blob: 8a65b70adb5995dec95aca9e80a5b0761b7a2ff6 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002 * TLS shared functions
Paul Bakker5121ce52009-01-03 21:22:43 +00003 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +000018 */
19/*
Paul Bakker5121ce52009-01-03 21:22:43 +000020 * http://www.ietf.org/rfc/rfc2246.txt
21 * http://www.ietf.org/rfc/rfc4346.txt
22 */
23
Gilles Peskinedb09ef62020-06-03 01:43:33 +020024#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020026#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000027
SimonBd5800b72016-04-26 07:43:27 +010028#if defined(MBEDTLS_PLATFORM_C)
29#include "mbedtls/platform.h"
30#else
31#include <stdlib.h>
32#define mbedtls_calloc calloc
33#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +010034#endif
35
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000036#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +000037#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +000038#include "mbedtls/debug.h"
39#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050040#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +010041#include "mbedtls/version.h"
Paul Bakker0be444a2013-08-27 21:55:01 +020042
Rich Evans00ab4702015-02-06 13:43:58 +000043#include <string.h>
44
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050045#if defined(MBEDTLS_USE_PSA_CRYPTO)
46#include "mbedtls/psa_util.h"
47#include "psa/crypto.h"
48#endif
49
Janos Follath23bdca02016-10-07 14:47:14 +010050#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000051#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020052#endif
53
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020054#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +010055
Hanno Beckera0e20d02019-05-15 14:03:01 +010056#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf8542cf2019-04-09 15:22:03 +010057/* Top-level Connection ID API */
58
Hanno Becker8367ccc2019-05-14 11:30:10 +010059int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
60 size_t len,
61 int ignore_other_cid )
Hanno Beckerad4a1372019-05-03 13:06:44 +010062{
63 if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
64 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
65
Hanno Becker611ac772019-05-14 11:45:26 +010066 if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
67 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
68 {
69 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
70 }
71
72 conf->ignore_unexpected_cid = ignore_other_cid;
Hanno Beckerad4a1372019-05-03 13:06:44 +010073 conf->cid_len = len;
74 return( 0 );
75}
76
Hanno Beckerf8542cf2019-04-09 15:22:03 +010077int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
78 int enable,
79 unsigned char const *own_cid,
80 size_t own_cid_len )
81{
Hanno Becker76a79ab2019-05-03 14:38:32 +010082 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
83 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
84
Hanno Beckerca092242019-04-25 16:01:49 +010085 ssl->negotiate_cid = enable;
86 if( enable == MBEDTLS_SSL_CID_DISABLED )
87 {
88 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
89 return( 0 );
90 }
91 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
Hanno Beckerad4a1372019-05-03 13:06:44 +010092 MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
Hanno Beckerca092242019-04-25 16:01:49 +010093
Hanno Beckerad4a1372019-05-03 13:06:44 +010094 if( own_cid_len != ssl->conf->cid_len )
Hanno Beckerca092242019-04-25 16:01:49 +010095 {
Hanno Beckerad4a1372019-05-03 13:06:44 +010096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
97 (unsigned) own_cid_len,
98 (unsigned) ssl->conf->cid_len ) );
Hanno Beckerca092242019-04-25 16:01:49 +010099 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
100 }
101
102 memcpy( ssl->own_cid, own_cid, own_cid_len );
Hanno Beckerb7ee0cf2019-04-30 14:07:31 +0100103 /* Truncation is not an issue here because
104 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
105 ssl->own_cid_len = (uint8_t) own_cid_len;
Hanno Beckerca092242019-04-25 16:01:49 +0100106
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100107 return( 0 );
108}
109
110int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
111 int *enabled,
112 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
113 size_t *peer_cid_len )
114{
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100115 *enabled = MBEDTLS_SSL_CID_DISABLED;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100116
Hanno Becker76a79ab2019-05-03 14:38:32 +0100117 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
118 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
119 {
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100120 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Becker76a79ab2019-05-03 14:38:32 +0100121 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100122
Hanno Beckerc5f24222019-05-03 12:54:52 +0100123 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
124 * were used, but client and server requested the empty CID.
