blob: babe481ac4ddd131dfd1e31e6873149245794ca4 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 shared functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +000018 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000019 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +000020 */
21/*
22 * The SSL 3.0 specification was drafted by Netscape in 1996,
23 * and became an IETF standard in 1999.
24 *
25 * http://wp.netscape.com/eng/ssl3/
26 * http://www.ietf.org/rfc/rfc2246.txt
27 * http://www.ietf.org/rfc/rfc4346.txt
28 */
29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020030#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000031#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020032#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020033#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020034#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000035
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020036#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000037
SimonBd5800b72016-04-26 07:43:27 +010038#if defined(MBEDTLS_PLATFORM_C)
39#include "mbedtls/platform.h"
40#else
41#include <stdlib.h>
42#define mbedtls_calloc calloc
43#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +010044#endif
45
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000046#include "mbedtls/debug.h"
47#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020048#include "mbedtls/ssl_internal.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050049#include "mbedtls/platform_util.h"
Paul Bakker0be444a2013-08-27 21:55:01 +020050
Rich Evans00ab4702015-02-06 13:43:58 +000051#include <string.h>
52
Janos Follath23bdca02016-10-07 14:47:14 +010053#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000054#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020055#endif
56
Hanno Becker2a43f6f2018-08-10 11:12:52 +010057static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
Hanno Beckercd9dcda2018-08-28 17:18:56 +010058static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +010059
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +010060/* Length of the "epoch" field in the record header */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020061static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +010062{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020063#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +020064 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +010065 return( 2 );
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +010066#else
67 ((void) ssl);
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +010068#endif
69 return( 0 );
70}
71
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020072/*
73 * Start a timer.
74 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020075 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020076static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020077{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +020078 if( ssl->f_set_timer == NULL )
79 return;
80
81 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
82 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020083}
84
85/*
86 * Return -1 is timer is expired, 0 if it isn't.
87 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020088static int ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020089{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +020090 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +020091 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +020092
93 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020094 {
95 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020096 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020097 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +020098
99 return( 0 );
100}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200101
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100102static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
103 mbedtls_ssl_transform *transform );
104static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
105 mbedtls_ssl_transform *transform );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100106
107#define SSL_DONT_FORCE_FLUSH 0
108#define SSL_FORCE_FLUSH 1
109
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200110#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100111
Hanno Beckerba8cd672019-04-23 12:31:42 +0100112#if defined(MBEDTLS_SSL_CID)
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100113/* Top-level Connection ID API */
114
Hanno Becker07489862019-04-25 16:01:49 +0100115/* WARNING: The CID feature isn't fully implemented yet
116 * and will not be used. */
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100117int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
118 int enable,
119 unsigned char const *own_cid,
120 size_t own_cid_len )
121{
Hanno Becker07489862019-04-25 16:01:49 +0100122 ssl->negotiate_cid = enable;
123 if( enable == MBEDTLS_SSL_CID_DISABLED )
124 {
125 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
126 return( 0 );
127 }
128 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
129
130 if( own_cid_len > MBEDTLS_SSL_CID_IN_LEN_MAX )
131 {
132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID too large: Maximum %u, actual %u",
133 (unsigned) MBEDTLS_SSL_CID_IN_LEN_MAX,
134 (unsigned) own_cid_len ) );
135 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
136 }
137
138 memcpy( ssl->own_cid, own_cid, own_cid_len );
Hanno Beckerb4a56062019-04-30 14:07:31 +0100139 /* Truncation is not an issue here because
140 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
141 ssl->own_cid_len = (uint8_t) own_cid_len;
Hanno Becker07489862019-04-25 16:01:49 +0100142
143 MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100144 return( 0 );
145}
146
Hanno Becker2de89fa2019-04-26 17:08:02 +0100147/* WARNING: The CID feature isn't fully implemented yet
148 * and will not be used. */
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100149int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
150 int *enabled,
151 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
152 size_t *peer_cid_len )
153{
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100154 *enabled = MBEDTLS_SSL_CID_DISABLED;
Hanno Becker2de89fa2019-04-26 17:08:02 +0100155
156 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
157 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
158
Hanno Beckercb063f52019-05-03 12:54:52 +0100159 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
160 * were used, but client and server requested the empty CID.
161 * This is indistinguishable from not using the CID extension
162 * in the first place. */
Hanno Becker2de89fa2019-04-26 17:08:02 +0100163 if( ssl->transform_in->in_cid_len == 0 &&
164 ssl->transform_in->out_cid_len == 0 )
165 {
166 return( 0 );
167 }
168
169 *peer_cid_len = ssl->transform_in->out_cid_len;
170 memcpy( peer_cid, ssl->transform_in->out_cid,
171 ssl->transform_in->out_cid_len );
172
173 *enabled = MBEDTLS_SSL_CID_ENABLED;
174
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100175 return( 0 );
176}
Hanno Beckerba8cd672019-04-23 12:31:42 +0100177#endif /* MBEDTLS_SSL_CID */
Hanno Beckerb9e7dea2019-04-09 15:22:03 +0100178
Hanno Beckerd5847772018-08-28 10:09:23 +0100179/* Forward declarations for functions related to message buffering. */
180static void ssl_buffering_free( mbedtls_ssl_context *ssl );
181static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
182 uint8_t slot );
183static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
184static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
185static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
186static int ssl_buffer_message( mbedtls_ssl_context *ssl );
187static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100188static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100189
Hanno Beckera67dee22018-08-22 10:05:20 +0100190static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
Hanno Becker11682cc2018-08-22 14:41:02 +0100191static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100192{
Hanno Becker11682cc2018-08-22 14:41:02 +0100193 size_t mtu = ssl_get_current_mtu( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100194
195 if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
Hanno Becker11682cc2018-08-22 14:41:02 +0100196 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100197
198 return( MBEDTLS_SSL_OUT_BUFFER_LEN );
199}
200
Hanno Becker67bc7c32018-08-06 11:33:50 +0100201static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
202{
Hanno Becker11682cc2018-08-22 14:41:02 +0100203 size_t const bytes_written = ssl->out_left;
204 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100205
206 /* Double-check that the write-index hasn't gone
207 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100208 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100209 {
210 /* Should never happen... */
211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
212 }
213
214 return( (int) ( mtu - bytes_written ) );
215}
216
217static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
218{
219 int ret;
220 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400221 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100222
223#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
224 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
225
226 if( max_len > mfl )
227 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100228
229 /* By the standard (RFC 6066 Sect. 4), the MFL extension
230 * only limits the maximum record payload size, so in theory
231 * we would be allowed to pack multiple records of payload size
232 * MFL into a single datagram. However, this would mean that there's
233 * no way to explicitly communicate MTU restrictions to the peer.
234 *
235 * The following reduction of max_len makes sure that we never
236 * write datagrams larger than MFL + Record Expansion Overhead.
237 */
238 if( max_len <= ssl->out_left )
239 return( 0 );
240
241 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100242#endif
243
244 ret = ssl_get_remaining_space_in_datagram( ssl );
245 if( ret < 0 )
246 return( ret );
247 remaining = (size_t) ret;
248
249 ret = mbedtls_ssl_get_record_expansion( ssl );
250 if( ret < 0 )
251 return( ret );
252 expansion = (size_t) ret;
253
254 if( remaining <= expansion )
255 return( 0 );
256
257 remaining -= expansion;
258 if( remaining >= max_len )
259 remaining = max_len;
260
261 return( (int) remaining );
262}
263
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200264/*
265 * Double the retransmit timeout value, within the allowed range,
266 * returning -1 if the maximum value has already been reached.
267 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200268static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200269{
270 uint32_t new_timeout;
271
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200272 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200273 return( -1 );
274
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200275 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
276 * in the following way: after the initial transmission and a first
277 * retransmission, back off to a temporary estimated MTU of 508 bytes.
278 * This value is guaranteed to be deliverable (if not guaranteed to be
279 * delivered) of any compliant IPv4 (and IPv6) network, and should work
280 * on most non-IP stacks too. */
281 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400282 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200283 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
285 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200286
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200287 new_timeout = 2 * ssl->handshake->retransmit_timeout;
288
289 /* Avoid arithmetic overflow and range overflow */
290 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200291 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200292 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200293 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200294 }
295
296 ssl->handshake->retransmit_timeout = new_timeout;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200297 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200298 ssl->handshake->retransmit_timeout ) );
299
300 return( 0 );
301}
302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200303static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200304{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200305 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200306 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200307 ssl->handshake->retransmit_timeout ) );
308}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200309#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200311#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200312/*
313 * Convert max_fragment_length codes to length.
314 * RFC 6066 says:
315 * enum{
316 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
317 * } MaxFragmentLength;
318 * and we add 0 -> extension unused
319 */
Angus Grattond8213d02016-05-25 20:56:48 +1000320static unsigned int ssl_mfl_code_to_length( int mfl )
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200321{
Angus Grattond8213d02016-05-25 20:56:48 +1000322 switch( mfl )
323 {
324 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
325 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
326 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
327 return 512;
328 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
329 return 1024;
330 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
331 return 2048;
332 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
333 return 4096;
334 default:
335 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
336 }
337}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200338#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200339
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200340#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200341static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200342{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200343 mbedtls_ssl_session_free( dst );
344 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200345
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200346#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200347 if( src->peer_cert != NULL )
348 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200349 int ret;
350
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200351 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200352 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200353 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200355 mbedtls_x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200357 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200358 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200359 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200360 mbedtls_free( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200361 dst->peer_cert = NULL;
362 return( ret );
363 }
364 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200365#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200366
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200367#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200368 if( src->ticket != NULL )
369 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200370 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200371 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200372 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200373
374 memcpy( dst->ticket, src->ticket, src->ticket_len );
375 }
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200376#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200377
378 return( 0 );
379}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200380#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200381
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200382#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
383int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200384 const unsigned char *key_enc, const unsigned char *key_dec,
385 size_t keylen,
386 const unsigned char *iv_enc, const unsigned char *iv_dec,
387 size_t ivlen,
388 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200389 size_t maclen ) = NULL;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200390int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
391int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
392int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
393int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
394int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
395#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000396
Paul Bakker5121ce52009-01-03 21:22:43 +0000397/*
398 * Key material generation
399 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200400#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200401static int ssl3_prf( const unsigned char *secret, size_t slen,
402 const char *label,
403 const unsigned char *random, size_t rlen,
Paul Bakker5f70b252012-09-13 14:23:06 +0000404 unsigned char *dstbuf, size_t dlen )
405{
Andres Amaya Garcia33952502017-07-20 16:29:16 +0100406 int ret = 0;
Paul Bakker5f70b252012-09-13 14:23:06 +0000407 size_t i;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200408 mbedtls_md5_context md5;
409 mbedtls_sha1_context sha1;
Paul Bakker5f70b252012-09-13 14:23:06 +0000410 unsigned char padding[16];
411 unsigned char sha1sum[20];
412 ((void)label);
413
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200414 mbedtls_md5_init( &md5 );
415 mbedtls_sha1_init( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200416
Paul Bakker5f70b252012-09-13 14:23:06 +0000417 /*
418 * SSLv3:
419 * block =
420 * MD5( secret + SHA1( 'A' + secret + random ) ) +
421 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
422 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
423 * ...
424 */
425 for( i = 0; i < dlen / 16; i++ )
426 {
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200427 memset( padding, (unsigned char) ('A' + i), 1 + i );
Paul Bakker5f70b252012-09-13 14:23:06 +0000428
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100429 if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100430 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100431 if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100432 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100433 if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100434 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100435 if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100436 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100437 if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100438 goto exit;
Paul Bakker5f70b252012-09-13 14:23:06 +0000439
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100440 if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100441 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100442 if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100443 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100444 if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100445 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100446 if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100447 goto exit;
Paul Bakker5f70b252012-09-13 14:23:06 +0000448 }
449
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100450exit:
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200451 mbedtls_md5_free( &md5 );
452 mbedtls_sha1_free( &sha1 );
Paul Bakker5f70b252012-09-13 14:23:06 +0000453
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500454 mbedtls_platform_zeroize( padding, sizeof( padding ) );
455 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000456
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100457 return( ret );
Paul Bakker5f70b252012-09-13 14:23:06 +0000458}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200459#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000460
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200461#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200462static int tls1_prf( const unsigned char *secret, size_t slen,
463 const char *label,
464 const unsigned char *random, size_t rlen,
Paul Bakker23986e52011-04-24 08:57:21 +0000465 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000466{
Paul Bakker23986e52011-04-24 08:57:21 +0000467 size_t nb, hs;
468 size_t i, j, k;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200469 const unsigned char *S1, *S2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000470 unsigned char tmp[128];
471 unsigned char h_i[20];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200472 const mbedtls_md_info_t *md_info;
473 mbedtls_md_context_t md_ctx;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100474 int ret;
475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200476 mbedtls_md_init( &md_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000477
478 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200479 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000480
481 hs = ( slen + 1 ) / 2;
482 S1 = secret;
483 S2 = secret + slen - hs;
484
485 nb = strlen( label );
486 memcpy( tmp + 20, label, nb );
487 memcpy( tmp + 20 + nb, random, rlen );
488 nb += rlen;
489
490 /*
491 * First compute P_md5(secret,label+random)[0..dlen]
492 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200493 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
494 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200496 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100497 return( ret );
498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200499 mbedtls_md_hmac_starts( &md_ctx, S1, hs );
500 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
501 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000502
503 for( i = 0; i < dlen; i += 16 )
504 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200505 mbedtls_md_hmac_reset ( &md_ctx );
506 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
507 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200509 mbedtls_md_hmac_reset ( &md_ctx );
510 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
511 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000512
513 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
514
515 for( j = 0; j < k; j++ )
516 dstbuf[i + j] = h_i[j];
517 }
518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200519 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100520
Paul Bakker5121ce52009-01-03 21:22:43 +0000521 /*
522 * XOR out with P_sha1(secret,label+random)[0..dlen]
523 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200524 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
525 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200527 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100528 return( ret );
529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200530 mbedtls_md_hmac_starts( &md_ctx, S2, hs );
531 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
532 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000533
534 for( i = 0; i < dlen; i += 20 )
535 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200536 mbedtls_md_hmac_reset ( &md_ctx );
537 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
538 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100539
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200540 mbedtls_md_hmac_reset ( &md_ctx );
541 mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
542 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000543
544 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
545
546 for( j = 0; j < k; j++ )
547 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
548 }
549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200550 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100551
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500552 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
553 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000554
555 return( 0 );
556}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200557#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000558
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200559#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
560static int tls_prf_generic( mbedtls_md_type_t md_type,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100561 const unsigned char *secret, size_t slen,
562 const char *label,
563 const unsigned char *random, size_t rlen,
564 unsigned char *dstbuf, size_t dlen )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000565{
566 size_t nb;
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100567 size_t i, j, k, md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000568 unsigned char tmp[128];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200569 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
570 const mbedtls_md_info_t *md_info;
571 mbedtls_md_context_t md_ctx;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100572 int ret;
573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200574 mbedtls_md_init( &md_ctx );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200576 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
577 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200579 md_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100580
581 if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200582 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000583
584 nb = strlen( label );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100585 memcpy( tmp + md_len, label, nb );
586 memcpy( tmp + md_len + nb, random, rlen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000587 nb += rlen;
588
589 /*
590 * Compute P_<hash>(secret, label + random)[0..dlen]
591 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200592 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100593 return( ret );
594
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200595 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
596 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
597 mbedtls_md_hmac_finish( &md_ctx, tmp );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100598
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100599 for( i = 0; i < dlen; i += md_len )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000600 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200601 mbedtls_md_hmac_reset ( &md_ctx );
602 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
603 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100604
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200605 mbedtls_md_hmac_reset ( &md_ctx );
606 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
607 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000608
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100609 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000610
611 for( j = 0; j < k; j++ )
612 dstbuf[i + j] = h_i[j];
613 }
614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200615 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100616
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500617 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
618 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000619
620 return( 0 );
621}
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200623#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100624static int tls_prf_sha256( const unsigned char *secret, size_t slen,
625 const char *label,
626 const unsigned char *random, size_t rlen,
627 unsigned char *dstbuf, size_t dlen )
628{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200629 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100630 label, random, rlen, dstbuf, dlen ) );
631}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200632#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000633
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200634#if defined(MBEDTLS_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200635static int tls_prf_sha384( const unsigned char *secret, size_t slen,
636 const char *label,
637 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000638 unsigned char *dstbuf, size_t dlen )
639{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200640 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100641 label, random, rlen, dstbuf, dlen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000642}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200643#endif /* MBEDTLS_SHA512_C */
644#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200646static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200648#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
649 defined(MBEDTLS_SSL_PROTO_TLS1_1)
650static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200651#endif
Paul Bakker380da532012-04-18 16:10:25 +0000652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200653#if defined(MBEDTLS_SSL_PROTO_SSL3)
654static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
655static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200656#endif
657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200658#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
659static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
660static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200661#endif
662
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200663#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
664#if defined(MBEDTLS_SHA256_C)
665static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
666static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
667static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200668#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100669
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200670#if defined(MBEDTLS_SHA512_C)
671static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
672static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
673static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100674#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200675#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200677int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000678{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200679 int ret = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000680 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000681 unsigned char keyblk[256];
682 unsigned char *key1;
683 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100684 unsigned char *mac_enc;
685 unsigned char *mac_dec;
Hanno Becker81c7b182017-11-09 18:39:33 +0000686 size_t mac_key_len;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200687 size_t iv_copy_len;
Hanno Beckere7f2df02017-12-27 08:17:40 +0000688 unsigned keylen;
Hanno Becker8759e162017-12-27 21:34:08 +0000689 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200690 const mbedtls_cipher_info_t *cipher_info;
691 const mbedtls_md_info_t *md_info;
Paul Bakker68884e32013-01-07 18:20:04 +0100692
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200693 mbedtls_ssl_session *session = ssl->session_negotiate;
694 mbedtls_ssl_transform *transform = ssl->transform_negotiate;
695 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000696
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200697 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000698
Hanno Becker3307b532017-12-27 21:37:21 +0000699#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
700 transform->encrypt_then_mac = session->encrypt_then_mac;
701#endif
702 transform->minor_ver = ssl->minor_ver;
703
Hanno Becker8759e162017-12-27 21:34:08 +0000704 ciphersuite_info = handshake->ciphersuite_info;
705 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Paul Bakker68884e32013-01-07 18:20:04 +0100706 if( cipher_info == NULL )
707 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Hanno Becker8759e162017-12-27 21:34:08 +0000709 ciphersuite_info->cipher ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200710 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100711 }
712
Hanno Becker8759e162017-12-27 21:34:08 +0000713 md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
Paul Bakker68884e32013-01-07 18:20:04 +0100714 if( md_info == NULL )
715 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
Hanno Becker8759e162017-12-27 21:34:08 +0000717 ciphersuite_info->mac ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200718 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100719 }
720
Hanno Beckerdd0afca2019-04-26 16:22:27 +0100721#if defined(MBEDTLS_SSL_CID)
722 /* Copy own and peer's CID if the use of the CID
723 * extension has been negotiated. */
724 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
725 {
726 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
Hanno Beckerd91dc372019-04-30 13:52:29 +0100727
728 /* Uncomment this once CID-parsing and support for a change
729 * record content type during record decryption are added. */
730 /* transform->in_cid_len = ssl->own_cid_len; */
731 /* transform->out_cid_len = ssl->handshake->peer_cid_len; */
732 /* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
733 /* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
734 /* ssl->handshake->peer_cid_len ); */
Hanno Beckerdd0afca2019-04-26 16:22:27 +0100735
736 MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
737 transform->out_cid_len );
Hanno Becker8013b272019-05-03 12:55:51 +0100738 MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
Hanno Beckerdd0afca2019-04-26 16:22:27 +0100739 transform->in_cid_len );
740 }
741#endif /* MBEDTLS_SSL_CID */
742
Paul Bakker5121ce52009-01-03 21:22:43 +0000743 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000744 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000745 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200746#if defined(MBEDTLS_SSL_PROTO_SSL3)
747 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000748 {
Paul Bakker48916f92012-09-16 19:57:18 +0000749 handshake->tls_prf = ssl3_prf;
750 handshake->calc_verify = ssl_calc_verify_ssl;
751 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000752 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200753 else
754#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200755#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
756 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000757 {
Paul Bakker48916f92012-09-16 19:57:18 +0000758 handshake->tls_prf = tls1_prf;
759 handshake->calc_verify = ssl_calc_verify_tls;
760 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000761 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200762 else
763#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200764#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
765#if defined(MBEDTLS_SHA512_C)
766 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Hanno Becker8759e162017-12-27 21:34:08 +0000767 ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000768 {
Paul Bakker48916f92012-09-16 19:57:18 +0000769 handshake->tls_prf = tls_prf_sha384;
770 handshake->calc_verify = ssl_calc_verify_tls_sha384;
771 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000772 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000773 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200774#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200775#if defined(MBEDTLS_SHA256_C)
776 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000777 {
Paul Bakker48916f92012-09-16 19:57:18 +0000778 handshake->tls_prf = tls_prf_sha256;
779 handshake->calc_verify = ssl_calc_verify_tls_sha256;
780 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000781 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200782 else
783#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200784#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200785 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200786 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
787 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200788 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000789
790 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000791 * SSLv3:
792 * master =
793 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
794 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
795 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200796 *
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200797 * TLSv1+:
Paul Bakker5121ce52009-01-03 21:22:43 +0000798 * master = PRF( premaster, "master secret", randbytes )[0..47]
799 */
Paul Bakker0a597072012-09-25 21:55:46 +0000800 if( handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000801 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200802 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
Paul Bakker48916f92012-09-16 19:57:18 +0000803 handshake->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000804
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200805#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
806 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200807 {
808 unsigned char session_hash[48];
809 size_t hash_len;
810
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200811 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200812
813 ssl->handshake->calc_verify( ssl, session_hash );
814
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200815#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
816 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200817 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200818#if defined(MBEDTLS_SHA512_C)
Hanno Becker8759e162017-12-27 21:34:08 +0000819 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200820 {
821 hash_len = 48;
822 }
823 else
824#endif
825 hash_len = 32;
826 }
827 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200828#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200829 hash_len = 36;
830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200831 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200832
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100833 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
834 "extended master secret",
835 session_hash, hash_len,
836 session->master, 48 );
837 if( ret != 0 )
838 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200839 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100840 return( ret );
841 }
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200842
843 }
844 else
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200845#endif
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100846 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
847 "master secret",
848 handshake->randbytes, 64,
849 session->master, 48 );
850 if( ret != 0 )
851 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200852 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100853 return( ret );
854 }
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200855
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500856 mbedtls_platform_zeroize( handshake->premaster,
857 sizeof(handshake->premaster) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000858 }
859 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000861
862 /*
863 * Swap the client and server random values.
864 */
Paul Bakker48916f92012-09-16 19:57:18 +0000865 memcpy( tmp, handshake->randbytes, 64 );
866 memcpy( handshake->randbytes, tmp + 32, 32 );
867 memcpy( handshake->randbytes + 32, tmp, 32 );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500868 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000869
870 /*
871 * SSLv3:
872 * key block =
873 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
874 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
875 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
876 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
877 * ...
878 *
879 * TLSv1:
880 * key block = PRF( master, "key expansion", randbytes )
881 */
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100882 ret = handshake->tls_prf( session->master, 48, "key expansion",
883 handshake->randbytes, 64, keyblk, 256 );
884 if( ret != 0 )
885 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200886 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100887 return( ret );
888 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000889
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
891 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
892 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
893 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
894 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000895
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500896 mbedtls_platform_zeroize( handshake->randbytes,
897 sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000898
899 /*
900 * Determine the appropriate key, IV and MAC length.
901 */
Paul Bakker68884e32013-01-07 18:20:04 +0100902
Hanno Beckere7f2df02017-12-27 08:17:40 +0000903 keylen = cipher_info->key_bitlen / 8;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200904
Hanno Beckerf1229442018-01-03 15:32:31 +0000905#if defined(MBEDTLS_GCM_C) || \
906 defined(MBEDTLS_CCM_C) || \
907 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200908 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200909 cipher_info->mode == MBEDTLS_MODE_CCM ||
910 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000911 {
Hanno Becker8759e162017-12-27 21:34:08 +0000912 size_t explicit_ivlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200913
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200914 transform->maclen = 0;
Hanno Becker81c7b182017-11-09 18:39:33 +0000915 mac_key_len = 0;
Hanno Becker8759e162017-12-27 21:34:08 +0000916 transform->taglen =
917 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200918
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200919 /* All modes haves 96-bit IVs;
920 * GCM and CCM has 4 implicit and 8 explicit bytes
921 * ChachaPoly has all 12 bytes implicit
922 */
Paul Bakker68884e32013-01-07 18:20:04 +0100923 transform->ivlen = 12;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200924 if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
925 transform->fixed_ivlen = 12;
926 else
927 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200928
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200929 /* Minimum length of encrypted record */
930 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Hanno Becker8759e162017-12-27 21:34:08 +0000931 transform->minlen = explicit_ivlen + transform->taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100932 }
933 else
Hanno Beckerf1229442018-01-03 15:32:31 +0000934#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
935#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
936 if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
937 cipher_info->mode == MBEDTLS_MODE_CBC )
Paul Bakker68884e32013-01-07 18:20:04 +0100938 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200939 /* Initialize HMAC contexts */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200940 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
941 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100942 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200943 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200944 return( ret );
Paul Bakker68884e32013-01-07 18:20:04 +0100945 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000946
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200947 /* Get MAC length */
Hanno Becker81c7b182017-11-09 18:39:33 +0000948 mac_key_len = mbedtls_md_get_size( md_info );
949 transform->maclen = mac_key_len;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200950
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200951#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200952 /*
953 * If HMAC is to be truncated, we shall keep the leftmost bytes,
954 * (rfc 6066 page 13 or rfc 2104 section 4),
955 * so we only need to adjust the length here.
956 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200957 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
Hanno Beckere89353a2017-11-20 16:36:41 +0000958 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200959 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
Hanno Beckere89353a2017-11-20 16:36:41 +0000960
961#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
962 /* Fall back to old, non-compliant version of the truncated
Hanno Becker563423f2017-11-21 17:20:17 +0000963 * HMAC implementation which also truncates the key
964 * (Mbed TLS versions from 1.3 to 2.6.0) */
Hanno Beckere89353a2017-11-20 16:36:41 +0000965 mac_key_len = transform->maclen;
966#endif
967 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200968#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200969
970 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100971 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000972
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200973 /* Minimum length */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200974 if( cipher_info->mode == MBEDTLS_MODE_STREAM )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200975 transform->minlen = transform->maclen;
976 else
Paul Bakker68884e32013-01-07 18:20:04 +0100977 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200978 /*
979 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100980 * 1. if EtM is in use: one block plus MAC
981 * otherwise: * first multiple of blocklen greater than maclen
982 * 2. IV except for SSL3 and TLS 1.0
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200983 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200984#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
985 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100986 {
987 transform->minlen = transform->maclen
988 + cipher_info->block_size;
989 }
990 else
991#endif
992 {
993 transform->minlen = transform->maclen
994 + cipher_info->block_size
995 - transform->maclen % cipher_info->block_size;
996 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200998#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
999 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1000 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +02001001 ; /* No need to adjust minlen */
Paul Bakker68884e32013-01-07 18:20:04 +01001002 else
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +02001003#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001004#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1005 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
1006 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +02001007 {
1008 transform->minlen += transform->ivlen;
1009 }
1010 else
1011#endif
1012 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001013 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1014 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +02001015 }
Paul Bakker68884e32013-01-07 18:20:04 +01001016 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001017 }
Hanno Beckerf1229442018-01-03 15:32:31 +00001018 else
1019#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
1020 {
1021 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1022 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1023 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001024
Hanno Beckere7f2df02017-12-27 08:17:40 +00001025 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
1026 (unsigned) keylen,
1027 (unsigned) transform->minlen,
1028 (unsigned) transform->ivlen,
1029 (unsigned) transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001030
1031 /*
1032 * Finally setup the cipher contexts, IVs and MAC secrets.
1033 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001034#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001035 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +00001036 {
Hanno Becker81c7b182017-11-09 18:39:33 +00001037 key1 = keyblk + mac_key_len * 2;
Hanno Beckere7f2df02017-12-27 08:17:40 +00001038 key2 = keyblk + mac_key_len * 2 + keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001039
Paul Bakker68884e32013-01-07 18:20:04 +01001040 mac_enc = keyblk;
Hanno Becker81c7b182017-11-09 18:39:33 +00001041 mac_dec = keyblk + mac_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001042
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001043 /*
1044 * This is not used in TLS v1.1.
1045 */
Paul Bakker48916f92012-09-16 19:57:18 +00001046 iv_copy_len = ( transform->fixed_ivlen ) ?
1047 transform->fixed_ivlen : transform->ivlen;
Hanno Beckere7f2df02017-12-27 08:17:40 +00001048 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
1049 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +00001050 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001051 }
1052 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001053#endif /* MBEDTLS_SSL_CLI_C */
1054#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001055 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00001056 {
Hanno Beckere7f2df02017-12-27 08:17:40 +00001057 key1 = keyblk + mac_key_len * 2 + keylen;
Hanno Becker81c7b182017-11-09 18:39:33 +00001058 key2 = keyblk + mac_key_len * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +00001059
Hanno Becker81c7b182017-11-09 18:39:33 +00001060 mac_enc = keyblk + mac_key_len;
Paul Bakker68884e32013-01-07 18:20:04 +01001061 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +00001062
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001063 /*
1064 * This is not used in TLS v1.1.
1065 */
Paul Bakker48916f92012-09-16 19:57:18 +00001066 iv_copy_len = ( transform->fixed_ivlen ) ?
