->conf->badmac_limit != 0 && |
| 4506 | ++ssl->badmac_seen >= ssl->conf->badmac_limit ) |
Manuel Pégourié-Gonnard | b0643d1 | 2014-10-14 18:30:36 +0200 | [diff] [blame] | 4507 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4508 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); |
| 4509 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | b0643d1 | 2014-10-14 18:30:36 +0200 | [diff] [blame] | 4510 | } |
Manuel Pégourié-Gonnard | b0643d1 | 2014-10-14 18:30:36 +0200 | [diff] [blame] | 4511 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4512 | /* As above, invalid records cause |
| 4513 | * dismissal of the whole datagram. */ |
| 4514 | |
| 4515 | ssl->next_record_offset = 0; |
| 4516 | ssl->in_left = 0; |
| 4517 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4518 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 4519 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4520 | } |
| 4521 | |
| 4522 | return( ret ); |
| 4523 | } |
| 4524 | else |
| 4525 | #endif |
| 4526 | { |
| 4527 | /* Error out (and send alert) on invalid records */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4528 | #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) |
| 4529 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4530 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4531 | mbedtls_ssl_send_alert_message( ssl, |
| 4532 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4533 | MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4534 | } |
| 4535 | #endif |
| 4536 | return( ret ); |
| 4537 | } |
| 4538 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4539 | |
Hanno Becker | 44d89b2 | 2019-07-12 09:40:44 +0100 | [diff] [blame] | 4540 | |
| 4541 | /* Reset in pointers to default state for TLS/DTLS records, |
| 4542 | * assuming no CID and no offset between record content and |
| 4543 | * record plaintext. */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4544 | mbedtls_ssl_update_in_pointers( ssl ); |
Hanno Becker | 44d89b2 | 2019-07-12 09:40:44 +0100 | [diff] [blame] | 4545 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 4546 | ssl->in_len = ssl->in_cid + rec.cid_len; |
| 4547 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
irwir | 89af51f | 2019-09-26 21:04:56 +0300 | [diff] [blame] | 4548 | ssl->in_iv = ssl->in_len + 2; |
Hanno Becker | 44d89b2 | 2019-07-12 09:40:44 +0100 | [diff] [blame] | 4549 | |
Hanno Becker | 8685c82 | 2019-07-12 09:37:30 +0100 | [diff] [blame] | 4550 | /* The record content type may change during decryption, |
| 4551 | * so re-read it. */ |
| 4552 | ssl->in_msgtype = rec.type; |
| 4553 | /* Also update the input buffer, because unfortunately |
| 4554 | * the server-side ssl_parse_client_hello() reparses the |
| 4555 | * record header when receiving a ClientHello initiating |
| 4556 | * a renegotiation. */ |
| 4557 | ssl->in_hdr[0] = rec.type; |
| 4558 | ssl->in_msg = rec.buf + rec.data_offset; |
| 4559 | ssl->in_msglen = rec.data_len; |
| 4560 | ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 ); |
| 4561 | ssl->in_len[1] = (unsigned char)( rec.data_len ); |
| 4562 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4563 | return( 0 ); |
| 4564 | } |
| 4565 | |
| 4566 | int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) |
| 4567 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4568 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4569 | |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 4570 | /* |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4571 | * Handle particular types of records |
| 4572 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4573 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4574 | { |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4575 | if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 ) |
| 4576 | { |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 4577 | return( ret ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4578 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4579 | } |
| 4580 | |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4581 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4582 | { |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4583 | if( ssl->in_msglen != 1 ) |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4584 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4585 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4586 | ssl->in_msglen ) ); |
| 4587 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4588 | } |
| 4589 | |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4590 | if( ssl->in_msg[0] != 1 ) |
| 4591 | { |
| 4592 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x", |
| 4593 | ssl->in_msg[0] ) ); |
| 4594 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 4595 | } |
| 4596 | |
| 4597 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4598 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 4599 | ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && |
| 4600 | ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) |
| 4601 | { |
| 4602 | if( ssl->handshake == NULL ) |
| 4603 | { |
| 4604 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) ); |
| 4605 | return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); |
| 4606 | } |
| 4607 | |
| 4608 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) ); |
| 4609 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
| 4610 | } |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4611 | #endif |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4612 | } |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4613 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4614 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4615 | { |
Angus Gratton | 1a7a17e | 2018-06-20 15:43:50 +1000 | [diff] [blame] | 4616 | if( ssl->in_msglen != 2 ) |
| 4617 | { |
| 4618 | /* Note: Standard allows for more than one 2 byte alert |
| 4619 | to be packed in a single message, but Mbed TLS doesn't |
| 4620 | currently support this. */ |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4621 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET, |
Angus Gratton | 1a7a17e | 2018-06-20 15:43:50 +1000 | [diff] [blame] | 4622 | ssl->in_msglen ) ); |
| 4623 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 4624 | } |
| 4625 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4626 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4627 | ssl->in_msg[0], ssl->in_msg[1] ) ); |
| 4628 | |
| 4629 | /* |
Simon Butcher | 459a950 | 2015-10-27 16:09:03 +0000 | [diff] [blame] | 4630 | * Ignore non-fatal alerts, except close_notify and no_renegotiation |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4631 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4632 | if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4633 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4634 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", |
Paul Bakker | 2770fbd | 2012-07-03 13:30:23 +0000 | [diff] [blame] | 4635 | ssl->in_msg[1] ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4636 | return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4637 | } |
| 4638 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4639 | if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && |
| 4640 | ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4641 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4642 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); |
| 4643 | return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4644 | } |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 4645 | |
| 4646 | #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) |
| 4647 | if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && |
| 4648 | ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) |
| 4649 | { |
Mateusz Starzyk | f5c5351 | 2021-04-15 13:28:52 +0200 | [diff] [blame] | 4650 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a no renegotiation alert" ) ); |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 4651 | /* Will be handled when trying to parse ServerHello */ |
| 4652 | return( 0 ); |
| 4653 | } |
| 4654 | #endif |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 4655 | /* Silently ignore: fetch new message */ |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4656 | return MBEDTLS_ERR_SSL_NON_FATAL; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4657 | } |
| 4658 | |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4659 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4660 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4661 | { |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4662 | /* Drop unexpected ApplicationData records, |
| 4663 | * except at the beginning of renegotiations */ |
| 4664 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && |
| 4665 | ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER |
| 4666 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 4667 | && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 4668 | ssl->state == MBEDTLS_SSL_SERVER_HELLO ) |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4669 | #endif |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4670 | ) |
| 4671 | { |
| 4672 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); |
| 4673 | return( MBEDTLS_ERR_SSL_NON_FATAL ); |
| 4674 | } |
| 4675 | |
| 4676 | if( ssl->handshake != NULL && |
| 4677 | ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
| 4678 | { |
Hanno Becker | ce5f5fd | 2020-02-05 10:47:44 +0000 | [diff] [blame] | 4679 | mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4680 | } |
| 4681 | } |
Hanno Becker | 4a4af9f | 2019-05-08 16:26:21 +0100 | [diff] [blame] | 4682 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4683 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4684 | return( 0 ); |
| 4685 | } |
| 4686 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4687 | int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) |
Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 4688 | { |
irwir | 6c0da64 | 2019-09-26 21:07:41 +0300 | [diff] [blame] | 4689 | return( mbedtls_ssl_send_alert_message( ssl, |
| 4690 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4691 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ); |
Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 4692 | } |
| 4693 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4694 | int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4695 | unsigned char level, |
| 4696 | unsigned char message ) |
| 4697 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4698 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4699 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 4700 | if( ssl == NULL || ssl->conf == NULL ) |
| 4701 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 4702 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4703 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); |
Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 4704 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message )); |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4705 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4706 | ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4707 | ssl->out_msglen = 2; |
| 4708 | ssl->out_msg[0] = level; |
| 4709 | ssl->out_msg[1] = message; |
| 4710 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 4711 | if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4712 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4713 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4714 | return( ret ); |
| 4715 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4716 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4717 | |
| 4718 | return( 0 ); |
| 4719 | } |
| 4720 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4721 | int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4722 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4723 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4724 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4725 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4726 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4727 | ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4728 | ssl->out_msglen = 1; |
| 4729 | ssl->out_msg[0] = 1; |
| 4730 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4731 | ssl->state++; |
| 4732 | |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 4733 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4734 | { |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 4735 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4736 | return( ret ); |
| 4737 | } |
| 4738 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4739 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4740 | |
| 4741 | return( 0 ); |
| 4742 | } |
| 4743 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4744 | int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4745 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4746 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4747 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4748 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4749 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 4750 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4751 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4752 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4753 | return( ret ); |
| 4754 | } |
| 4755 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4756 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4757 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4758 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); |
Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 4759 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4760 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4761 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4762 | } |
| 4763 | |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4764 | /* CCS records are only accepted if they have length 1 and content '1', |
| 4765 | * so we don't need to check this here. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4766 | |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4767 | /* |
| 4768 | * Switch to our negotiated transform and session parameters for inbound |
| 4769 | * data. |
| 4770 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4771 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4772 | ssl->transform_in = ssl->transform_negotiate; |
| 4773 | ssl->session_in = ssl->session_negotiate; |
| 4774 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4775 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4776 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4777 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4778 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 7e8e6a6 | 2020-02-05 10:45:48 +0000 | [diff] [blame] | 4779 | mbedtls_ssl_dtls_replay_reset( ssl ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4780 | #endif |
| 4781 | |
| 4782 | /* Increment epoch */ |
| 4783 | if( ++ssl->in_epoch == 0 ) |
| 4784 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4785 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); |
Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 4786 | /* This is highly unlikely to happen for legitimate reasons, so |
| 4787 | treat it as an attack and don't send an alert. */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4788 | return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4789 | } |