125 * This is indistinguishable from not using the CID extension
126 * in the first place. */
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100127 if( ssl->transform_in->in_cid_len == 0 &&
128 ssl->transform_in->out_cid_len == 0 )
129 {
130 return( 0 );
131 }
132
Hanno Becker615ef172019-05-22 16:50:35 +0100133 if( peer_cid_len != NULL )
134 {
135 *peer_cid_len = ssl->transform_in->out_cid_len;
136 if( peer_cid != NULL )
137 {
138 memcpy( peer_cid, ssl->transform_in->out_cid,
139 ssl->transform_in->out_cid_len );
140 }
141 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100142
143 *enabled = MBEDTLS_SSL_CID_ENABLED;
144
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100145 return( 0 );
146}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100147#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100148
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200149#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200150
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200151#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200152/*
153 * Convert max_fragment_length codes to length.
154 * RFC 6066 says:
155 * enum{
156 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
157 * } MaxFragmentLength;
158 * and we add 0 -> extension unused
159 */
Angus Grattond8213d02016-05-25 20:56:48 +1000160static unsigned int ssl_mfl_code_to_length( int mfl )
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200161{
Angus Grattond8213d02016-05-25 20:56:48 +1000162 switch( mfl )
163 {
164 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
165 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
166 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
167 return 512;
168 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
169 return 1024;
170 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
171 return 2048;
172 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
173 return 4096;
174 default:
175 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
176 }
177}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200178#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200179
Hanno Becker52055ae2019-02-06 14:30:46 +0000180int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
181 const mbedtls_ssl_session *src )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200182{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200183 mbedtls_ssl_session_free( dst );
184 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200186#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000187
188#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200189 if( src->peer_cert != NULL )
190 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000191 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200192
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200193 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200194 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200195 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200197 mbedtls_x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200199 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200200 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200201 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200202 mbedtls_free( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200203 dst->peer_cert = NULL;
204 return( ret );
205 }
206 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000207#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker9198ad12019-02-05 17:00:50 +0000208 if( src->peer_cert_digest != NULL )
209 {
Hanno Becker9198ad12019-02-05 17:00:50 +0000210 dst->peer_cert_digest =
Hanno Beckeraccc5992019-02-25 10:06:59 +0000211 mbedtls_calloc( 1, src->peer_cert_digest_len );
Hanno Becker9198ad12019-02-05 17:00:50 +0000212 if( dst->peer_cert_digest == NULL )
213 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
214
215 memcpy( dst->peer_cert_digest, src->peer_cert_digest,
216 src->peer_cert_digest_len );
217 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000218 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000219 }
220#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200222#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200223
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200224#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200225 if( src->ticket != NULL )
226 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200227 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200228 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200229 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200230
231 memcpy( dst->ticket, src->ticket, src->ticket_len );
232 }
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200233#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200234
235 return( 0 );
236}
237
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500238#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
239static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
240{
241 unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
242 if( resized_buffer == NULL )
243 return -1;
244
245 /* We want to copy len_new bytes when downsizing the buffer, and
246 * len_old bytes when upsizing, so we choose the smaller of two sizes,
247 * to fit one buffer into another. Size checks, ensuring that no data is
248 * lost, are done outside of this function. */
249 memcpy( resized_buffer, *buffer,
250 ( len_new < *len_old ) ? len_new : *len_old );
251 mbedtls_platform_zeroize( *buffer, *len_old );
252 mbedtls_free( *buffer );
253
254 *buffer = resized_buffer;
255 *len_old = len_new;
256
257 return 0;
258}
Andrzej Kurek4a063792020-10-21 15:08:44 +0200259
260static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
Andrzej Kurek069fa962021-01-07 08:02:15 -0500261 size_t in_buf_new_len,
262 size_t out_buf_new_len )
Andrzej Kurek4a063792020-10-21 15:08:44 +0200263{
264 int modified = 0;
265 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
266 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
267 if( ssl->in_buf != NULL )
268 {
269 written_in = ssl->in_msg - ssl->in_buf;
270 iv_offset_in = ssl->in_iv - ssl->in_buf;
271 len_offset_in = ssl->in_len - ssl->in_buf;
272 if( downsizing ?