1067 transform->fixed_ivlen : transform->ivlen;
Hanno Beckere7f2df02017-12-27 08:17:40 +00001068 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
1069 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +00001070 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001071 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01001072 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001073#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01001074 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001075 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1076 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01001077 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001078
Hanno Becker92231322018-01-03 15:32:51 +00001079#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001080#if defined(MBEDTLS_SSL_PROTO_SSL3)
1081 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker68884e32013-01-07 18:20:04 +01001082 {
Hanno Becker92231322018-01-03 15:32:51 +00001083 if( mac_key_len > sizeof( transform->mac_enc ) )
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +01001084 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1086 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +01001087 }
1088
Hanno Becker81c7b182017-11-09 18:39:33 +00001089 memcpy( transform->mac_enc, mac_enc, mac_key_len );
1090 memcpy( transform->mac_dec, mac_dec, mac_key_len );
Paul Bakker68884e32013-01-07 18:20:04 +01001091 }
1092 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001093#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1094#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1095 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1096 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakker68884e32013-01-07 18:20:04 +01001097 {
Gilles Peskine039fd122018-03-19 19:06:08 +01001098 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
1099 For AEAD-based ciphersuites, there is nothing to do here. */
1100 if( mac_key_len != 0 )
1101 {
1102 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
1103 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
1104 }
Paul Bakker68884e32013-01-07 18:20:04 +01001105 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001106 else
1107#endif
Paul Bakker577e0062013-08-28 11:57:20 +02001108 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1110 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02001111 }
Hanno Becker92231322018-01-03 15:32:51 +00001112#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Paul Bakker68884e32013-01-07 18:20:04 +01001113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001114#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
1115 if( mbedtls_ssl_hw_record_init != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00001116 {
1117 int ret = 0;
1118
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +00001120
Hanno Beckere7f2df02017-12-27 08:17:40 +00001121 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,
Paul Bakker07eb38b2012-12-19 14:42:06 +01001122 transform->iv_enc, transform->iv_dec,
1123 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +01001124 mac_enc, mac_dec,
Hanno Becker81c7b182017-11-09 18:39:33 +00001125 mac_key_len ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +00001126 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001127 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
1128 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00001129 }
1130 }
Hanno Becker92231322018-01-03 15:32:51 +00001131#else
1132 ((void) mac_dec);
1133 ((void) mac_enc);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001134#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +00001135
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +02001136#if defined(MBEDTLS_SSL_EXPORT_KEYS)
1137 if( ssl->conf->f_export_keys != NULL )
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001138 {
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +02001139 ssl->conf->f_export_keys( ssl->conf->p_export_keys,
1140 session->master, keyblk,
Hanno Beckere7f2df02017-12-27 08:17:40 +00001141 mac_key_len, keylen,
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001142 iv_copy_len );
1143 }
1144#endif
1145
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001146 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001147 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001148 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001149 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001150 return( ret );
1151 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001152
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001153 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001154 cipher_info ) ) != 0 )
1155 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001157 return( ret );
1158 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001160 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +02001161 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001162 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001163 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001164 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001165 return( ret );
1166 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001167
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001168 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +02001169 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001170 MBEDTLS_DECRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001171 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001172 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001173 return( ret );
1174 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001175
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001176#if defined(MBEDTLS_CIPHER_MODE_CBC)
1177 if( cipher_info->mode == MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001178 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001179 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1180 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001181 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001182 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001183 return( ret );
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001184 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001186 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1187 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001188 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001189 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001190 return( ret );
1191 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001192 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001193#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001194
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05001195 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001197#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +00001198 // Initialize compression
1199 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001200 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00001201 {
Paul Bakker16770332013-10-11 09:59:44 +02001202 if( ssl->compress_buf == NULL )
1203 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001204 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
Angus Grattond8213d02016-05-25 20:56:48 +10001205 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Paul Bakker16770332013-10-11 09:59:44 +02001206 if( ssl->compress_buf == NULL )
1207 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02001208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
Angus Grattond8213d02016-05-25 20:56:48 +10001209 MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02001210 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker16770332013-10-11 09:59:44 +02001211 }
1212 }
1213
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001214 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001215
Paul Bakker48916f92012-09-16 19:57:18 +00001216 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
1217 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001218
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001219 if( deflateInit( &transform->ctx_deflate,
1220 Z_DEFAULT_COMPRESSION ) != Z_OK ||
Paul Bakker48916f92012-09-16 19:57:18 +00001221 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +00001222 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
1224 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001225 }
1226 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001227#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +00001228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001229 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001230
1231 return( 0 );
1232}
1233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001234#if defined(MBEDTLS_SSL_PROTO_SSL3)
1235void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +00001236{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001237 mbedtls_md5_context md5;
1238 mbedtls_sha1_context sha1;
Paul Bakker5121ce52009-01-03 21:22:43 +00001239 unsigned char pad_1[48];
1240 unsigned char pad_2[48];
1241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001242 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001243
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001244 mbedtls_md5_init( &md5 );
1245 mbedtls_sha1_init( &sha1 );
1246
1247 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1248 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001249
Paul Bakker380da532012-04-18 16:10:25 +00001250 memset( pad_1, 0x36, 48 );
1251 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001252
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001253 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1254 mbedtls_md5_update_ret( &md5, pad_1, 48 );
1255 mbedtls_md5_finish_ret( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00001256
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001257 mbedtls_md5_starts_ret( &md5 );
1258 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1259 mbedtls_md5_update_ret( &md5, pad_2, 48 );
1260 mbedtls_md5_update_ret( &md5, hash, 16 );
1261 mbedtls_md5_finish_ret( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00001262
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001263 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1264 mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
1265 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +00001266
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001267 mbedtls_sha1_starts_ret( &sha1 );
1268 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1269 mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
1270 mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
1271 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +00001272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001273 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1274 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001275
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001276 mbedtls_md5_free( &md5 );
1277 mbedtls_sha1_free( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +02001278
Paul Bakker380da532012-04-18 16:10:25 +00001279 return;
1280}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001281#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker380da532012-04-18 16:10:25 +00001282
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001283#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
1284void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
Paul Bakker380da532012-04-18 16:10:25 +00001285{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001286 mbedtls_md5_context md5;
1287 mbedtls_sha1_context sha1;
Paul Bakker380da532012-04-18 16:10:25 +00001288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001290
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001291 mbedtls_md5_init( &md5 );
1292 mbedtls_sha1_init( &sha1 );
1293
1294 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1295 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker380da532012-04-18 16:10:25 +00001296
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001297 mbedtls_md5_finish_ret( &md5, hash );
1298 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +00001299
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001300 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1301 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001302
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001303 mbedtls_md5_free( &md5 );
1304 mbedtls_sha1_free( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +02001305
Paul Bakker380da532012-04-18 16:10:25 +00001306 return;
1307}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001308#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker380da532012-04-18 16:10:25 +00001309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001310#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1311#if defined(MBEDTLS_SHA256_C)
1312void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
Paul Bakker380da532012-04-18 16:10:25 +00001313{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001314 mbedtls_sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +00001315
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001316 mbedtls_sha256_init( &sha256 );
1317
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001318 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001319
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001320 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001321 mbedtls_sha256_finish_ret( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +00001322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001323 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
1324 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001325
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001326 mbedtls_sha256_free( &sha256 );
Paul Bakker5b4af392014-06-26 12:09:34 +02001327
Paul Bakker380da532012-04-18 16:10:25 +00001328 return;
1329}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001330#endif /* MBEDTLS_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +00001331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001332#if defined(MBEDTLS_SHA512_C)
1333void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
Paul Bakker380da532012-04-18 16:10:25 +00001334{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001335 mbedtls_sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +00001336
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001337 mbedtls_sha512_init( &sha512 );
1338
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001339 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001340
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001341 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01001342 mbedtls_sha512_finish_ret( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00001343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001344 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
1345 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001346
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001347 mbedtls_sha512_free( &sha512 );
Paul Bakker5b4af392014-06-26 12:09:34 +02001348
Paul Bakker5121ce52009-01-03 21:22:43 +00001349 return;
1350}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001351#endif /* MBEDTLS_SHA512_C */
1352#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001353
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001354#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1355int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001356{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001357 unsigned char *p = ssl->handshake->premaster;
1358 unsigned char *end = p + sizeof( ssl->handshake->premaster );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001359 const unsigned char *psk = ssl->conf->psk;
1360 size_t psk_len = ssl->conf->psk_len;
1361
1362 /* If the psk callback was called, use its result */
1363 if( ssl->handshake->psk != NULL )
1364 {
1365 psk = ssl->handshake->psk;
1366 psk_len = ssl->handshake->psk_len;
1367 }
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001368
1369 /*
1370 * PMS = struct {
1371 * opaque other_secret<0..2^16-1>;
1372 * opaque psk<0..2^16-1>;
1373 * };
1374 * with "other_secret" depending on the particular key exchange
1375 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001376#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1377 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001378 {
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001379 if( end - p < 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001380 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001381
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001382 *(p++) = (unsigned char)( psk_len >> 8 );
1383 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001384
1385 if( end < p || (size_t)( end - p ) < psk_len )
1386 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1387
1388 memset( p, 0, psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001389 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001390 }
1391 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001392#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1393#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1394 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001395 {
1396 /*
1397 * other_secret already set by the ClientKeyExchange message,
1398 * and is 48 bytes long
1399 */
Philippe Antoine747fd532018-05-30 09:13:21 +02001400 if( end - p < 2 )
1401 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1402
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001403 *p++ = 0;
1404 *p++ = 48;
1405 p += 48;
1406 }
1407 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001408#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1409#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1410 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001411 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02001412 int ret;
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001413 size_t len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001414
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001415 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001416 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001417 p + 2, end - ( p + 2 ), &len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001418 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001419 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001420 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001421 return( ret );
1422 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001423 *(p++) = (unsigned char)( len >> 8 );
1424 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001425 p += len;
1426
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001427 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001428 }
1429 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001430#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1431#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1432 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001433 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02001434 int ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001435 size_t zlen;
1436
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001437 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +02001438 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001439 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001440 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001441 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001442 return( ret );
1443 }
1444
1445 *(p++) = (unsigned char)( zlen >> 8 );
1446 *(p++) = (unsigned char)( zlen );
1447 p += zlen;
1448
Janos Follath3fbdada2018-08-15 10:26:53 +01001449 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1450 MBEDTLS_DEBUG_ECDH_Z );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001451 }
1452 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001453#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001454 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1456 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001457 }
1458
1459 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001460 if( end - p < 2 )
1461 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01001462
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001463 *(p++) = (unsigned char)( psk_len >> 8 );
1464 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001465
1466 if( end < p || (size_t)( end - p ) < psk_len )
1467 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1468
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001469 memcpy( p, psk, psk_len );
1470 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001471
1472 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1473
1474 return( 0 );
1475}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001476#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001478#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00001479/*
1480 * SSLv3.0 MAC functions
1481 */
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +01001482#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +01001483static void ssl_mac( mbedtls_md_context_t *md_ctx,
1484 const unsigned char *secret,
1485 const unsigned char *buf, size_t len,
1486 const unsigned char *ctr, int type,
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +01001487 unsigned char out[SSL_MAC_MAX_BYTES] )
Paul Bakker5121ce52009-01-03 21:22:43 +00001488{
1489 unsigned char header[11];
1490 unsigned char padding[48];
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001491 int padlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001492 int md_size = mbedtls_md_get_size( md_ctx->md_info );
1493 int md_type = mbedtls_md_get_type( md_ctx->md_info );
Paul Bakker68884e32013-01-07 18:20:04 +01001494
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001495 /* Only MD5 and SHA-1 supported */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001496 if( md_type == MBEDTLS_MD_MD5 )
Paul Bakker68884e32013-01-07 18:20:04 +01001497 padlen = 48;
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001498 else
Paul Bakker68884e32013-01-07 18:20:04 +01001499 padlen = 40;
Paul Bakker5121ce52009-01-03 21:22:43 +00001500
1501 memcpy( header, ctr, 8 );
1502 header[ 8] = (unsigned char) type;
1503 header[ 9] = (unsigned char)( len >> 8 );
1504 header[10] = (unsigned char)( len );
1505
Paul Bakker68884e32013-01-07 18:20:04 +01001506 memset( padding, 0x36, padlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001507 mbedtls_md_starts( md_ctx );
1508 mbedtls_md_update( md_ctx, secret, md_size );
1509 mbedtls_md_update( md_ctx, padding, padlen );
1510 mbedtls_md_update( md_ctx, header, 11 );
1511 mbedtls_md_update( md_ctx, buf, len );
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +01001512 mbedtls_md_finish( md_ctx, out );
Paul Bakker5121ce52009-01-03 21:22:43 +00001513
Paul Bakker68884e32013-01-07 18:20:04 +01001514 memset( padding, 0x5C, padlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001515 mbedtls_md_starts( md_ctx );
1516 mbedtls_md_update( md_ctx, secret, md_size );
1517 mbedtls_md_update( md_ctx, padding, padlen );
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +01001518 mbedtls_md_update( md_ctx, out, md_size );
1519 mbedtls_md_finish( md_ctx, out );
Paul Bakker5f70b252012-09-13 14:23:06 +00001520}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001521#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +00001522
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02001523/* The function below is only used in the Lucky 13 counter-measure in
Hanno Becker30d02cd2018-10-18 15:43:13 +01001524 * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
Hanno Becker5cc04d52018-01-03 15:24:20 +00001525#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02001526 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
1527 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1528 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
1529/* This function makes sure every byte in the memory region is accessed
1530 * (in ascending addresses order) */
1531static void ssl_read_memory( unsigned char *p, size_t len )
1532{
1533 unsigned char acc = 0;
1534 volatile unsigned char force;
1535
1536 for( ; len != 0; p++, len-- )
1537 acc ^= *p;
1538
1539 force = acc;
1540 (void) force;
1541}
1542#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
1543
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001544/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001545 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +02001546 */
Hanno Becker3307b532017-12-27 21:37:21 +00001547
Hanno Becker92c930f2019-04-29 17:31:37 +01001548#if defined(MBEDTLS_SSL_CID)
1549/* This functions transforms a pair of a DTLS plaintext fragment
1550 * and a record content type into an instance of the DTLSInnerPlaintext
1551 * structure:
1552 *
1553 * struct {
1554 * opaque content[DTLSPlaintext.length];
1555 * ContentType real_type;
1556 * uint8 zeros[length_of_padding];
1557 * } DTLSInnerPlaintext;
1558 *
1559 * Input:
1560 * - `content`: The beginning of the buffer holding the
1561 * plaintext to be wrapped.
1562 * - `*content_size`: The length of the plaintext in Bytes.
1563 * - `max_len`: The number of Bytes available starting from
1564 * `content`. This must be `>= *content_size`.
1565 * - `rec_type`: The desired record content type.
1566 *
1567 * Output:
1568 * - `content`: The beginning of the resulting DTLSInnerPlaintext structure.
1569 * - `*content_size`: The length of the resulting DTLSInnerPlaintext structure.
1570 *
1571 * Returns:
1572 * - `0` on success.
1573 * - A negative error code if `max_len` didn't offer enough space
1574 * for the expansion.
1575 */
1576static int ssl_cid_build_inner_plaintext( unsigned char *content,
1577 size_t *content_size,
1578 size_t remaining,
1579 uint8_t rec_type )
1580{
1581 size_t len = *content_size;
1582 size_t pad = ~len & 0xF; /* Pad to a multiple of 16 */
1583
1584 /* Write real content type */
1585 if( remaining == 0 )
1586 return( -1 );
1587 content[ len ] = rec_type;
1588 len++;
1589 remaining--;
1590
1591 if( remaining < pad )
1592 return( -1 );
1593 memset( content + len, 0, pad );
1594 len += pad;
1595 remaining -= pad;
1596
1597 *content_size = len;
1598 return( 0 );
1599}
1600
1601/* This function parses a DTLSInnerPlaintext structure
1602 *
1603 * struct {
1604 * opaque content[DTLSPlaintext.length];
1605 * ContentType real_type;
1606 * uint8 zeros[length_of_padding];
1607 * } DTLSInnerPlaintext;
1608 */
1609static int ssl_cid_parse_inner_plaintext( unsigned char const *content,
1610 size_t *content_size,
1611 uint8_t *rec_type )
1612{
1613 size_t remaining = *content_size;
1614
1615 /* Determine length of padding by skipping zeroes from the back. */
1616 do
1617 {
1618 if( remaining == 0 )
1619 return( -1 );
1620 remaining--;
1621 } while( content[ remaining ] == 0 );
1622
1623 *content_size = remaining;
1624 *rec_type = content[ remaining ];
1625
1626 return( 0 );
1627}
1628#endif /* MBEDTLS_SSL_CID */
1629
Hanno Becker2e7cd5a2019-04-30 15:01:51 +01001630/* add_data must have size ( 13 + MBEDTLS_SSL_CID_LEN_MAX ) Bytes */
Hanno Becker3307b532017-12-27 21:37:21 +00001631static void ssl_extract_add_data_from_record( unsigned char* add_data,
Hanno Beckere83efe62019-04-29 13:52:53 +01001632 size_t *add_data_len,
Hanno Becker3307b532017-12-27 21:37:21 +00001633 mbedtls_record *rec )
1634{
Hanno Beckere83efe62019-04-29 13:52:53 +01001635 /* Quoting RFC 5246:
1636 *
1637 * additional_data = seq_num + TLSCompressed.type +
1638 * TLSCompressed.version + TLSCompressed.length;
1639 *
1640 * For the CID extension, this is extended as follows:
1641 *
1642 * additional_data = seq_num + DTLSPlaintext.type +
1643 * DTLSPlaintext.version +
1644 * cid + // New input
1645 * cid_length + // New input
1646 * length_of_DTLSInnerPlaintext;
1647 */
1648
Hanno Becker3307b532017-12-27 21:37:21 +00001649 memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );
1650 add_data[8] = rec->type;
Hanno Beckere83efe62019-04-29 13:52:53 +01001651 memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );
1652
1653#if defined(MBEDTLS_SSL_CID)
1654 memcpy( add_data + 11, rec->cid, rec->cid_len );
Hanno Beckere83efe62019-04-29 13:52:53 +01001655 add_data[11 + rec->cid_len + 0] = ( rec->data_len >> 8 ) & 0xFF;
1656 add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 0 ) & 0xFF;
Hanno Beckere83efe62019-04-29 13:52:53 +01001657 *add_data_len = 13 + rec->cid_len;
Hanno Becker505089d2019-05-01 09:45:57 +01001658#else /* MBEDTLS_SSL_CID */
1659 add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
1660 add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
Hanno Beckere83efe62019-04-29 13:52:53 +01001661 *add_data_len = 13;
1662#endif /* MBEDTLS_SSL_CID */
Hanno Becker3307b532017-12-27 21:37:21 +00001663}
1664
Hanno Becker611a83b2018-01-03 14:27:32 +00001665int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1666 mbedtls_ssl_transform *transform,
1667 mbedtls_record *rec,
1668 int (*f_rng)(void *, unsigned char *, size_t),
1669 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +00001670{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001671 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001672 int auth_done = 0;
Hanno Becker3307b532017-12-27 21:37:21 +00001673 unsigned char * data;
Hanno Becker2e7cd5a2019-04-30 15:01:51 +01001674 unsigned char add_data[13 + MBEDTLS_SSL_CID_LEN_MAX ];
Hanno Beckere83efe62019-04-29 13:52:53 +01001675 size_t add_data_len;
Hanno Becker3307b532017-12-27 21:37:21 +00001676 size_t post_avail;
1677
1678 /* The SSL context is only used for debugging purposes! */
Hanno Becker611a83b2018-01-03 14:27:32 +00001679#if !defined(MBEDTLS_DEBUG_C)
Hanno Becker3307b532017-12-27 21:37:21 +00001680 ((void) ssl);
1681#endif
1682
1683 /* The PRNG is used for dynamic IV generation that's used
1684 * for CBC transformations in TLS 1.1 and TLS 1.2. */
1685#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
1686 ( defined(MBEDTLS_AES_C) || \
1687 defined(MBEDTLS_ARIA_C) || \
1688 defined(MBEDTLS_CAMELLIA_C) ) && \
1689 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
1690 ((void) f_rng);
1691 ((void) p_rng);
1692#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001693
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001694 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001695
Hanno Becker3307b532017-12-27 21:37:21 +00001696 if( transform == NULL )
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001697 {
Hanno Becker3307b532017-12-27 21:37:21 +00001698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
1699 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1700 }
Hanno Becker505089d2019-05-01 09:45:57 +01001701 if( rec == NULL
1702 || rec->buf == NULL
1703 || rec->buf_len < rec->data_offset
1704 || rec->buf_len - rec->data_offset < rec->data_len
1705#if defined(MBEDTLS_SSL_CID)
1706 || rec->cid_len != 0
1707#endif
1708 )
Hanno Becker3307b532017-12-27 21:37:21 +00001709 {
1710 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001711 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001712 }
1713
Hanno Becker3307b532017-12-27 21:37:21 +00001714 data = rec->buf + rec->data_offset;
Hanno Becker92c930f2019-04-29 17:31:37 +01001715 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001716 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Hanno Becker3307b532017-12-27 21:37:21 +00001717 data, rec->data_len );
1718
1719 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
1720
1721 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
1722 {
1723 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
1724 (unsigned) rec->data_len,
1725 MBEDTLS_SSL_OUT_CONTENT_LEN ) );
1726 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1727 }
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +01001728
Hanno Beckere83efe62019-04-29 13:52:53 +01001729#if defined(MBEDTLS_SSL_CID)
1730 /*
1731 * Add CID information
1732 */
1733 rec->cid_len = transform->out_cid_len;
1734 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
1735 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
Hanno Becker92c930f2019-04-29 17:31:37 +01001736
1737 if( rec->cid_len != 0 )
1738 {
1739 /*
1740 * Wrap plaintext into DTLSInnerPlaintext structure
1741 *
1742 * struct {
1743 * opaque content[DTLSPlaintext.length];
1744 * ContentType real_type;
1745 * uint8 zeros[length_of_padding];
1746 * } DTLSInnerPlaintext;
1747 *
1748 * and change the record content type.
1749 *
1750 * The rest of the record encryption stays
1751 * unmodified (apart from the inclusion of
1752 * the CID into the additional data for the
1753 * record MAC).
1754 */
1755 if( ssl_cid_build_inner_plaintext( data,
1756 &rec->data_len,
1757 post_avail,
1758 rec->type ) != 0 )
1759 {
1760 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1761 }
1762
1763 rec->type = MBEDTLS_SSL_MSG_CID;
1764 }
Hanno Beckere83efe62019-04-29 13:52:53 +01001765#endif /* MBEDTLS_SSL_CID */
1766
Hanno Becker92c930f2019-04-29 17:31:37 +01001767 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
1768
Paul Bakker5121ce52009-01-03 21:22:43 +00001769 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001770 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +00001771 */
Hanno Becker5cc04d52018-01-03 15:24:20 +00001772#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001773 if( mode == MBEDTLS_MODE_STREAM ||
1774 ( mode == MBEDTLS_MODE_CBC
1775#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker3307b532017-12-27 21:37:21 +00001776 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001777#endif
1778 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00001779 {
Hanno Becker3307b532017-12-27 21:37:21 +00001780 if( post_avail < transform->maclen )
1781 {
1782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1783 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1784 }
1785
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001786#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker3307b532017-12-27 21:37:21 +00001787 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001788 {
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +01001789 unsigned char mac[SSL_MAC_MAX_BYTES];
Hanno Becker3307b532017-12-27 21:37:21 +00001790 ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
1791 data, rec->data_len, rec->ctr, rec->type, mac );
1792 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001793 }
1794 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001795#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001796#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1797 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker3307b532017-12-27 21:37:21 +00001798 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001799 {
Hanno Becker992b6872017-11-09 18:57:39 +00001800 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1801
Hanno Beckere83efe62019-04-29 13:52:53 +01001802 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker992b6872017-11-09 18:57:39 +00001803
Hanno Becker3307b532017-12-27 21:37:21 +00001804 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckere83efe62019-04-29 13:52:53 +01001805 add_data_len );
Hanno Becker3307b532017-12-27 21:37:21 +00001806 mbedtls_md_hmac_update( &transform->md_ctx_enc,
1807 data, rec->data_len );
1808 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
1809 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
1810
1811 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001812 }
1813 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001814#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001815 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1817 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001818 }
1819
Hanno Becker3307b532017-12-27 21:37:21 +00001820 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
1821 transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001822
Hanno Becker3307b532017-12-27 21:37:21 +00001823 rec->data_len += transform->maclen;
1824 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001825 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +02001826 }
Hanno Becker5cc04d52018-01-03 15:24:20 +00001827#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001828
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001829 /*
1830 * Encrypt
1831 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001832#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1833 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +00001834 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001835 int ret;
Hanno Becker3307b532017-12-27 21:37:21 +00001836 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001837 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Hanno Becker3307b532017-12-27 21:37:21 +00001838 "including %d bytes of padding",
1839 rec->data_len, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001840
Hanno Becker3307b532017-12-27 21:37:21 +00001841 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
1842 transform->iv_enc, transform->ivlen,
1843 data, rec->data_len,
1844 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001845 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001846 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001847 return( ret );
1848 }
1849
Hanno Becker3307b532017-12-27 21:37:21 +00001850 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001851 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1853 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001854 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001855 }
Paul Bakker68884e32013-01-07 18:20:04 +01001856 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001857#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Hanno Becker4c6876b2017-12-27 21:28:58 +00001858
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001859#if defined(MBEDTLS_GCM_C) || \
1860 defined(MBEDTLS_CCM_C) || \
1861 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001862 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001863 mode == MBEDTLS_MODE_CCM ||
1864 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001865 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001866 int ret;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001867 unsigned char iv[12];
Hanno Becker3307b532017-12-27 21:37:21 +00001868 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001869
Hanno Becker3307b532017-12-27 21:37:21 +00001870 /* Check that there's space for both the authentication tag
1871 * and the explicit IV before and after the record content. */
1872 if( post_avail < transform->taglen ||
1873 rec->data_offset < explicit_iv_len )
1874 {
1875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1876 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1877 }
Paul Bakkerca4ab492012-04-18 14:23:57 +00001878
Paul Bakker68884e32013-01-07 18:20:04 +01001879 /*
1880 * Generate IV
1881 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001882 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1883 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +02001884 /* GCM and CCM: fixed || explicit (=seqnum) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001885 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
Hanno Becker3307b532017-12-27 21:37:21 +00001886 memcpy( iv + transform->fixed_ivlen, rec->ctr,
1887 explicit_iv_len );
1888 /* Prefix record content with explicit IV. */
1889 memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001890 }
1891 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
1892 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +02001893 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001894 unsigned char i;
1895
1896 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1897
1898 for( i = 0; i < 8; i++ )
Hanno Becker3307b532017-12-27 21:37:21 +00001899 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001900 }
1901 else
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +01001902 {
1903 /* Reminder if we ever add an AEAD mode with a different size */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1905 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +01001906 }
1907
Hanno Beckere83efe62019-04-29 13:52:53 +01001908 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker08885812019-04-26 13:34:37 +01001909
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001910 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
1911 iv, transform->ivlen );
1912 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
Hanno Becker3307b532017-12-27 21:37:21 +00001913 data - explicit_iv_len, explicit_iv_len );
1914 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckere83efe62019-04-29 13:52:53 +01001915 add_data, add_data_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001916 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001917 "including 0 bytes of padding",
Hanno Becker3307b532017-12-27 21:37:21 +00001918 rec->data_len ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001919
Paul Bakker68884e32013-01-07 18:20:04 +01001920 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001921 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001922 */
Hanno Becker3307b532017-12-27 21:37:21 +00001923
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02001924 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
Hanno Becker3307b532017-12-27 21:37:21 +00001925 iv, transform->ivlen,
Hanno Beckere83efe62019-04-29 13:52:53 +01001926 add_data, add_data_len, /* add data */
Hanno Becker3307b532017-12-27 21:37:21 +00001927 data, rec->data_len, /* source */
1928 data, &rec->data_len, /* destination */
1929 data + rec->data_len, transform->taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001930 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001931 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001932 return( ret );
1933 }
1934
Hanno Becker3307b532017-12-27 21:37:21 +00001935 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
1936 data + rec->data_len, transform->taglen );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001937
Hanno Becker3307b532017-12-27 21:37:21 +00001938 rec->data_len += transform->taglen + explicit_iv_len;
1939 rec->data_offset -= explicit_iv_len;
1940 post_avail -= transform->taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001941 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001942 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001943 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001944#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1945#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +00001946 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001947 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +00001948 {
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001949 int ret;
Hanno Becker3307b532017-12-27 21:37:21 +00001950 size_t padlen, i;
1951 size_t olen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001952
Hanno Becker3307b532017-12-27 21:37:21 +00001953 /* Currently we're always using minimal padding
1954 * (up to 255 bytes would be allowed). */
1955 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
1956 if( padlen == transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001957 padlen = 0;
1958
Hanno Becker3307b532017-12-27 21:37:21 +00001959 /* Check there's enough space in the buffer for the padding. */
1960 if( post_avail < padlen + 1 )
1961 {
1962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1963 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1964 }
1965
Paul Bakker5121ce52009-01-03 21:22:43 +00001966 for( i = 0; i <= padlen; i++ )
Hanno Becker3307b532017-12-27 21:37:21 +00001967 data[rec->data_len + i] = (unsigned char) padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001968
Hanno Becker3307b532017-12-27 21:37:21 +00001969 rec->data_len += padlen + 1;
1970 post_avail -= padlen + 1;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001971
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001972#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001973 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001974 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1975 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001976 */
Hanno Becker3307b532017-12-27 21:37:21 +00001977 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001978 {
Hanno Becker3307b532017-12-27 21:37:21 +00001979 if( f_rng == NULL )
1980 {
1981 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
1982 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1983 }
1984
1985 if( rec->data_offset < transform->ivlen )
1986 {
1987 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1988 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1989 }
1990
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001991 /*
1992 * Generate IV
1993 */
Hanno Becker3307b532017-12-27 21:37:21 +00001994 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +00001995 if( ret != 0 )
1996 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001997
Hanno Becker3307b532017-12-27 21:37:21 +00001998 memcpy( data - transform->ivlen, transform->iv_enc,
1999 transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002000
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002001 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002002#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002003
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002004 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002005 "including %d bytes of IV and %d bytes of padding",
Hanno Becker3307b532017-12-27 21:37:21 +00002006 rec->data_len, transform->ivlen,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002007 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002008
Hanno Becker3307b532017-12-27 21:37:21 +00002009 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
2010 transform->iv_enc,
2011 transform->ivlen,
2012 data, rec->data_len,
2013 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02002014 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002015 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +02002016 return( ret );
2017 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02002018
Hanno Becker3307b532017-12-27 21:37:21 +00002019 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +02002020 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002021 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2022 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +02002023 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02002024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002025#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker3307b532017-12-27 21:37:21 +00002026 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +02002027 {
2028 /*
2029 * Save IV in SSL3 and TLS1
2030 */
Hanno Becker3307b532017-12-27 21:37:21 +00002031 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
2032 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002033 }
Hanno Becker3307b532017-12-27 21:37:21 +00002034 else
Paul Bakkercca5b812013-08-31 17:40:26 +02002035#endif
Hanno Becker3307b532017-12-27 21:37:21 +00002036 {
2037 data -= transform->ivlen;
2038 rec->data_offset -= transform->ivlen;
2039 rec->data_len += transform->ivlen;
2040 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002041
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002042#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002043 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002044 {
Hanno Becker3d8c9072018-01-05 16:24:22 +00002045 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
2046
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002047 /*
2048 * MAC(MAC_write_key, seq_num +
2049 * TLSCipherText.type +
2050 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01002051 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002052 * IV + // except for TLS 1.0
2053 * ENC(content + padding + padding_length));
2054 */
Hanno Becker3307b532017-12-27 21:37:21 +00002055
2056 if( post_avail < transform->maclen)
2057 {
2058 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
2059 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2060 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002061
Hanno Beckere83efe62019-04-29 13:52:53 +01002062 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002063
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002064 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Hanno Becker3307b532017-12-27 21:37:21 +00002065 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
Hanno Beckere83efe62019-04-29 13:52:53 +01002066 add_data_len );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002067
Hanno Becker3307b532017-12-27 21:37:21 +00002068 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckere83efe62019-04-29 13:52:53 +01002069 add_data_len );
Hanno Becker3307b532017-12-27 21:37:21 +00002070 mbedtls_md_hmac_update( &transform->md_ctx_enc,
2071 data, rec->data_len );
2072 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
2073 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01002074
Hanno Becker3307b532017-12-27 21:37:21 +00002075 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002076
Hanno Becker3307b532017-12-27 21:37:21 +00002077 rec->data_len += transform->maclen;
2078 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002079 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002080 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002081#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +00002082 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02002083 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002084#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +00002085 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02002086 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002087 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2088 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02002089 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002090
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002091 /* Make extra sure authentication was performed, exactly once */
2092 if( auth_done != 1 )
2093 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002094 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2095 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002096 }
2097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002098 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002099
2100 return( 0 );
2101}
2102
Hanno Becker611a83b2018-01-03 14:27:32 +00002103int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
2104 mbedtls_ssl_transform *transform,
2105 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +00002106{
Hanno Becker4c6876b2017-12-27 21:28:58 +00002107 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002108 mbedtls_cipher_mode_t mode;
Hanno Becker4c6876b2017-12-27 21:28:58 +00002109 int ret, auth_done = 0;
Hanno Becker5cc04d52018-01-03 15:24:20 +00002110#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +01002111 size_t padlen = 0, correct = 1;
2112#endif
Hanno Becker4c6876b2017-12-27 21:28:58 +00002113 unsigned char* data;
Hanno Becker2e7cd5a2019-04-30 15:01:51 +01002114 unsigned char add_data[13 + MBEDTLS_SSL_CID_LEN_MAX ];
Hanno Beckere83efe62019-04-29 13:52:53 +01002115 size_t add_data_len;
Hanno Becker4c6876b2017-12-27 21:28:58 +00002116
Hanno Becker611a83b2018-01-03 14:27:32 +00002117#if !defined(MBEDTLS_DEBUG_C)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002118 ((void) ssl);
2119#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002122 if( transform == NULL )
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002123 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00002124 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to decrypt_buf" ) );
2125 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2126 }
2127 if( rec == NULL ||
2128 rec->buf == NULL ||
2129 rec->buf_len < rec->data_offset ||
2130 rec->buf_len - rec->data_offset < rec->data_len )
2131 {
2132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002133 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002134 }
2135
Hanno Becker4c6876b2017-12-27 21:28:58 +00002136 data = rec->buf + rec->data_offset;
2137 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +00002138
Hanno Beckere83efe62019-04-29 13:52:53 +01002139#if defined(MBEDTLS_SSL_CID)
2140 /*
2141 * Match record's CID with incoming CID.
2142 */
2143
Hanno Becker4c6fe122019-04-30 16:56:40 +01002144 /* Uncomment this once CID parsing is in place */
Hanno Beckere83efe62019-04-29 13:52:53 +01002145 /* if( rec->cid_len != transform->in_cid_len || */
2146 /* memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) */
2147 /* { */
2148 /* return( MBEDTLS_ERR_SSL_INVALID_RECORD ); */
2149 /* } */
Hanno Becker4c6fe122019-04-30 16:56:40 +01002150
2151 /* Remove this once CID parsing is in place */
Hanno Beckere83efe62019-04-29 13:52:53 +01002152 rec->cid_len = transform->in_cid_len;
2153 memcpy( rec->cid, transform->in_cid, transform->in_cid_len );
2154 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
2155#endif /* MBEDTLS_SSL_CID */
2156
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002157#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
2158 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +01002159 {
2160 padlen = 0;
Hanno Becker4c6876b2017-12-27 21:28:58 +00002161 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
2162 transform->iv_dec,
2163 transform->ivlen,
2164 data, rec->data_len,
2165 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02002166 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002167 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02002168 return( ret );
2169 }
2170
Hanno Becker4c6876b2017-12-27 21:28:58 +00002171 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02002172 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2174 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02002175 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002176 }
Paul Bakker68884e32013-01-07 18:20:04 +01002177 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002178#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002179#if defined(MBEDTLS_GCM_C) || \
2180 defined(MBEDTLS_CCM_C) || \
2181 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002182 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002183 mode == MBEDTLS_MODE_CCM ||
2184 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +00002185 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002186 unsigned char iv[12];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002187 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00002188
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002189 /*
2190 * Compute and update sizes
2191 */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002192 if( rec->data_len < explicit_iv_len + transform->taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +02002193 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002194 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
Hanno Becker4c6876b2017-12-27 21:28:58 +00002195 "+ taglen (%d)", rec->data_len,
2196 explicit_iv_len, transform->taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002197 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +02002198 }
Paul Bakker68884e32013-01-07 18:20:04 +01002199
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002200 /*
2201 * Prepare IV
2202 */
2203 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
2204 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +02002205 /* GCM and CCM: fixed || explicit (transmitted) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002206 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002207 memcpy( iv + transform->fixed_ivlen, data, 8 );
Paul Bakker68884e32013-01-07 18:20:04 +01002208
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002209 }
2210 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
2211 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +02002212 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002213 unsigned char i;
2214
2215 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2216
2217 for( i = 0; i < 8; i++ )
Hanno Becker4c6876b2017-12-27 21:28:58 +00002218 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002219 }
2220 else
2221 {
2222 /* Reminder if we ever add an AEAD mode with a different size */
2223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2224 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2225 }
2226
Hanno Becker4c6876b2017-12-27 21:28:58 +00002227 data += explicit_iv_len;
2228 rec->data_offset += explicit_iv_len;
2229 rec->data_len -= explicit_iv_len + transform->taglen;
2230
Hanno Beckere83efe62019-04-29 13:52:53 +01002231 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002232 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckere83efe62019-04-29 13:52:53 +01002233 add_data, add_data_len );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002234
2235 memcpy( transform->iv_dec + transform->fixed_ivlen,
2236 data - explicit_iv_len, explicit_iv_len );
2237
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +02002238 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002239 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
Hanno Becker8759e162017-12-27 21:34:08 +00002240 transform->taglen );
Paul Bakker68884e32013-01-07 18:20:04 +01002241
Paul Bakker68884e32013-01-07 18:20:04 +01002242
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02002243 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02002244 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02002245 */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002246 if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
2247 iv, transform->ivlen,
Hanno Beckere83efe62019-04-29 13:52:53 +01002248 add_data, add_data_len,
Hanno Becker4c6876b2017-12-27 21:28:58 +00002249 data, rec->data_len,
2250 data, &olen,
2251 data + rec->data_len,
2252 transform->taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00002253 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002254 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02002255
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002256 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
2257 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02002258
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02002259 return( ret );
2260 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002261 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +00002262
Hanno Becker4c6876b2017-12-27 21:28:58 +00002263 if( olen != rec->data_len )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02002264 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002265 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2266 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02002267 }
Hanno Becker92c930f2019-04-29 17:31:37 +01002268
Paul Bakkerca4ab492012-04-18 14:23:57 +00002269 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002270 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002271#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
2272#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +00002273 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002274 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +00002275 {
Paul Bakkere47b34b2013-02-27 14:48:00 +01002276 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002277
Paul Bakker5121ce52009-01-03 21:22:43 +00002278 /*
Paul Bakker45829992013-01-03 14:52:21 +01002279 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +00002280 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002281#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002282 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
2283 {
2284 /* The ciphertext is prefixed with the CBC IV. */
2285 minlen += transform->ivlen;
2286 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002287#endif
Paul Bakker45829992013-01-03 14:52:21 +01002288
Hanno Becker4c6876b2017-12-27 21:28:58 +00002289 /* Size considerations:
2290 *
2291 * - The CBC cipher text must not be empty and hence
2292 * at least of size transform->ivlen.
2293 *
2294 * Together with the potential IV-prefix, this explains
2295 * the first of the two checks below.
2296 *
2297 * - The record must contain a MAC, either in plain or
2298 * encrypted, depending on whether Encrypt-then-MAC
2299 * is used or not.
2300 * - If it is, the message contains the IV-prefix,
2301 * the CBC ciphertext, and the MAC.
2302 * - If it is not, the padded plaintext, and hence
2303 * the CBC ciphertext, has at least length maclen + 1
2304 * because there is at least the padding length byte.
2305 *
2306 * As the CBC ciphertext is not empty, both cases give the
2307 * lower bound minlen + maclen + 1 on the record size, which
2308 * we test for in the second check below.