| 4790 | } |
| 4791 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4792 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4793 | memset( ssl->in_ctr, 0, 8 ); |
| 4794 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4795 | mbedtls_ssl_update_in_pointers( ssl ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4796 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4797 | ssl->state++; |
| 4798 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4799 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4800 | |
| 4801 | return( 0 ); |
| 4802 | } |
| 4803 | |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4804 | /* Once ssl->out_hdr as the address of the beginning of the |
| 4805 | * next outgoing record is set, deduce the other pointers. |
| 4806 | * |
| 4807 | * Note: For TLS, we save the implicit record sequence number |
| 4808 | * (entering MAC computation) in the 8 bytes before ssl->out_hdr, |
| 4809 | * and the caller has to make sure there's space for this. |
| 4810 | */ |
| 4811 | |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4812 | static size_t ssl_transform_get_explicit_iv_len( |
| 4813 | mbedtls_ssl_transform const *transform ) |
| 4814 | { |
TRodziewicz | ef73f01 | 2021-05-13 14:53:36 +0200 | [diff] [blame] | 4815 | if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4816 | return( 0 ); |
| 4817 | |
| 4818 | return( transform->ivlen - transform->fixed_ivlen ); |
| 4819 | } |
| 4820 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4821 | void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, |
| 4822 | mbedtls_ssl_transform *transform ) |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4823 | { |
| 4824 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4825 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4826 | { |
| 4827 | ssl->out_ctr = ssl->out_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4828 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4829 | ssl->out_cid = ssl->out_ctr + 8; |
| 4830 | ssl->out_len = ssl->out_cid; |
| 4831 | if( transform != NULL ) |
| 4832 | ssl->out_len += transform->out_cid_len; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4833 | #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4834 | ssl->out_len = ssl->out_ctr + 8; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4835 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4836 | ssl->out_iv = ssl->out_len + 2; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4837 | } |
| 4838 | else |
| 4839 | #endif |
| 4840 | { |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4841 | ssl->out_len = ssl->out_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4842 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 4c3eb7c | 2019-05-08 16:43:21 +0100 | [diff] [blame] | 4843 | ssl->out_cid = ssl->out_len; |
| 4844 | #endif |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4845 | ssl->out_iv = ssl->out_hdr + 5; |
| 4846 | } |
| 4847 | |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4848 | ssl->out_msg = ssl->out_iv; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4849 | /* Adjust out_msg to make space for explicit IV, if used. */ |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4850 | if( transform != NULL ) |
| 4851 | ssl->out_msg += ssl_transform_get_explicit_iv_len( transform ); |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4852 | } |
| 4853 | |
| 4854 | /* Once ssl->in_hdr as the address of the beginning of the |
| 4855 | * next incoming record is set, deduce the other pointers. |
| 4856 | * |
| 4857 | * Note: For TLS, we save the implicit record sequence number |
| 4858 | * (entering MAC computation) in the 8 bytes before ssl->in_hdr, |
| 4859 | * and the caller has to make sure there's space for this. |
| 4860 | */ |
| 4861 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4862 | void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ) |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4863 | { |
Hanno Becker | 79594fd | 2019-05-08 09:38:41 +0100 | [diff] [blame] | 4864 | /* This function sets the pointers to match the case |
| 4865 | * of unprotected TLS/DTLS records, with both ssl->in_iv |
| 4866 | * and ssl->in_msg pointing to the beginning of the record |
| 4867 | * content. |
| 4868 | * |
| 4869 | * When decrypting a protected record, ssl->in_msg |
| 4870 | * will be shifted to point to the beginning of the |
| 4871 | * record plaintext. |
| 4872 | */ |
| 4873 | |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4874 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4875 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4876 | { |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4877 | /* This sets the header pointers to match records |
| 4878 | * without CID. When we receive a record containing |
| 4879 | * a CID, the fields are shifted accordingly in |
| 4880 | * ssl_parse_record_header(). */ |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4881 | ssl->in_ctr = ssl->in_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4882 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4883 | ssl->in_cid = ssl->in_ctr + 8; |
| 4884 | ssl->in_len = ssl->in_cid; /* Default: no CID */ |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4885 | #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4886 | ssl->in_len = ssl->in_ctr + 8; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4887 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4888 | ssl->in_iv = ssl->in_len + 2; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4889 | } |
| 4890 | else |
| 4891 | #endif |
| 4892 | { |
| 4893 | ssl->in_ctr = ssl->in_hdr - 8; |
| 4894 | ssl->in_len = ssl->in_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4895 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 4c3eb7c | 2019-05-08 16:43:21 +0100 | [diff] [blame] | 4896 | ssl->in_cid = ssl->in_len; |
| 4897 | #endif |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4898 | ssl->in_iv = ssl->in_hdr + 5; |
| 4899 | } |
| 4900 | |
Hanno Becker | 79594fd | 2019-05-08 09:38:41 +0100 | [diff] [blame] | 4901 | /* This will be adjusted at record decryption time. */ |
| 4902 | ssl->in_msg = ssl->in_iv; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4903 | } |
| 4904 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4905 | /* |
Manuel Pégourié-Gonnard | 41d479e | 2015-04-29 00:48:22 +0200 | [diff] [blame] | 4906 | * Setup an SSL context |
| 4907 | */ |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4908 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4909 | void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ) |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4910 | { |
| 4911 | /* Set the incoming and outgoing record pointers. */ |
| 4912 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4913 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4914 | { |
| 4915 | ssl->out_hdr = ssl->out_buf; |
| 4916 | ssl->in_hdr = ssl->in_buf; |
| 4917 | } |
| 4918 | else |
| 4919 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4920 | { |
Hanno Becker | 12078f4 | 2021-03-02 15:28:41 +0000 | [diff] [blame] | 4921 | ssl->out_ctr = ssl->out_buf; |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4922 | ssl->out_hdr = ssl->out_buf + 8; |
| 4923 | ssl->in_hdr = ssl->in_buf + 8; |
| 4924 | } |
| 4925 | |
| 4926 | /* Derive other internal pointers. */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4927 | mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ ); |
| 4928 | mbedtls_ssl_update_in_pointers ( ssl ); |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4929 | } |
| 4930 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4931 | /* |
| 4932 | * SSL get accessors |