273 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
274 ssl->in_buf_len < in_buf_new_len )
275 {
276 if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
277 {
278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
279 }
280 else
281 {
Paul Elliottb7449902021-03-10 18:14:58 +0000282 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
283 in_buf_new_len ) );
Andrzej Kurek4a063792020-10-21 15:08:44 +0200284 modified = 1;
285 }
286 }
287 }
288
289 if( ssl->out_buf != NULL )
290 {
291 written_out = ssl->out_msg - ssl->out_buf;
292 iv_offset_out = ssl->out_iv - ssl->out_buf;
293 len_offset_out = ssl->out_len - ssl->out_buf;
294 if( downsizing ?
295 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
296 ssl->out_buf_len < out_buf_new_len )
297 {
298 if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
299 {
300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
301 }
302 else
303 {
Paul Elliottb7449902021-03-10 18:14:58 +0000304 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
305 out_buf_new_len ) );
Andrzej Kurek4a063792020-10-21 15:08:44 +0200306 modified = 1;
307 }
308 }
309 }
310 if( modified )
311 {
312 /* Update pointers here to avoid doing it twice. */
313 mbedtls_ssl_reset_in_out_pointers( ssl );
314 /* Fields below might not be properly updated with record
315 * splitting or with CID, so they are manually updated here. */
316 ssl->out_msg = ssl->out_buf + written_out;
317 ssl->out_len = ssl->out_buf + len_offset_out;
318 ssl->out_iv = ssl->out_buf + iv_offset_out;
319
320 ssl->in_msg = ssl->in_buf + written_in;
321 ssl->in_len = ssl->in_buf + len_offset_in;
322 ssl->in_iv = ssl->in_buf + iv_offset_in;
323 }
324}
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500325#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200327#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekc929a822019-01-14 03:51:11 -0500328#if defined(MBEDTLS_USE_PSA_CRYPTO)
k-stachowiak81053a52019-08-17 10:30:28 +0200329
330static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200331 psa_key_id_t key,
k-stachowiak81053a52019-08-17 10:30:28 +0200332 psa_algorithm_t alg,
333 const unsigned char* seed, size_t seed_length,
334 const unsigned char* label, size_t label_length,
335 size_t capacity )
336{
337 psa_status_t status;
338
339 status = psa_key_derivation_setup( derivation, alg );
340 if( status != PSA_SUCCESS )
341 return( status );
342
343 if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
344 {
345 status = psa_key_derivation_input_bytes( derivation,
346 PSA_KEY_DERIVATION_INPUT_SEED,
347 seed, seed_length );
348 if( status != PSA_SUCCESS )
349 return( status );
350
Ronald Croncf56a0a2020-08-04 09:51:30 +0200351 if( mbedtls_svc_key_id_is_null( key ) )
Gilles Peskine311f54d2019-09-23 18:19:22 +0200352 {
353 status = psa_key_derivation_input_bytes(
354 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
355 NULL, 0 );
356 }
357 else
358 {
359 status = psa_key_derivation_input_key(
Ronald Croncf56a0a2020-08-04 09:51:30 +0200360 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
Gilles Peskine311f54d2019-09-23 18:19:22 +0200361 }
k-stachowiak81053a52019-08-17 10:30:28 +0200362 if( status != PSA_SUCCESS )
363 return( status );
364
365 status = psa_key_derivation_input_bytes( derivation,
366 PSA_KEY_DERIVATION_INPUT_LABEL,
367 label, label_length );
368 if( status != PSA_SUCCESS )
369 return( status );
370 }
371 else
372 {
373 return( PSA_ERROR_NOT_SUPPORTED );
374 }
375
376 status = psa_key_derivation_set_capacity( derivation, capacity );
377 if( status != PSA_SUCCESS )
378 return( status );
379
380 return( PSA_SUCCESS );
381}
382
Andrzej Kurekc929a822019-01-14 03:51:11 -0500383static int tls_prf_generic( mbedtls_md_type_t md_type,
384 const unsigned char *secret, size_t slen,
385 const char *label,
386 const unsigned char *random, size_t rlen,
387 unsigned char *dstbuf, size_t dlen )
388{
389 psa_status_t status;
390 psa_algorithm_t alg;
Ronald Croncf56a0a2020-08-04 09:51:30 +0200391 psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
Janos Follathda6ac012019-08-16 13:47:29 +0100392 psa_key_derivation_operation_t derivation =
Janos Follath8dee8772019-07-30 12:53:32 +0100393 PSA_KEY_DERIVATION_OPERATION_INIT;
Andrzej Kurekc929a822019-01-14 03:51:11 -0500394
Andrzej Kurekc929a822019-01-14 03:51:11 -0500395 if( md_type == MBEDTLS_MD_SHA384 )
396 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
397 else
398 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
399
Gilles Peskine311f54d2019-09-23 18:19:22 +0200400 /* Normally a "secret" should be long enough to be impossible to
401 * find by brute force, and in particular should not be empty. But
402 * this PRF is also used to derive an IV, in particular in EAP-TLS,
403 * and for this use case it makes sense to have a 0-length "secret".