2309 */
2310 if( rec->data_len < minlen + transform->ivlen ||
2311 rec->data_len < minlen + transform->maclen + 1 )
Paul Bakker45829992013-01-03 14:52:21 +01002312 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
Hanno Becker4c6876b2017-12-27 21:28:58 +00002314 "+ 1 ) ( + expl IV )", rec->data_len,
2315 transform->ivlen,
2316 transform->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002317 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +01002318 }
2319
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002320 /*
2321 * Authenticate before decrypt if enabled
2322 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002323#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002324 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002325 {
Hanno Becker992b6872017-11-09 18:57:39 +00002326 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002328 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002329
Hanno Becker4c6876b2017-12-27 21:28:58 +00002330 /* Safe due to the check data_len >= minlen + maclen + 1 above. */
2331 rec->data_len -= transform->maclen;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002332
Hanno Beckere83efe62019-04-29 13:52:53 +01002333 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01002334
Hanno Beckere83efe62019-04-29 13:52:53 +01002335 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
2336 add_data_len );
2337 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
2338 add_data_len );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002339 mbedtls_md_hmac_update( &transform->md_ctx_dec,
2340 data, rec->data_len );
2341 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
2342 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01002343
Hanno Becker4c6876b2017-12-27 21:28:58 +00002344 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
2345 transform->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +00002346 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Hanno Becker4c6876b2017-12-27 21:28:58 +00002347 transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002348
Hanno Becker4c6876b2017-12-27 21:28:58 +00002349 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
2350 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002351 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002353 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002354 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002355 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002356 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002357#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002358
2359 /*
2360 * Check length sanity
2361 */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002362 if( rec->data_len % transform->ivlen != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002363 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Hanno Becker4c6876b2017-12-27 21:28:58 +00002365 rec->data_len, transform->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002366 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002367 }
2368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002369#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002370 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00002371 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002372 */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002373 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002374 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00002375 /* This is safe because data_len >= minlen + maclen + 1 initially,
2376 * and at this point we have at most subtracted maclen (note that
2377 * minlen == transform->ivlen here). */
2378 memcpy( transform->iv_dec, data, transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002379
Hanno Becker4c6876b2017-12-27 21:28:58 +00002380 data += transform->ivlen;
2381 rec->data_offset += transform->ivlen;
2382 rec->data_len -= transform->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002383 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002384#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002385
Hanno Becker4c6876b2017-12-27 21:28:58 +00002386 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
2387 transform->iv_dec, transform->ivlen,
2388 data, rec->data_len, data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02002389 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002390 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +02002391 return( ret );
2392 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02002393
Hanno Becker4c6876b2017-12-27 21:28:58 +00002394 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +02002395 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2397 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +02002398 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02002399
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002400#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002401 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +02002402 {
2403 /*
2404 * Save IV in SSL3 and TLS1
2405 */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002406 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
2407 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002408 }
Paul Bakkercca5b812013-08-31 17:40:26 +02002409#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002410
Hanno Becker4c6876b2017-12-27 21:28:58 +00002411 /* Safe since data_len >= minlen + maclen + 1, so after having
2412 * subtracted at most minlen and maclen up to this point,
2413 * data_len > 0. */
2414 padlen = data[rec->data_len - 1];
Paul Bakker45829992013-01-03 14:52:21 +01002415
Hanno Becker4c6876b2017-12-27 21:28:58 +00002416 if( auth_done == 1 )
2417 {
2418 correct *= ( rec->data_len >= padlen + 1 );
2419 padlen *= ( rec->data_len >= padlen + 1 );
2420 }
2421 else
Paul Bakker45829992013-01-03 14:52:21 +01002422 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002423#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002424 if( rec->data_len < transform->maclen + padlen + 1 )
2425 {
2426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
2427 rec->data_len,
2428 transform->maclen,
2429 padlen + 1 ) );
2430 }
Paul Bakkerd66f0702013-01-31 16:57:45 +01002431#endif
Hanno Becker4c6876b2017-12-27 21:28:58 +00002432
2433 correct *= ( rec->data_len >= transform->maclen + padlen + 1 );
2434 padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );
Paul Bakker45829992013-01-03 14:52:21 +01002435 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002436
Hanno Becker4c6876b2017-12-27 21:28:58 +00002437 padlen++;
2438
2439 /* Regardless of the validity of the padding,
2440 * we have data_len >= padlen here. */
2441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002442#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002443 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002444 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00002445 if( padlen > transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002446 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002447#if defined(MBEDTLS_SSL_DEBUG_ALL)
2448 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
Hanno Becker4c6876b2017-12-27 21:28:58 +00002449 "should be no more than %d",
2450 padlen, transform->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01002451#endif
Paul Bakker45829992013-01-03 14:52:21 +01002452 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00002453 }
2454 }
2455 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002456#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2457#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2458 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002459 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002460 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00002461 /* The padding check involves a series of up to 256
2462 * consecutive memory reads at the end of the record
2463 * plaintext buffer. In order to hide the length and
2464 * validity of the padding, always perform exactly
2465 * `min(256,plaintext_len)` reads (but take into account
2466 * only the last `padlen` bytes for the padding check). */
2467 size_t pad_count = 0;
2468 size_t real_count = 0;
2469 volatile unsigned char* const check = data;
Paul Bakkere47b34b2013-02-27 14:48:00 +01002470
Hanno Becker4c6876b2017-12-27 21:28:58 +00002471 /* Index of first padding byte; it has been ensured above
2472 * that the subtraction is safe. */
2473 size_t const padding_idx = rec->data_len - padlen;
2474 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
2475 size_t const start_idx = rec->data_len - num_checks;
2476 size_t idx;
Paul Bakker956c9e02013-12-19 14:42:28 +01002477
Hanno Becker4c6876b2017-12-27 21:28:58 +00002478 for( idx = start_idx; idx < rec->data_len; idx++ )
Paul Bakkerca9c87e2013-09-25 18:52:37 +02002479 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00002480 real_count |= ( idx >= padding_idx );
2481 pad_count += real_count * ( check[idx] == padlen - 1 );
Paul Bakkerca9c87e2013-09-25 18:52:37 +02002482 }
Hanno Becker4c6876b2017-12-27 21:28:58 +00002483 correct &= ( pad_count == padlen );
Paul Bakkere47b34b2013-02-27 14:48:00 +01002484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002485#if defined(MBEDTLS_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +02002486 if( padlen > 0 && correct == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002487 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01002488#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +01002489 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +00002490 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002491 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002492#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2493 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02002494 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2496 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02002497 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002498
Hanno Becker4c6876b2017-12-27 21:28:58 +00002499 /* If the padding was found to be invalid, padlen == 0
2500 * and the subtraction is safe. If the padding was found valid,
2501 * padlen hasn't been changed and the previous assertion
2502 * data_len >= padlen still holds. */
2503 rec->data_len -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +00002504 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02002505 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002506#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +00002507 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02002508 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2510 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02002511 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002512
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +02002513#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002514 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Hanno Becker4c6876b2017-12-27 21:28:58 +00002515 data, rec->data_len );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +02002516#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002517
2518 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01002519 * Authenticate if not done yet.
2520 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +00002521 */
Hanno Becker5cc04d52018-01-03 15:24:20 +00002522#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002523 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002524 {
Hanno Becker992b6872017-11-09 18:57:39 +00002525 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +01002526
Hanno Becker4c6876b2017-12-27 21:28:58 +00002527 /* If the initial value of padlen was such that
2528 * data_len < maclen + padlen + 1, then padlen
2529 * got reset to 1, and the initial check
2530 * data_len >= minlen + maclen + 1
2531 * guarantees that at this point we still
2532 * have at least data_len >= maclen.
2533 *
2534 * If the initial value of padlen was such that
2535 * data_len >= maclen + padlen + 1, then we have
2536 * subtracted either padlen + 1 (if the padding was correct)
2537 * or 0 (if the padding was incorrect) since then,
2538 * hence data_len >= maclen in any case.
2539 */
2540 rec->data_len -= transform->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +00002541
Hanno Beckere83efe62019-04-29 13:52:53 +01002542 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Paul Bakker5121ce52009-01-03 21:22:43 +00002543
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002544#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002545 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002546 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00002547 ssl_mac( &transform->md_ctx_dec,
2548 transform->mac_dec,
2549 data, rec->data_len,
2550 rec->ctr, rec->type,
2551 mac_expect );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002552 }
2553 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002554#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2555#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2556 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002557 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002558 {
2559 /*
2560 * Process MAC and always update for padlen afterwards to make
Gilles Peskine20b44082018-05-29 14:06:49 +02002561 * total time independent of padlen.
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002562 *
2563 * Known timing attacks:
2564 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
2565 *
Gilles Peskine20b44082018-05-29 14:06:49 +02002566 * To compensate for different timings for the MAC calculation
2567 * depending on how much padding was removed (which is determined
2568 * by padlen), process extra_run more blocks through the hash
2569 * function.
2570 *
2571 * The formula in the paper is
2572 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
2573 * where L1 is the size of the header plus the decrypted message
2574 * plus CBC padding and L2 is the size of the header plus the
2575 * decrypted message. This is for an underlying hash function
2576 * with 64-byte blocks.
2577 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
2578 * correctly. We round down instead of up, so -56 is the correct
2579 * value for our calculations instead of -55.
2580 *
Gilles Peskine1bd9d582018-06-04 11:58:44 +02002581 * Repeat the formula rather than defining a block_size variable.
2582 * This avoids requiring division by a variable at runtime
2583 * (which would be marginally less efficient and would require
2584 * linking an extra division function in some builds).
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002585 */
2586 size_t j, extra_run = 0;
Hanno Becker4c6876b2017-12-27 21:28:58 +00002587 unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002588
2589 /*
2590 * The next two sizes are the minimum and maximum values of
2591 * in_msglen over all padlen values.
2592 *
2593 * They're independent of padlen, since we previously did
2594 * in_msglen -= padlen.
2595 *
2596 * Note that max_len + maclen is never more than the buffer
2597 * length, as we previously did in_msglen -= maclen too.
2598 */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002599 const size_t max_len = rec->data_len + padlen;
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002600 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
2601
Hanno Becker4c6876b2017-12-27 21:28:58 +00002602 memset( tmp, 0, sizeof( tmp ) );
2603
2604 switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
Gilles Peskine20b44082018-05-29 14:06:49 +02002605 {
Gilles Peskined0e55a42018-06-04 12:03:30 +02002606#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
2607 defined(MBEDTLS_SHA256_C)
Gilles Peskine20b44082018-05-29 14:06:49 +02002608 case MBEDTLS_MD_MD5:
2609 case MBEDTLS_MD_SHA1:
Gilles Peskine20b44082018-05-29 14:06:49 +02002610 case MBEDTLS_MD_SHA256:
Gilles Peskine20b44082018-05-29 14:06:49 +02002611 /* 8 bytes of message size, 64-byte compression blocks */
Hanno Beckere83efe62019-04-29 13:52:53 +01002612 extra_run =
2613 ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
2614 ( add_data_len + rec->data_len + 8 ) / 64;
Gilles Peskine20b44082018-05-29 14:06:49 +02002615 break;
2616#endif
Gilles Peskinea7fe25d2018-06-04 12:01:18 +02002617#if defined(MBEDTLS_SHA512_C)
Gilles Peskine20b44082018-05-29 14:06:49 +02002618 case MBEDTLS_MD_SHA384:
Gilles Peskine20b44082018-05-29 14:06:49 +02002619 /* 16 bytes of message size, 128-byte compression blocks */
Hanno Beckere83efe62019-04-29 13:52:53 +01002620 extra_run =
2621 ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
2622 ( add_data_len + rec->data_len + 16 ) / 128;
Gilles Peskine20b44082018-05-29 14:06:49 +02002623 break;
2624#endif
2625 default:
Gilles Peskine5c389842018-06-04 12:02:43 +02002626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Gilles Peskine20b44082018-05-29 14:06:49 +02002627 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2628 }
Paul Bakkere47b34b2013-02-27 14:48:00 +01002629
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002630 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +01002631
Hanno Beckere83efe62019-04-29 13:52:53 +01002632 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
2633 add_data_len );
Hanno Becker4c6876b2017-12-27 21:28:58 +00002634 mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
2635 rec->data_len );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002636 /* Make sure we access everything even when padlen > 0. This
2637 * makes the synchronisation requirements for just-in-time
2638 * Prime+Probe attacks much tighter and hopefully impractical. */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002639 ssl_read_memory( data + rec->data_len, padlen );
2640 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002641
2642 /* Call mbedtls_md_process at least once due to cache attacks
2643 * that observe whether md_process() was called of not */
Manuel Pégourié-Gonnard47fede02015-04-29 01:35:48 +02002644 for( j = 0; j < extra_run + 1; j++ )
Hanno Becker4c6876b2017-12-27 21:28:58 +00002645 mbedtls_md_process( &transform->md_ctx_dec, tmp );
Paul Bakkere47b34b2013-02-27 14:48:00 +01002646
Hanno Becker4c6876b2017-12-27 21:28:58 +00002647 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002648
2649 /* Make sure we access all the memory that could contain the MAC,
2650 * before we check it in the next code block. This makes the
2651 * synchronisation requirements for just-in-time Prime+Probe
2652 * attacks much tighter and hopefully impractical. */
Hanno Becker4c6876b2017-12-27 21:28:58 +00002653 ssl_read_memory( data + min_len,
2654 max_len - min_len + transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002655 }
2656 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002657#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2658 MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002659 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002660 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2661 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002662 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002663
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002664#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker4c6876b2017-12-27 21:28:58 +00002665 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
2666 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +02002667#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002668
Hanno Becker4c6876b2017-12-27 21:28:58 +00002669 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
2670 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002671 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002672#if defined(MBEDTLS_SSL_DEBUG_ALL)
2673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +01002674#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002675 correct = 0;
2676 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002677 auth_done++;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02002678 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +01002679
2680 /*
2681 * Finally check the correct flag
2682 */
2683 if( correct == 0 )
2684 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Hanno Becker5cc04d52018-01-03 15:24:20 +00002685#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002686
2687 /* Make extra sure authentication was performed, exactly once */
2688 if( auth_done != 1 )
2689 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002690 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2691 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01002692 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002693
Hanno Becker92c930f2019-04-29 17:31:37 +01002694#if defined(MBEDTLS_SSL_CID)
2695 if( rec->cid_len != 0 )
2696 {
2697 ret = ssl_cid_parse_inner_plaintext( data, &rec->data_len,
2698 &rec->type );
2699 if( ret != 0 )
2700 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2701 }
2702#endif /* MBEDTLS_SSL_CID */
2703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002704 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002705
2706 return( 0 );
2707}
2708
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01002709#undef MAC_NONE
2710#undef MAC_PLAINTEXT
2711#undef MAC_CIPHERTEXT
2712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002713#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +00002714/*
2715 * Compression/decompression functions
2716 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002717static int ssl_compress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002718{
2719 int ret;
2720 unsigned char *msg_post = ssl->out_msg;
Andrzej Kurek5462e022018-04-20 07:58:53 -04002721 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002722 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +02002723 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002724
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002725 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002726
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02002727 if( len_pre == 0 )
2728 return( 0 );
2729
Paul Bakker2770fbd2012-07-03 13:30:23 +00002730 memcpy( msg_pre, ssl->out_msg, len_pre );
2731
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002733 ssl->out_msglen ) );
2734
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002735 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002736 ssl->out_msg, ssl->out_msglen );
2737
Paul Bakker48916f92012-09-16 19:57:18 +00002738 ssl->transform_out->ctx_deflate.next_in = msg_pre;
2739 ssl->transform_out->ctx_deflate.avail_in = len_pre;
2740 ssl->transform_out->ctx_deflate.next_out = msg_post;
Angus Grattond8213d02016-05-25 20:56:48 +10002741 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002742
Paul Bakker48916f92012-09-16 19:57:18 +00002743 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002744 if( ret != Z_OK )
2745 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
2747 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002748 }
2749
Angus Grattond8213d02016-05-25 20:56:48 +10002750 ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
Andrzej Kurek5462e022018-04-20 07:58:53 -04002751 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002753 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002754 ssl->out_msglen ) );
2755
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002756 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002757 ssl->out_msg, ssl->out_msglen );
2758
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002759 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002760
2761 return( 0 );
2762}
2763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002764static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002765{
2766 int ret;
2767 unsigned char *msg_post = ssl->in_msg;
Andrzej Kureka9ceef82018-04-24 06:32:44 -04002768 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002769 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +02002770 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002771
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002773
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02002774 if( len_pre == 0 )
2775 return( 0 );
2776
Paul Bakker2770fbd2012-07-03 13:30:23 +00002777 memcpy( msg_pre, ssl->in_msg, len_pre );
2778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002780 ssl->in_msglen ) );
2781
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002782 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002783 ssl->in_msg, ssl->in_msglen );
2784
Paul Bakker48916f92012-09-16 19:57:18 +00002785 ssl->transform_in->ctx_inflate.next_in = msg_pre;
2786 ssl->transform_in->ctx_inflate.avail_in = len_pre;
2787 ssl->transform_in->ctx_inflate.next_out = msg_post;
Angus Grattond8213d02016-05-25 20:56:48 +10002788 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
Andrzej Kureka9ceef82018-04-24 06:32:44 -04002789 header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002790
Paul Bakker48916f92012-09-16 19:57:18 +00002791 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002792 if( ret != Z_OK )
2793 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002794 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
2795 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002796 }
2797
Angus Grattond8213d02016-05-25 20:56:48 +10002798 ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
Andrzej Kureka9ceef82018-04-24 06:32:44 -04002799 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002800
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002801 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002802 ssl->in_msglen ) );
2803
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002804 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +00002805 ssl->in_msg, ssl->in_msglen );
2806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002808
2809 return( 0 );
2810}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002811#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +00002812
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002813#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2814static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02002815
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002816#if defined(MBEDTLS_SSL_PROTO_DTLS)
2817static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02002818{
2819 /* If renegotiation is not enforced, retransmit until we would reach max
2820 * timeout if we were using the usual handshake doubling scheme */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002821 if( ssl->conf->renego_max_records < 0 )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02002822 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002823 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02002824 unsigned char doublings = 1;
2825
2826 while( ratio != 0 )
2827 {
2828 ++doublings;
2829 ratio >>= 1;
2830 }
2831
2832 if( ++ssl->renego_records_seen > doublings )
2833 {
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +02002834 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02002835 return( 0 );
2836 }
2837 }
2838
2839 return( ssl_write_hello_request( ssl ) );
2840}
2841#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002842#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02002843
Paul Bakker5121ce52009-01-03 21:22:43 +00002844/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002845 * Fill the input message buffer by appending data to it.
2846 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01002847 *
2848 * If we return 0, is it guaranteed that (at least) nb_want bytes are
2849 * available (from this read and/or a previous one). Otherwise, an error code
2850 * is returned (possibly EOF or WANT_READ).
2851 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002852 * With stream transport (TLS) on success ssl->in_left == nb_want, but
2853 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2854 * since we always read a whole datagram at once.
2855 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02002856 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002857 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +00002858 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002859int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +00002860{
Paul Bakker23986e52011-04-24 08:57:21 +00002861 int ret;
2862 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +00002863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002864 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002865
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +02002866 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
2867 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +01002869 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002870 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +02002871 }
2872
Angus Grattond8213d02016-05-25 20:56:48 +10002873 if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002874 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2876 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002877 }
2878
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002879#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002880 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +00002881 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002882 uint32_t timeout;
2883
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02002884 /* Just to be sure */
2885 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
2886 {
2887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
2888 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
2889 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2890 }
2891
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002892 /*
2893 * The point is, we need to always read a full datagram at once, so we
2894 * sometimes read more then requested, and handle the additional data.
2895 * It could be the rest of the current record (while fetching the
2896 * header) and/or some other records in the same datagram.
2897 */
2898
2899 /*
2900 * Move to the next record in the already read datagram if applicable
2901 */
2902 if( ssl->next_record_offset != 0 )
2903 {
2904 if( ssl->in_left < ssl->next_record_offset )
2905 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002906 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2907 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002908 }
2909
2910 ssl->in_left -= ssl->next_record_offset;
2911
2912 if( ssl->in_left != 0 )
2913 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002914 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002915 ssl->next_record_offset ) );
2916 memmove( ssl->in_hdr,
2917 ssl->in_hdr + ssl->next_record_offset,
2918 ssl->in_left );
2919 }
2920
2921 ssl->next_record_offset = 0;
2922 }
2923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002924 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Paul Bakker5121ce52009-01-03 21:22:43 +00002925 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01002926
2927 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02002928 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01002929 */
2930 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02002931 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002932 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01002933 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02002934 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01002935
2936 /*
2937 * A record can't be split accross datagrams. If we need to read but
2938 * are not at the beginning of a new record, the caller did something
2939 * wrong.
2940 */
2941 if( ssl->in_left != 0 )
2942 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2944 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01002945 }
2946
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002947 /*
2948 * Don't even try to read if time's out already.
2949 * This avoids by-passing the timer when repeatedly receiving messages
2950 * that will end up being dropped.
2951 */
2952 if( ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +01002953 {
2954 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +01002955 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +01002956 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002957 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02002958 {
Angus Grattond8213d02016-05-25 20:56:48 +10002959 len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002960
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002961 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002962 timeout = ssl->handshake->retransmit_timeout;
2963 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002964 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002966 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002967
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +02002968 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002969 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2970 timeout );
2971 else
2972 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2973
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002974 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002975
2976 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002977 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002978 }
2979
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +01002980 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002981 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002982 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02002983 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02002984
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002985 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +02002986 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002987 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2988 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +01002990 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002991 }
2992
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002993 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002994 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002995 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002996 return( ret );
2997 }
2998
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +01002999 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +02003000 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003001#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003002 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003003 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02003004 {
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02003005 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02003006 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003007 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02003008 return( ret );
3009 }
3010
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +01003011 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02003012 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003013#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02003014 }
3015
Paul Bakker5121ce52009-01-03 21:22:43 +00003016 if( ret < 0 )
3017 return( ret );
3018
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01003019 ssl->in_left = ret;
3020 }
3021 else
3022#endif
3023 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003024 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02003025 ssl->in_left, nb_want ) );
3026
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01003027 while( ssl->in_left < nb_want )
3028 {
3029 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003030
3031 if( ssl_check_timer( ssl ) != 0 )
3032 ret = MBEDTLS_ERR_SSL_TIMEOUT;
3033 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +02003034 {
3035 if( ssl->f_recv_timeout != NULL )
3036 {
3037 ret = ssl->f_recv_timeout( ssl->p_bio,
3038 ssl->in_hdr + ssl->in_left, len,
3039 ssl->conf->read_timeout );
3040 }
3041 else
3042 {
3043 ret = ssl->f_recv( ssl->p_bio,
3044 ssl->in_hdr + ssl->in_left, len );
3045 }
3046 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01003047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003048 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +02003049 ssl->in_left, nb_want ) );
3050 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01003051
3052 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003053 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01003054
3055 if( ret < 0 )
3056 return( ret );
3057
mohammad160352aecb92018-03-28 23:41:40 -07003058 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -08003059 {
Darryl Green11999bb2018-03-13 15:22:58 +00003060 MBEDTLS_SSL_DEBUG_MSG( 1,
3061 ( "f_recv returned %d bytes but only %lu were requested",
mohammad160319d392b2018-04-02 07:25:26 -07003062 ret, (unsigned long)len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -08003063 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3064 }
3065
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +01003066 ssl->in_left += ret;
3067 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003068 }
3069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003071
3072 return( 0 );
3073}
3074
3075/*
3076 * Flush any data not yet written
3077 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003078int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003079{
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +01003080 int ret;
Hanno Becker04484622018-08-06 09:49:38 +01003081 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +00003082
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003084
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +02003085 if( ssl->f_send == NULL )
3086 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003087 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +01003088 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003089 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +02003090 }
3091
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003092 /* Avoid incrementing counter if data is flushed */
3093 if( ssl->out_left == 0 )
3094 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003096 return( 0 );
3097 }
3098
Paul Bakker5121ce52009-01-03 21:22:43 +00003099 while( ssl->out_left > 0 )
3100 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003101 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
3102 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003103
Hanno Becker2b1e3542018-08-06 11:19:13 +01003104 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +02003105 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +00003106
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003107 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003108
3109 if( ret <= 0 )
3110 return( ret );
3111
mohammad160352aecb92018-03-28 23:41:40 -07003112 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -08003113 {
Darryl Green11999bb2018-03-13 15:22:58 +00003114 MBEDTLS_SSL_DEBUG_MSG( 1,
3115 ( "f_send returned %d bytes but only %lu bytes were sent",
mohammad160319d392b2018-04-02 07:25:26 -07003116 ret, (unsigned long)ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -08003117 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3118 }
3119
Paul Bakker5121ce52009-01-03 21:22:43 +00003120 ssl->out_left -= ret;
3121 }
3122
Hanno Becker2b1e3542018-08-06 11:19:13 +01003123#if defined(MBEDTLS_SSL_PROTO_DTLS)
3124 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003125 {
Hanno Becker2b1e3542018-08-06 11:19:13 +01003126 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003127 }
Hanno Becker2b1e3542018-08-06 11:19:13 +01003128 else
3129#endif
3130 {
3131 ssl->out_hdr = ssl->out_buf + 8;
3132 }
3133 ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003134
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003135 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003136
3137 return( 0 );
3138}
3139
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003140/*
3141 * Functions to handle the DTLS retransmission state machine
3142 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003143#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003144/*
3145 * Append current handshake message to current outgoing flight
3146 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003147static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003148{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003149 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +01003150 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
3151 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
3152 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003153
3154 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003155 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003156 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02003157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003158 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003159 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003160 }
3161
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003162 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003163 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02003164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003165 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003166 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003167 }
3168
3169 /* Copy current handshake message with headers */
3170 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
3171 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003172 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003173 msg->next = NULL;
3174
3175 /* Append to the current flight */
3176 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003177 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003178 else
3179 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003180 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003181 while( cur->next != NULL )
3182 cur = cur->next;
3183 cur->next = msg;
3184 }
3185
Hanno Becker3b235902018-08-06 09:54:53 +01003186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003187 return( 0 );
3188}
3189
3190/*
3191 * Free the current flight of handshake messages
3192 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003193static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003194{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003195 mbedtls_ssl_flight_item *cur = flight;
3196 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003197
3198 while( cur != NULL )
3199 {
3200 next = cur->next;
3201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003202 mbedtls_free( cur->p );
3203 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003204
3205 cur = next;
3206 }
3207}
3208
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003209#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3210static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003211#endif
3212
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003213/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003214 * Swap transform_out and out_ctr with the alternative ones
3215 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003216static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003217{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003218 mbedtls_ssl_transform *tmp_transform;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003219 unsigned char tmp_out_ctr[8];
3220
3221 if( ssl->transform_out == ssl->handshake->alt_transform_out )
3222 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003223 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003224 return;
3225 }
3226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003227 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003228
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003229 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003230 tmp_transform = ssl->transform_out;
3231 ssl->transform_out = ssl->handshake->alt_transform_out;
3232 ssl->handshake->alt_transform_out = tmp_transform;
3233
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003234 /* Swap epoch + sequence_number */
Hanno Becker19859472018-08-06 09:40:20 +01003235 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
3236 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003237 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003238
3239 /* Adjust to the newly activated transform */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +01003240 ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003242#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3243 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003244 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003245 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003246 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003247 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
3248 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003249 }
3250 }
3251#endif
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003252}
3253
3254/*
3255 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003256 */
3257int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
3258{
3259 int ret = 0;
3260
3261 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
3262
3263 ret = mbedtls_ssl_flight_transmit( ssl );
3264
3265 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
3266
3267 return( ret );
3268}
3269
3270/*
3271 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003272 *
3273 * Need to remember the current message in case flush_output returns
3274 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003275 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003276 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003277int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003278{
Hanno Becker67bc7c32018-08-06 11:33:50 +01003279 int ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003280 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003281
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003282 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003283 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +02003284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003285
3286 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003287 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003288 ssl_swap_epochs( ssl );
3289
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003290 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003291 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003292
3293 while( ssl->handshake->cur_msg != NULL )
3294 {
Hanno Becker67bc7c32018-08-06 11:33:50 +01003295 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003296 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +01003297
Hanno Beckere1dcb032018-08-17 16:47:58 +01003298 int const is_finished =
3299 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
3300 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
3301
Hanno Becker04da1892018-08-14 13:22:10 +01003302 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
3303 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
3304
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003305 /* Swap epochs before sending Finished: we can't do it after
3306 * sending ChangeCipherSpec, in case write returns WANT_READ.
3307 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +01003308 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003309 {
Hanno Becker67bc7c32018-08-06 11:33:50 +01003310 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +02003311 ssl_swap_epochs( ssl );
3312 }
3313
Hanno Becker67bc7c32018-08-06 11:33:50 +01003314 ret = ssl_get_remaining_payload_in_datagram( ssl );
3315 if( ret < 0 )
3316 return( ret );
3317 max_frag_len = (size_t) ret;
3318
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003319 /* CCS is copied as is, while HS messages may need fragmentation */
3320 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3321 {
Hanno Becker67bc7c32018-08-06 11:33:50 +01003322 if( max_frag_len == 0 )
3323 {
3324 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3325 return( ret );
3326
3327 continue;
3328 }
3329
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003330 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +01003331 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003332 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003333
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003334 /* Update position inside current message */
3335 ssl->handshake->cur_msg_p += cur->len;
3336 }
3337 else
3338 {
3339 const unsigned char * const p = ssl->handshake->cur_msg_p;
3340 const size_t hs_len = cur->len - 12;
3341 const size_t frag_off = p - ( cur->p + 12 );
3342 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +01003343 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003344
Hanno Beckere1dcb032018-08-17 16:47:58 +01003345 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +02003346 {
Hanno Beckere1dcb032018-08-17 16:47:58 +01003347 if( is_finished )
Hanno Becker67bc7c32018-08-06 11:33:50 +01003348 ssl_swap_epochs( ssl );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003349
Hanno Becker67bc7c32018-08-06 11:33:50 +01003350 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3351 return( ret );
3352
3353 continue;
3354 }
3355 max_hs_frag_len = max_frag_len - 12;
3356
3357 cur_hs_frag_len = rem_len > max_hs_frag_len ?
3358 max_hs_frag_len : rem_len;
3359
3360 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +02003361 {
3362 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +01003363 (unsigned) cur_hs_frag_len,
3364 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +02003365 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +02003366
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003367 /* Messages are stored with handshake headers as if not fragmented,
3368 * copy beginning of headers then fill fragmentation fields.
3369 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
3370 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003371
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003372 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
3373 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
3374 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
3375
Hanno Becker67bc7c32018-08-06 11:33:50 +01003376 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
3377 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
3378 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003379
3380 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
3381
Hanno Becker3f7b9732018-08-28 09:53:25 +01003382 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +01003383 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
3384 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003385 ssl->out_msgtype = cur->type;
3386
3387 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +01003388 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003389 }
3390
3391 /* If done with the current message move to the next one if any */
3392 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
3393 {
3394 if( cur->next != NULL )
3395 {
3396 ssl->handshake->cur_msg = cur->next;
3397 ssl->handshake->cur_msg_p = cur->next->p + 12;
3398 }
3399 else
3400 {
3401 ssl->handshake->cur_msg = NULL;
3402 ssl->handshake->cur_msg_p = NULL;
3403 }
3404 }
3405
3406 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +01003407 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003408 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003409 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003410 return( ret );
3411 }
3412 }
3413
Hanno Becker67bc7c32018-08-06 11:33:50 +01003414 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3415 return( ret );
3416
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +02003417 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003418 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
3419 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +02003420 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02003421 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003422 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +02003423 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
3424 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003425
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003426 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003427
3428 return( 0 );
3429}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003430
3431/*
3432 * To be called when the last message of an incoming flight is received.
3433 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003434void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003435{
3436 /* We won't need to resend that one any more */
3437 ssl_flight_free( ssl->handshake->flight );
3438 ssl->handshake->flight = NULL;
3439 ssl->handshake->cur_msg = NULL;
3440
3441 /* The next incoming flight will start with this msg_seq */
3442 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
3443
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01003444 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +01003445 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01003446
Hanno Becker0271f962018-08-16 13:23:47 +01003447 /* Clear future message buffering structure. */
3448 ssl_buffering_free( ssl );
3449
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +02003450 /* Cancel timer */
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003451 ssl_set_timer( ssl, 0 );
3452
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003453 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3454 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003455 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003456 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003457 }
3458 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003459 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003460}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003461
3462/*
3463 * To be called when the last message of an outgoing flight is send.
3464 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003465void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003466{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +02003467 ssl_reset_retransmit_timeout( ssl );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +02003468 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003470 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3471 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003472 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003473 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003474 }
3475 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003476 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02003477}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003478#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003479
Paul Bakker5121ce52009-01-03 21:22:43 +00003480/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003481 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +00003482 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003483
3484/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003485 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003486 *
3487 * - fill in handshake headers
3488 * - update handshake checksum
3489 * - DTLS: save message for resending
3490 * - then pass to the record layer
3491 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003492 * DTLS: except for HelloRequest, messages are only queued, and will only be
3493 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003494 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003495 * Inputs:
3496 * - ssl->out_msglen: 4 + actual handshake message len
3497 * (4 is the size of handshake headers for TLS)
3498 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
3499 * - ssl->out_msg + 4: the handshake message body
3500 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +02003501 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003502 * - ssl->out_msglen: the length of the record contents
3503 * (including handshake headers but excluding record headers)
3504 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003505 */
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003506int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003507{
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003508 int ret;
3509 const size_t hs_len = ssl->out_msglen - 4;
3510 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +00003511
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
3513
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003514 /*
3515 * Sanity checks
3516 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +01003517 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003518 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3519 {
Hanno Beckerc83d2b32018-08-22 16:05:47 +01003520 /* In SSLv3, the client might send a NoCertificate alert. */
3521#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
3522 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
3523 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
3524 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
3525#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
3526 {
3527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3528 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3529 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003530 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003531
Hanno Beckerf6d6e302018-11-07 11:57:51 +00003532 /* Whenever we send anything different from a
3533 * HelloRequest we should be in a handshake - double check. */
3534 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3535 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003536 ssl->handshake == NULL )
3537 {
3538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3539 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3540 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003542#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003543 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003544 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003545 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003546 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003547 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3548 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003549 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003550#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003551
Hanno Beckerb50a2532018-08-06 11:52:54 +01003552 /* Double-check that we did not exceed the bounds
3553 * of the outgoing record buffer.
3554 * This should never fail as the various message
3555 * writing functions must obey the bounds of the
3556 * outgoing record buffer, but better be safe.
3557 *
3558 * Note: We deliberately do not check for the MTU or MFL here.