| 4933 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4934 | size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4935 | { |
| 4936 | return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); |
| 4937 | } |
| 4938 | |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4939 | int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl ) |
| 4940 | { |
| 4941 | /* |
| 4942 | * Case A: We're currently holding back |
| 4943 | * a message for further processing. |
| 4944 | */ |
| 4945 | |
| 4946 | if( ssl->keep_current_message == 1 ) |
| 4947 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 4948 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4949 | return( 1 ); |
| 4950 | } |
| 4951 | |
| 4952 | /* |
| 4953 | * Case B: Further records are pending in the current datagram. |
| 4954 | */ |
| 4955 | |
| 4956 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4957 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 4958 | ssl->in_left > ssl->next_record_offset ) |
| 4959 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 4960 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4961 | return( 1 ); |
| 4962 | } |
| 4963 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4964 | |
| 4965 | /* |
| 4966 | * Case C: A handshake message is being processed. |
| 4967 | */ |
| 4968 | |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4969 | if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen ) |
| 4970 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 4971 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4972 | return( 1 ); |
| 4973 | } |
| 4974 | |
| 4975 | /* |
| 4976 | * Case D: An application data message is being processed |
| 4977 | */ |
| 4978 | if( ssl->in_offt != NULL ) |
| 4979 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 4980 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4981 | return( 1 ); |
| 4982 | } |
| 4983 | |
| 4984 | /* |
| 4985 | * In all other cases, the rest of the message can be dropped. |
Hanno Becker | c573ac3 | 2018-08-28 17:15:25 +0100 | [diff] [blame] | 4986 | * As in ssl_get_next_record, this needs to be adapted if |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 4987 | * we implement support for multiple alerts in single records. |
| 4988 | */ |
| 4989 | |
| 4990 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) ); |
| 4991 | return( 0 ); |
| 4992 | } |
| 4993 | |
Paul Bakker | 43ca69c | 2011-01-15 17:35:19 +0000 | [diff] [blame] | 4994 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4995 | int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 4996 | { |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 4997 | size_t transform_expansion = 0; |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4998 | const mbedtls_ssl_transform *transform = ssl->transform_out; |
Hanno Becker | 5b559ac | 2018-08-03 09:40:07 +0100 | [diff] [blame] | 4999 | unsigned block_size; |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5000 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 5001 | size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl ); |
| 5002 | |
Hanno Becker | 7864090 | 2018-08-13 16:35:15 +0100 | [diff] [blame] | 5003 | if( transform == NULL ) |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 5004 | return( (int) out_hdr_len ); |
Hanno Becker | 7864090 | 2018-08-13 16:35:15 +0100 | [diff] [blame] | 5005 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5006 | switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5007 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5008 | case MBEDTLS_MODE_GCM: |
| 5009 | case MBEDTLS_MODE_CCM: |
Hanno Becker | 5b559ac | 2018-08-03 09:40:07 +0100 | [diff] [blame] | 5010 | case MBEDTLS_MODE_CHACHAPOLY: |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5011 | case MBEDTLS_MODE_STREAM: |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5012 | transform_expansion = transform->minlen; |
| 5013 | break; |
| 5014 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5015 | case MBEDTLS_MODE_CBC: |
Hanno Becker | 5b559ac | 2018-08-03 09:40:07 +0100 | [diff] [blame] | 5016 | |
| 5017 | block_size = mbedtls_cipher_get_block_size( |
| 5018 | &transform->cipher_ctx_enc ); |
| 5019 | |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5020 | /* Expansion due to the addition of the MAC. */ |
| 5021 | transform_expansion += transform->maclen; |
| 5022 | |
| 5023 | /* Expansion due to the addition of CBC padding; |
| 5024 | * Theoretically up to 256 bytes, but we never use |
| 5025 | * more than the block size of the underlying cipher. */ |
| 5026 | transform_expansion += block_size; |
| 5027 | |
TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 5028 | /* For TLS 1.2 or higher, an explicit IV is added |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5029 | * after the record header. */ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5030 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 5031 | if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5032 | transform_expansion += block_size; |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5033 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5034 | |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5035 | break; |
| 5036 | |
| 5037 | default: |
Manuel Pégourié-Gonnard | cb0d212 | 2015-07-22 11:52:11 +0200 | [diff] [blame] | 5038 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5039 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5040 | } |
| 5041 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 5042 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 5043 | if( transform->out_cid_len != 0 ) |
| 5044 | transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 5045 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 5046 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 5047 | return( (int)( out_hdr_len + transform_expansion ) ); |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5048 | } |
| 5049 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5050 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 214eed3 | 2013-10-30 13:06:54 +0100 | [diff] [blame] | 5051 | /* |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5052 | * Check record counters and renegotiate if they're above the limit. |
| 5053 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5054 | static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5055 | { |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 5056 | size_t ep_len = mbedtls_ssl_ep_len( ssl ); |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 5057 | int in_ctr_cmp; |
| 5058 | int out_ctr_cmp; |
| 5059 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5060 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || |
| 5061 | ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5062 | ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5063 | { |
| 5064 | return( 0 ); |
| 5065 | } |
| 5066 | |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 5067 | in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, |
| 5068 | ssl->conf->renego_period + ep_len, 8 - ep_len ); |
Hanno Becker | 1985947 | 2018-08-06 09:40:20 +0100 | [diff] [blame] | 5069 | out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len, |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 5070 | ssl->conf->renego_period + ep_len, 8 - ep_len ); |
| 5071 | |
| 5072 | if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5073 | { |
| 5074 | return( 0 ); |
| 5075 | } |
| 5076 | |