3559 */
3560 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
3561 {
3562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
3563 "size %u, maximum %u",
3564 (unsigned) ssl->out_msglen,
3565 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
3566 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3567 }
3568
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003569 /*
3570 * Fill handshake headers
3571 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003572 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00003573 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003574 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
3575 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
3576 ssl->out_msg[3] = (unsigned char)( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00003577
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003578 /*
3579 * DTLS has additional fields in the Handshake layer,
3580 * between the length field and the actual payload:
3581 * uint16 message_seq;
3582 * uint24 fragment_offset;
3583 * uint24 fragment_length;
3584 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003585#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003586 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003587 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +01003588 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +10003589 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +01003590 {
3591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
3592 "size %u, maximum %u",
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003593 (unsigned) ( hs_len ),
Angus Grattond8213d02016-05-25 20:56:48 +10003594 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +01003595 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3596 }
3597
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003598 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003599 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003600
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02003601 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003602 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02003603 {
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +02003604 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
3605 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
3606 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02003607 }
3608 else
3609 {
3610 ssl->out_msg[4] = 0;
3611 ssl->out_msg[5] = 0;
3612 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +01003613
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003614 /* Handshake hashes are computed without fragmentation,
3615 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +01003616 memset( ssl->out_msg + 6, 0x00, 3 );
3617 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003618 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003619#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003620
Hanno Becker0207e532018-08-28 10:28:28 +01003621 /* Update running hashes of handshake messages seen */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +02003622 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
3623 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00003624 }
3625
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003626 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003627#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003628 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckerf6d6e302018-11-07 11:57:51 +00003629 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3630 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003631 {
3632 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
3633 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003634 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003635 return( ret );
3636 }
3637 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003638 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003639#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003640 {
Hanno Becker67bc7c32018-08-06 11:33:50 +01003641 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003642 {
3643 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3644 return( ret );
3645 }
3646 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003647
3648 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
3649
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02003650 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003651}
3652
3653/*
3654 * Record layer functions
3655 */
3656
3657/*
3658 * Write current record.
3659 *
3660 * Uses:
3661 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
3662 * - ssl->out_msglen: length of the record content (excl headers)
3663 * - ssl->out_msg: record content
3664 */
Hanno Becker67bc7c32018-08-06 11:33:50 +01003665int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003666{
3667 int ret, done = 0;
3668 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +01003669 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02003670
3671 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02003672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003673#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00003674 if( ssl->transform_out != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003675 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003676 {
3677 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
3678 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003679 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00003680 return( ret );
3681 }
3682
3683 len = ssl->out_msglen;
3684 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003685#endif /*MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +00003686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003687#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3688 if( mbedtls_ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003689 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003690 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003692 ret = mbedtls_ssl_hw_record_write( ssl );
3693 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +00003694 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003695 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
3696 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00003697 }
Paul Bakkerc7878112012-12-19 14:41:14 +01003698
3699 if( ret == 0 )
3700 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00003701 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003702#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +00003703 if( !done )
3704 {
Hanno Becker2b1e3542018-08-06 11:19:13 +01003705 unsigned i;
3706 size_t protected_record_size;
3707
Paul Bakker05ef8352012-05-08 09:17:57 +00003708 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003709 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003710 ssl->conf->transport, ssl->out_hdr + 1 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +01003711
Hanno Becker19859472018-08-06 09:40:20 +01003712 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +01003713 ssl->out_len[0] = (unsigned char)( len >> 8 );
3714 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +00003715
Paul Bakker48916f92012-09-16 19:57:18 +00003716 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00003717 {
Hanno Becker3307b532017-12-27 21:37:21 +00003718 mbedtls_record rec;
3719
3720 rec.buf = ssl->out_iv;
3721 rec.buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN -
3722 ( ssl->out_iv - ssl->out_buf );
3723 rec.data_len = ssl->out_msglen;
3724 rec.data_offset = ssl->out_msg - rec.buf;
3725
3726 memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
3727 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
3728 ssl->conf->transport, rec.ver );
3729 rec.type = ssl->out_msgtype;
3730
Hanno Becker505089d2019-05-01 09:45:57 +01003731#if defined(MBEDTLS_SSL_CID)
3732 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
Hanno Beckere83efe62019-04-29 13:52:53 +01003733 rec.cid_len = 0;
Hanno Becker505089d2019-05-01 09:45:57 +01003734#endif /* MBEDTLS_SSL_CID */
Hanno Beckere83efe62019-04-29 13:52:53 +01003735
Hanno Becker611a83b2018-01-03 14:27:32 +00003736 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
Hanno Becker3307b532017-12-27 21:37:21 +00003737 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +00003738 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003739 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +00003740 return( ret );
3741 }
3742
Hanno Becker3307b532017-12-27 21:37:21 +00003743 if( rec.data_offset != 0 )
3744 {
3745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3746 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3747 }
3748
Hanno Beckerc5aee962019-03-14 12:56:23 +00003749 ssl->out_msglen = len = rec.data_len;
Hanno Becker3307b532017-12-27 21:37:21 +00003750 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
3751 ssl->out_len[1] = (unsigned char)( rec.data_len );
Paul Bakker05ef8352012-05-08 09:17:57 +00003752 }
3753
Hanno Becker2b1e3542018-08-06 11:19:13 +01003754 protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
3755
3756#if defined(MBEDTLS_SSL_PROTO_DTLS)
3757 /* In case of DTLS, double-check that we don't exceed
3758 * the remaining space in the datagram. */
3759 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3760 {
Hanno Becker554b0af2018-08-22 20:33:41 +01003761 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +01003762 if( ret < 0 )
3763 return( ret );
3764
3765 if( protected_record_size > (size_t) ret )
3766 {
3767 /* Should never happen */
3768 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3769 }
3770 }
3771#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +00003772
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
Hanno Beckerecbdf1c2018-08-28 09:53:54 +01003774 "version = [%d:%d], msglen = %d",
3775 ssl->out_hdr[0], ssl->out_hdr[1],
3776 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +00003777
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003778 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +01003779 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +01003780
3781 ssl->out_left += protected_record_size;
3782 ssl->out_hdr += protected_record_size;
3783 ssl_update_out_pointers( ssl, ssl->transform_out );
3784
Hanno Becker04484622018-08-06 09:49:38 +01003785 for( i = 8; i > ssl_ep_len( ssl ); i-- )
3786 if( ++ssl->cur_out_ctr[i - 1] != 0 )
3787 break;
3788
3789 /* The loop goes to its end iff the counter is wrapping */
3790 if( i == ssl_ep_len( ssl ) )
3791 {
3792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
3793 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3794 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003795 }
3796
Hanno Becker67bc7c32018-08-06 11:33:50 +01003797#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +01003798 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3799 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +01003800 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +01003801 size_t remaining;
3802 ret = ssl_get_remaining_payload_in_datagram( ssl );
3803 if( ret < 0 )
3804 {
3805 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
3806 ret );
3807 return( ret );
3808 }
3809
3810 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +01003811 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +01003812 {
Hanno Becker67bc7c32018-08-06 11:33:50 +01003813 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +01003814 }
Hanno Becker67bc7c32018-08-06 11:33:50 +01003815 else
3816 {
Hanno Becker513815a2018-08-20 11:56:09 +01003817 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +01003818 }
3819 }
3820#endif /* MBEDTLS_SSL_PROTO_DTLS */
3821
3822 if( ( flush == SSL_FORCE_FLUSH ) &&
3823 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003824 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003825 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003826 return( ret );
3827 }
3828
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003830
3831 return( 0 );
3832}
3833
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003834#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +01003835
3836static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
3837{
3838 if( ssl->in_msglen < ssl->in_hslen ||
3839 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
3840 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
3841 {
3842 return( 1 );
3843 }
3844 return( 0 );
3845}
Hanno Becker44650b72018-08-16 12:51:11 +01003846
Hanno Beckercd9dcda2018-08-28 17:18:56 +01003847static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +01003848{
3849 return( ( ssl->in_msg[9] << 16 ) |
3850 ( ssl->in_msg[10] << 8 ) |
3851 ssl->in_msg[11] );
3852}
3853
Hanno Beckercd9dcda2018-08-28 17:18:56 +01003854static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +01003855{
3856 return( ( ssl->in_msg[6] << 16 ) |
3857 ( ssl->in_msg[7] << 8 ) |
3858 ssl->in_msg[8] );
3859}
3860
Hanno Beckercd9dcda2018-08-28 17:18:56 +01003861static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +01003862{
3863 uint32_t msg_len, frag_off, frag_len;
3864
3865 msg_len = ssl_get_hs_total_len( ssl );
3866 frag_off = ssl_get_hs_frag_off( ssl );
3867 frag_len = ssl_get_hs_frag_len( ssl );
3868
3869 if( frag_off > msg_len )
3870 return( -1 );
3871
3872 if( frag_len > msg_len - frag_off )
3873 return( -1 );
3874
3875 if( frag_len + 12 > ssl->in_msglen )
3876 return( -1 );
3877
3878 return( 0 );
3879}
3880
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02003881/*
3882 * Mark bits in bitmask (used for DTLS HS reassembly)
3883 */
3884static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
3885{
3886 unsigned int start_bits, end_bits;
3887
3888 start_bits = 8 - ( offset % 8 );
3889 if( start_bits != 8 )
3890 {
3891 size_t first_byte_idx = offset / 8;
3892
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +02003893 /* Special case */
3894 if( len <= start_bits )
3895 {
3896 for( ; len != 0; len-- )
3897 mask[first_byte_idx] |= 1 << ( start_bits - len );
3898
3899 /* Avoid potential issues with offset or len becoming invalid */
3900 return;
3901 }
3902
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02003903 offset += start_bits; /* Now offset % 8 == 0 */
3904 len -= start_bits;
3905
3906 for( ; start_bits != 0; start_bits-- )
3907 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3908 }
3909
3910 end_bits = len % 8;
3911 if( end_bits != 0 )
3912 {
3913 size_t last_byte_idx = ( offset + len ) / 8;
3914
3915 len -= end_bits; /* Now len % 8 == 0 */
3916
3917 for( ; end_bits != 0; end_bits-- )
3918 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3919 }
3920
3921 memset( mask + offset / 8, 0xFF, len / 8 );
3922}
3923
3924/*
3925 * Check that bitmask is full
3926 */
3927static int ssl_bitmask_check( unsigned char *mask, size_t len )
3928{
3929 size_t i;
3930
3931 for( i = 0; i < len / 8; i++ )
3932 if( mask[i] != 0xFF )
3933 return( -1 );
3934
3935 for( i = 0; i < len % 8; i++ )
3936 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
3937 return( -1 );
3938
3939 return( 0 );
3940}
3941
Hanno Becker56e205e2018-08-16 09:06:12 +01003942/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +01003943static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +01003944 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02003945{
Hanno Becker56e205e2018-08-16 09:06:12 +01003946 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02003947
Hanno Becker56e205e2018-08-16 09:06:12 +01003948 alloc_len = 12; /* Handshake header */
3949 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02003950
Hanno Beckerd07df862018-08-16 09:14:58 +01003951 if( add_bitmap )
3952 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02003953
Hanno Becker2a97b0e2018-08-21 15:47:49 +01003954 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02003955}
Hanno Becker56e205e2018-08-16 09:06:12 +01003956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003957#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02003958
Hanno Beckercd9dcda2018-08-28 17:18:56 +01003959static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +01003960{
3961 return( ( ssl->in_msg[1] << 16 ) |
3962 ( ssl->in_msg[2] << 8 ) |
3963 ssl->in_msg[3] );
3964}
Hanno Beckere25e3b72018-08-16 09:30:53 +01003965
Simon Butcher99000142016-10-13 17:21:01 +01003966int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01003967{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003968 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +02003969 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +02003971 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003972 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +02003973 }
3974
Hanno Becker12555c62018-08-16 12:47:53 +01003975 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01003976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003977 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01003978 " %d, type = %d, hslen = %d",
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +01003979 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01003980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003981#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003982 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01003983 {
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02003984 int ret;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02003985 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02003986
Hanno Becker44650b72018-08-16 12:51:11 +01003987 if( ssl_check_hs_header( ssl ) != 0 )
3988 {
3989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
3990 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3991 }
3992
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02003993 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +01003994 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
3995 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
3996 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3997 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02003998 {
Hanno Becker9e1ec222018-08-15 15:54:43 +01003999 if( recv_msg_seq > ssl->handshake->in_msg_seq )
4000 {
4001 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
4002 recv_msg_seq,
4003 ssl->handshake->in_msg_seq ) );
4004 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4005 }
4006
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +02004007 /* Retransmit only on last message from previous flight, to avoid
4008 * too many retransmissions.
4009 * Besides, No sane server ever retransmits HelloVerifyRequest */
4010 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004011 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02004012 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004013 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02004014 "message_seq = %d, start_of_flight = %d",
4015 recv_msg_seq,
4016 ssl->handshake->in_flight_start_seq ) );
4017
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004018 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02004019 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004020 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02004021 return( ret );
4022 }
4023 }
4024 else
4025 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +02004027 "message_seq = %d, expected = %d",
4028 recv_msg_seq,
4029 ssl->handshake->in_msg_seq ) );
4030 }
4031
Hanno Becker90333da2017-10-10 11:27:13 +01004032 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004033 }
4034 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02004035
Hanno Becker6d97ef52018-08-16 13:09:04 +01004036 /* Message reassembly is handled alongside buffering of future
4037 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +01004038 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +01004039 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +01004040 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02004041 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004042 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +01004043 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02004044 }
4045 }
4046 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004047#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +02004048 /* With TLS we don't handle fragmentation (for now) */
4049 if( ssl->in_msglen < ssl->in_hslen )
4050 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004051 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
4052 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01004053 }
4054
Simon Butcher99000142016-10-13 17:21:01 +01004055 return( 0 );
4056}
4057
4058void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
4059{
Hanno Becker0271f962018-08-16 13:23:47 +01004060 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +01004061
Hanno Becker0271f962018-08-16 13:23:47 +01004062 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +02004063 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01004064 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +02004065 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01004066
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004067 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004068#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004069 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004070 ssl->handshake != NULL )
4071 {
Hanno Becker0271f962018-08-16 13:23:47 +01004072 unsigned offset;
4073 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +01004074
Hanno Becker0271f962018-08-16 13:23:47 +01004075 /* Increment handshake sequence number */
4076 hs->in_msg_seq++;
4077
4078 /*
4079 * Clear up handshake buffering and reassembly structure.
4080 */
4081
4082 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +01004083 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +01004084
4085 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +01004086 for( offset = 0, hs_buf = &hs->buffering.hs[0];
4087 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +01004088 offset++, hs_buf++ )
4089 {
4090 *hs_buf = *(hs_buf + 1);
4091 }
4092
4093 /* Create a fresh last entry */
4094 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004095 }
4096#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01004097}
4098
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004099/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004100 * DTLS anti-replay: RFC 6347 4.1.2.6
4101 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +02004102 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
4103 * Bit n is set iff record number in_window_top - n has been seen.
4104 *
4105 * Usually, in_window_top is the last record number seen and the lsb of
4106 * in_window is set. The only exception is the initial state (record number 0
4107 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004108 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004109#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4110static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004111{
4112 ssl->in_window_top = 0;
4113 ssl->in_window = 0;
4114}
4115
4116static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
4117{
4118 return( ( (uint64_t) buf[0] << 40 ) |
4119 ( (uint64_t) buf[1] << 32 ) |
4120 ( (uint64_t) buf[2] << 24 ) |
4121 ( (uint64_t) buf[3] << 16 ) |
4122 ( (uint64_t) buf[4] << 8 ) |
4123 ( (uint64_t) buf[5] ) );
4124}
4125
4126/*
4127 * Return 0 if sequence number is acceptable, -1 otherwise
4128 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004129int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004130{
4131 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
4132 uint64_t bit;
4133
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004134 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02004135 return( 0 );
4136
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004137 if( rec_seqnum > ssl->in_window_top )
4138 return( 0 );
4139
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +02004140 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004141
4142 if( bit >= 64 )
4143 return( -1 );
4144
4145 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
4146 return( -1 );
4147
4148 return( 0 );
4149}
4150
4151/*
4152 * Update replay window on new validated record
4153 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004154void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004155{
4156 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
4157
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004158 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02004159 return;
4160
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004161 if( rec_seqnum > ssl->in_window_top )
4162 {
4163 /* Update window_top and the contents of the window */
4164 uint64_t shift = rec_seqnum - ssl->in_window_top;
4165
4166 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +02004167 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004168 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +02004169 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004170 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +02004171 ssl->in_window |= 1;
4172 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004173
4174 ssl->in_window_top = rec_seqnum;
4175 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004176 else
4177 {
4178 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +02004179 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004180
4181 if( bit < 64 ) /* Always true, but be extra sure */
4182 ssl->in_window |= (uint64_t) 1 << bit;
4183 }
4184}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004185#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004186
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +02004187#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004188/* Forward declaration */
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02004189static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
4190
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004191/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004192 * Without any SSL context, check if a datagram looks like a ClientHello with
4193 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +01004194 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004195 *
4196 * - if cookie is valid, return 0
4197 * - if ClientHello looks superficially valid but cookie is not,
4198 * fill obuf and set olen, then
4199 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
4200 * - otherwise return a specific error code
4201 */
4202static int ssl_check_dtls_clihlo_cookie(
4203 mbedtls_ssl_cookie_write_t *f_cookie_write,
4204 mbedtls_ssl_cookie_check_t *f_cookie_check,
4205 void *p_cookie,
4206 const unsigned char *cli_id, size_t cli_id_len,
4207 const unsigned char *in, size_t in_len,
4208 unsigned char *obuf, size_t buf_len, size_t *olen )
4209{
4210 size_t sid_len, cookie_len;
4211 unsigned char *p;
4212
4213 if( f_cookie_write == NULL || f_cookie_check == NULL )
4214 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4215
4216 /*
4217 * Structure of ClientHello with record and handshake headers,
4218 * and expected values. We don't need to check a lot, more checks will be
4219 * done when actually parsing the ClientHello - skipping those checks
4220 * avoids code duplication and does not make cookie forging any easier.
4221 *
4222 * 0-0 ContentType type; copied, must be handshake
4223 * 1-2 ProtocolVersion version; copied
4224 * 3-4 uint16 epoch; copied, must be 0
4225 * 5-10 uint48 sequence_number; copied
4226 * 11-12 uint16 length; (ignored)
4227 *
4228 * 13-13 HandshakeType msg_type; (ignored)
4229 * 14-16 uint24 length; (ignored)
4230 * 17-18 uint16 message_seq; copied
4231 * 19-21 uint24 fragment_offset; copied, must be 0
4232 * 22-24 uint24 fragment_length; (ignored)
4233 *
4234 * 25-26 ProtocolVersion client_version; (ignored)
4235 * 27-58 Random random; (ignored)
4236 * 59-xx SessionID session_id; 1 byte len + sid_len content
4237 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
4238 * ...
4239 *
4240 * Minimum length is 61 bytes.
4241 */
4242 if( in_len < 61 ||
4243 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
4244 in[3] != 0 || in[4] != 0 ||
4245 in[19] != 0 || in[20] != 0 || in[21] != 0 )
4246 {
4247 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4248 }
4249
4250 sid_len = in[59];
4251 if( sid_len > in_len - 61 )
4252 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4253
4254 cookie_len = in[60 + sid_len];
4255 if( cookie_len > in_len - 60 )
4256 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4257
4258 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
4259 cli_id, cli_id_len ) == 0 )
4260 {
4261 /* Valid cookie */
4262 return( 0 );
4263 }
4264
4265 /*
4266 * If we get here, we've got an invalid cookie, let's prepare HVR.
4267 *
4268 * 0-0 ContentType type; copied
4269 * 1-2 ProtocolVersion version; copied
4270 * 3-4 uint16 epoch; copied
4271 * 5-10 uint48 sequence_number; copied
4272 * 11-12 uint16 length; olen - 13
4273 *
4274 * 13-13 HandshakeType msg_type; hello_verify_request
4275 * 14-16 uint24 length; olen - 25
4276 * 17-18 uint16 message_seq; copied
4277 * 19-21 uint24 fragment_offset; copied
4278 * 22-24 uint24 fragment_length; olen - 25
4279 *
4280 * 25-26 ProtocolVersion server_version; 0xfe 0xff
4281 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
4282 *
4283 * Minimum length is 28.
4284 */
4285 if( buf_len < 28 )
4286 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
4287
4288 /* Copy most fields and adapt others */
4289 memcpy( obuf, in, 25 );
4290 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
4291 obuf[25] = 0xfe;
4292 obuf[26] = 0xff;
4293
4294 /* Generate and write actual cookie */
4295 p = obuf + 28;
4296 if( f_cookie_write( p_cookie,
4297 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
4298 {
4299 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4300 }
4301
4302 *olen = p - obuf;
4303
4304 /* Go back and fill length fields */
4305 obuf[27] = (unsigned char)( *olen - 28 );
4306
4307 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
4308 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
4309 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
4310
4311 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
4312 obuf[12] = (unsigned char)( ( *olen - 13 ) );
4313
4314 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4315}
4316
4317/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004318 * Handle possible client reconnect with the same UDP quadruplet
4319 * (RFC 6347 Section 4.2.8).
4320 *
4321 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
4322 * that looks like a ClientHello.
4323 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004324 * - if the input looks like a ClientHello without cookies,
4325 * send back HelloVerifyRequest, then
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004326 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004327 * - if the input looks like a ClientHello with a valid cookie,
4328 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +02004329 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004330 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004331 *
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004332 * mbedtls_ssl_read_record() will ignore the record if anything else than
Simon Butcherd0bf6a32015-09-11 17:34:49 +01004333 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
4334 * cannot not return 0.
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004335 */
4336static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
4337{
4338 int ret;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004339 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004340
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004341 ret = ssl_check_dtls_clihlo_cookie(
4342 ssl->conf->f_cookie_write,
4343 ssl->conf->f_cookie_check,
4344 ssl->conf->p_cookie,
4345 ssl->cli_id, ssl->cli_id_len,
4346 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +10004347 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004348
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004349 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
4350
4351 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004352 {
Brian J Murray1903fb32016-11-06 04:45:15 -08004353 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004354 * If the error is permanent we'll catch it later,
4355 * if it's not, then hopefully it'll work next time. */
4356 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
4357
4358 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004359 }
4360
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004361 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004362 {
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02004363 /* Got a valid cookie, partially reset context */
4364 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
4365 {
4366 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
4367 return( ret );
4368 }
4369
4370 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004371 }
4372
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004373 return( ret );
4374}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +02004375#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +02004376
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +02004377/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004378 * ContentType type;
4379 * ProtocolVersion version;
4380 * uint16 epoch; // DTLS only
4381 * uint48 sequence_number; // DTLS only
4382 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004383 *
4384 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +00004385 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004386 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
4387 *
4388 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +00004389 * 1. proceed with the record if this function returns 0
4390 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
4391 * 3. return CLIENT_RECONNECT if this function return that value
4392 * 4. drop the whole datagram if this function returns anything else.
4393 * Point 2 is needed when the peer is resending, and we have already received
4394 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004395 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004396static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004397{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01004398 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +00004399
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004400 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02004401
Paul Bakker5121ce52009-01-03 21:22:43 +00004402 ssl->in_msgtype = ssl->in_hdr[0];
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +01004403 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004404 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004405
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004406 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +00004407 "version = [%d:%d], msglen = %d",
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +02004408 ssl->in_msgtype,
4409 major_ver, minor_ver, ssl->in_msglen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00004410
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +02004411 /* Check record type */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004412 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
4413 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
4414 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
4415 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +02004416 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004417 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
Andres Amaya Garcia2fad94b2017-06-26 15:11:59 +01004418
4419#if defined(MBEDTLS_SSL_PROTO_DTLS)
Andres Amaya Garcia01692532017-06-28 09:26:46 +01004420 /* Silently ignore invalid DTLS records as recommended by RFC 6347
4421 * Section 4.1.2.7 */
Andres Amaya Garcia2fad94b2017-06-26 15:11:59 +01004422 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4423#endif /* MBEDTLS_SSL_PROTO_DTLS */
4424 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4425 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
4426
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004427 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +02004428 }
4429
4430 /* Check version */
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01004431 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +00004432 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
4434 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00004435 }
4436
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004437 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +00004438 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
4440 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00004441 }
4442
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +02004443 /* Check length against the size of our buffer */
Angus Grattond8213d02016-05-25 20:56:48 +10004444 if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +02004445 - (size_t)( ssl->in_msg - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +02004446 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4448 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker1a1fbba2014-04-30 14:38:05 +02004449 }
4450
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004451 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +01004452 * DTLS-related tests.
4453 * Check epoch before checking length constraint because
4454 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
4455 * message gets duplicated before the corresponding Finished message,
4456 * the second ChangeCipherSpec should be discarded because it belongs
4457 * to an old epoch, but not because its length is shorter than
4458 * the minimum record length for packets using the new record transform.
4459 * Note that these two kinds of failures are handled differently,
4460 * as an unexpected record is silently skipped but an invalid
4461 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004462 */
4463#if defined(MBEDTLS_SSL_PROTO_DTLS)
4464 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4465 {
4466 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
4467
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004468 /* Check epoch (and sequence number) with DTLS */
4469 if( rec_epoch != ssl->in_epoch )
4470 {
4471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
4472 "expected %d, received %d",
4473 ssl->in_epoch, rec_epoch ) );
4474
4475#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4476 /*
4477 * Check for an epoch 0 ClientHello. We can't use in_msg here to
4478 * access the first byte of record content (handshake type), as we
4479 * have an active transform (possibly iv_len != 0), so use the
4480 * fact that the record header len is 13 instead.
4481 */
4482 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4483 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
4484 rec_epoch == 0 &&
4485 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4486 ssl->in_left > 13 &&
4487 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
4488 {
4489 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
4490 "from the same port" ) );
4491 return( ssl_handle_possible_reconnect( ssl ) );
4492 }
4493 else
4494#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Hanno Becker5f066e72018-08-16 14:56:31 +01004495 {
4496 /* Consider buffering the record. */
4497 if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
4498 {
4499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
4500 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4501 }
4502
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004503 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Hanno Becker5f066e72018-08-16 14:56:31 +01004504 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004505 }
4506
4507#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4508 /* Replay detection only works for the current epoch */
4509 if( rec_epoch == ssl->in_epoch &&
4510 mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
4511 {
4512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
4513 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4514 }
4515#endif
Hanno Becker52c6dc62017-05-26 16:07:36 +01004516
Hanno Becker52c6dc62017-05-26 16:07:36 +01004517 /* Drop unexpected ApplicationData records,
4518 * except at the beginning of renegotiations */
4519 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4520 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4521#if defined(MBEDTLS_SSL_RENEGOTIATION)
4522 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4523 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4524#endif
4525 )
4526 {
4527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4528 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4529 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01004530 }
4531#endif /* MBEDTLS_SSL_PROTO_DTLS */
4532
Hanno Becker52c6dc62017-05-26 16:07:36 +01004533
4534 /* Check length against bounds of the current transform and version */
4535 if( ssl->transform_in == NULL )
4536 {
4537 if( ssl->in_msglen < 1 ||
Angus Grattond8213d02016-05-25 20:56:48 +10004538 ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker52c6dc62017-05-26 16:07:36 +01004539 {
4540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4541 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4542 }
4543 }
4544 else
4545 {
4546 if( ssl->in_msglen < ssl->transform_in->minlen )
4547 {
4548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4549 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4550 }
4551
4552#if defined(MBEDTLS_SSL_PROTO_SSL3)
4553 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
Angus Grattond8213d02016-05-25 20:56:48 +10004554 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker52c6dc62017-05-26 16:07:36 +01004555 {
4556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4557 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4558 }
4559#endif
4560#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
4561 defined(MBEDTLS_SSL_PROTO_TLS1_2)
4562 /*
4563 * TLS encrypted messages can have up to 256 bytes of padding
4564 */
4565 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
4566 ssl->in_msglen > ssl->transform_in->minlen +
Angus Grattond8213d02016-05-25 20:56:48 +10004567 MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
Hanno Becker52c6dc62017-05-26 16:07:36 +01004568 {
4569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4570 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4571 }
4572#endif
4573 }
4574
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004575 return( 0 );
4576}
Paul Bakker5121ce52009-01-03 21:22:43 +00004577
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004578/*
4579 * If applicable, decrypt (and decompress) record content
4580 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004581static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004582{
4583 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02004584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004585 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
4586 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00004587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004588#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4589 if( mbedtls_ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00004590 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004591 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +00004592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004593 ret = mbedtls_ssl_hw_record_read( ssl );
4594 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +00004595 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004596 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
4597 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00004598 }
Paul Bakkerc7878112012-12-19 14:41:14 +01004599
4600 if( ret == 0 )
4601 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00004602 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004603#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +00004604 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00004605 {
Hanno Becker4c6876b2017-12-27 21:28:58 +00004606 mbedtls_record rec;
4607
4608 rec.buf = ssl->in_iv;
4609 rec.buf_len = MBEDTLS_SSL_IN_BUFFER_LEN
4610 - ( ssl->in_iv - ssl->in_buf );
4611 rec.data_len = ssl->in_msglen;
4612 rec.data_offset = 0;
4613
4614 memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
4615 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
4616 ssl->conf->transport, rec.ver );
4617 rec.type = ssl->in_msgtype;
Hanno Becker611a83b2018-01-03 14:27:32 +00004618 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
4619 &rec ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004620 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004621 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004622 return( ret );
4623 }
4624
Hanno Becker93012fe2018-08-07 14:30:18 +01004625 if( ssl->in_iv + rec.data_offset != ssl->in_msg )
4626 {
4627 /* Should never happen */
4628 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4629 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004630
Hanno Becker4c6876b2017-12-27 21:28:58 +00004631 ssl->in_msglen = rec.data_len;
4632 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
4633 ssl->in_len[1] = (unsigned char)( rec.data_len );
4634
Paul Bakker5121ce52009-01-03 21:22:43 +00004635 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
4636 ssl->in_msg, ssl->in_msglen );
4637
Angus Grattond8213d02016-05-25 20:56:48 +10004638 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00004639 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4641 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00004642 }
Hanno Becker4c6876b2017-12-27 21:28:58 +00004643 else if( ssl->in_msglen == 0 )
4644 {
4645#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4646 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
4647 && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
4648 {
4649 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
4650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
4651 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4652 }
4653#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4654
4655 ssl->nb_zero++;
4656
4657 /*
4658 * Three or more empty messages may be a DoS attack
4659 * (excessive CPU consumption).
4660 */
4661 if( ssl->nb_zero > 3 )
4662 {
4663 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
4664 "messages, possible DoS attack" ) );
4665 /* Q: Is that the right error code? */
4666 return( MBEDTLS_ERR_SSL_INVALID_MAC );
4667 }
4668 }
4669 else
4670 ssl->nb_zero = 0;
4671
4672#if defined(MBEDTLS_SSL_PROTO_DTLS)
4673 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4674 {
4675 ; /* in_ctr read from peer, not maintained internally */
4676 }
4677 else
4678#endif
4679 {
4680 unsigned i;
4681 for( i = 8; i > ssl_ep_len( ssl ); i-- )
4682 if( ++ssl->in_ctr[i - 1] != 0 )
4683 break;
4684
4685 /* The loop goes to its end iff the counter is wrapping */
4686 if( i == ssl_ep_len( ssl ) )
4687 {
4688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
4689 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
4690 }
4691 }
4692
Paul Bakker5121ce52009-01-03 21:22:43 +00004693 }
4694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004695#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00004696 if( ssl->transform_in != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004697 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00004698 {
4699 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4700 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004701 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00004702 return( ret );
4703 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00004704 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004705#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +00004706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004707#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004708 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02004709 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004710 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02004711 }
4712#endif
4713
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004714 return( 0 );
4715}
4716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004717static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02004718
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02004719/*
4720 * Read a record.
4721 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +02004722 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
4723 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
4724 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02004725 */
Hanno Becker1097b342018-08-15 14:09:41 +01004726
4727/* Helper functions for mbedtls_ssl_read_record(). */
4728static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +01004729static int ssl_get_next_record( mbedtls_ssl_context *ssl );
4730static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +01004731
Hanno Becker327c93b2018-08-15 13:56:18 +01004732int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +01004733 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004734{
4735 int ret;
4736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004737 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02004738
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004739 if( ssl->keep_current_message == 0 )
4740 {
4741 do {
Simon Butcher99000142016-10-13 17:21:01 +01004742
Hanno Becker26994592018-08-15 14:14:59 +01004743 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +01004744 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004745 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +01004746
Hanno Beckere74d5562018-08-15 14:26:08 +01004747 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004748 {
Hanno Becker40f50842018-08-15 14:48:01 +01004749#if defined(MBEDTLS_SSL_PROTO_DTLS)
4750 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +01004751
Hanno Becker40f50842018-08-15 14:48:01 +01004752 /* We only check for buffered messages if the
4753 * current datagram is fully consumed. */
4754 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +01004755 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +01004756 {
Hanno Becker40f50842018-08-15 14:48:01 +01004757 if( ssl_load_buffered_message( ssl ) == 0 )
4758 have_buffered = 1;
4759 }
4760
4761 if( have_buffered == 0 )
4762#endif /* MBEDTLS_SSL_PROTO_DTLS */
4763 {
4764 ret = ssl_get_next_record( ssl );
4765 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
4766 continue;
4767
4768 if( ret != 0 )
4769 {
Hanno Beckerc573ac32018-08-28 17:15:25 +01004770 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +01004771 return( ret );
4772 }
Hanno Beckere74d5562018-08-15 14:26:08 +01004773 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004774 }
4775
4776 ret = mbedtls_ssl_handle_message_type( ssl );
4777
Hanno Becker40f50842018-08-15 14:48:01 +01004778#if defined(MBEDTLS_SSL_PROTO_DTLS)
4779 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4780 {
4781 /* Buffer future message */
4782 ret = ssl_buffer_message( ssl );
4783 if( ret != 0 )
4784 return( ret );
4785
4786 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
4787 }
4788#endif /* MBEDTLS_SSL_PROTO_DTLS */
4789
Hanno Becker90333da2017-10-10 11:27:13 +01004790 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
4791 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004792
4793 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +01004794 {
Hanno Becker05c4fc82017-11-09 14:34:06 +00004795 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +01004796 return( ret );
4797 }
4798
Hanno Becker327c93b2018-08-15 13:56:18 +01004799 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +01004800 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004801 {
4802 mbedtls_ssl_update_handshake_status( ssl );
4803 }
Simon Butcher99000142016-10-13 17:21:01 +01004804 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004805 else
Simon Butcher99000142016-10-13 17:21:01 +01004806 {
Hanno Becker02f59072018-08-15 14:00:24 +01004807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01004808 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +01004809 }
4810
4811 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
4812
4813 return( 0 );
4814}
4815
Hanno Becker40f50842018-08-15 14:48:01 +01004816#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +01004817static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +01004818{
Hanno Becker40f50842018-08-15 14:48:01 +01004819 if( ssl->in_left > ssl->next_record_offset )
4820 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +01004821
Hanno Becker40f50842018-08-15 14:48:01 +01004822 return( 0 );
4823}
4824
4825static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
4826{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004827 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +01004828 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004829 int ret = 0;
4830
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004831 if( hs == NULL )
4832 return( -1 );
4833
Hanno Beckere00ae372018-08-20 09:39:42 +01004834 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
4835
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004836 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
4837 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4838 {
4839 /* Check if we have seen a ChangeCipherSpec before.
4840 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +01004841 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004842 {
4843 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
4844 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +01004845 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004846 }
4847
Hanno Becker39b8bc92018-08-28 17:17:13 +01004848 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004849 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4850 ssl->in_msglen = 1;
4851 ssl->in_msg[0] = 1;
4852
4853 /* As long as they are equal, the exact value doesn't matter. */
4854 ssl->in_left = 0;
4855 ssl->next_record_offset = 0;
4856
Hanno Beckerd7f8ae22018-08-16 09:45:56 +01004857 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004858 goto exit;
4859 }
Hanno Becker37f95322018-08-16 13:55:32 +01004860
Hanno Beckerb8f50142018-08-28 10:01:34 +01004861#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +01004862 /* Debug only */
4863 {
4864 unsigned offset;
4865 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
4866 {
4867 hs_buf = &hs->buffering.hs[offset];
4868 if( hs_buf->is_valid == 1 )
4869 {
4870 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
4871 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +01004872 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +01004873 }
4874 }
4875 }
Hanno Beckerb8f50142018-08-28 10:01:34 +01004876#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +01004877
4878 /* Check if we have buffered and/or fully reassembled the
4879 * next handshake message. */
4880 hs_buf = &hs->buffering.hs[0];
4881 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4882 {
4883 /* Synthesize a record containing the buffered HS message. */
4884 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4885 ( hs_buf->data[2] << 8 ) |
4886 hs_buf->data[3];
4887
4888 /* Double-check that we haven't accidentally buffered
4889 * a message that doesn't fit into the input buffer. */
4890 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4891 {
4892 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4893 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4894 }
4895
4896 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
4897 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
4898 hs_buf->data, msg_len + 12 );
4899
4900 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4901 ssl->in_hslen = msg_len + 12;
4902 ssl->in_msglen = msg_len + 12;
4903 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
4904
4905 ret = 0;
4906 goto exit;
4907 }
4908 else
4909 {
4910 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
4911 hs->in_msg_seq ) );
4912 }
4913
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004914 ret = -1;
4915
4916exit:
4917
4918 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
4919 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +01004920}
4921
Hanno Beckera02b0b42018-08-21 17:20:27 +01004922static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
4923 size_t desired )
4924{
4925 int offset;
4926 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +01004927 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
4928 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +01004929
Hanno Becker01315ea2018-08-21 17:22:17 +01004930 /* Get rid of future records epoch first, if such exist. */
4931 ssl_free_buffered_record( ssl );
4932
4933 /* Check if we have enough space available now. */
4934 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4935 hs->buffering.total_bytes_buffered ) )
4936 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +01004937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +01004938 return( 0 );
4939 }
Hanno Beckera02b0b42018-08-21 17:20:27 +01004940
Hanno Becker4f432ad2018-08-28 10:02:32 +01004941 /* We don't have enough space to buffer the next expected handshake
4942 * message. Remove buffers used for future messages to gain space,
4943 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +01004944 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4945 offset >= 0; offset-- )
4946 {
4947 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4948 offset ) );
4949
Hanno Beckerb309b922018-08-23 13:18:05 +01004950 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +01004951
4952 /* Check if we have enough space available now. */
4953 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4954 hs->buffering.total_bytes_buffered ) )
4955 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +01004956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +01004957 return( 0 );
4958 }
4959 }
4960
4961 return( -1 );
4962}
4963
Hanno Becker40f50842018-08-15 14:48:01 +01004964static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4965{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004966 int ret = 0;
4967 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4968
4969 if( hs == NULL )
4970 return( 0 );
4971
4972 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4973
4974 switch( ssl->in_msgtype )
4975 {
4976 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +01004978
Hanno Beckerd7f8ae22018-08-16 09:45:56 +01004979 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01004980 break;
4981
4982 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +01004983 {
4984 unsigned recv_msg_seq_offset;
4985 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4986 mbedtls_ssl_hs_buffer *hs_buf;
4987 size_t msg_len = ssl->in_hslen - 12;
4988
4989 /* We should never receive an old handshake
4990 * message - double-check nonetheless. */
4991 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4992 {
4993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4995 }
4996
4997 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4998 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4999 {
5000 /* Silently ignore -- message too far in the future */
5001 MBEDTLS_SSL_DEBUG_MSG( 2,
5002 ( "Ignore future HS message with sequence number %u, "
5003 "buffering window %u - %u",
5004 recv_msg_seq, ssl->handshake->in_msg_seq,
5005 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
5006
5007 goto exit;
5008 }
5009
5010 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
5011 recv_msg_seq, recv_msg_seq_offset ) );
5012
5013 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
5014
5015 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +01005016 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +01005017 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +01005018 size_t reassembly_buf_sz;
5019
Hanno Becker37f95322018-08-16 13:55:32 +01005020 hs_buf->is_fragmented =
5021 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
5022
5023 /* We copy the message back into the input buffer
5024 * after reassembly, so check that it's not too large.
5025 * This is an implementation-specific limitation
5026 * and not one from the standard, hence it is not
5027 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +01005028 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +01005029 {
5030 /* Ignore message */
5031 goto exit;
5032 }
5033
Hanno Beckere0b150f2018-08-21 15:51:03 +01005034 /* Check if we have enough space to buffer the message. */
5035 if( hs->buffering.total_bytes_buffered >
5036 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
5037 {
5038 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5039 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5040 }
5041
Hanno Becker2a97b0e2018-08-21 15:47:49 +01005042 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
5043 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +01005044
5045 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
5046 hs->buffering.total_bytes_buffered ) )
5047 {
5048 if( recv_msg_seq_offset > 0 )
5049 {
5050 /* If we can't buffer a future message because
5051 * of space limitations -- ignore. */
5052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
5053 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
5054 (unsigned) hs->buffering.total_bytes_buffered ) );
5055 goto exit;
5056 }
Hanno Beckere1801392018-08-21 16:51:05 +01005057 else
5058 {
5059 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
5060 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
5061 (unsigned) hs->buffering.total_bytes_buffered ) );
5062 }
Hanno Beckere0b150f2018-08-21 15:51:03 +01005063
Hanno Beckera02b0b42018-08-21 17:20:27 +01005064 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +01005065 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +01005066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
5067 (unsigned) msg_len,
5068 (unsigned) reassembly_buf_sz,
5069 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Beckere0b150f2018-08-21 15:51:03 +01005070 (unsigned) hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +01005071 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
5072 goto exit;
5073 }
Hanno Beckere0b150f2018-08-21 15:51:03 +01005074 }
5075
5076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
5077 msg_len ) );
5078
Hanno Becker2a97b0e2018-08-21 15:47:49 +01005079 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
5080 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +01005081 {
Hanno Beckere0b150f2018-08-21 15:51:03 +01005082 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +01005083 goto exit;
5084 }
Hanno Beckere0b150f2018-08-21 15:51:03 +01005085 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +01005086
5087 /* Prepare final header: copy msg_type, length and message_seq,
5088 * then add standardised fragment_offset and fragment_length */
5089 memcpy( hs_buf->data, ssl->in_msg, 6 );
5090 memset( hs_buf->data + 6, 0, 3 );
5091 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
5092
5093 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +01005094
5095 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +01005096 }
5097 else
5098 {
5099 /* Make sure msg_type and length are consistent */
5100 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
5101 {
5102 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
5103 /* Ignore */
5104 goto exit;
5105 }
5106 }
5107
Hanno Becker4422bbb2018-08-20 09:40:19 +01005108 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +01005109 {
5110 size_t frag_len, frag_off;
5111 unsigned char * const msg = hs_buf->data + 12;
5112
5113 /*
5114 * Check and copy current fragment
5115 */
5116
5117 /* Validation of header fields already done in
5118 * mbedtls_ssl_prepare_handshake_record(). */
5119 frag_off = ssl_get_hs_frag_off( ssl );
5120 frag_len = ssl_get_hs_frag_len( ssl );
5121
5122 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
5123 frag_off, frag_len ) );
5124 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
5125
5126 if( hs_buf->is_fragmented )
5127 {
5128 unsigned char * const bitmask = msg + msg_len;
5129 ssl_bitmask_set( bitmask, frag_off, frag_len );
5130 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
5131 msg_len ) == 0 );
5132 }
5133 else
5134 {
5135 hs_buf->is_complete = 1;
5136 }
5137
5138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
5139 hs_buf->is_complete ? "" : "not yet " ) );
5140 }
5141
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005142 break;
Hanno Becker37f95322018-08-16 13:55:32 +01005143 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005144
5145 default:
Hanno Becker360bef32018-08-28 10:04:33 +01005146 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005147 break;
5148 }
5149
5150exit:
5151
5152 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
5153 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +01005154}
5155#endif /* MBEDTLS_SSL_PROTO_DTLS */
5156
Hanno Becker1097b342018-08-15 14:09:41 +01005157static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005158{
Hanno Becker4a810fb2017-05-24 16:27:30 +01005159 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +01005160 * Consume last content-layer message and potentially
5161 * update in_msglen which keeps track of the contents'
5162 * consumption state.
5163 *
5164 * (1) Handshake messages:
5165 * Remove last handshake message, move content
5166 * and adapt in_msglen.
5167 *
5168 * (2) Alert messages:
5169 * Consume whole record content, in_msglen = 0.
5170 *
Hanno Becker4a810fb2017-05-24 16:27:30 +01005171 * (3) Change cipher spec:
5172 * Consume whole record content, in_msglen = 0.
5173 *
5174 * (4) Application data:
5175 * Don't do anything - the record layer provides
5176 * the application data as a stream transport
5177 * and consumes through mbedtls_ssl_read only.
5178 *
5179 */
5180
5181 /* Case (1): Handshake messages */
5182 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005183 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +01005184 /* Hard assertion to be sure that no application data
5185 * is in flight, as corrupting ssl->in_msglen during
5186 * ssl->in_offt != NULL is fatal. */
5187 if( ssl->in_offt != NULL )
5188 {
5189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5191 }
5192
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005193 /*
5194 * Get next Handshake message in the current record
5195 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005196
Hanno Becker4a810fb2017-05-24 16:27:30 +01005197 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +01005198 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +01005199 * current handshake content: If DTLS handshake
5200 * fragmentation is used, that's the fragment
5201 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +01005202 * size here is faulty and should be changed at
5203 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +01005204 * (2) While it doesn't seem to cause problems, one
5205 * has to be very careful not to assume that in_hslen
5206 * is always <= in_msglen in a sensible communication.
5207 * Again, it's wrong for DTLS handshake fragmentation.
5208 * The following check is therefore mandatory, and
5209 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +01005210 * Additionally, ssl->in_hslen might be arbitrarily out of
5211 * bounds after handling a DTLS message with an unexpected
5212 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +01005213 */
5214 if( ssl->in_hslen < ssl->in_msglen )
5215 {
5216 ssl->in_msglen -= ssl->in_hslen;
5217 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
5218 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005219
Hanno Becker4a810fb2017-05-24 16:27:30 +01005220 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
5221 ssl->in_msg, ssl->in_msglen );
5222 }
5223 else
5224 {
5225 ssl->in_msglen = 0;
5226 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +02005227
Hanno Becker4a810fb2017-05-24 16:27:30 +01005228 ssl->in_hslen = 0;
5229 }
5230 /* Case (4): Application data */
5231 else if( ssl->in_offt != NULL )
5232 {
5233 return( 0 );
5234 }
5235 /* Everything else (CCS & Alerts) */
5236 else
5237 {
5238 ssl->in_msglen = 0;
5239 }
5240
Hanno Becker1097b342018-08-15 14:09:41 +01005241 return( 0 );
5242}
Hanno Becker4a810fb2017-05-24 16:27:30 +01005243
Hanno Beckere74d5562018-08-15 14:26:08 +01005244static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
5245{
Hanno Becker4a810fb2017-05-24 16:27:30 +01005246 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +01005247 return( 1 );
5248
5249 return( 0 );
5250}
5251
Hanno Becker5f066e72018-08-16 14:56:31 +01005252#if defined(MBEDTLS_SSL_PROTO_DTLS)
5253
5254static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
5255{
5256 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5257 if( hs == NULL )
5258 return;
5259
Hanno Becker01315ea2018-08-21 17:22:17 +01005260 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +01005261 {
Hanno Becker01315ea2018-08-21 17:22:17 +01005262 hs->buffering.total_bytes_buffered -=
5263 hs->buffering.future_record.len;
5264
5265 mbedtls_free( hs->buffering.future_record.data );
5266 hs->buffering.future_record.data = NULL;
5267 }
Hanno Becker5f066e72018-08-16 14:56:31 +01005268}
5269
5270static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
5271{
5272 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5273 unsigned char * rec;
5274 size_t rec_len;
5275 unsigned rec_epoch;
5276
5277 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5278 return( 0 );
5279
5280 if( hs == NULL )
5281 return( 0 );
5282
Hanno Becker5f066e72018-08-16 14:56:31 +01005283 rec = hs->buffering.future_record.data;
5284 rec_len = hs->buffering.future_record.len;
5285 rec_epoch = hs->buffering.future_record.epoch;
5286
5287 if( rec == NULL )
5288 return( 0 );
5289
Hanno Becker4cb782d2018-08-20 11:19:05 +01005290 /* Only consider loading future records if the
5291 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +01005292 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +01005293 return( 0 );
5294
Hanno Becker5f066e72018-08-16 14:56:31 +01005295 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
5296
5297 if( rec_epoch != ssl->in_epoch )
5298 {
5299 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
5300 goto exit;
5301 }
5302
5303 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
5304
5305 /* Double-check that the record is not too large */
5306 if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
5307 (size_t)( ssl->in_hdr - ssl->in_buf ) )
5308 {
5309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5310 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5311 }
5312
5313 memcpy( ssl->in_hdr, rec, rec_len );
5314 ssl->in_left = rec_len;
5315 ssl->next_record_offset = 0;
5316
5317 ssl_free_buffered_record( ssl );
5318
5319exit:
5320 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
5321 return( 0 );
5322}
5323
5324static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
5325{
5326 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5327 size_t const rec_hdr_len = 13;
Hanno Becker01315ea2018-08-21 17:22:17 +01005328 size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
Hanno Becker5f066e72018-08-16 14:56:31 +01005329
5330 /* Don't buffer future records outside handshakes. */
5331 if( hs == NULL )
5332 return( 0 );
5333
5334 /* Only buffer handshake records (we are only interested
5335 * in Finished messages). */
5336 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
5337 return( 0 );
5338
5339 /* Don't buffer more than one future epoch record. */
5340 if( hs->buffering.future_record.data != NULL )
5341 return( 0 );
5342
Hanno Becker01315ea2018-08-21 17:22:17 +01005343 /* Don't buffer record if there's not enough buffering space remaining. */
5344 if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
5345 hs->buffering.total_bytes_buffered ) )
5346 {
5347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
5348 (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
5349 (unsigned) hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005350 return( 0 );
5351 }
5352
Hanno Becker5f066e72018-08-16 14:56:31 +01005353 /* Buffer record */
5354 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
5355 ssl->in_epoch + 1 ) );
5356 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
5357 rec_hdr_len + ssl->in_msglen );
5358
5359 /* ssl_parse_record_header() only considers records
5360 * of the next epoch as candidates for buffering. */
5361 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker01315ea2018-08-21 17:22:17 +01005362 hs->buffering.future_record.len = total_buf_sz;
Hanno Becker5f066e72018-08-16 14:56:31 +01005363
5364 hs->buffering.future_record.data =
5365 mbedtls_calloc( 1, hs->buffering.future_record.len );
5366 if( hs->buffering.future_record.data == NULL )
5367 {
5368 /* If we run out of RAM trying to buffer a
5369 * record from the next epoch, just ignore. */
5370 return( 0 );
5371 }
5372
Hanno Becker01315ea2018-08-21 17:22:17 +01005373 memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
Hanno Becker5f066e72018-08-16 14:56:31 +01005374
Hanno Becker01315ea2018-08-21 17:22:17 +01005375 hs->buffering.total_bytes_buffered += total_buf_sz;
Hanno Becker5f066e72018-08-16 14:56:31 +01005376 return( 0 );
5377}
5378
5379#endif /* MBEDTLS_SSL_PROTO_DTLS */
5380
Hanno Beckere74d5562018-08-15 14:26:08 +01005381static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +01005382{
5383 int ret;
5384
Hanno Becker5f066e72018-08-16 14:56:31 +01005385#if defined(MBEDTLS_SSL_PROTO_DTLS)
5386 /* We might have buffered a future record; if so,
5387 * and if the epoch matches now, load it.
5388 * On success, this call will set ssl->in_left to
5389 * the length of the buffered record, so that
5390 * the calls to ssl_fetch_input() below will
5391 * essentially be no-ops. */
5392 ret = ssl_load_buffered_record( ssl );
5393 if( ret != 0 )
5394 return( ret );
5395#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +01005396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005397 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005398 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005399 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005400 return( ret );
5401 }
5402
5403 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005405#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +02005406 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5407 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005408 {
Hanno Becker5f066e72018-08-16 14:56:31 +01005409 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
5410 {
5411 ret = ssl_buffer_future_record( ssl );
5412 if( ret != 0 )
5413 return( ret );
5414
5415 /* Fall through to handling of unexpected records */
5416 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
5417 }
5418
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01005419 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
5420 {
5421 /* Skip unexpected record (but not whole datagram) */
5422 ssl->next_record_offset = ssl->in_msglen
5423 + mbedtls_ssl_hdr_len( ssl );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005424
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +01005425 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
5426 "(header)" ) );
5427 }
5428 else
5429 {
5430 /* Skip invalid record and the rest of the datagram */
5431 ssl->next_record_offset = 0;
5432 ssl->in_left = 0;
5433
5434 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
5435 "(header)" ) );
5436 }
5437
5438 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +01005439 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005440 }
5441#endif
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005442 return( ret );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005443 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005444
5445 /*
5446 * Read and optionally decrypt the message contents
5447 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005448 if( ( ret = mbedtls_ssl_fetch_input( ssl,
5449 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005450 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005451 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005452 return( ret );
5453 }
5454
5455 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005456#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005457 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +01005458 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005459 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
Hanno Beckere65ce782017-05-22 14:47:48 +01005460 if( ssl->next_record_offset < ssl->in_left )
5461 {
5462 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
5463 }
5464 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005465 else
5466#endif
5467 ssl->in_left = 0;
5468
5469 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005470 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005471#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005472 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005473 {
5474 /* Silently discard invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005475 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
5476 ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005477 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +02005478 /* Except when waiting for Finished as a bad mac here
5479 * probably means something went wrong in the handshake
5480 * (eg wrong psk used, mitm downgrade attempt, etc.) */
5481 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
5482 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
5483 {
5484#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5485 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
5486 {
5487 mbedtls_ssl_send_alert_message( ssl,
5488 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5489 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
5490 }
5491#endif
5492 return( ret );
5493 }
5494
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005495#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005496 if( ssl->conf->badmac_limit != 0 &&
5497 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02005498 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
5500 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02005501 }
5502#endif
5503
Hanno Becker4a810fb2017-05-24 16:27:30 +01005504 /* As above, invalid records cause
5505 * dismissal of the whole datagram. */
5506
5507 ssl->next_record_offset = 0;
5508 ssl->in_left = 0;
5509
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +01005511 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005512 }
5513
5514 return( ret );
5515 }
5516 else
5517#endif
5518 {
5519 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005520#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5521 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005522 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005523 mbedtls_ssl_send_alert_message( ssl,
5524 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5525 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005526 }
5527#endif
5528 return( ret );
5529 }
5530 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005531
Simon Butcher99000142016-10-13 17:21:01 +01005532 return( 0 );
5533}
5534
5535int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
5536{
5537 int ret;
5538
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02005539 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +02005540 * Handle particular types of records
5541 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005542 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00005543 {
Simon Butcher99000142016-10-13 17:21:01 +01005544 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
5545 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +01005546 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +01005547 }
Paul Bakker5121ce52009-01-03 21:22:43 +00005548 }
5549
Hanno Beckere678eaa2018-08-21 14:57:46 +01005550 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005551 {
Hanno Beckere678eaa2018-08-21 14:57:46 +01005552 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005553 {
Hanno Beckere678eaa2018-08-21 14:57:46 +01005554 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
5555 ssl->in_msglen ) );
5556 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005557 }
5558
Hanno Beckere678eaa2018-08-21 14:57:46 +01005559 if( ssl->in_msg[0] != 1 )
5560 {
5561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
5562 ssl->in_msg[0] ) );
5563 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5564 }
5565
5566#if defined(MBEDTLS_SSL_PROTO_DTLS)
5567 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5568 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
5569 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
5570 {
5571 if( ssl->handshake == NULL )
5572 {
5573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
5574 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
5575 }
5576
5577 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
5578 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
5579 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005580#endif
Hanno Beckere678eaa2018-08-21 14:57:46 +01005581 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +01005582
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005583 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +00005584 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +10005585 if( ssl->in_msglen != 2 )
5586 {
5587 /* Note: Standard allows for more than one 2 byte alert
5588 to be packed in a single message, but Mbed TLS doesn't
5589 currently support this. */
5590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
5591 ssl->in_msglen ) );
5592 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5593 }
5594
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +00005596 ssl->in_msg[0], ssl->in_msg[1] ) );
5597
5598 /*
Simon Butcher459a9502015-10-27 16:09:03 +00005599 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +00005600 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005601 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +00005602 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005603 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +00005604 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005605 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005606 }
5607
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005608 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5609 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +00005610 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005611 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
5612 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00005613 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +02005614
5615#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
5616 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5617 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
5618 {
Hanno Becker90333da2017-10-10 11:27:13 +01005619 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +02005620 /* Will be handled when trying to parse ServerHello */
5621 return( 0 );
5622 }
5623#endif
5624
5625#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
5626 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
5627 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5628 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5629 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5630 {
5631 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
5632 /* Will be handled in mbedtls_ssl_parse_certificate() */
5633 return( 0 );
5634 }
5635#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
5636
5637 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +01005638 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +00005639 }
5640
Hanno Beckerc76c6192017-06-06 10:03:17 +01005641#if defined(MBEDTLS_SSL_PROTO_DTLS)
5642 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5643 ssl->handshake != NULL &&
5644 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5645 {
5646 ssl_handshake_wrapup_free_hs_transform( ssl );
5647 }
5648#endif
5649
Paul Bakker5121ce52009-01-03 21:22:43 +00005650 return( 0 );
5651}
5652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005653int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00005654{
5655 int ret;
5656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005657 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5658 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5659 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00005660 {
5661 return( ret );
5662 }
5663
5664 return( 0 );
5665}
5666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005667int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +00005668 unsigned char level,
5669 unsigned char message )
5670{
5671 int ret;
5672
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005673 if( ssl == NULL || ssl->conf == NULL )
5674 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005676 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005677 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +00005678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005679 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +00005680 ssl->out_msglen = 2;
5681 ssl->out_msg[0] = level;
5682 ssl->out_msg[1] = message;
5683
Hanno Becker67bc7c32018-08-06 11:33:50 +01005684 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +00005685 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005686 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +00005687 return( ret );
5688 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +00005690
5691 return( 0 );
5692}
5693
Paul Bakker5121ce52009-01-03 21:22:43 +00005694/*
5695 * Handshake functions
5696 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005697#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
5698 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
5699 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
5700 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
5701 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
5702 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
5703 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskinef9828522017-05-03 12:28:43 +02005704/* No certificate support -> dummy functions */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005705int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00005706{
Hanno Becker8759e162017-12-27 21:34:08 +00005707 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00005708
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005709 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005711 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5712 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +02005713 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5714 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02005715 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02005717 ssl->state++;
5718 return( 0 );
5719 }
5720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5722 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005723}
5724
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005725int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005726{
Hanno Becker8759e162017-12-27 21:34:08 +00005727 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005728
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005729 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005731 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5732 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +02005733 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5734 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005735 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005736 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005737 ssl->state++;
5738 return( 0 );
5739 }
5740
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5742 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005743}
Gilles Peskinef9828522017-05-03 12:28:43 +02005744
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005745#else
Gilles Peskinef9828522017-05-03 12:28:43 +02005746/* Some certificate support -> implement write and parse */
5747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005748int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005749{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005750 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005751 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005752 const mbedtls_x509_crt *crt;
Hanno Becker8759e162017-12-27 21:34:08 +00005753 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005754
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005756
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005757 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5758 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +02005759 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5760 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005761 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005762 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02005763 ssl->state++;
5764 return( 0 );
5765 }
5766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005767#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005768 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +00005769 {
5770 if( ssl->client_auth == 0 )
5771 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005773 ssl->state++;
5774 return( 0 );
5775 }
5776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005777#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00005778 /*
5779 * If using SSLv3 and got no cert, send an Alert message
5780 * (otherwise an empty Certificate message will be sent).
5781 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005782 if( mbedtls_ssl_own_cert( ssl ) == NULL &&
5783 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00005784 {
5785 ssl->out_msglen = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005786 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5787 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
5788 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +00005789
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005790 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005791 goto write_msg;
5792 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005793#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00005794 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005795#endif /* MBEDTLS_SSL_CLI_C */
5796#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005797 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00005798 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005799 if( mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00005800 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005801 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
5802 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00005803 }
5804 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01005805#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00005806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005807 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005808
5809 /*
5810 * 0 . 0 handshake type
5811 * 1 . 3 handshake length
5812 * 4 . 6 length of all certs
5813 * 7 . 9 length of cert. 1
5814 * 10 . n-1 peer certificate
5815 * n . n+2 length of cert. 2
5816 * n+3 . ... upper level cert, etc.
5817 */
5818 i = 7;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005819 crt = mbedtls_ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00005820
Paul Bakker29087132010-03-21 21:03:34 +00005821 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00005822 {
5823 n = crt->raw.len;
Angus Grattond8213d02016-05-25 20:56:48 +10005824 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +00005825 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
Angus Grattond8213d02016-05-25 20:56:48 +10005827 i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005828 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005829 }
5830
5831 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
5832 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
5833 ssl->out_msg[i + 2] = (unsigned char)( n );
5834
5835 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
5836 i += n; crt = crt->next;
5837 }
5838
5839 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
5840 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
5841 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
5842
5843 ssl->out_msglen = i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005844 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5845 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
Paul Bakker5121ce52009-01-03 21:22:43 +00005846
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02005847#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00005848write_msg:
Paul Bakkerd2f068e2013-08-27 21:19:20 +02005849#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00005850
5851 ssl->state++;
5852
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005853 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00005854 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005855 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00005856 return( ret );
5857 }
5858
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005860
Paul Bakkered27a042013-04-18 22:46:23 +02005861 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00005862}
5863
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02005864/*
5865 * Once the certificate message is read, parse it into a cert chain and
5866 * perform basic checks, but leave actual verification to the caller
5867 */
5868static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00005869{
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02005870 int ret;
Paul Bakker23986e52011-04-24 08:57:21 +00005871 size_t i, n;
Gilles Peskine064a85c2017-05-10 10:46:40 +02005872 uint8_t alert;
Paul Bakker5121ce52009-01-03 21:22:43 +00005873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005874#if defined(MBEDTLS_SSL_SRV_C)
5875#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00005876 /*
5877 * Check if the client sent an empty certificate
5878 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005879 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005880 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00005881 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +00005882 if( ssl->in_msglen == 2 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005883 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
5884 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5885 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +00005886 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005888
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005889 /* The client was asked for a certificate but didn't send
5890 one. The client should know what's going on, so we
5891 don't send an alert. */
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01005892 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02005893 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005894 }
5895 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005896#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00005897
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005898#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5899 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005900 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005901 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00005902 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005903 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
5904 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
5905 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
5906 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00005907 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005909
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005910 /* The client was asked for a certificate but didn't send
5911 one. The client should know what's going on, so we
5912 don't send an alert. */
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01005913 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02005914 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005915 }
5916 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005917#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
5918 MBEDTLS_SSL_PROTO_TLS1_2 */
5919#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00005920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005921 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00005922 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005923 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005924 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5925 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005926 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005927 }
5928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005929 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
5930 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
Paul Bakker5121ce52009-01-03 21:22:43 +00005931 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005933 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5934 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005935 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005936 }
5937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005938 i = mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00005939
Paul Bakker5121ce52009-01-03 21:22:43 +00005940 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005941 * Same message structure as in mbedtls_ssl_write_certificate()
Paul Bakker5121ce52009-01-03 21:22:43 +00005942 */
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00005943 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
Paul Bakker5121ce52009-01-03 21:22:43 +00005944
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00005945 if( ssl->in_msg[i] != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005946 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00005947 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005948 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005949 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5950 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005951 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005952 }
5953
Manuel Pégourié-Gonnardbfb355c2013-09-07 17:27:43 +02005954 /* In case we tried to reuse a session but it failed */
5955 if( ssl->session_negotiate->peer_cert != NULL )
5956 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005957 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
5958 mbedtls_free( ssl->session_negotiate->peer_cert );
Manuel Pégourié-Gonnardbfb355c2013-09-07 17:27:43 +02005959 }
5960
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02005961 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005962 sizeof( mbedtls_x509_crt ) ) ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00005963 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02005964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005965 sizeof( mbedtls_x509_crt ) ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005966 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5967 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02005968 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00005969 }
5970
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005971 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00005972
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00005973 i += 3;
Paul Bakker5121ce52009-01-03 21:22:43 +00005974
5975 while( i < ssl->in_hslen )
5976 {
Philippe Antoine747fd532018-05-30 09:13:21 +02005977 if ( i + 3 > ssl->in_hslen ) {
5978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5979 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5980 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
5981 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5982 }
Paul Bakker5121ce52009-01-03 21:22:43 +00005983 if( ssl->in_msg[i] != 0 )
5984 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005985 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005986 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5987 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005988 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00005989 }
5990
5991 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
5992 | (unsigned int) ssl->in_msg[i + 2];
5993 i += 3;
5994
5995 if( n < 128 || i + n > ssl->in_hslen )
5996 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02005998 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5999 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006000 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00006001 }
6002
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006003 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
Paul Bakkerddf26b42013-09-18 13:46:23 +02006004 ssl->in_msg + i, n );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006005 switch( ret )
Paul Bakker5121ce52009-01-03 21:22:43 +00006006 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006007 case 0: /*ok*/
6008 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
6009 /* Ignore certificate with an unknown algorithm: maybe a
6010 prior certificate was already trusted. */
6011 break;
6012
6013 case MBEDTLS_ERR_X509_ALLOC_FAILED:
6014 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
6015 goto crt_parse_der_failed;
6016
6017 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
6018 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6019 goto crt_parse_der_failed;
6020
6021 default:
6022 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
6023 crt_parse_der_failed:
6024 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006025 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00006026 return( ret );
6027 }
6028
6029 i += n;
6030 }
6031
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006032 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00006033
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01006034 /*
6035 * On client, make sure the server cert doesn't change during renego to
6036 * avoid "triple handshake" attack: https://secure-resumption.com/
6037 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006038#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006039 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006040 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01006041 {
6042 if( ssl->session->peer_cert == NULL )
6043 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006045 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6046 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006047 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01006048 }
6049
6050 if( ssl->session->peer_cert->raw.len !=
6051 ssl->session_negotiate->peer_cert->raw.len ||
6052 memcmp( ssl->session->peer_cert->raw.p,
6053 ssl->session_negotiate->peer_cert->raw.p,
6054 ssl->session->peer_cert->raw.len ) != 0 )
6055 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006056 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006057 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6058 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006059 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01006060 }
6061 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006062#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01006063
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006064 return( 0 );
6065}
6066
6067int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
6068{
6069 int ret;
6070 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
Hanno Becker8759e162017-12-27 21:34:08 +00006071 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006072#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6073 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
6074 ? ssl->handshake->sni_authmode
6075 : ssl->conf->authmode;
6076#else
6077 const int authmode = ssl->conf->authmode;
6078#endif
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006079 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006080
6081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
6082
6083 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
6084 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
6085 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
6086 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
6087 {
6088 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
6089 ssl->state++;
6090 return( 0 );
6091 }
6092
6093#if defined(MBEDTLS_SSL_SRV_C)
6094 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
6095 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
6096 {
6097 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
6098 ssl->state++;
6099 return( 0 );
6100 }
6101
6102 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
6103 authmode == MBEDTLS_SSL_VERIFY_NONE )
6104 {
6105 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
6106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006107
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006108 ssl->state++;
6109 return( 0 );
6110 }
6111#endif
6112
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006113#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6114 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02006115 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006116 {
6117 goto crt_verify;
6118 }
6119#endif
6120
Manuel Pégourié-Gonnard125af942018-09-11 11:08:12 +02006121 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006122 {
6123 /* mbedtls_ssl_read_record may have sent an alert already. We
6124 let it decide whether to alert. */
6125 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
6126 return( ret );
6127 }
6128
6129 if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
6130 {
6131#if defined(MBEDTLS_SSL_SRV_C)
6132 if( ret == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE &&
6133 authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
6134 {
6135 ret = 0;
6136 }
6137#endif
6138
6139 ssl->state++;
6140 return( ret );
6141 }
6142
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006143#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6144 if( ssl->handshake->ecrs_enabled)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02006145 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006146
6147crt_verify:
6148 if( ssl->handshake->ecrs_enabled)
6149 rs_ctx = &ssl->handshake->ecrs_ctx;
6150#endif
6151
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02006152 if( authmode != MBEDTLS_SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00006153 {
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02006154 mbedtls_x509_crt *ca_chain;
6155 mbedtls_x509_crl *ca_crl;
6156
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006157#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02006158 if( ssl->handshake->sni_ca_chain != NULL )
6159 {
6160 ca_chain = ssl->handshake->sni_ca_chain;
6161 ca_crl = ssl->handshake->sni_ca_crl;
6162 }
6163 else
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006164#endif
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02006165 {
6166 ca_chain = ssl->conf->ca_chain;
6167 ca_crl = ssl->conf->ca_crl;
6168 }
6169
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006170 /*
6171 * Main check: verify certificate
6172 */
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006173 ret = mbedtls_x509_crt_verify_restartable(
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02006174 ssl->session_negotiate->peer_cert,
6175 ca_chain, ca_crl,
6176 ssl->conf->cert_profile,
6177 ssl->hostname,
6178 &ssl->session_negotiate->verify_result,
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006179 ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +00006180
6181 if( ret != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006182 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006183 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006184 }
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006185
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006186#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6187 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02006188 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02006189#endif
6190
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006191 /*
6192 * Secondary checks: always done, but change 'ret' only if it was 0
6193 */
6194
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006195#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006196 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006197 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006198
6199 /* If certificate uses an EC key, make sure the curve is OK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006200 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006201 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006202 {
Hanno Becker39ae8cd2017-05-08 16:31:14 +01006203 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
6204
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006206 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006207 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006208 }
6209 }
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006210#endif /* MBEDTLS_ECP_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00006211
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006212 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
Hanno Becker39ae8cd2017-05-08 16:31:14 +01006213 ciphersuite_info,
6214 ! ssl->conf->endpoint,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006215 &ssl->session_negotiate->verify_result ) != 0 )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006216 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006217 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006218 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006219 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006220 }
6221
Hanno Becker39ae8cd2017-05-08 16:31:14 +01006222 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
6223 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
6224 * with details encoded in the verification flags. All other kinds
6225 * of error codes, including those from the user provided f_vrfy
6226 * functions, are treated as fatal and lead to a failure of
6227 * ssl_parse_certificate even if verification was optional. */
6228 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
6229 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
6230 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
6231 {
Paul Bakker5121ce52009-01-03 21:22:43 +00006232 ret = 0;
Hanno Becker39ae8cd2017-05-08 16:31:14 +01006233 }
6234
6235 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
6236 {
6237 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
6238 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
6239 }
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006240
6241 if( ret != 0 )
6242 {
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006243 uint8_t alert;
6244
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006245 /* The certificate may have been rejected for several reasons.