Manuel Pégourié-Gonnard | cb0d212 | 2015-07-22 11:52:11 +0200 | [diff] [blame] | 5077 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5078 | return( mbedtls_ssl_renegotiate( ssl ) ); |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5079 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5080 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5081 | |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5082 | /* This function is called from mbedtls_ssl_read() when a handshake message is |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5083 | * received after the initial handshake. In this context, handshake messages |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5084 | * may only be sent for the purpose of initiating renegotiations. |
| 5085 | * |
| 5086 | * This function is introduced as a separate helper since the handling |
| 5087 | * of post-handshake handshake messages changes significantly in TLS 1.3, |
| 5088 | * and having a helper function allows to distinguish between TLS <= 1.2 and |
| 5089 | * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read(). |
| 5090 | */ |
Hanno Becker | cad3dba | 2020-11-24 06:57:13 +0000 | [diff] [blame] | 5091 | static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5092 | { |
Hanno Becker | fae12cf | 2021-04-21 07:20:20 +0100 | [diff] [blame] | 5093 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5094 | |
| 5095 | /* |
| 5096 | * - For client-side, expect SERVER_HELLO_REQUEST. |
| 5097 | * - For server-side, expect CLIENT_HELLO. |
| 5098 | * - Fail (TLS) or silently drop record (DTLS) in other cases. |
| 5099 | */ |
| 5100 | |
| 5101 | #if defined(MBEDTLS_SSL_CLI_C) |
| 5102 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && |
| 5103 | ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || |
| 5104 | ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) |
| 5105 | { |
| 5106 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); |
| 5107 | |
| 5108 | /* With DTLS, drop the packet (probably from last handshake) */ |
| 5109 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5110 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 5111 | { |
| 5112 | return( 0 ); |
| 5113 | } |
| 5114 | #endif |
| 5115 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| 5116 | } |
| 5117 | #endif /* MBEDTLS_SSL_CLI_C */ |
| 5118 | |
| 5119 | #if defined(MBEDTLS_SSL_SRV_C) |
| 5120 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
| 5121 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| 5122 | { |
| 5123 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); |
| 5124 | |
| 5125 | /* With DTLS, drop the packet (probably from last handshake) */ |
| 5126 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5127 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 5128 | { |
| 5129 | return( 0 ); |
| 5130 | } |
| 5131 | #endif |
| 5132 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| 5133 | } |
| 5134 | #endif /* MBEDTLS_SSL_SRV_C */ |
| 5135 | |
| 5136 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 5137 | /* Determine whether renegotiation attempt should be accepted */ |
| 5138 | if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || |
| 5139 | ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 5140 | ssl->conf->allow_legacy_renegotiation == |
| 5141 | MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) |
| 5142 | { |
| 5143 | /* |
| 5144 | * Accept renegotiation request |
| 5145 | */ |
| 5146 | |
| 5147 | /* DTLS clients need to know renego is server-initiated */ |
| 5148 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5149 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 5150 | ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) |
| 5151 | { |
| 5152 | ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; |
| 5153 | } |
| 5154 | #endif |
| 5155 | ret = mbedtls_ssl_start_renegotiation( ssl ); |
| 5156 | if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && |
| 5157 | ret != 0 ) |
| 5158 | { |
| 5159 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", |
| 5160 | ret ); |
| 5161 | return( ret ); |
| 5162 | } |
| 5163 | } |
| 5164 | else |
| 5165 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| 5166 | { |
| 5167 | /* |
| 5168 | * Refuse renegotiation |
| 5169 | */ |
| 5170 | |
| 5171 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); |
| 5172 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5173 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5174 | if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) |
| 5175 | { |
| 5176 | if( ( ret = mbedtls_ssl_send_alert_message( ssl, |
| 5177 | MBEDTLS_SSL_ALERT_LEVEL_WARNING, |
| 5178 | MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) |
| 5179 | { |
| 5180 | return( ret ); |
| 5181 | } |
| 5182 | } |
| 5183 | else |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5184 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5185 | { |
| 5186 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 5187 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 5188 | } |
| 5189 | } |
| 5190 | |
| 5191 | return( 0 ); |
| 5192 | } |
| 5193 | |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5194 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5195 | * Receive application data decrypted from the SSL layer |
| 5196 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5197 | int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5198 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 5199 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 5200 | size_t n; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5201 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 5202 | if( ssl == NULL || ssl->conf == NULL ) |
| 5203 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 5204 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5205 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5206 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5207 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5208 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 5209 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5210 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 5211 | return( ret ); |
| 5212 | |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5213 | if( ssl->handshake != NULL && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5214 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5215 | { |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 5216 | if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5217 | return( ret ); |
| 5218 | } |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 5219 | } |
| 5220 | #endif |
| 5221 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5222 | /* |
| 5223 | * Check if renegotiation is necessary and/or handshake is |
| 5224 | * in process. If yes, perform/continue, and fall through |
| 5225 | * if an unexpected packet is received while the client |
| 5226 | * is waiting for the ServerHello. |
| 5227 | * |
| 5228 | * (There is no equivalent to the last condition on |
| 5229 | * the server-side as it is not treated as within |
| 5230 | * a handshake while waiting for the ClientHello |
| 5231 | * after a renegotiation request.) |
| 5232 | */ |
| 5233 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5234 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5235 | ret = ssl_check_ctr_renegotiate( ssl ); |
| 5236 | if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && |
| 5237 | ret != 0 ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5238 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5239 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5240 | return( ret ); |
| 5241 | } |
| 5242 | #endif |
| 5243 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5244 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5245 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5246 | ret = mbedtls_ssl_handshake( ssl ); |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5247 | if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && |
| 5248 | ret != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5249 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5250 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5251 | return( ret ); |
| 5252 | } |
| 5253 | } |
| 5254 | |
Hanno Becker | e41158b | 2017-10-23 13:30:32 +0100 | [diff] [blame] | 5255 | /* Loop as long as no application data record is available */ |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5256 | while( ssl->in_offt == NULL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5257 | { |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 5258 | /* Start timer if not already running */ |
Manuel Pégourié-Gonnard | 545102e | 2015-05-13 17:28:43 +0200 | [diff] [blame] | 5259 | if( ssl->f_get_timer != NULL && |
| 5260 | ssl->f_get_timer( ssl->p_timer ) == -1 ) |
| 5261 | { |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 5262 | mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout ); |
Manuel Pégourié-Gonnard | 545102e | 2015-05-13 17:28:43 +0200 | [diff] [blame] | 5263 | } |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 5264 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 5265 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5266 | { |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5267 | if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) |
| 5268 | return( 0 ); |
Paul Bakker | 831a755 | 2011-05-18 13:32:51 +0000 | [diff] [blame] | 5269 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5270 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| 5271 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5272 | } |
| 5273 | |
| 5274 | if( ssl->in_msglen == 0 && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5275 | ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5276 | { |
| 5277 | /* |
| 5278 | * OpenSSL sends empty messages to randomize the IV |
| 5279 | */ |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 5280 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5281 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5282 | if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) |
Paul Bakker | 831a755 | 2011-05-18 13:32:51 +0000 | [diff] [blame] | 5283 | return( 0 ); |
| 5284 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5285 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5286 | return( ret ); |
| 5287 | } |
| 5288 | } |
| 5289 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5290 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5291 | { |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5292 | ret = ssl_handle_hs_message_post_handshake( ssl ); |
| 5293 | if( ret != 0) |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5294 | { |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5295 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_handle_hs_message_post_handshake", |
| 5296 | ret ); |
| 5297 | return( ret ); |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5298 | } |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5299 | |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5300 | /* At this point, we don't know whether the renegotiation triggered |
| 5301 | * by the post-handshake message has been completed or not. The cases |
| 5302 | * to consider are the following: |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5303 | * 1) The renegotiation is complete. In this case, no new record |
| 5304 | * has been read yet. |
| 5305 | * 2) The renegotiation is incomplete because the client received |
| 5306 | * an application data record while awaiting the ServerHello. |
| 5307 | * 3) The renegotiation is incomplete because the client received |
| 5308 | * a non-handshake, non-application data message while awaiting |
| 5309 | * the ServerHello. |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5310 | * |
| 5311 | * In each of these cases, looping will be the proper action: |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5312 | * - For 1), the next iteration will read a new record and check |
| 5313 | * if it's application data. |
| 5314 | * - For 2), the loop condition isn't satisfied as application data |
| 5315 | * is present, hence continue is the same as break |
| 5316 | * - For 3), the loop condition is satisfied and read_record |
| 5317 | * will re-deliver the message that was held back by the client |
| 5318 | * when expecting the ServerHello. |
| 5319 | */ |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5320 | |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5321 | continue; |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5322 | } |
Hanno Becker | 21df7f9 | 2017-10-17 11:03:26 +0100 | [diff] [blame] | 5323 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5324 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) |
Manuel Pégourié-Gonnard | 6d8404d | 2013-10-30 16:41:45 +0100 | [diff] [blame] | 5325 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5326 | if( ssl->conf->renego_max_records >= 0 ) |
Manuel Pégourié-Gonnard | a9964db | 2014-07-03 19:29:16 +0200 | [diff] [blame] | 5327 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5328 | if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) |
Manuel Pégourié-Gonnard | df3acd8 | 2014-10-15 15:07:45 +0200 | [diff] [blame] | 5329 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5330 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " |
Manuel Pégourié-Gonnard | df3acd8 | 2014-10-15 15:07:45 +0200 | [diff] [blame] | 5331 | "but not honored by client" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5332 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
Manuel Pégourié-Gonnard | df3acd8 | 2014-10-15 15:07:45 +0200 | [diff] [blame] | 5333 | } |
Manuel Pégourié-Gonnard | a9964db | 2014-07-03 19:29:16 +0200 | [diff] [blame] | 5334 | } |
Manuel Pégourié-Gonnard | 6d8404d | 2013-10-30 16:41:45 +0100 | [diff] [blame] | 5335 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5336 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5337 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5338 | /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ |
| 5339 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5340 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5341 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 5342 | return( MBEDTLS_ERR_SSL_WANT_READ ); |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5343 | } |
| 5344 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5345 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5346 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5347 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); |
| 5348 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5349 | } |
| 5350 | |
| 5351 | ssl->in_offt = ssl->in_msg; |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 5352 | |
Manuel Pégourié-Gonnard | ba958b8 | 2014-10-09 16:13:44 +0200 | [diff] [blame] | 5353 | /* We're going to return something now, cancel timer, |
| 5354 | * except if handshake (renegotiation) is in progress */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5355 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 5356 | mbedtls_ssl_set_timer( ssl, 0 ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5357 | |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 5358 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5359 | /* If we requested renego but received AppData, resend HelloRequest. |
| 5360 | * Do it now, after setting in_offt, to avoid taking this branch |
| 5361 | * again if ssl_write_hello_request() returns WANT_WRITE */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5362 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5363 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5364 | ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5365 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 5366 | if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5367 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 5368 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request", |