6246 Pick one and send the corresponding alert. Which alert to send
6247 may be a subject of debate in some cases. */
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006248 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
6249 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
6250 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
6251 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
6252 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
6253 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6254 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
6255 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6256 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
6257 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6258 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
6259 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6260 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
6261 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6262 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
6263 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
6264 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
6265 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
6266 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
6267 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
Gilles Peskine8498cb32017-05-10 15:39:40 +02006268 else
6269 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006270 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6271 alert );
6272 }
Hanno Becker39ae8cd2017-05-08 16:31:14 +01006273
Hanno Beckere6706e62017-05-15 16:05:15 +01006274#if defined(MBEDTLS_DEBUG_C)
6275 if( ssl->session_negotiate->verify_result != 0 )
6276 {
6277 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
6278 ssl->session_negotiate->verify_result ) );
6279 }
6280 else
6281 {
6282 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
6283 }
6284#endif /* MBEDTLS_DEBUG_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00006285 }
6286
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02006287 ssl->state++;
6288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006290
6291 return( ret );
6292}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006293#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
6294 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
6295 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
6296 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
6297 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
6298 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
6299 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00006300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006301int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00006302{
6303 int ret;
6304
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006306
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006307 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +00006308 ssl->out_msglen = 1;
6309 ssl->out_msg[0] = 1;
6310
Paul Bakker5121ce52009-01-03 21:22:43 +00006311 ssl->state++;
6312
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02006313 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00006314 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02006315 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00006316 return( ret );
6317 }
6318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006319 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006320
6321 return( 0 );
6322}
6323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006324int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00006325{
6326 int ret;
6327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006328 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006329
Hanno Becker327c93b2018-08-15 13:56:18 +01006330 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00006331 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006332 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00006333 return( ret );
6334 }
6335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006336 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +00006337 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006339 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6340 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006341 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00006342 }
6343
Hanno Beckere678eaa2018-08-21 14:57:46 +01006344 /* CCS records are only accepted if they have length 1 and content '1',
6345 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +00006346
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006347 /*
6348 * Switch to our negotiated transform and session parameters for inbound
6349 * data.
6350 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006351 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006352 ssl->transform_in = ssl->transform_negotiate;
6353 ssl->session_in = ssl->session_negotiate;
6354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006355#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006356 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006357 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006358#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006359 ssl_dtls_replay_reset( ssl );
6360#endif
6361
6362 /* Increment epoch */
6363 if( ++ssl->in_epoch == 0 )
6364 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006365 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006366 /* This is highly unlikely to happen for legitimate reasons, so
6367 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006368 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006369 }
6370 }
6371 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006372#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006373 memset( ssl->in_ctr, 0, 8 );
6374
Hanno Becker5aa4e2c2018-08-06 09:26:08 +01006375 ssl_update_in_pointers( ssl, ssl->transform_negotiate );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006377#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
6378 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006379 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006380 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006381 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006382 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006383 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6384 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006385 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02006386 }
6387 }
6388#endif
6389
Paul Bakker5121ce52009-01-03 21:22:43 +00006390 ssl->state++;
6391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006392 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006393
6394 return( 0 );
6395}
6396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006397void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
6398 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00006399{
Paul Bakkerfb08fd22013-08-27 15:06:26 +02006400 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +01006401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006402#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6403 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6404 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +00006405 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker380da532012-04-18 16:10:25 +00006406 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006407#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006408#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6409#if defined(MBEDTLS_SHA512_C)
6410 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006411 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
6412 else
6413#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006414#if defined(MBEDTLS_SHA256_C)
6415 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +00006416 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006417 else
6418#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006419#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02006420 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006422 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02006423 }
Paul Bakker380da532012-04-18 16:10:25 +00006424}
Paul Bakkerf7abd422013-04-16 13:15:56 +02006425
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006426void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02006427{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006428#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6429 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006430 mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
6431 mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02006432#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006433#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6434#if defined(MBEDTLS_SHA256_C)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006435 mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02006436#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006437#if defined(MBEDTLS_SHA512_C)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006438 mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02006439#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006440#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02006441}
6442
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006443static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006444 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00006445{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006446#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6447 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006448 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6449 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006450#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006451#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6452#if defined(MBEDTLS_SHA256_C)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006453 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006454#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006455#if defined(MBEDTLS_SHA512_C)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006456 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01006457#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006458#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00006459}
6460
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006461#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6462 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6463static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006464 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00006465{
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006466 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6467 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00006468}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006469#endif
Paul Bakker380da532012-04-18 16:10:25 +00006470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006471#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6472#if defined(MBEDTLS_SHA256_C)
6473static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006474 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00006475{
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006476 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00006477}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02006478#endif
Paul Bakker380da532012-04-18 16:10:25 +00006479
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006480#if defined(MBEDTLS_SHA512_C)
6481static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006482 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00006483{
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006484 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00006485}
Paul Bakker769075d2012-11-24 11:26:46 +01006486#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006487#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00006488
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006489#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +00006490static void ssl_calc_finished_ssl(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006491 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00006492{
Paul Bakker3c2122f2013-06-24 19:03:14 +02006493 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006494 mbedtls_md5_context md5;
6495 mbedtls_sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +00006496
Paul Bakker5121ce52009-01-03 21:22:43 +00006497 unsigned char padbuf[48];
6498 unsigned char md5sum[16];
6499 unsigned char sha1sum[20];
6500
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006501 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00006502 if( !session )
6503 session = ssl->session;
6504
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006505 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006506
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02006507 mbedtls_md5_init( &md5 );
6508 mbedtls_sha1_init( &sha1 );
6509
6510 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6511 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006512
6513 /*
6514 * SSLv3:
6515 * hash =
6516 * MD5( master + pad2 +
6517 * MD5( handshake + sender + master + pad1 ) )
6518 * + SHA1( master + pad2 +
6519 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00006520 */
6521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006522#if !defined(MBEDTLS_MD5_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006523 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6524 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02006525#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00006526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006527#if !defined(MBEDTLS_SHA1_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006528 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6529 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02006530#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00006531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006532 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
Paul Bakker3c2122f2013-06-24 19:03:14 +02006533 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +00006534
Paul Bakker1ef83d62012-04-11 12:09:53 +00006535 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006536
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006537 mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
6538 mbedtls_md5_update_ret( &md5, session->master, 48 );
6539 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6540 mbedtls_md5_finish_ret( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00006541
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006542 mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
6543 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6544 mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
6545 mbedtls_sha1_finish_ret( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00006546
Paul Bakker1ef83d62012-04-11 12:09:53 +00006547 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006548
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006549 mbedtls_md5_starts_ret( &md5 );
6550 mbedtls_md5_update_ret( &md5, session->master, 48 );
6551 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6552 mbedtls_md5_update_ret( &md5, md5sum, 16 );
6553 mbedtls_md5_finish_ret( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00006554
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006555 mbedtls_sha1_starts_ret( &sha1 );
6556 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6557 mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
6558 mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
6559 mbedtls_sha1_finish_ret( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006560
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006561 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006562
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006563 mbedtls_md5_free( &md5 );
6564 mbedtls_sha1_free( &sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006565
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006566 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6567 mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
6568 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006569
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006570 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006571}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006572#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00006573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006574#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
Paul Bakker1ef83d62012-04-11 12:09:53 +00006575static void ssl_calc_finished_tls(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006576 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00006577{
Paul Bakker1ef83d62012-04-11 12:09:53 +00006578 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02006579 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006580 mbedtls_md5_context md5;
6581 mbedtls_sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +00006582 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +00006583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006584 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00006585 if( !session )
6586 session = ssl->session;
6587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006588 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006589
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02006590 mbedtls_md5_init( &md5 );
6591 mbedtls_sha1_init( &sha1 );
6592
6593 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6594 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006595
Paul Bakker1ef83d62012-04-11 12:09:53 +00006596 /*
6597 * TLSv1:
6598 * hash = PRF( master, finished_label,
6599 * MD5( handshake ) + SHA1( handshake ) )[0..11]
6600 */
Paul Bakker5121ce52009-01-03 21:22:43 +00006601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006602#if !defined(MBEDTLS_MD5_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006603 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6604 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02006605#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00006606
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006607#if !defined(MBEDTLS_SHA1_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006608 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6609 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02006610#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00006611
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006612 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02006613 ? "client finished"
6614 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00006615
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006616 mbedtls_md5_finish_ret( &md5, padbuf );
6617 mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006618
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006619 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00006620 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006622 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006623
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006624 mbedtls_md5_free( &md5 );
6625 mbedtls_sha1_free( &sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006626
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006627 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006628
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006629 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006630}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006631#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00006632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006633#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6634#if defined(MBEDTLS_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00006635static void ssl_calc_finished_tls_sha256(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006636 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker1ef83d62012-04-11 12:09:53 +00006637{
6638 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02006639 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006640 mbedtls_sha256_context sha256;
Paul Bakker1ef83d62012-04-11 12:09:53 +00006641 unsigned char padbuf[32];
6642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006643 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00006644 if( !session )
6645 session = ssl->session;
6646
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02006647 mbedtls_sha256_init( &sha256 );
6648
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006649 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006650
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02006651 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006652
6653 /*
6654 * TLSv1.2:
6655 * hash = PRF( master, finished_label,
6656 * Hash( handshake ) )[0.11]
6657 */
6658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006659#if !defined(MBEDTLS_SHA256_ALT)
6660 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006661 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02006662#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00006663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006664 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02006665 ? "client finished"
6666 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00006667
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006668 mbedtls_sha256_finish_ret( &sha256, padbuf );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006669
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006670 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00006671 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006673 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006674
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006675 mbedtls_sha256_free( &sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006676
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006677 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006680}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006681#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +00006682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006683#if defined(MBEDTLS_SHA512_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00006684static void ssl_calc_finished_tls_sha384(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006685 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakkerca4ab492012-04-18 14:23:57 +00006686{
6687 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02006688 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006689 mbedtls_sha512_context sha512;
Paul Bakkerca4ab492012-04-18 14:23:57 +00006690 unsigned char padbuf[48];
6691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006692 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00006693 if( !session )
6694 session = ssl->session;
6695
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02006696 mbedtls_sha512_init( &sha512 );
6697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006699
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02006700 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006701
6702 /*
6703 * TLSv1.2:
6704 * hash = PRF( master, finished_label,
6705 * Hash( handshake ) )[0.11]
6706 */
6707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006708#if !defined(MBEDTLS_SHA512_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006709 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
6710 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02006711#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00006712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006713 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02006714 ? "client finished"
6715 : "server finished";
Paul Bakkerca4ab492012-04-18 14:23:57 +00006716
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01006717 mbedtls_sha512_finish_ret( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006718
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02006719 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00006720 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006721
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006722 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006723
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02006724 mbedtls_sha512_free( &sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006725
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006726 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006728 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00006729}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006730#endif /* MBEDTLS_SHA512_C */
6731#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +00006732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006733static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00006734{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006735 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00006736
6737 /*
6738 * Free our handshake params
6739 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02006740 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006741 mbedtls_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00006742 ssl->handshake = NULL;
6743
6744 /*
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006745 * Free the previous transform and swith in the current one
Paul Bakker48916f92012-09-16 19:57:18 +00006746 */
6747 if( ssl->transform )
6748 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006749 mbedtls_ssl_transform_free( ssl->transform );
6750 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00006751 }
6752 ssl->transform = ssl->transform_negotiate;
6753 ssl->transform_negotiate = NULL;
6754
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006755 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006756}
6757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006758void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006759{
6760 int resume = ssl->handshake->resume;
6761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006762 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006764#if defined(MBEDTLS_SSL_RENEGOTIATION)
6765 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006766 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006767 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006768 ssl->renego_records_seen = 0;
6769 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01006770#endif
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006771
6772 /*
6773 * Free the previous session and switch in the current one
6774 */
Paul Bakker0a597072012-09-25 21:55:46 +00006775 if( ssl->session )
6776 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006777#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +01006778 /* RFC 7366 3.1: keep the EtM state */
6779 ssl->session_negotiate->encrypt_then_mac =
6780 ssl->session->encrypt_then_mac;
6781#endif
6782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006783 mbedtls_ssl_session_free( ssl->session );
6784 mbedtls_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00006785 }
6786 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00006787 ssl->session_negotiate = NULL;
6788
Paul Bakker0a597072012-09-25 21:55:46 +00006789 /*
6790 * Add cache entry
6791 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006792 if( ssl->conf->f_set_cache != NULL &&
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02006793 ssl->session->id_len != 0 &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02006794 resume == 0 )
6795 {
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01006796 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006797 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02006798 }
Paul Bakker0a597072012-09-25 21:55:46 +00006799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006800#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006801 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006802 ssl->handshake->flight != NULL )
6803 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02006804 /* Cancel handshake timer */
6805 ssl_set_timer( ssl, 0 );
6806
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006807 /* Keep last flight around in case we need to resend it:
6808 * we need the handshake and transform structures for that */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006809 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02006810 }
6811 else
6812#endif
6813 ssl_handshake_wrapup_free_hs_transform( ssl );
6814
Paul Bakker48916f92012-09-16 19:57:18 +00006815 ssl->state++;
6816
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006817 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00006818}
6819
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006820int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
Paul Bakker1ef83d62012-04-11 12:09:53 +00006821{
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006822 int ret, hash_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00006823
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006825
Hanno Becker5aa4e2c2018-08-06 09:26:08 +01006826 ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Paul Bakker92be97b2013-01-02 17:30:03 +01006827
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006828 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00006829
Manuel Pégourié-Gonnard214a8482016-02-22 11:27:26 +01006830 /*
6831 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
6832 * may define some other value. Currently (early 2016), no defined
6833 * ciphersuite does this (and this is unlikely to change as activity has
6834 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
6835 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006836 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00006837
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006838#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00006839 ssl->verify_data_len = hash_len;
6840 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01006841#endif
Paul Bakker48916f92012-09-16 19:57:18 +00006842
Paul Bakker5121ce52009-01-03 21:22:43 +00006843 ssl->out_msglen = 4 + hash_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006844 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
6845 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
Paul Bakker5121ce52009-01-03 21:22:43 +00006846
6847 /*
6848 * In case of session resuming, invert the client and server
6849 * ChangeCipherSpec messages order.
6850 */
Paul Bakker0a597072012-09-25 21:55:46 +00006851 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00006852 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006853#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006854 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006855 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01006856#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006857#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006858 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006859 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01006860#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00006861 }
6862 else
6863 ssl->state++;
6864
Paul Bakker48916f92012-09-16 19:57:18 +00006865 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02006866 * Switch to our negotiated transform and session parameters for outbound
6867 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00006868 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006869 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +01006870
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006871#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006872 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006873 {
6874 unsigned char i;
6875
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02006876 /* Remember current epoch settings for resending */
6877 ssl->handshake->alt_transform_out = ssl->transform_out;
Hanno Becker19859472018-08-06 09:40:20 +01006878 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02006879
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006880 /* Set sequence_number to zero */
Hanno Becker19859472018-08-06 09:40:20 +01006881 memset( ssl->cur_out_ctr + 2, 0, 6 );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006882
6883 /* Increment epoch */
6884 for( i = 2; i > 0; i-- )
Hanno Becker19859472018-08-06 09:40:20 +01006885 if( ++ssl->cur_out_ctr[i - 1] != 0 )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006886 break;
6887
6888 /* The loop goes to its end iff the counter is wrapping */
6889 if( i == 0 )
6890 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
6892 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006893 }
6894 }
6895 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006896#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker19859472018-08-06 09:40:20 +01006897 memset( ssl->cur_out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006898
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02006899 ssl->transform_out = ssl->transform_negotiate;
6900 ssl->session_out = ssl->session_negotiate;
6901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006902#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
6903 if( mbedtls_ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +01006904 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006905 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
Paul Bakker07eb38b2012-12-19 14:42:06 +01006906 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006907 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
6908 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker07eb38b2012-12-19 14:42:06 +01006909 }
6910 }
6911#endif
6912
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006913#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006914 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006915 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02006916#endif
6917
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02006918 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00006919 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02006920 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00006921 return( ret );
6922 }
6923
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02006924#if defined(MBEDTLS_SSL_PROTO_DTLS)
6925 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
6926 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
6927 {
6928 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
6929 return( ret );
6930 }
6931#endif
6932
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006933 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006934
6935 return( 0 );
6936}
6937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006938#if defined(MBEDTLS_SSL_PROTO_SSL3)
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00006939#define SSL_MAX_HASH_LEN 36
6940#else
6941#define SSL_MAX_HASH_LEN 12
6942#endif
6943
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006944int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00006945{
Paul Bakker23986e52011-04-24 08:57:21 +00006946 int ret;
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02006947 unsigned int hash_len;
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00006948 unsigned char buf[SSL_MAX_HASH_LEN];
Paul Bakker5121ce52009-01-03 21:22:43 +00006949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006951
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006952 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00006953
Hanno Becker327c93b2018-08-15 13:56:18 +01006954 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00006955 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006956 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00006957 return( ret );
6958 }
6959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006960 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00006961 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006963 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6964 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006965 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00006966 }
6967
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00006968 /* There is currently no ciphersuite using another length with TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006969#if defined(MBEDTLS_SSL_PROTO_SSL3)
6970 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00006971 hash_len = 36;
6972 else
6973#endif
6974 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00006975
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006976 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
6977 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
Paul Bakker5121ce52009-01-03 21:22:43 +00006978 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006979 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006980 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6981 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006982 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00006983 }
6984
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006985 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
Manuel Pégourié-Gonnard4abc3272014-09-10 12:02:46 +00006986 buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00006987 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02006989 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6990 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006991 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00006992 }
6993
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006994#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00006995 ssl->verify_data_len = hash_len;
6996 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01006997#endif
Paul Bakker48916f92012-09-16 19:57:18 +00006998
Paul Bakker0a597072012-09-25 21:55:46 +00006999 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00007000 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007001#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02007002 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007003 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01007004#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007005#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02007006 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007007 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01007008#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00007009 }
7010 else
7011 ssl->state++;
7012
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007013#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02007014 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007015 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02007016#endif
7017
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00007019
7020 return( 0 );
7021}
7022
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007023static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007024{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007025 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007026
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007027#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
7028 defined(MBEDTLS_SSL_PROTO_TLS1_1)
7029 mbedtls_md5_init( &handshake->fin_md5 );
7030 mbedtls_sha1_init( &handshake->fin_sha1 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01007031 mbedtls_md5_starts_ret( &handshake->fin_md5 );
7032 mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007033#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007034#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
7035#if defined(MBEDTLS_SHA256_C)
7036 mbedtls_sha256_init( &handshake->fin_sha256 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01007037 mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007038#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007039#if defined(MBEDTLS_SHA512_C)
7040 mbedtls_sha512_init( &handshake->fin_sha512 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01007041 mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007042#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007043#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007044
7045 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +01007046
7047#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
7048 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7049 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
7050#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007052#if defined(MBEDTLS_DHM_C)
7053 mbedtls_dhm_init( &handshake->dhm_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007054#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007055#if defined(MBEDTLS_ECDH_C)
7056 mbedtls_ecdh_init( &handshake->ecdh_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007057#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02007058#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02007059 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02007060#if defined(MBEDTLS_SSL_CLI_C)
7061 handshake->ecjpake_cache = NULL;
7062 handshake->ecjpake_cache_len = 0;
7063#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02007064#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02007065
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02007066#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02007067 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02007068#endif
7069
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02007070#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7071 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
7072#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007073}
7074
Hanno Becker611a83b2018-01-03 14:27:32 +00007075void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007076{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007077 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +02007078
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007079 mbedtls_cipher_init( &transform->cipher_ctx_enc );
7080 mbedtls_cipher_init( &transform->cipher_ctx_dec );
Paul Bakker84bbeb52014-07-01 14:53:22 +02007081
Hanno Becker92231322018-01-03 15:32:51 +00007082#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007083 mbedtls_md_init( &transform->md_ctx_enc );
7084 mbedtls_md_init( &transform->md_ctx_dec );
Hanno Becker92231322018-01-03 15:32:51 +00007085#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007086}
7087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007088void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007089{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007090 memset( session, 0, sizeof(mbedtls_ssl_session) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007091}
7092
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007093static int ssl_handshake_init( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00007094{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007095 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +00007096 if( ssl->transform_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007097 mbedtls_ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007098 if( ssl->session_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007099 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007100 if( ssl->handshake )
Gilles Peskine9b562d52018-04-25 20:32:43 +02007101 mbedtls_ssl_handshake_free( ssl );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007102
7103 /*
7104 * Either the pointers are now NULL or cleared properly and can be freed.
7105 * Now allocate missing structures.
7106 */
7107 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02007108 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02007109 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02007110 }
Paul Bakker48916f92012-09-16 19:57:18 +00007111
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007112 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02007113 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02007114 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02007115 }
Paul Bakker48916f92012-09-16 19:57:18 +00007116
Paul Bakker82788fb2014-10-20 13:59:19 +02007117 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02007118 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02007119 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02007120 }
Paul Bakker48916f92012-09-16 19:57:18 +00007121
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007122 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +00007123 if( ssl->handshake == NULL ||
7124 ssl->transform_negotiate == NULL ||
7125 ssl->session_negotiate == NULL )
7126 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02007127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007128
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007129 mbedtls_free( ssl->handshake );
7130 mbedtls_free( ssl->transform_negotiate );
7131 mbedtls_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007132
7133 ssl->handshake = NULL;
7134 ssl->transform_negotiate = NULL;
7135 ssl->session_negotiate = NULL;
7136
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02007137 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker48916f92012-09-16 19:57:18 +00007138 }
7139
Paul Bakkeraccaffe2014-06-26 13:37:14 +02007140 /* Initialize structures */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007141 mbedtls_ssl_session_init( ssl->session_negotiate );
Hanno Becker611a83b2018-01-03 14:27:32 +00007142 mbedtls_ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +02007143 ssl_handshake_params_init( ssl->handshake );
7144
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007145#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02007146 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7147 {
7148 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02007149
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02007150 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
7151 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
7152 else
7153 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02007154
7155 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02007156 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02007157#endif
7158
Paul Bakker48916f92012-09-16 19:57:18 +00007159 return( 0 );
7160}
7161
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02007162#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02007163/* Dummy cookie callbacks for defaults */
7164static int ssl_cookie_write_dummy( void *ctx,
7165 unsigned char **p, unsigned char *end,
7166 const unsigned char *cli_id, size_t cli_id_len )
7167{
7168 ((void) ctx);
7169 ((void) p);
7170 ((void) end);
7171 ((void) cli_id);
7172 ((void) cli_id_len);
7173
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007174 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02007175}
7176
7177static int ssl_cookie_check_dummy( void *ctx,
7178 const unsigned char *cookie, size_t cookie_len,
7179 const unsigned char *cli_id, size_t cli_id_len )
7180{
7181 ((void) ctx);
7182 ((void) cookie);
7183 ((void) cookie_len);
7184 ((void) cli_id);
7185 ((void) cli_id_len);
7186
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007187 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02007188}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02007189#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02007190
Hanno Becker5aa4e2c2018-08-06 09:26:08 +01007191/* Once ssl->out_hdr as the address of the beginning of the
7192 * next outgoing record is set, deduce the other pointers.
7193 *
7194 * Note: For TLS, we save the implicit record sequence number
7195 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
7196 * and the caller has to make sure there's space for this.
7197 */
7198
7199static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
7200 mbedtls_ssl_transform *transform )
7201{
7202#if defined(MBEDTLS_SSL_PROTO_DTLS)
7203 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7204 {
7205 ssl->out_ctr = ssl->out_hdr + 3;
7206 ssl->out_len = ssl->out_hdr + 11;
7207 ssl->out_iv = ssl->out_hdr + 13;
7208 }
7209 else
7210#endif
7211 {
7212 ssl->out_ctr = ssl->out_hdr - 8;
7213 ssl->out_len = ssl->out_hdr + 3;
7214 ssl->out_iv = ssl->out_hdr + 5;
7215 }
7216
7217 /* Adjust out_msg to make space for explicit IV, if used. */
7218 if( transform != NULL &&
7219 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
7220 {
7221 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
7222 }
7223 else
7224 ssl->out_msg = ssl->out_iv;
7225}
7226
7227/* Once ssl->in_hdr as the address of the beginning of the
7228 * next incoming record is set, deduce the other pointers.
7229 *
7230 * Note: For TLS, we save the implicit record sequence number
7231 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
7232 * and the caller has to make sure there's space for this.
7233 */
7234
7235static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
7236 mbedtls_ssl_transform *transform )
7237{
7238#if defined(MBEDTLS_SSL_PROTO_DTLS)
7239 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7240 {
7241 ssl->in_ctr = ssl->in_hdr + 3;
7242 ssl->in_len = ssl->in_hdr + 11;
7243 ssl->in_iv = ssl->in_hdr + 13;
7244 }
7245 else
7246#endif
7247 {
7248 ssl->in_ctr = ssl->in_hdr - 8;
7249 ssl->in_len = ssl->in_hdr + 3;
7250 ssl->in_iv = ssl->in_hdr + 5;
7251 }
7252
7253 /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
7254 if( transform != NULL &&
7255 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
7256 {
7257 ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
7258 }
7259 else
7260 ssl->in_msg = ssl->in_iv;
7261}
7262
Paul Bakker5121ce52009-01-03 21:22:43 +00007263/*
7264 * Initialize an SSL context
7265 */
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02007266void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
7267{
7268 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
7269}
7270
7271/*
7272 * Setup an SSL context
7273 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +01007274
7275static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
7276{
7277 /* Set the incoming and outgoing record pointers. */
7278#if defined(MBEDTLS_SSL_PROTO_DTLS)
7279 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7280 {
7281 ssl->out_hdr = ssl->out_buf;
7282 ssl->in_hdr = ssl->in_buf;
7283 }
7284 else
7285#endif /* MBEDTLS_SSL_PROTO_DTLS */
7286 {
7287 ssl->out_hdr = ssl->out_buf + 8;
7288 ssl->in_hdr = ssl->in_buf + 8;
7289 }
7290
7291 /* Derive other internal pointers. */
7292 ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
7293 ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
7294}
7295
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02007296int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +02007297 const mbedtls_ssl_config *conf )
Paul Bakker5121ce52009-01-03 21:22:43 +00007298{
Paul Bakker48916f92012-09-16 19:57:18 +00007299 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00007300
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02007301 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +00007302
7303 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01007304 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +00007305 */
k-stachowiakc9a5f022018-07-24 13:53:31 +02007306
7307 /* Set to NULL in case of an error condition */
7308 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +02007309
Angus Grattond8213d02016-05-25 20:56:48 +10007310 ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
7311 if( ssl->in_buf == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00007312 {
Angus Grattond8213d02016-05-25 20:56:48 +10007313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02007314 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02007315 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +10007316 }
7317
7318 ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
7319 if( ssl->out_buf == NULL )
7320 {
7321 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02007322 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02007323 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00007324 }
7325
Hanno Becker2a43f6f2018-08-10 11:12:52 +01007326 ssl_reset_in_out_pointers( ssl );
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02007327
Paul Bakker48916f92012-09-16 19:57:18 +00007328 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
k-stachowiaka47911c2018-07-04 17:41:58 +02007329 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00007330
7331 return( 0 );
k-stachowiaka47911c2018-07-04 17:41:58 +02007332
7333error:
7334 mbedtls_free( ssl->in_buf );
7335 mbedtls_free( ssl->out_buf );
7336
7337 ssl->conf = NULL;
7338
7339 ssl->in_buf = NULL;
7340 ssl->out_buf = NULL;
7341
7342 ssl->in_hdr = NULL;
7343 ssl->in_ctr = NULL;
7344 ssl->in_len = NULL;
7345 ssl->in_iv = NULL;
7346 ssl->in_msg = NULL;
7347
7348 ssl->out_hdr = NULL;
7349 ssl->out_ctr = NULL;
7350 ssl->out_len = NULL;
7351 ssl->out_iv = NULL;
7352 ssl->out_msg = NULL;
7353
k-stachowiak9f7798e2018-07-31 16:52:32 +02007354 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00007355}
7356
7357/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00007358 * Reset an initialized and used SSL context for re-use while retaining
7359 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02007360 *
7361 * If partial is non-zero, keep data in the input buffer and client ID.
7362 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +00007363 */
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02007364static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
Paul Bakker7eb013f2011-10-06 12:37:39 +00007365{
Paul Bakker48916f92012-09-16 19:57:18 +00007366 int ret;
7367
Hanno Becker7e772132018-08-10 12:38:21 +01007368#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
7369 !defined(MBEDTLS_SSL_SRV_C)
7370 ((void) partial);
7371#endif
7372
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007373 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01007374
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02007375 /* Cancel any possibly running timer */
7376 ssl_set_timer( ssl, 0 );
7377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007378#if defined(MBEDTLS_SSL_RENEGOTIATION)
7379 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01007380 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00007381
7382 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007383 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
7384 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01007385#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007386 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00007387
Paul Bakker7eb013f2011-10-06 12:37:39 +00007388 ssl->in_offt = NULL;
Hanno Beckerf29d4702018-08-10 11:31:15 +01007389 ssl_reset_in_out_pointers( ssl );
Paul Bakker7eb013f2011-10-06 12:37:39 +00007390
7391 ssl->in_msgtype = 0;
7392 ssl->in_msglen = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007393#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02007394 ssl->next_record_offset = 0;
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02007395 ssl->in_epoch = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02007396#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007397#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02007398 ssl_dtls_replay_reset( ssl );
7399#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +00007400
7401 ssl->in_hslen = 0;
7402 ssl->nb_zero = 0;
Hanno Beckeraf0665d2017-05-24 09:16:26 +01007403
7404 ssl->keep_current_message = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00007405
7406 ssl->out_msgtype = 0;
7407 ssl->out_msglen = 0;
7408 ssl->out_left = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007409#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7410 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01007411 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01007412#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +00007413
Hanno Becker19859472018-08-06 09:40:20 +01007414 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
7415
Paul Bakker48916f92012-09-16 19:57:18 +00007416 ssl->transform_in = NULL;
7417 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00007418
Hanno Becker78640902018-08-13 16:35:15 +01007419 ssl->session_in = NULL;
7420 ssl->session_out = NULL;
7421
Angus Grattond8213d02016-05-25 20:56:48 +10007422 memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
Hanno Becker4ccbf062018-08-10 11:20:38 +01007423
7424#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02007425 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01007426#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
7427 {
7428 ssl->in_left = 0;
Angus Grattond8213d02016-05-25 20:56:48 +10007429 memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
Hanno Becker4ccbf062018-08-10 11:20:38 +01007430 }
Paul Bakker05ef8352012-05-08 09:17:57 +00007431
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007432#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7433 if( mbedtls_ssl_hw_record_reset != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00007434 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
7436 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +00007437 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007438 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
7439 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +00007440 }
Paul Bakker05ef8352012-05-08 09:17:57 +00007441 }
7442#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +00007443
Paul Bakker48916f92012-09-16 19:57:18 +00007444 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00007445 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007446 mbedtls_ssl_transform_free( ssl->transform );
7447 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00007448 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00007449 }
Paul Bakker48916f92012-09-16 19:57:18 +00007450
Paul Bakkerc0463502013-02-14 11:19:38 +01007451 if( ssl->session )
7452 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007453 mbedtls_ssl_session_free( ssl->session );
7454 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01007455 ssl->session = NULL;
7456 }
7457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007458#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02007459 ssl->alpn_chosen = NULL;
7460#endif
7461
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02007462#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker4ccbf062018-08-10 11:20:38 +01007463#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02007464 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01007465#endif
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02007466 {
7467 mbedtls_free( ssl->cli_id );
7468 ssl->cli_id = NULL;
7469 ssl->cli_id_len = 0;
7470 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02007471#endif
7472
Paul Bakker48916f92012-09-16 19:57:18 +00007473 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
7474 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00007475
7476 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00007477}
7478
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02007479/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02007480 * Reset an initialized and used SSL context for re-use while retaining
7481 * all application-set variables, function pointers and data.
7482 */
7483int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
7484{
7485 return( ssl_session_reset_int( ssl, 0 ) );
7486}
7487
7488/*
Paul Bakker5121ce52009-01-03 21:22:43 +00007489 * SSL set accessors
7490 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007491void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
Paul Bakker5121ce52009-01-03 21:22:43 +00007492{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007493 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +00007494}
7495
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02007496void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01007497{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007498 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01007499}
7500
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007501#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007502void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02007503{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007504 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02007505}
7506#endif
7507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007508#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007509void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02007510{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007511 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02007512}
7513#endif
7514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007515#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +01007516
Hanno Becker1841b0a2018-08-24 11:13:57 +01007517void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
7518 unsigned allow_packing )
Hanno Becker04da1892018-08-14 13:22:10 +01007519{
7520 ssl->disable_datagram_packing = !allow_packing;
7521}
7522
7523void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
7524 uint32_t min, uint32_t max )
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02007525{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007526 conf->hs_timeout_min = min;
7527 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02007528}
7529#endif
7530
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007531void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
Paul Bakker5121ce52009-01-03 21:22:43 +00007532{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007533 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +00007534}
7535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007536#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007537void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02007538 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00007539 void *p_vrfy )
7540{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007541 conf->f_vrfy = f_vrfy;
7542 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +00007543}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007544#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00007545
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007546void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
Paul Bakkera3d195c2011-11-27 21:07:34 +00007547 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00007548 void *p_rng )
7549{
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01007550 conf->f_rng = f_rng;
7551 conf->p_rng = p_rng;
Paul Bakker5121ce52009-01-03 21:22:43 +00007552}
7553
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007554void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardfd474232015-06-23 16:34:24 +02007555 void (*f_dbg)(void *, int, const char *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00007556 void *p_dbg )
7557{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007558 conf->f_dbg = f_dbg;
7559 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +00007560}
7561
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007562void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02007563 void *p_bio,
Simon Butchere846b512016-03-01 17:31:49 +00007564 mbedtls_ssl_send_t *f_send,
7565 mbedtls_ssl_recv_t *f_recv,
7566 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02007567{
7568 ssl->p_bio = p_bio;
7569 ssl->f_send = f_send;
7570 ssl->f_recv = f_recv;
7571 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01007572}
7573
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02007574#if defined(MBEDTLS_SSL_PROTO_DTLS)
7575void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
7576{
7577 ssl->mtu = mtu;
7578}
7579#endif
7580
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007581void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01007582{
7583 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02007584}
7585
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02007586void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
7587 void *p_timer,
Simon Butchere846b512016-03-01 17:31:49 +00007588 mbedtls_ssl_set_timer_t *f_set_timer,
7589 mbedtls_ssl_get_timer_t *f_get_timer )
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02007590{
7591 ssl->p_timer = p_timer;
7592 ssl->f_set_timer = f_set_timer;
7593 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02007594
7595 /* Make sure we start with no timer running */
7596 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02007597}
7598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007599#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007600void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01007601 void *p_cache,
7602 int (*f_get_cache)(void *, mbedtls_ssl_session *),
7603 int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
Paul Bakker5121ce52009-01-03 21:22:43 +00007604{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01007605 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007606 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007607 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00007608}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007609#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00007610
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007611#if defined(MBEDTLS_SSL_CLI_C)
7612int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00007613{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02007614 int ret;
7615
7616 if( ssl == NULL ||
7617 session == NULL ||
7618 ssl->session_negotiate == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02007619 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02007620 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007621 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02007622 }
7623
7624 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
7625 return( ret );
7626
Paul Bakker0a597072012-09-25 21:55:46 +00007627 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02007628
7629 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00007630}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007631#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00007632
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007633void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007634 const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +00007635{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007636 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
7637 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
7638 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
7639 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
Paul Bakker8f4ddae2013-04-15 15:09:54 +02007640}
7641
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007642void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02007643 const int *ciphersuites,
Paul Bakker8f4ddae2013-04-15 15:09:54 +02007644 int major, int minor )
7645{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007646 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
Paul Bakker8f4ddae2013-04-15 15:09:54 +02007647 return;
7648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007649 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker8f4ddae2013-04-15 15:09:54 +02007650 return;
7651
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007652 conf->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00007653}
7654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007655#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02007656void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
Nicholas Wilson2088e2e2015-09-08 16:53:18 +01007657 const mbedtls_x509_crt_profile *profile )
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02007658{
7659 conf->cert_profile = profile;
7660}
7661
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02007662/* Append a new keycert entry to a (possibly empty) list */
7663static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
7664 mbedtls_x509_crt *cert,
7665 mbedtls_pk_context *key )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007666{
niisato8ee24222018-06-25 19:05:48 +09007667 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007668
niisato8ee24222018-06-25 19:05:48 +09007669 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
7670 if( new_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02007671 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007672
niisato8ee24222018-06-25 19:05:48 +09007673 new_cert->cert = cert;
7674 new_cert->key = key;
7675 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007676
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02007677 /* Update head is the list was null, else add to the end */
7678 if( *head == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +01007679 {
niisato8ee24222018-06-25 19:05:48 +09007680 *head = new_cert;
Paul Bakker0333b972013-11-04 17:08:28 +01007681 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007682 else
7683 {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02007684 mbedtls_ssl_key_cert *cur = *head;
7685 while( cur->next != NULL )
7686 cur = cur->next;
niisato8ee24222018-06-25 19:05:48 +09007687 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007688 }
7689
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02007690 return( 0 );
7691}
7692
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007693int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02007694 mbedtls_x509_crt *own_cert,
7695 mbedtls_pk_context *pk_key )
7696{
Manuel Pégourié-Gonnard17a40cd2015-05-10 23:17:17 +02007697 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02007698}
7699
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007700void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01007701 mbedtls_x509_crt *ca_chain,
7702 mbedtls_x509_crl *ca_crl )
Paul Bakker5121ce52009-01-03 21:22:43 +00007703{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01007704 conf->ca_chain = ca_chain;
7705 conf->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +00007706}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007707#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00007708
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02007709#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7710int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
7711 mbedtls_x509_crt *own_cert,
7712 mbedtls_pk_context *pk_key )
7713{
7714 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
7715 own_cert, pk_key ) );
7716}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02007717
7718void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
7719 mbedtls_x509_crt *ca_chain,
7720 mbedtls_x509_crl *ca_crl )
7721{
7722 ssl->handshake->sni_ca_chain = ca_chain;
7723 ssl->handshake->sni_ca_crl = ca_crl;
7724}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02007725
7726void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
7727 int authmode )
7728{
7729 ssl->handshake->sni_authmode = authmode;
7730}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02007731#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
7732
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02007733#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02007734/*
7735 * Set EC J-PAKE password for current handshake
7736 */
7737int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
7738 const unsigned char *pw,
7739 size_t pw_len )
7740{
7741 mbedtls_ecjpake_role role;
7742
Janos Follath8eb64132016-06-03 15:40:57 +01007743 if( ssl->handshake == NULL || ssl->conf == NULL )
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02007744 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7745
7746 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
7747 role = MBEDTLS_ECJPAKE_SERVER;
7748 else
7749 role = MBEDTLS_ECJPAKE_CLIENT;
7750
7751 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
7752 role,
7753 MBEDTLS_MD_SHA256,
7754 MBEDTLS_ECP_DP_SECP256R1,
7755 pw, pw_len ) );
7756}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02007757#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02007758
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007759#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007760int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01007761 const unsigned char *psk, size_t psk_len,
7762 const unsigned char *psk_identity, size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02007763{
Paul Bakker6db455e2013-09-18 17:29:31 +02007764 if( psk == NULL || psk_identity == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007765 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker6db455e2013-09-18 17:29:31 +02007766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007767 if( psk_len > MBEDTLS_PSK_MAX_LEN )
7768 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01007769
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02007770 /* Identity len will be encoded on two bytes */
7771 if( ( psk_identity_len >> 16 ) != 0 ||
Angus Grattond8213d02016-05-25 20:56:48 +10007772 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02007773 {
7774 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7775 }
7776
Andres Amaya Garciabbafd342017-07-05 14:25:21 +01007777 if( conf->psk != NULL )
Paul Bakker6db455e2013-09-18 17:29:31 +02007778 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05007779 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Andres Amaya Garciabbafd342017-07-05 14:25:21 +01007780
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01007781 mbedtls_free( conf->psk );
Manuel Pégourié-Gonnard173c7902015-10-20 19:56:45 +02007782 conf->psk = NULL;
Andres Amaya Garciabbafd342017-07-05 14:25:21 +01007783 conf->psk_len = 0;
7784 }
7785 if( conf->psk_identity != NULL )
7786 {
7787 mbedtls_free( conf->psk_identity );
Manuel Pégourié-Gonnard173c7902015-10-20 19:56:45 +02007788 conf->psk_identity = NULL;
Andres Amaya Garciabbafd342017-07-05 14:25:21 +01007789 conf->psk_identity_len = 0;
Paul Bakker6db455e2013-09-18 17:29:31 +02007790 }
7791
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02007792 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ||
7793 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
Mansour Moufidf81088b2015-02-17 13:10:21 -05007794 {
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01007795 mbedtls_free( conf->psk );
Manuel Pégourié-Gonnard24417f02015-09-28 18:09:45 +02007796 mbedtls_free( conf->psk_identity );
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01007797 conf->psk = NULL;
Manuel Pégourié-Gonnard24417f02015-09-28 18:09:45 +02007798 conf->psk_identity = NULL;
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02007799 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Mansour Moufidf81088b2015-02-17 13:10:21 -05007800 }
Paul Bakker6db455e2013-09-18 17:29:31 +02007801
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01007802 conf->psk_len = psk_len;
7803 conf->psk_identity_len = psk_identity_len;
Paul Bakker6db455e2013-09-18 17:29:31 +02007804
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01007805 memcpy( conf->psk, psk, conf->psk_len );
7806 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
Paul Bakker6db455e2013-09-18 17:29:31 +02007807
7808 return( 0 );
7809}
7810
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01007811int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
7812 const unsigned char *psk, size_t psk_len )
7813{
7814 if( psk == NULL || ssl->handshake == NULL )
7815 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7816
7817 if( psk_len > MBEDTLS_PSK_MAX_LEN )
7818 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7819
7820 if( ssl->handshake->psk != NULL )
Andres Amaya Garciaa0049882017-06-26 11:35:17 +01007821 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05007822 mbedtls_platform_zeroize( ssl->handshake->psk,
7823 ssl->handshake->psk_len );
Simon Butcher5b8d1d62015-10-04 22:06:51 +01007824 mbedtls_free( ssl->handshake->psk );
Andres Amaya Garciabbafd342017-07-05 14:25:21 +01007825 ssl->handshake->psk_len = 0;
Andres Amaya Garciaa0049882017-06-26 11:35:17 +01007826 }
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01007827
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02007828 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02007829 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01007830
7831 ssl->handshake->psk_len = psk_len;
7832 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
7833
7834 return( 0 );
7835}
7836
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007837void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007838 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
Paul Bakker6db455e2013-09-18 17:29:31 +02007839 size_t),
7840 void *p_psk )
7841{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007842 conf->f_psk = f_psk;
7843 conf->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02007844}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007845#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00007846
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02007847#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker470a8c42017-10-04 15:28:46 +01007848
7849#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007850int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +00007851{
7852 int ret;
7853
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01007854 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
7855 ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
7856 {
7857 mbedtls_mpi_free( &conf->dhm_P );
7858 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +00007859 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01007860 }
Paul Bakker5121ce52009-01-03 21:22:43 +00007861
7862 return( 0 );
7863}
Hanno Becker470a8c42017-10-04 15:28:46 +01007864#endif /* MBEDTLS_DEPRECATED_REMOVED */
Paul Bakker5121ce52009-01-03 21:22:43 +00007865
Hanno Beckera90658f2017-10-04 15:29:08 +01007866int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
7867 const unsigned char *dhm_P, size_t P_len,
7868 const unsigned char *dhm_G, size_t G_len )
7869{
7870 int ret;
7871
7872 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
7873 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
7874 {
7875 mbedtls_mpi_free( &conf->dhm_P );
7876 mbedtls_mpi_free( &conf->dhm_G );
7877 return( ret );
7878 }
7879
7880 return( 0 );
7881}
Paul Bakker5121ce52009-01-03 21:22:43 +00007882
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007883int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
Paul Bakker1b57b062011-01-06 15:48:19 +00007884{
7885 int ret;
7886
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01007887 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
7888 ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
7889 {
7890 mbedtls_mpi_free( &conf->dhm_P );
7891 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker1b57b062011-01-06 15:48:19 +00007892 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01007893 }
Paul Bakker1b57b062011-01-06 15:48:19 +00007894
7895 return( 0 );
7896}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02007897#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00007898
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02007899#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
7900/*
7901 * Set the minimum length for Diffie-Hellman parameters
7902 */
7903void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
7904 unsigned int bitlen )
7905{
7906 conf->dhm_min_bitlen = bitlen;
7907}
7908#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
7909
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +02007910#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02007911/*
7912 * Set allowed/preferred hashes for handshake signatures
7913 */
7914void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
7915 const int *hashes )
7916{
7917 conf->sig_hashes = hashes;
7918}
Hanno Becker947194e2017-04-07 13:25:49 +01007919#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02007920
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02007921#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01007922/*
7923 * Set the allowed elliptic curves
7924 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007925void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007926 const mbedtls_ecp_group_id *curve_list )
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01007927{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007928 conf->curve_list = curve_list;
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01007929}
Hanno Becker947194e2017-04-07 13:25:49 +01007930#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01007931
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01007932#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007933int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00007934{
Hanno Becker947194e2017-04-07 13:25:49 +01007935 /* Initialize to suppress unnecessary compiler warning */
7936 size_t hostname_len = 0;
7937
7938 /* Check if new hostname is valid before
7939 * making any change to current one */
Hanno Becker947194e2017-04-07 13:25:49 +01007940 if( hostname != NULL )
7941 {
7942 hostname_len = strlen( hostname );
7943
7944 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
7945 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7946 }
7947
7948 /* Now it's clear that we will overwrite the old hostname,
7949 * so we can free it safely */
7950
7951 if( ssl->hostname != NULL )
7952 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05007953 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Hanno Becker947194e2017-04-07 13:25:49 +01007954 mbedtls_free( ssl->hostname );
7955 }
7956
7957 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +01007958
Paul Bakker5121ce52009-01-03 21:22:43 +00007959 if( hostname == NULL )
Hanno Becker947194e2017-04-07 13:25:49 +01007960 {
7961 ssl->hostname = NULL;
7962 }
7963 else
7964 {
7965 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
Hanno Becker947194e2017-04-07 13:25:49 +01007966 if( ssl->hostname == NULL )
7967 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02007968
Hanno Becker947194e2017-04-07 13:25:49 +01007969 memcpy( ssl->hostname, hostname, hostname_len );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02007970
Hanno Becker947194e2017-04-07 13:25:49 +01007971 ssl->hostname[hostname_len] = '\0';
7972 }
Paul Bakker5121ce52009-01-03 21:22:43 +00007973
7974 return( 0 );
7975}
Hanno Becker1a9a51c2017-04-07 13:02:16 +01007976#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00007977
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01007978#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007979void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007980 int (*f_sni)(void *, mbedtls_ssl_context *,
Paul Bakker5701cdc2012-09-27 21:49:42 +00007981 const unsigned char *, size_t),
7982 void *p_sni )
7983{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02007984 conf->f_sni = f_sni;
7985 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +00007986}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007987#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00007988
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007989#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02007990int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02007991{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02007992 size_t cur_len, tot_len;
7993 const char **p;
7994
7995 /*
Brian J Murray1903fb32016-11-06 04:45:15 -08007996 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
7997 * MUST NOT be truncated."
7998 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02007999 */
8000 tot_len = 0;
8001 for( p = protos; *p != NULL; p++ )
8002 {
8003 cur_len = strlen( *p );
8004 tot_len += cur_len;
8005
8006 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008007 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02008008 }
8009
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008010 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02008011
8012 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02008013}
8014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008015const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02008016{
Paul Bakkerd8bb8262014-06-17 14:06:49 +02008017 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02008018}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008019#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02008020
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02008021void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker490ecc82011-10-06 13:04:09 +00008022{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008023 conf->max_major_ver = major;
8024 conf->max_minor_ver = minor;
Paul Bakker490ecc82011-10-06 13:04:09 +00008025}
8026
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02008027void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker1d29fb52012-09-28 13:28:45 +00008028{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008029 conf->min_major_ver = major;
8030 conf->min_minor_ver = minor;
Paul Bakker1d29fb52012-09-28 13:28:45 +00008031}
8032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008033#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008034void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02008035{
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +01008036 conf->fallback = fallback;
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02008037}
8038#endif
8039
Janos Follath088ce432017-04-10 12:42:31 +01008040#if defined(MBEDTLS_SSL_SRV_C)
8041void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
8042 char cert_req_ca_list )
8043{
8044 conf->cert_req_ca_list = cert_req_ca_list;
8045}
8046#endif
8047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008048#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008049void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01008050{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008051 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01008052}
8053#endif
8054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008055#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008056void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02008057{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008058 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02008059}
8060#endif
8061
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +02008062#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008063void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01008064{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008065 conf->arc4_disabled = arc4;
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01008066}
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +02008067#endif
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01008068
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008069#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008070int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02008071{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008072 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
Angus Grattond8213d02016-05-25 20:56:48 +10008073 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02008074 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008075 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02008076 }
8077
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +01008078 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02008079
8080 return( 0 );
8081}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008082#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02008083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008084#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02008085void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02008086{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008087 conf->trunc_hmac = truncate;
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02008088}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008089#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02008090
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008091#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008092void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01008093{
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +01008094 conf->cbc_record_splitting = split;
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01008095}
8096#endif
8097
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008098void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
Paul Bakker48916f92012-09-16 19:57:18 +00008099{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008100 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +00008101}
8102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008103#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008104void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01008105{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008106 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01008107}
8108
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008109void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02008110{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008111 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02008112}
8113
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02008114void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01008115 const unsigned char period[8] )
8116{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02008117 memcpy( conf->renego_period, period, 8 );
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01008118}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008119#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00008120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008121#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02008122#if defined(MBEDTLS_SSL_CLI_C)
8123void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02008124{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +01008125 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02008126}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02008127#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +02008128
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02008129#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02008130void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
8131 mbedtls_ssl_ticket_write_t *f_ticket_write,
8132 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
8133 void *p_ticket )
Paul Bakker606b4ba2013-08-14 16:52:14 +02008134{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02008135 conf->f_ticket_write = f_ticket_write;
8136 conf->f_ticket_parse = f_ticket_parse;
8137 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +02008138}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02008139#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008140#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02008141
Robert Cragie4feb7ae2015-10-02 13:33:37 +01008142#if defined(MBEDTLS_SSL_EXPORT_KEYS)
8143void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
8144 mbedtls_ssl_export_keys_t *f_export_keys,
8145 void *p_export_keys )
8146{
8147 conf->f_export_keys = f_export_keys;
8148 conf->p_export_keys = p_export_keys;
8149}
8150#endif
8151
Gilles Peskineb74a1c72018-04-24 13:09:22 +02008152#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01008153void mbedtls_ssl_conf_async_private_cb(
8154 mbedtls_ssl_config *conf,
8155 mbedtls_ssl_async_sign_t *f_async_sign,
8156 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
8157 mbedtls_ssl_async_resume_t *f_async_resume,
8158 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02008159 void *async_config_data )
Gilles Peskine8bf79f62018-01-05 21:11:53 +01008160{
8161 conf->f_async_sign_start = f_async_sign;
8162 conf->f_async_decrypt_start = f_async_decrypt;
8163 conf->f_async_resume = f_async_resume;
8164 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02008165 conf->p_async_config_data = async_config_data;
8166}
8167
Gilles Peskine8f97af72018-04-26 11:46:10 +02008168void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
8169{
8170 return( conf->p_async_config_data );
8171}
8172
Gilles Peskine1febfef2018-04-30 11:54:39 +02008173void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02008174{
8175 if( ssl->handshake == NULL )
8176 return( NULL );
8177 else
8178 return( ssl->handshake->user_async_ctx );
8179}
8180
Gilles Peskine1febfef2018-04-30 11:54:39 +02008181void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02008182 void *ctx )
8183{
8184 if( ssl->handshake != NULL )
8185 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine8bf79f62018-01-05 21:11:53 +01008186}
Gilles Peskineb74a1c72018-04-24 13:09:22 +02008187#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +01008188
Paul Bakker5121ce52009-01-03 21:22:43 +00008189/*
8190 * SSL get accessors
8191 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008192size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00008193{
8194 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
8195}
8196
Hanno Becker8b170a02017-10-10 11:51:19 +01008197int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
8198{
8199 /*
8200 * Case A: We're currently holding back
8201 * a message for further processing.
8202 */
8203
8204 if( ssl->keep_current_message == 1 )
8205 {
Hanno Beckera6fb0892017-10-23 13:17:48 +01008206 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +01008207 return( 1 );
8208 }
8209
8210 /*
8211 * Case B: Further records are pending in the current datagram.
8212 */
8213
8214#if defined(MBEDTLS_SSL_PROTO_DTLS)
8215 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8216 ssl->in_left > ssl->next_record_offset )
8217 {
Hanno Beckera6fb0892017-10-23 13:17:48 +01008218 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +01008219 return( 1 );
8220 }
8221#endif /* MBEDTLS_SSL_PROTO_DTLS */
8222
8223 /*
8224 * Case C: A handshake message is being processed.
8225 */
8226
Hanno Becker8b170a02017-10-10 11:51:19 +01008227 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
8228 {
Hanno Beckera6fb0892017-10-23 13:17:48 +01008229 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +01008230 return( 1 );
8231 }
8232
8233 /*
8234 * Case D: An application data message is being processed
8235 */
8236 if( ssl->in_offt != NULL )
8237 {
Hanno Beckera6fb0892017-10-23 13:17:48 +01008238 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +01008239 return( 1 );
8240 }
8241
8242 /*
8243 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +01008244 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +01008245 * we implement support for multiple alerts in single records.
8246 */
8247
8248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
8249 return( 0 );
8250}
8251
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02008252uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00008253{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00008254 if( ssl->session != NULL )
8255 return( ssl->session->verify_result );
8256
8257 if( ssl->session_negotiate != NULL )
8258 return( ssl->session_negotiate->verify_result );
8259
Manuel Pégourié-Gonnard6ab9b002015-05-14 11:25:04 +02008260 return( 0xFFFFFFFF );
Paul Bakker5121ce52009-01-03 21:22:43 +00008261}
8262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008263const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00008264{
Paul Bakker926c8e42013-03-06 10:23:34 +01008265 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02008266 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +01008267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008268 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00008269}
8270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008271const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
Paul Bakker43ca69c2011-01-15 17:35:19 +00008272{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008273#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008274 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01008275 {
8276 switch( ssl->minor_ver )
8277 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008278 case MBEDTLS_SSL_MINOR_VERSION_2:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01008279 return( "DTLSv1.0" );
8280
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008281 case MBEDTLS_SSL_MINOR_VERSION_3:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01008282 return( "DTLSv1.2" );
8283
8284 default:
8285 return( "unknown (DTLS)" );
8286 }
8287 }
8288#endif
8289
Paul Bakker43ca69c2011-01-15 17:35:19 +00008290 switch( ssl->minor_ver )
8291 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008292 case MBEDTLS_SSL_MINOR_VERSION_0:
Paul Bakker43ca69c2011-01-15 17:35:19 +00008293 return( "SSLv3.0" );
8294
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008295 case MBEDTLS_SSL_MINOR_VERSION_1:
Paul Bakker43ca69c2011-01-15 17:35:19 +00008296 return( "TLSv1.0" );
8297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008298 case MBEDTLS_SSL_MINOR_VERSION_2:
Paul Bakker43ca69c2011-01-15 17:35:19 +00008299 return( "TLSv1.1" );
8300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008301 case MBEDTLS_SSL_MINOR_VERSION_3:
Paul Bakker1ef83d62012-04-11 12:09:53 +00008302 return( "TLSv1.2" );
8303
Paul Bakker43ca69c2011-01-15 17:35:19 +00008304 default:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01008305 return( "unknown" );
Paul Bakker43ca69c2011-01-15 17:35:19 +00008306 }
Paul Bakker43ca69c2011-01-15 17:35:19 +00008307}
8308
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008309int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008310{
Hanno Becker3136ede2018-08-17 15:28:19 +01008311 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008312 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +01008313 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008314
Hanno Becker78640902018-08-13 16:35:15 +01008315 if( transform == NULL )
8316 return( (int) mbedtls_ssl_hdr_len( ssl ) );
8317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008318#if defined(MBEDTLS_ZLIB_SUPPORT)
8319 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
8320 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008321#endif
8322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008323 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008324 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008325 case MBEDTLS_MODE_GCM:
8326 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +01008327 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008328 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008329 transform_expansion = transform->minlen;
8330 break;
8331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008332 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +01008333
8334 block_size = mbedtls_cipher_get_block_size(
8335 &transform->cipher_ctx_enc );
8336
Hanno Becker3136ede2018-08-17 15:28:19 +01008337 /* Expansion due to the addition of the MAC. */
8338 transform_expansion += transform->maclen;
8339
8340 /* Expansion due to the addition of CBC padding;
8341 * Theoretically up to 256 bytes, but we never use
8342 * more than the block size of the underlying cipher. */
8343 transform_expansion += block_size;
8344
8345 /* For TLS 1.1 or higher, an explicit IV is added
8346 * after the record header. */
Hanno Becker5b559ac2018-08-03 09:40:07 +01008347#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
8348 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Hanno Becker3136ede2018-08-17 15:28:19 +01008349 transform_expansion += block_size;
Hanno Becker5b559ac2018-08-03 09:40:07 +01008350#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +01008351
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008352 break;
8353
8354 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +02008355 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008356 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008357 }
8358
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +02008359 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +02008360}
8361
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02008362#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8363size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
8364{
8365 size_t max_len;
8366
8367 /*
8368 * Assume mfl_code is correct since it was checked when set
8369 */
Angus Grattond8213d02016-05-25 20:56:48 +10008370 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02008371
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02008372 /* Check if a smaller max length was negotiated */
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02008373 if( ssl->session_out != NULL &&
Angus Grattond8213d02016-05-25 20:56:48 +10008374 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02008375 {
Angus Grattond8213d02016-05-25 20:56:48 +10008376 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02008377 }
8378
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02008379 /* During a handshake, use the value being negotiated */
8380 if( ssl->session_negotiate != NULL &&
8381 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
8382 {
8383 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
8384 }
8385
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008386 return( max_len );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02008387}
8388#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
8389
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02008390#if defined(MBEDTLS_SSL_PROTO_DTLS)
8391static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
8392{
Andrzej Kurekef43ce62018-10-09 08:24:12 -04008393 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
8394 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
8395 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
8396 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
8397 return ( 0 );
8398
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02008399 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
8400 return( ssl->mtu );
8401
8402 if( ssl->mtu == 0 )
8403 return( ssl->handshake->mtu );
8404
8405 return( ssl->mtu < ssl->handshake->mtu ?
8406 ssl->mtu : ssl->handshake->mtu );
8407}
8408#endif /* MBEDTLS_SSL_PROTO_DTLS */
8409
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008410int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
8411{
8412 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
8413
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02008414#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8415 !defined(MBEDTLS_SSL_PROTO_DTLS)
8416 (void) ssl;
8417#endif
8418
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008419#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8420 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
8421
8422 if( max_len > mfl )
8423 max_len = mfl;
8424#endif
8425
8426#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02008427 if( ssl_get_current_mtu( ssl ) != 0 )
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008428 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02008429 const size_t mtu = ssl_get_current_mtu( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008430 const int ret = mbedtls_ssl_get_record_expansion( ssl );
8431 const size_t overhead = (size_t) ret;
8432
8433 if( ret < 0 )
8434 return( ret );
8435
8436 if( mtu <= overhead )
8437 {
8438 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
8439 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
8440 }
8441
8442 if( max_len > mtu - overhead )
8443 max_len = mtu - overhead;
8444 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02008445#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008446
Hanno Becker0defedb2018-08-10 12:35:02 +01008447#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8448 !defined(MBEDTLS_SSL_PROTO_DTLS)
8449 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02008450#endif
8451
8452 return( (int) max_len );
8453}
8454
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008455#if defined(MBEDTLS_X509_CRT_PARSE_C)
8456const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +00008457{
8458 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02008459 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +00008460
Paul Bakkerd8bb8262014-06-17 14:06:49 +02008461 return( ssl->session->peer_cert );
Paul Bakkerb0550d92012-10-30 07:51:03 +00008462}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008463#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00008464
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008465#if defined(MBEDTLS_SSL_CLI_C)
8466int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02008467{
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02008468 if( ssl == NULL ||
8469 dst == NULL ||
8470 ssl->session == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008471 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02008472 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008473 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02008474 }
8475
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02008476 return( ssl_session_copy( dst, ssl->session ) );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02008477}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008478#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02008479
Paul Bakker5121ce52009-01-03 21:22:43 +00008480/*
Paul Bakker1961b702013-01-25 14:49:24 +01008481 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00008482 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008483int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00008484{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008485 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00008486
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02008487 if( ssl == NULL || ssl->conf == NULL )
8488 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008490#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008491 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008492 ret = mbedtls_ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00008493#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008494#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008495 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008496 ret = mbedtls_ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00008497#endif
8498
Paul Bakker1961b702013-01-25 14:49:24 +01008499 return( ret );
8500}
8501
8502/*
8503 * Perform the SSL handshake
8504 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008505int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
Paul Bakker1961b702013-01-25 14:49:24 +01008506{
8507 int ret = 0;
8508
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02008509 if( ssl == NULL || ssl->conf == NULL )
8510 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
Paul Bakker1961b702013-01-25 14:49:24 +01008513
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008514 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker1961b702013-01-25 14:49:24 +01008515 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008516 ret = mbedtls_ssl_handshake_step( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01008517
8518 if( ret != 0 )
8519 break;
8520 }
8521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008522 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00008523
8524 return( ret );
8525}
8526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008527#if defined(MBEDTLS_SSL_RENEGOTIATION)
8528#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00008529/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008530 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00008531 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008532static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008533{
8534 int ret;
8535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008536 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008537
8538 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008539 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8540 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008541
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02008542 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008543 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02008544 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008545 return( ret );
8546 }
8547
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008548 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008549
8550 return( 0 );
8551}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008552#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008553
8554/*
8555 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008556 * - any side: calling mbedtls_ssl_renegotiate(),
8557 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
8558 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02008559 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008560 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008561 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008562 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008563static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00008564{
8565 int ret;
8566
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008567 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00008568
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008569 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
8570 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00008571
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02008572 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
8573 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008574#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008575 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008576 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02008577 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008578 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02008579 ssl->handshake->out_msg_seq = 1;
8580 else
8581 ssl->handshake->in_msg_seq = 1;
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02008582 }
8583#endif
8584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008585 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
8586 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +00008587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008588 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00008589 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008590 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker48916f92012-09-16 19:57:18 +00008591 return( ret );
8592 }
8593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008594 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00008595
8596 return( 0 );
8597}
8598
8599/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008600 * Renegotiate current connection on client,
8601 * or request renegotiation on server
8602 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008603int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008604{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008605 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008606
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02008607 if( ssl == NULL || ssl->conf == NULL )
8608 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008610#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008611 /* On server, just send the request */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008612 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008613 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008614 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8615 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008617 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02008618
8619 /* Did we already try/start sending HelloRequest? */
8620 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008621 return( mbedtls_ssl_flush_output( ssl ) );
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02008622
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008623 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008624 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008625#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008627#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008628 /*
8629 * On client, either start the renegotiation process or,
8630 * if already in progress, continue the handshake
8631 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008632 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008633 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008634 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8635 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008636
8637 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
8638 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008639 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008640 return( ret );
8641 }
8642 }
8643 else
8644 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008645 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008646 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008647 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008648 return( ret );
8649 }
8650 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008651#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01008652
Paul Bakker37ce0ff2013-10-31 14:32:04 +01008653 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01008654}
8655
8656/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008657 * Check record counters and renegotiate if they're above the limit.
8658 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008659static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008660{
Andres AG2196c7f2016-12-15 17:01:16 +00008661 size_t ep_len = ssl_ep_len( ssl );
8662 int in_ctr_cmp;
8663 int out_ctr_cmp;
8664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008665 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
8666 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008667 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008668 {
8669 return( 0 );
8670 }
8671
Andres AG2196c7f2016-12-15 17:01:16 +00008672 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
8673 ssl->conf->renego_period + ep_len, 8 - ep_len );
Hanno Becker19859472018-08-06 09:40:20 +01008674 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
Andres AG2196c7f2016-12-15 17:01:16 +00008675 ssl->conf->renego_period + ep_len, 8 - ep_len );
8676
8677 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008678 {
8679 return( 0 );
8680 }
8681
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +02008682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008683 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008684}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008685#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00008686
8687/*
8688 * Receive application data decrypted from the SSL layer
8689 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008690int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00008691{
Hanno Becker4a810fb2017-05-24 16:27:30 +01008692 int ret;
Paul Bakker23986e52011-04-24 08:57:21 +00008693 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00008694
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02008695 if( ssl == NULL || ssl->conf == NULL )
8696 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00008699
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008700#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008701 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02008702 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008703 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02008704 return( ret );
8705
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008706 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008707 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008708 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02008709 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008710 return( ret );
8711 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02008712 }
8713#endif
8714
Hanno Becker4a810fb2017-05-24 16:27:30 +01008715 /*
8716 * Check if renegotiation is necessary and/or handshake is
8717 * in process. If yes, perform/continue, and fall through
8718 * if an unexpected packet is received while the client
8719 * is waiting for the ServerHello.
8720 *
8721 * (There is no equivalent to the last condition on
8722 * the server-side as it is not treated as within
8723 * a handshake while waiting for the ClientHello
8724 * after a renegotiation request.)
8725 */
8726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008727#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +01008728 ret = ssl_check_ctr_renegotiate( ssl );
8729 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
8730 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008731 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008732 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01008733 return( ret );
8734 }
8735#endif
8736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008737 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00008738 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008739 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +01008740 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
8741 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00008742 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008743 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00008744 return( ret );
8745 }
8746 }
8747
Hanno Beckere41158b2017-10-23 13:30:32 +01008748 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +01008749 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00008750 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02008751 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +02008752 if( ssl->f_get_timer != NULL &&
8753 ssl->f_get_timer( ssl->p_timer ) == -1 )
8754 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008755 ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +02008756 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02008757
Hanno Becker327c93b2018-08-15 13:56:18 +01008758 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00008759 {
Hanno Becker4a810fb2017-05-24 16:27:30 +01008760 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
8761 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +00008762
Hanno Becker4a810fb2017-05-24 16:27:30 +01008763 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
8764 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00008765 }
8766
8767 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008768 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +00008769 {
8770 /*
8771 * OpenSSL sends empty messages to randomize the IV
8772 */
Hanno Becker327c93b2018-08-15 13:56:18 +01008773 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00008774 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008775 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +00008776 return( 0 );
8777
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008778 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00008779 return( ret );
8780 }
8781 }
8782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008783 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +00008784 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008785 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00008786
Hanno Becker4a810fb2017-05-24 16:27:30 +01008787 /*
8788 * - For client-side, expect SERVER_HELLO_REQUEST.
8789 * - For server-side, expect CLIENT_HELLO.
8790 * - Fail (TLS) or silently drop record (DTLS) in other cases.
8791 */
8792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008793#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008794 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008795 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
Hanno Becker4a810fb2017-05-24 16:27:30 +01008796 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
Paul Bakker48916f92012-09-16 19:57:18 +00008797 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008798 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008799
8800 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008801#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008802 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +01008803 {
8804 continue;
8805 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008806#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008807 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008808 }
Hanno Becker4a810fb2017-05-24 16:27:30 +01008809#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008810
Hanno Becker4a810fb2017-05-24 16:27:30 +01008811#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008812 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008813 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008814 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008816
8817 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008818#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +01008820 {
8821 continue;
8822 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02008823#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008824 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker48916f92012-09-16 19:57:18 +00008825 }
Hanno Becker4a810fb2017-05-24 16:27:30 +01008826#endif /* MBEDTLS_SSL_SRV_C */
8827
Hanno Becker21df7f92017-10-17 11:03:26 +01008828#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +01008829 /* Determine whether renegotiation attempt should be accepted */
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +01008830 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
8831 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
8832 ssl->conf->allow_legacy_renegotiation ==
8833 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
8834 {
8835 /*
8836 * Accept renegotiation request
8837 */
Paul Bakker48916f92012-09-16 19:57:18 +00008838
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +01008839 /* DTLS clients need to know renego is server-initiated */
8840#if defined(MBEDTLS_SSL_PROTO_DTLS)
8841 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8842 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
8843 {
8844 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
8845 }
8846#endif
8847 ret = ssl_start_renegotiation( ssl );
8848 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
8849 ret != 0 )
8850 {
8851 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
8852 return( ret );
8853 }
8854 }
8855 else
Hanno Becker21df7f92017-10-17 11:03:26 +01008856#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +00008857 {
Hanno Becker4a810fb2017-05-24 16:27:30 +01008858 /*
8859 * Refuse renegotiation
8860 */
8861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00008863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008864#if defined(MBEDTLS_SSL_PROTO_SSL3)
8865 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +00008866 {
Gilles Peskine92e44262017-05-10 17:27:49 +02008867 /* SSLv3 does not have a "no_renegotiation" warning, so
8868 we send a fatal alert and abort the connection. */
8869 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8870 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
8871 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00008872 }
8873 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008874#endif /* MBEDTLS_SSL_PROTO_SSL3 */
8875#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
8876 defined(MBEDTLS_SSL_PROTO_TLS1_2)
8877 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00008878 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008879 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
8880 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
8881 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00008882 {
8883 return( ret );
8884 }
Paul Bakker48916f92012-09-16 19:57:18 +00008885 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02008886 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008887#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
8888 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02008889 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
8891 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02008892 }
Paul Bakker48916f92012-09-16 19:57:18 +00008893 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02008894
Hanno Becker90333da2017-10-10 11:27:13 +01008895 /* At this point, we don't know whether the renegotiation has been
8896 * completed or not. The cases to consider are the following:
8897 * 1) The renegotiation is complete. In this case, no new record
8898 * has been read yet.