| 5369 | ret ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5370 | return( ret ); |
| 5371 | } |
| 5372 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5373 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5374 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5375 | } |
| 5376 | |
| 5377 | n = ( len < ssl->in_msglen ) |
| 5378 | ? len : ssl->in_msglen; |
| 5379 | |
| 5380 | memcpy( buf, ssl->in_offt, n ); |
| 5381 | ssl->in_msglen -= n; |
| 5382 | |
gabor-mezei-arm | a321413 | 2020-07-15 10:55:00 +0200 | [diff] [blame] | 5383 | /* Zeroising the plaintext buffer to erase unused application data |
| 5384 | from the memory. */ |
| 5385 | mbedtls_platform_zeroize( ssl->in_offt, n ); |
| 5386 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5387 | if( ssl->in_msglen == 0 ) |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5388 | { |
| 5389 | /* all bytes consumed */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5390 | ssl->in_offt = NULL; |
Hanno Becker | bdf3905 | 2017-06-09 10:42:03 +0100 | [diff] [blame] | 5391 | ssl->keep_current_message = 0; |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5392 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5393 | else |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5394 | { |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5395 | /* more data available */ |
| 5396 | ssl->in_offt += n; |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5397 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5398 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5399 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5400 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 5401 | return( (int) n ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5402 | } |
| 5403 | |
| 5404 | /* |
Andres Amaya Garcia | 5b92352 | 2017-09-28 14:41:17 +0100 | [diff] [blame] | 5405 | * Send application data to be encrypted by the SSL layer, taking care of max |
| 5406 | * fragment length and buffer size. |
| 5407 | * |
| 5408 | * According to RFC 5246 Section 6.2.1: |
| 5409 | * |
| 5410 | * Zero-length fragments of Application data MAY be sent as they are |
| 5411 | * potentially useful as a traffic analysis countermeasure. |
| 5412 | * |
| 5413 | * Therefore, it is possible that the input message length is 0 and the |
| 5414 | * corresponding return code is 0 on success. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5415 | */ |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5416 | static int ssl_write_real( mbedtls_ssl_context *ssl, |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5417 | const unsigned char *buf, size_t len ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5418 | { |
Manuel Pégourié-Gonnard | 9468ff1 | 2017-09-21 13:49:50 +0200 | [diff] [blame] | 5419 | int ret = mbedtls_ssl_get_max_out_record_payload( ssl ); |
| 5420 | const size_t max_len = (size_t) ret; |
| 5421 | |
| 5422 | if( ret < 0 ) |
| 5423 | { |
| 5424 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret ); |
| 5425 | return( ret ); |
| 5426 | } |
| 5427 | |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5428 | if( len > max_len ) |
| 5429 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5430 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5431 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5432 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5433 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 5434 | "maximum fragment length: %" MBEDTLS_PRINTF_SIZET |
| 5435 | " > %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5436 | len, max_len ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5437 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5438 | } |
| 5439 | else |
| 5440 | #endif |
| 5441 | len = max_len; |
| 5442 | } |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5443 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5444 | if( ssl->out_left != 0 ) |
| 5445 | { |
Andres Amaya Garcia | 5b92352 | 2017-09-28 14:41:17 +0100 | [diff] [blame] | 5446 | /* |
| 5447 | * The user has previously tried to send the data and |
| 5448 | * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially |
| 5449 | * written. In this case, we expect the high-level write function |
| 5450 | * (e.g. mbedtls_ssl_write()) to be called with the same parameters |
| 5451 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5452 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5453 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5454 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5455 | return( ret ); |
| 5456 | } |
| 5457 | } |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5458 | else |
Paul Bakker | 1fd00bf | 2011-03-14 20:50:15 +0000 | [diff] [blame] | 5459 | { |
Andres Amaya Garcia | 5b92352 | 2017-09-28 14:41:17 +0100 | [diff] [blame] | 5460 | /* |
| 5461 | * The user is trying to send a message the first time, so we need to |
| 5462 | * copy the data into the internal buffers and setup the data structure |
| 5463 | * to keep track of partial writes |
| 5464 | */ |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5465 | ssl->out_msglen = len; |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5466 | ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5467 | memcpy( ssl->out_msg, buf, len ); |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5468 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 5469 | if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5470 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5471 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5472 | return( ret ); |
| 5473 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5474 | } |
| 5475 | |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5476 | return( (int) len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5477 | } |
| 5478 | |
| 5479 | /* |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5480 | * Write application data (public-facing wrapper) |
| 5481 | */ |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5482 | int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5483 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 5484 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5485 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5486 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5487 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 5488 | if( ssl == NULL || ssl->conf == NULL ) |
| 5489 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 5490 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5491 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5492 | if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) |
| 5493 | { |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5494 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5495 | return( ret ); |
| 5496 | } |
| 5497 | #endif |
| 5498 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5499 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5500 | { |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5501 | if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5502 | { |
Manuel Pégourié-Gonnard | 151dc77 | 2015-05-14 13:55:51 +0200 | [diff] [blame] | 5503 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5504 | return( ret ); |
| 5505 | } |
| 5506 | } |
| 5507 | |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5508 | ret = ssl_write_real( ssl, buf, len ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5509 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5510 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5511 | |