8899 * 2) The renegotiation is incomplete because the client received
8900 * an application data record while awaiting the ServerHello.
8901 * 3) The renegotiation is incomplete because the client received
8902 * a non-handshake, non-application data message while awaiting
8903 * the ServerHello.
8904 * In each of these case, looping will be the proper action:
8905 * - For 1), the next iteration will read a new record and check
8906 * if it's application data.
8907 * - For 2), the loop condition isn't satisfied as application data
8908 * is present, hence continue is the same as break
8909 * - For 3), the loop condition is satisfied and read_record
8910 * will re-deliver the message that was held back by the client
8911 * when expecting the ServerHello.
8912 */
8913 continue;
Paul Bakker48916f92012-09-16 19:57:18 +00008914 }
Hanno Becker21df7f92017-10-17 11:03:26 +01008915#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008916 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +01008917 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008918 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02008919 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008920 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02008921 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008922 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02008923 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008924 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02008925 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02008926 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +01008927 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008928#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02008929
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008930 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
8931 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02008932 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008933 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +01008934 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02008935 }
8936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008937 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +00008938 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
8940 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00008941 }
8942
8943 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02008944
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02008945 /* We're going to return something now, cancel timer,
8946 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008947 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02008948 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008949
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02008950#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008951 /* If we requested renego but received AppData, resend HelloRequest.
8952 * Do it now, after setting in_offt, to avoid taking this branch
8953 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008954#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02008955 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008956 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008957 {
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02008958 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008959 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008960 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02008961 return( ret );
8962 }
8963 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008964#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +01008965#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +00008966 }
8967
8968 n = ( len < ssl->in_msglen )
8969 ? len : ssl->in_msglen;
8970
8971 memcpy( buf, ssl->in_offt, n );
8972 ssl->in_msglen -= n;
8973
8974 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +01008975 {
8976 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +00008977 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +01008978 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +01008979 }
Paul Bakker5121ce52009-01-03 21:22:43 +00008980 else
Hanno Becker4a810fb2017-05-24 16:27:30 +01008981 {
Paul Bakker5121ce52009-01-03 21:22:43 +00008982 /* more data available */
8983 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +01008984 }
Paul Bakker5121ce52009-01-03 21:22:43 +00008985
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008986 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00008987
Paul Bakker23986e52011-04-24 08:57:21 +00008988 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00008989}
8990
8991/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +01008992 * Send application data to be encrypted by the SSL layer, taking care of max
8993 * fragment length and buffer size.
8994 *
8995 * According to RFC 5246 Section 6.2.1:
8996 *
8997 * Zero-length fragments of Application data MAY be sent as they are
8998 * potentially useful as a traffic analysis countermeasure.
8999 *
9000 * Therefore, it is possible that the input message length is 0 and the
9001 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +00009002 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009003static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009004 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00009005{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02009006 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
9007 const size_t max_len = (size_t) ret;
9008
9009 if( ret < 0 )
9010 {
9011 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
9012 return( ret );
9013 }
9014
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009015 if( len > max_len )
9016 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009017#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02009018 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009019 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009020 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009021 "maximum fragment length: %d > %d",
9022 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009023 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009024 }
9025 else
9026#endif
9027 len = max_len;
9028 }
Paul Bakker887bd502011-06-08 13:10:54 +00009029
Paul Bakker5121ce52009-01-03 21:22:43 +00009030 if( ssl->out_left != 0 )
9031 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +01009032 /*
9033 * The user has previously tried to send the data and
9034 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
9035 * written. In this case, we expect the high-level write function
9036 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
9037 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009038 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00009039 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00009041 return( ret );
9042 }
9043 }
Paul Bakker887bd502011-06-08 13:10:54 +00009044 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +00009045 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +01009046 /*
9047 * The user is trying to send a message the first time, so we need to
9048 * copy the data into the internal buffers and setup the data structure
9049 * to keep track of partial writes
9050 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009051 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009052 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009053 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +00009054
Hanno Becker67bc7c32018-08-06 11:33:50 +01009055 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +00009056 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009057 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +00009058 return( ret );
9059 }
Paul Bakker5121ce52009-01-03 21:22:43 +00009060 }
9061
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02009062 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +00009063}
9064
9065/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009066 * Write application data, doing 1/n-1 splitting if necessary.
9067 *
9068 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01009069 * then the caller will call us again with the same arguments, so
Hanno Becker2b187c42017-09-18 14:58:11 +01009070 * remember whether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009071 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009072#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009073static int ssl_write_split( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009074 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009075{
9076 int ret;
9077
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +01009078 if( ssl->conf->cbc_record_splitting ==
9079 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01009080 len <= 1 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009081 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
9082 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
9083 != MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009084 {
9085 return( ssl_write_real( ssl, buf, len ) );
9086 }
9087
9088 if( ssl->split_done == 0 )
9089 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01009090 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009091 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01009092 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009093 }
9094
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01009095 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
9096 return( ret );
9097 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009098
9099 return( ret + 1 );
9100}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009101#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01009102
9103/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009104 * Write application data (public-facing wrapper)
9105 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009106int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009107{
9108 int ret;
9109
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009110 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009111
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02009112 if( ssl == NULL || ssl->conf == NULL )
9113 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9114
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009115#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009116 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
9117 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009118 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009119 return( ret );
9120 }
9121#endif
9122
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009123 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009124 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009125 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009126 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +02009127 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009128 return( ret );
9129 }
9130 }
9131
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009132#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009133 ret = ssl_write_split( ssl, buf, len );
9134#else
9135 ret = ssl_write_real( ssl, buf, len );
9136#endif
9137
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +02009138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02009139
9140 return( ret );
9141}
9142
9143/*
Paul Bakker5121ce52009-01-03 21:22:43 +00009144 * Notify the peer that the connection is being closed
9145 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009146int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00009147{
9148 int ret;
9149
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02009150 if( ssl == NULL || ssl->conf == NULL )
9151 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9152
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009153 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00009154
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02009155 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009156 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00009157
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009158 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00009159 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009160 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
9161 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
9162 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00009163 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009164 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00009165 return( ret );
9166 }
9167 }
9168
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00009170
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02009171 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00009172}
9173
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009174void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +00009175{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02009176 if( transform == NULL )
9177 return;
9178
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009179#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00009180 deflateEnd( &transform->ctx_deflate );
9181 inflateEnd( &transform->ctx_inflate );
9182#endif
9183
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009184 mbedtls_cipher_free( &transform->cipher_ctx_enc );
9185 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +02009186
Hanno Becker92231322018-01-03 15:32:51 +00009187#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009188 mbedtls_md_free( &transform->md_ctx_enc );
9189 mbedtls_md_free( &transform->md_ctx_dec );
Hanno Becker92231322018-01-03 15:32:51 +00009190#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02009191
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009192 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +00009193}
9194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009195#if defined(MBEDTLS_X509_CRT_PARSE_C)
9196static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02009197{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009198 mbedtls_ssl_key_cert *cur = key_cert, *next;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02009199
9200 while( cur != NULL )
9201 {
9202 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009203 mbedtls_free( cur );
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02009204 cur = next;
9205 }
9206}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009207#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02009208
Hanno Becker0271f962018-08-16 13:23:47 +01009209#if defined(MBEDTLS_SSL_PROTO_DTLS)
9210
9211static void ssl_buffering_free( mbedtls_ssl_context *ssl )
9212{
9213 unsigned offset;
9214 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
9215
9216 if( hs == NULL )
9217 return;
9218
Hanno Becker283f5ef2018-08-24 09:34:47 +01009219 ssl_free_buffered_record( ssl );
9220
Hanno Becker0271f962018-08-16 13:23:47 +01009221 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +01009222 ssl_buffering_free_slot( ssl, offset );
9223}
9224
9225static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
9226 uint8_t slot )
9227{
9228 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
9229 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +01009230
9231 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
9232 return;
9233
Hanno Beckere605b192018-08-21 15:59:07 +01009234 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +01009235 {
Hanno Beckere605b192018-08-21 15:59:07 +01009236 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +01009237 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +01009238 mbedtls_free( hs_buf->data );
9239 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +01009240 }
9241}
9242
9243#endif /* MBEDTLS_SSL_PROTO_DTLS */
9244
Gilles Peskine9b562d52018-04-25 20:32:43 +02009245void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00009246{
Gilles Peskine9b562d52018-04-25 20:32:43 +02009247 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
9248
Paul Bakkeraccaffe2014-06-26 13:37:14 +02009249 if( handshake == NULL )
9250 return;
9251
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02009252#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
9253 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
9254 {
Gilles Peskine8f97af72018-04-26 11:46:10 +02009255 ssl->conf->f_async_cancel( ssl );
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02009256 handshake->async_in_progress = 0;
9257 }
9258#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
9259
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02009260#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
9261 defined(MBEDTLS_SSL_PROTO_TLS1_1)
9262 mbedtls_md5_free( &handshake->fin_md5 );
9263 mbedtls_sha1_free( &handshake->fin_sha1 );
9264#endif
9265#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9266#if defined(MBEDTLS_SHA256_C)
9267 mbedtls_sha256_free( &handshake->fin_sha256 );
9268#endif
9269#if defined(MBEDTLS_SHA512_C)
9270 mbedtls_sha512_free( &handshake->fin_sha512 );
9271#endif
9272#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009274#if defined(MBEDTLS_DHM_C)
9275 mbedtls_dhm_free( &handshake->dhm_ctx );
Paul Bakker48916f92012-09-16 19:57:18 +00009276#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009277#if defined(MBEDTLS_ECDH_C)
9278 mbedtls_ecdh_free( &handshake->ecdh_ctx );
Paul Bakker61d113b2013-07-04 11:51:43 +02009279#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02009280#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02009281 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02009282#if defined(MBEDTLS_SSL_CLI_C)
9283 mbedtls_free( handshake->ecjpake_cache );
9284 handshake->ecjpake_cache = NULL;
9285 handshake->ecjpake_cache_len = 0;
9286#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02009287#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02009288
Janos Follath4ae5c292016-02-10 11:27:43 +00009289#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
9290 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +02009291 /* explicit void pointer cast for buggy MS compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009292 mbedtls_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02009293#endif
9294
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01009295#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
9296 if( handshake->psk != NULL )
9297 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009298 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01009299 mbedtls_free( handshake->psk );
9300 }
9301#endif
9302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009303#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
9304 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02009305 /*
9306 * Free only the linked list wrapper, not the keys themselves
9307 * since the belong to the SNI callback
9308 */
9309 if( handshake->sni_key_cert != NULL )
9310 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009311 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02009312
9313 while( cur != NULL )
9314 {
9315 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009316 mbedtls_free( cur );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02009317 cur = next;
9318 }
9319 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009320#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02009321
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02009322#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02009323 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02009324#endif
9325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009326#if defined(MBEDTLS_SSL_PROTO_DTLS)
9327 mbedtls_free( handshake->verify_cookie );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +02009328 ssl_flight_free( handshake->flight );
Hanno Becker0271f962018-08-16 13:23:47 +01009329 ssl_buffering_free( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02009330#endif
9331
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009332 mbedtls_platform_zeroize( handshake,
9333 sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakker48916f92012-09-16 19:57:18 +00009334}
9335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009336void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
Paul Bakker48916f92012-09-16 19:57:18 +00009337{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02009338 if( session == NULL )
9339 return;
9340
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009341#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker0a597072012-09-25 21:55:46 +00009342 if( session->peer_cert != NULL )
Paul Bakker48916f92012-09-16 19:57:18 +00009343 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009344 mbedtls_x509_crt_free( session->peer_cert );
9345 mbedtls_free( session->peer_cert );
Paul Bakker48916f92012-09-16 19:57:18 +00009346 }
Paul Bakkered27a042013-04-18 22:46:23 +02009347#endif
Paul Bakker0a597072012-09-25 21:55:46 +00009348
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02009349#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009350 mbedtls_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +02009351#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02009352
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009353 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00009354}
9355
Paul Bakker5121ce52009-01-03 21:22:43 +00009356/*
9357 * Free an SSL context
9358 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009359void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00009360{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02009361 if( ssl == NULL )
9362 return;
9363
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009364 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00009365
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01009366 if( ssl->out_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00009367 {
Angus Grattond8213d02016-05-25 20:56:48 +10009368 mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009369 mbedtls_free( ssl->out_buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00009370 }
9371
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01009372 if( ssl->in_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00009373 {
Angus Grattond8213d02016-05-25 20:56:48 +10009374 mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009375 mbedtls_free( ssl->in_buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00009376 }
9377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009378#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker16770332013-10-11 09:59:44 +02009379 if( ssl->compress_buf != NULL )
9380 {
Angus Grattond8213d02016-05-25 20:56:48 +10009381 mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009382 mbedtls_free( ssl->compress_buf );
Paul Bakker16770332013-10-11 09:59:44 +02009383 }
9384#endif
9385
Paul Bakker48916f92012-09-16 19:57:18 +00009386 if( ssl->transform )
9387 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009388 mbedtls_ssl_transform_free( ssl->transform );
9389 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00009390 }
9391
9392 if( ssl->handshake )
9393 {
Gilles Peskine9b562d52018-04-25 20:32:43 +02009394 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009395 mbedtls_ssl_transform_free( ssl->transform_negotiate );
9396 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00009397
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009398 mbedtls_free( ssl->handshake );
9399 mbedtls_free( ssl->transform_negotiate );
9400 mbedtls_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00009401 }
9402
Paul Bakkerc0463502013-02-14 11:19:38 +01009403 if( ssl->session )
9404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009405 mbedtls_ssl_session_free( ssl->session );
9406 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01009407 }
9408
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +02009409#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker66d5d072014-06-17 16:39:18 +02009410 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00009411 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009412 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009413 mbedtls_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00009414 }
Paul Bakker0be444a2013-08-27 21:55:01 +02009415#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00009416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009417#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
9418 if( mbedtls_ssl_hw_record_finish != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00009419 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
9421 mbedtls_ssl_hw_record_finish( ssl );
Paul Bakker05ef8352012-05-08 09:17:57 +00009422 }
9423#endif
9424
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02009425#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009426 mbedtls_free( ssl->cli_id );
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02009427#endif
9428
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00009430
Paul Bakker86f04f42013-02-14 11:20:09 +01009431 /* Actually clear after last debug message */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009432 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00009433}
9434
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009435/*
9436 * Initialze mbedtls_ssl_config
9437 */
9438void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
9439{
9440 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
9441}
9442
Simon Butcherc97b6972015-12-27 23:48:17 +00009443#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01009444static int ssl_preset_default_hashes[] = {
9445#if defined(MBEDTLS_SHA512_C)
9446 MBEDTLS_MD_SHA512,
9447 MBEDTLS_MD_SHA384,
9448#endif
9449#if defined(MBEDTLS_SHA256_C)
9450 MBEDTLS_MD_SHA256,
9451 MBEDTLS_MD_SHA224,
9452#endif
Gilles Peskine5d2511c2017-05-12 13:16:40 +02009453#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01009454 MBEDTLS_MD_SHA1,
9455#endif
9456 MBEDTLS_MD_NONE
9457};
Simon Butcherc97b6972015-12-27 23:48:17 +00009458#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01009459
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009460static int ssl_preset_suiteb_ciphersuites[] = {
9461 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
9462 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
9463 0
9464};
9465
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +02009466#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009467static int ssl_preset_suiteb_hashes[] = {
9468 MBEDTLS_MD_SHA256,
9469 MBEDTLS_MD_SHA384,
9470 MBEDTLS_MD_NONE
9471};
9472#endif
9473
9474#if defined(MBEDTLS_ECP_C)
9475static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
9476 MBEDTLS_ECP_DP_SECP256R1,
9477 MBEDTLS_ECP_DP_SECP384R1,
9478 MBEDTLS_ECP_DP_NONE
9479};
9480#endif
9481
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009482/*
Tillmann Karras588ad502015-09-25 04:27:22 +02009483 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009484 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02009485int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009486 int endpoint, int transport, int preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009487{
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02009488#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009489 int ret;
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02009490#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009491
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +02009492 /* Use the functions here so that they are covered in tests,
9493 * but otherwise access member directly for efficiency */
9494 mbedtls_ssl_conf_endpoint( conf, endpoint );
9495 mbedtls_ssl_conf_transport( conf, transport );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009496
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009497 /*
9498 * Things that are common to all presets
9499 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02009500#if defined(MBEDTLS_SSL_CLI_C)
9501 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
9502 {
9503 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
9504#if defined(MBEDTLS_SSL_SESSION_TICKETS)
9505 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
9506#endif
9507 }
9508#endif
9509
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +02009510#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009511 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +02009512#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009513
9514#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9515 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
9516#endif
9517
9518#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
9519 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
9520#endif
9521
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +01009522#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
9523 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
9524#endif
9525
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02009526#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009527 conf->f_cookie_write = ssl_cookie_write_dummy;
9528 conf->f_cookie_check = ssl_cookie_check_dummy;
9529#endif
9530
9531#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
9532 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
9533#endif
9534
Janos Follath088ce432017-04-10 12:42:31 +01009535#if defined(MBEDTLS_SSL_SRV_C)
9536 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
9537#endif
9538
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009539#if defined(MBEDTLS_SSL_PROTO_DTLS)
9540 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
9541 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
9542#endif
9543
9544#if defined(MBEDTLS_SSL_RENEGOTIATION)
9545 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Andres AG2196c7f2016-12-15 17:01:16 +00009546 memset( conf->renego_period, 0x00, 2 );
9547 memset( conf->renego_period + 2, 0xFF, 6 );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009548#endif
9549
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009550#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
9551 if( endpoint == MBEDTLS_SSL_IS_SERVER )
9552 {
Hanno Becker00d0a682017-10-04 13:14:29 +01009553 const unsigned char dhm_p[] =
9554 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
9555 const unsigned char dhm_g[] =
9556 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
9557
Hanno Beckera90658f2017-10-04 15:29:08 +01009558 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
9559 dhm_p, sizeof( dhm_p ),
9560 dhm_g, sizeof( dhm_g ) ) ) != 0 )
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009561 {
9562 return( ret );
9563 }
9564 }
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02009565#endif
9566
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009567 /*
9568 * Preset-specific defaults
9569 */
9570 switch( preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009571 {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009572 /*
9573 * NSA Suite B
9574 */
9575 case MBEDTLS_SSL_PRESET_SUITEB:
9576 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
9577 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
9578 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9579 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9580
9581 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9582 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9583 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9584 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9585 ssl_preset_suiteb_ciphersuites;
9586
9587#if defined(MBEDTLS_X509_CRT_PARSE_C)
9588 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009589#endif
9590
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +02009591#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009592 conf->sig_hashes = ssl_preset_suiteb_hashes;
9593#endif
9594
9595#if defined(MBEDTLS_ECP_C)
9596 conf->curve_list = ssl_preset_suiteb_curves;
9597#endif
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +02009598 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009599
9600 /*
9601 * Default
9602 */
9603 default:
Ron Eldor5e9f14d2017-05-28 10:46:38 +03009604 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
9605 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
9606 MBEDTLS_SSL_MIN_MAJOR_VERSION :
9607 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
9608 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
9609 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
9610 MBEDTLS_SSL_MIN_MINOR_VERSION :
9611 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009612 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9613 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9614
9615#if defined(MBEDTLS_SSL_PROTO_DTLS)
9616 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
9617 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
9618#endif
9619
9620 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9621 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9622 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9623 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9624 mbedtls_ssl_list_ciphersuites();
9625
9626#if defined(MBEDTLS_X509_CRT_PARSE_C)
9627 conf->cert_profile = &mbedtls_x509_crt_profile_default;
9628#endif
9629
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +02009630#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01009631 conf->sig_hashes = ssl_preset_default_hashes;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02009632#endif
9633
9634#if defined(MBEDTLS_ECP_C)
9635 conf->curve_list = mbedtls_ecp_grp_id_list();
9636#endif
9637
9638#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
9639 conf->dhm_min_bitlen = 1024;
9640#endif
9641 }
9642
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009643 return( 0 );
9644}
9645
9646/*
9647 * Free mbedtls_ssl_config
9648 */
9649void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
9650{
9651#if defined(MBEDTLS_DHM_C)
9652 mbedtls_mpi_free( &conf->dhm_P );
9653 mbedtls_mpi_free( &conf->dhm_G );
9654#endif
9655
9656#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
9657 if( conf->psk != NULL )
9658 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009659 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009660 mbedtls_free( conf->psk );
Azim Khan27e8a122018-03-21 14:24:11 +00009661 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009662 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +09009663 }
9664
9665 if( conf->psk_identity != NULL )
9666 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009667 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
junyeonLEE316b1622017-12-20 16:29:30 +09009668 mbedtls_free( conf->psk_identity );
Azim Khan27e8a122018-03-21 14:24:11 +00009669 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009670 conf->psk_identity_len = 0;
9671 }
9672#endif
9673
9674#if defined(MBEDTLS_X509_CRT_PARSE_C)
9675 ssl_key_cert_free( conf->key_cert );
9676#endif
9677
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05009678 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02009679}
9680
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02009681#if defined(MBEDTLS_PK_C) && \
9682 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02009683/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009684 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02009685 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009686unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02009687{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009688#if defined(MBEDTLS_RSA_C)
9689 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
9690 return( MBEDTLS_SSL_SIG_RSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02009691#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009692#if defined(MBEDTLS_ECDSA_C)
9693 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
9694 return( MBEDTLS_SSL_SIG_ECDSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02009695#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009696 return( MBEDTLS_SSL_SIG_ANON );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02009697}
9698
Hanno Becker7e5437a2017-04-28 17:15:26 +01009699unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
9700{
9701 switch( type ) {
9702 case MBEDTLS_PK_RSA:
9703 return( MBEDTLS_SSL_SIG_RSA );
9704 case MBEDTLS_PK_ECDSA:
9705 case MBEDTLS_PK_ECKEY:
9706 return( MBEDTLS_SSL_SIG_ECDSA );
9707 default:
9708 return( MBEDTLS_SSL_SIG_ANON );
9709 }
9710}
9711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009712mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009713{
9714 switch( sig )
9715 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009716#if defined(MBEDTLS_RSA_C)
9717 case MBEDTLS_SSL_SIG_RSA:
9718 return( MBEDTLS_PK_RSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009719#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009720#if defined(MBEDTLS_ECDSA_C)
9721 case MBEDTLS_SSL_SIG_ECDSA:
9722 return( MBEDTLS_PK_ECDSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009723#endif
9724 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009725 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009726 }
9727}
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02009728#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009729
Hanno Becker7e5437a2017-04-28 17:15:26 +01009730#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9731 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9732
9733/* Find an entry in a signature-hash set matching a given hash algorithm. */
9734mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
9735 mbedtls_pk_type_t sig_alg )
9736{
9737 switch( sig_alg )
9738 {
9739 case MBEDTLS_PK_RSA:
9740 return( set->rsa );
9741 case MBEDTLS_PK_ECDSA:
9742 return( set->ecdsa );
9743 default:
9744 return( MBEDTLS_MD_NONE );
9745 }
9746}
9747
9748/* Add a signature-hash-pair to a signature-hash set */
9749void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
9750 mbedtls_pk_type_t sig_alg,
9751 mbedtls_md_type_t md_alg )
9752{
9753 switch( sig_alg )
9754 {
9755 case MBEDTLS_PK_RSA:
9756 if( set->rsa == MBEDTLS_MD_NONE )
9757 set->rsa = md_alg;
9758 break;
9759
9760 case MBEDTLS_PK_ECDSA:
9761 if( set->ecdsa == MBEDTLS_MD_NONE )
9762 set->ecdsa = md_alg;
9763 break;
9764
9765 default:
9766 break;
9767 }
9768}
9769
9770/* Allow exactly one hash algorithm for each signature. */
9771void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
9772 mbedtls_md_type_t md_alg )
9773{
9774 set->rsa = md_alg;
9775 set->ecdsa = md_alg;
9776}
9777
9778#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
9779 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
9780
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02009781/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02009782 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02009783 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009784mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009785{
9786 switch( hash )
9787 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009788#if defined(MBEDTLS_MD5_C)
9789 case MBEDTLS_SSL_HASH_MD5:
9790 return( MBEDTLS_MD_MD5 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009791#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009792#if defined(MBEDTLS_SHA1_C)
9793 case MBEDTLS_SSL_HASH_SHA1:
9794 return( MBEDTLS_MD_SHA1 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009795#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009796#if defined(MBEDTLS_SHA256_C)
9797 case MBEDTLS_SSL_HASH_SHA224:
9798 return( MBEDTLS_MD_SHA224 );
9799 case MBEDTLS_SSL_HASH_SHA256:
9800 return( MBEDTLS_MD_SHA256 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009801#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009802#if defined(MBEDTLS_SHA512_C)
9803 case MBEDTLS_SSL_HASH_SHA384:
9804 return( MBEDTLS_MD_SHA384 );
9805 case MBEDTLS_SSL_HASH_SHA512:
9806 return( MBEDTLS_MD_SHA512 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009807#endif
9808 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009809 return( MBEDTLS_MD_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02009810 }
9811}
9812
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02009813/*
9814 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
9815 */
9816unsigned char mbedtls_ssl_hash_from_md_alg( int md )
9817{
9818 switch( md )
9819 {
9820#if defined(MBEDTLS_MD5_C)
9821 case MBEDTLS_MD_MD5:
9822 return( MBEDTLS_SSL_HASH_MD5 );
9823#endif
9824#if defined(MBEDTLS_SHA1_C)
9825 case MBEDTLS_MD_SHA1:
9826 return( MBEDTLS_SSL_HASH_SHA1 );
9827#endif
9828#if defined(MBEDTLS_SHA256_C)
9829 case MBEDTLS_MD_SHA224:
9830 return( MBEDTLS_SSL_HASH_SHA224 );
9831 case MBEDTLS_MD_SHA256:
9832 return( MBEDTLS_SSL_HASH_SHA256 );
9833#endif
9834#if defined(MBEDTLS_SHA512_C)
9835 case MBEDTLS_MD_SHA384:
9836 return( MBEDTLS_SSL_HASH_SHA384 );
9837 case MBEDTLS_MD_SHA512:
9838 return( MBEDTLS_SSL_HASH_SHA512 );
9839#endif
9840 default:
9841 return( MBEDTLS_SSL_HASH_NONE );
9842 }
9843}
9844
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02009845#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009846/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02009847 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02009848 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009849 */
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02009850int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009851{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009852 const mbedtls_ecp_group_id *gid;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009853
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02009854 if( ssl->conf->curve_list == NULL )
9855 return( -1 );
9856
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02009857 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009858 if( *gid == grp_id )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02009859 return( 0 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009860
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02009861 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01009862}
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02009863#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009864
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +02009865#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02009866/*
9867 * Check if a hash proposed by the peer is in our list.
9868 * Return 0 if we're willing to use it, -1 otherwise.
9869 */
9870int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
9871 mbedtls_md_type_t md )
9872{
9873 const int *cur;
9874
9875 if( ssl->conf->sig_hashes == NULL )
9876 return( -1 );
9877
9878 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
9879 if( *cur == (int) md )
9880 return( 0 );
9881
9882 return( -1 );
9883}
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +02009884#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02009885
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009886#if defined(MBEDTLS_X509_CRT_PARSE_C)
9887int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
9888 const mbedtls_ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009889 int cert_endpoint,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02009890 uint32_t *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009891{
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009892 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009893#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009894 int usage = 0;
9895#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009896#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009897 const char *ext_oid;
9898 size_t ext_len;
9899#endif
9900
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009901#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
9902 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009903 ((void) cert);
9904 ((void) cert_endpoint);
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009905 ((void) flags);
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009906#endif
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009907
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009908#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
9909 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009910 {
9911 /* Server part of the key exchange */
9912 switch( ciphersuite->key_exchange )
9913 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009914 case MBEDTLS_KEY_EXCHANGE_RSA:
9915 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01009916 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009917 break;
9918
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009919 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9920 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9921 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9922 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009923 break;
9924
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009925 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9926 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01009927 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009928 break;
9929
9930 /* Don't use default: we want warnings when adding new values */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009931 case MBEDTLS_KEY_EXCHANGE_NONE:
9932 case MBEDTLS_KEY_EXCHANGE_PSK:
9933 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9934 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +02009935 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009936 usage = 0;
9937 }
9938 }
9939 else
9940 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009941 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
9942 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009943 }
9944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009945 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009946 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01009947 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009948 ret = -1;
9949 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009950#else
9951 ((void) ciphersuite);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009952#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009954#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
9955 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009956 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009957 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9958 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009959 }
9960 else
9961 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009962 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9963 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009964 }
9965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009966 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009967 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01009968 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009969 ret = -1;
9970 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009971#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02009972
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01009973 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02009974}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009975#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +02009976
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01009977/*
9978 * Convert version numbers to/from wire format
9979 * and, for DTLS, to/from TLS equivalent.
9980 *
9981 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -08009982 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01009983 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
9984 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
9985 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009986void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01009987 unsigned char ver[2] )
9988{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009989#if defined(MBEDTLS_SSL_PROTO_DTLS)
9990 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01009991 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02009992 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01009993 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
9994
9995 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
9996 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
9997 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +01009998 else
9999#else
10000 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010001#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +010010002 {
10003 ver[0] = (unsigned char) major;
10004 ver[1] = (unsigned char) minor;
10005 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010006}
10007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020010008void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010009 const unsigned char ver[2] )
10010{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020010011#if defined(MBEDTLS_SSL_PROTO_DTLS)
10012 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010013 {
10014 *major = 255 - ver[0] + 2;
10015 *minor = 255 - ver[1] + 1;
10016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020010017 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010018 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
10019 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +010010020 else
10021#else
10022 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010023#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +010010024 {
10025 *major = ver[0];
10026 *minor = ver[1];
10027 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +010010028}
10029
Simon Butcher99000142016-10-13 17:21:01 +010010030int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
10031{
10032#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
10033 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
10034 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10035
10036 switch( md )
10037 {
10038#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
10039#if defined(MBEDTLS_MD5_C)
10040 case MBEDTLS_SSL_HASH_MD5:
Janos Follath182013f2016-10-25 10:50:22 +010010041 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
Simon Butcher99000142016-10-13 17:21:01 +010010042#endif
10043#if defined(MBEDTLS_SHA1_C)
10044 case MBEDTLS_SSL_HASH_SHA1:
10045 ssl->handshake->calc_verify = ssl_calc_verify_tls;
10046 break;
10047#endif
10048#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
10049#if defined(MBEDTLS_SHA512_C)
10050 case MBEDTLS_SSL_HASH_SHA384:
10051 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
10052 break;
10053#endif
10054#if defined(MBEDTLS_SHA256_C)
10055 case MBEDTLS_SSL_HASH_SHA256:
10056 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
10057 break;
10058#endif
10059 default:
10060 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10061 }
10062
10063 return 0;
10064#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
10065 (void) ssl;
10066 (void) md;
10067
10068 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10069#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
10070}
10071
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010072#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
10073 defined(MBEDTLS_SSL_PROTO_TLS1_1)
10074int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
10075 unsigned char *output,
10076 unsigned char *data, size_t data_len )
10077{
10078 int ret = 0;
10079 mbedtls_md5_context mbedtls_md5;
10080 mbedtls_sha1_context mbedtls_sha1;
10081
10082 mbedtls_md5_init( &mbedtls_md5 );
10083 mbedtls_sha1_init( &mbedtls_sha1 );
10084
10085 /*
10086 * digitally-signed struct {
10087 * opaque md5_hash[16];
10088 * opaque sha_hash[20];
10089 * };
10090 *
10091 * md5_hash
10092 * MD5(ClientHello.random + ServerHello.random
10093 * + ServerParams);
10094 * sha_hash
10095 * SHA(ClientHello.random + ServerHello.random
10096 * + ServerParams);
10097 */
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010098 if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010099 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010100 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010101 goto exit;
10102 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010103 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010104 ssl->handshake->randbytes, 64 ) ) != 0 )
10105 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010106 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010107 goto exit;
10108 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010109 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010110 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010111 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010112 goto exit;
10113 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010114 if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010115 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010116 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010117 goto exit;
10118 }
10119
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010120 if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010121 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010122 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010123 goto exit;
10124 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010125 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010126 ssl->handshake->randbytes, 64 ) ) != 0 )
10127 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010128 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010129 goto exit;
10130 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010131 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010132 data_len ) ) != 0 )
10133 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010134 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010135 goto exit;
10136 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010137 if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010138 output + 16 ) ) != 0 )
10139 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +010010140 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010141 goto exit;
10142 }
10143
10144exit:
10145 mbedtls_md5_free( &mbedtls_md5 );
10146 mbedtls_sha1_free( &mbedtls_sha1 );
10147
10148 if( ret != 0 )
10149 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10150 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
10151
10152 return( ret );
10153
10154}
10155#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
10156 MBEDTLS_SSL_PROTO_TLS1_1 */
10157
10158#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
10159 defined(MBEDTLS_SSL_PROTO_TLS1_2)
10160int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +020010161 unsigned char *hash, size_t *hashlen,
10162 unsigned char *data, size_t data_len,
10163 mbedtls_md_type_t md_alg )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010164{
10165 int ret = 0;
10166 mbedtls_md_context_t ctx;
10167 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
Gilles Peskineca1d7422018-04-24 11:53:22 +020010168 *hashlen = mbedtls_md_get_size( md_info );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010169
10170 mbedtls_md_init( &ctx );
10171
10172 /*
10173 * digitally-signed struct {
10174 * opaque client_random[32];
10175 * opaque server_random[32];
10176 * ServerDHParams params;
10177 * };
10178 */
10179 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
10180 {
10181 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
10182 goto exit;
10183 }
10184 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
10185 {
10186 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
10187 goto exit;
10188 }
10189 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
10190 {
10191 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
10192 goto exit;
10193 }
10194 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
10195 {
10196 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
10197 goto exit;
10198 }
Gilles Peskineca1d7422018-04-24 11:53:22 +020010199 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +010010200 {
10201 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
10202 goto exit;
10203 }
10204
10205exit:
10206 mbedtls_md_free( &ctx );
10207
10208 if( ret != 0 )
10209 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10210 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
10211
10212 return( ret );
10213}
10214#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
10215 MBEDTLS_SSL_PROTO_TLS1_2 */
10216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020010217#endif /* MBEDTLS_SSL_TLS_C */