| 5512 | return( ret ); |
| 5513 | } |
| 5514 | |
| 5515 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5516 | * Notify the peer that the connection is being closed |
| 5517 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5518 | int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5519 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 5520 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5521 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 5522 | if( ssl == NULL || ssl->conf == NULL ) |
| 5523 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 5524 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5525 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5526 | |
Manuel Pégourié-Gonnard | a13500f | 2014-08-19 16:14:04 +0200 | [diff] [blame] | 5527 | if( ssl->out_left != 0 ) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5528 | return( mbedtls_ssl_flush_output( ssl ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5529 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5530 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5531 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5532 | if( ( ret = mbedtls_ssl_send_alert_message( ssl, |
| 5533 | MBEDTLS_SSL_ALERT_LEVEL_WARNING, |
| 5534 | MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5535 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5536 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5537 | return( ret ); |
| 5538 | } |
| 5539 | } |
| 5540 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5541 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5542 | |
Manuel Pégourié-Gonnard | a13500f | 2014-08-19 16:14:04 +0200 | [diff] [blame] | 5543 | return( 0 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5544 | } |
| 5545 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5546 | void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5547 | { |
Paul Bakker | accaffe | 2014-06-26 13:37:14 +0200 | [diff] [blame] | 5548 | if( transform == NULL ) |
| 5549 | return; |
| 5550 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5551 | mbedtls_cipher_free( &transform->cipher_ctx_enc ); |
| 5552 | mbedtls_cipher_free( &transform->cipher_ctx_dec ); |
Manuel Pégourié-Gonnard | f71e587 | 2013-09-23 17:12:43 +0200 | [diff] [blame] | 5553 | |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 5554 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5555 | mbedtls_md_free( &transform->md_ctx_enc ); |
| 5556 | mbedtls_md_free( &transform->md_ctx_dec ); |
Hanno Becker | d56ed24 | 2018-01-03 15:32:51 +0000 | [diff] [blame] | 5557 | #endif |
Paul Bakker | 61d113b | 2013-07-04 11:51:43 +0200 | [diff] [blame] | 5558 | |
Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 5559 | mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5560 | } |
| 5561 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5562 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5563 | |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 5564 | void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ) |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5565 | { |
| 5566 | unsigned offset; |
| 5567 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 5568 | |
| 5569 | if( hs == NULL ) |
| 5570 | return; |
| 5571 | |
Hanno Becker | 283f5ef | 2018-08-24 09:34:47 +0100 | [diff] [blame] | 5572 | ssl_free_buffered_record( ssl ); |
| 5573 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5574 | for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ ) |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5575 | ssl_buffering_free_slot( ssl, offset ); |
| 5576 | } |
| 5577 | |
| 5578 | static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl, |
| 5579 | uint8_t slot ) |
| 5580 | { |
| 5581 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 5582 | mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot]; |
Hanno Becker | b309b92 | 2018-08-23 13:18:05 +0100 | [diff] [blame] | 5583 | |
| 5584 | if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS ) |
| 5585 | return; |
| 5586 | |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5587 | if( hs_buf->is_valid == 1 ) |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5588 | { |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5589 | hs->buffering.total_bytes_buffered -= hs_buf->data_len; |
Hanno Becker | 805f2e1 | 2018-10-12 16:31:41 +0100 | [diff] [blame] | 5590 | mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len ); |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5591 | mbedtls_free( hs_buf->data ); |
| 5592 | memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) ); |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5593 | } |
| 5594 | } |
| 5595 | |
| 5596 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 5597 | |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5598 | /* |
| 5599 | * Convert version numbers to/from wire format |
| 5600 | * and, for DTLS, to/from TLS equivalent. |
| 5601 | * |
| 5602 | * For TLS this is the identity. |
Brian J Murray | 1903fb3 | 2016-11-06 04:45:15 -0800 | [diff] [blame] | 5603 | * For DTLS, use 1's complement (v -> 255 - v, and then map as follows: |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5604 | * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) |
| 5605 | * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) |
| 5606 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5607 | void mbedtls_ssl_write_version( int major, int minor, int transport, |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5608 | unsigned char ver[2] ) |
| 5609 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5610 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5611 | if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5612 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5613 | if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5614 | --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ |
| 5615 | |
| 5616 | ver[0] = (unsigned char)( 255 - ( major - 2 ) ); |
| 5617 | ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); |
| 5618 | } |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5619 | else |
| 5620 | #else |
| 5621 | ((void) transport); |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5622 | #endif |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5623 | { |
| 5624 | ver[0] = (unsigned char) major; |
| 5625 | ver[1] = (unsigned char) minor; |
| 5626 | } |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5627 | } |
| 5628 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5629 | void mbedtls_ssl_read_version( int *major, int *minor, int transport, |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5630 | const unsigned char ver[2] ) |
| 5631 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5632 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5633 | if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5634 | { |
| 5635 | *major = 255 - ver[0] + 2; |
| 5636 | *minor = 255 - ver[1] + 1; |
| 5637 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5638 | if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5639 | ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ |
| 5640 | } |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5641 | else |
| 5642 | #else |
| 5643 | ((void) transport); |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5644 | #endif |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5645 | { |
| 5646 | *major = ver[0]; |
| 5647 | *minor = ver[1]; |
| 5648 | } |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5649 | } |
| 5650 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5651 | #endif /* MBEDTLS_SSL_TLS_C */ |