404 * Since the key API doesn't allow importing a key of length 0,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200405 * keep master_key=0, which setup_psa_key_derivation() understands
Gilles Peskine311f54d2019-09-23 18:19:22 +0200406 * to mean a 0-length "secret" input. */
407 if( slen != 0 )
408 {
409 psa_key_attributes_t key_attributes = psa_key_attributes_init();
410 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
411 psa_set_key_algorithm( &key_attributes, alg );
412 psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500413
Ronald Croncf56a0a2020-08-04 09:51:30 +0200414 status = psa_import_key( &key_attributes, secret, slen, &master_key );
Gilles Peskine311f54d2019-09-23 18:19:22 +0200415 if( status != PSA_SUCCESS )
416 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
417 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500418
k-stachowiak81053a52019-08-17 10:30:28 +0200419 status = setup_psa_key_derivation( &derivation,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200420 master_key, alg,
k-stachowiak81053a52019-08-17 10:30:28 +0200421 random, rlen,
422 (unsigned char const *) label,
423 (size_t) strlen( label ),
424 dlen );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500425 if( status != PSA_SUCCESS )
426 {
Janos Follathda6ac012019-08-16 13:47:29 +0100427 psa_key_derivation_abort( &derivation );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200428 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500429 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
430 }
431
Janos Follathda6ac012019-08-16 13:47:29 +0100432 status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500433 if( status != PSA_SUCCESS )
434 {
Janos Follathda6ac012019-08-16 13:47:29 +0100435 psa_key_derivation_abort( &derivation );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200436 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500437 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
438 }
439
Janos Follathda6ac012019-08-16 13:47:29 +0100440 status = psa_key_derivation_abort( &derivation );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500441 if( status != PSA_SUCCESS )
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500442 {
Ronald Croncf56a0a2020-08-04 09:51:30 +0200443 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500444 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500445 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500446
Ronald Croncf56a0a2020-08-04 09:51:30 +0200447 if( ! mbedtls_svc_key_id_is_null( master_key ) )
448 status = psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500449 if( status != PSA_SUCCESS )
450 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
451
Andrzej Kurek33171262019-01-15 03:25:18 -0500452 return( 0 );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500453}
454
455#else /* MBEDTLS_USE_PSA_CRYPTO */
456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200457static int tls_prf_generic( mbedtls_md_type_t md_type,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100458 const unsigned char *secret, size_t slen,
459 const char *label,
460 const unsigned char *random, size_t rlen,
461 unsigned char *dstbuf, size_t dlen )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000462{
463 size_t nb;
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100464 size_t i, j, k, md_len;
Ron Eldor3b350852019-05-07 18:31:49 +0300465 unsigned char *tmp;
466 size_t tmp_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200467 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
468 const mbedtls_md_info_t *md_info;
469 mbedtls_md_context_t md_ctx;
Janos Follath865b3eb2019-12-16 11:46:15 +0000470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200472 mbedtls_md_init( &md_ctx );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000473
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200474 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
475 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200477 md_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100478
Ron Eldor3b350852019-05-07 18:31:49 +0300479 tmp_len = md_len + strlen( label ) + rlen;
480 tmp = mbedtls_calloc( 1, tmp_len );
481 if( tmp == NULL )
482 {
483 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
484 goto exit;
485 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000486
487 nb = strlen( label );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100488 memcpy( tmp + md_len, label, nb );
489 memcpy( tmp + md_len + nb, random, rlen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000490 nb += rlen;
491
492 /*
493 * Compute P_<hash>(secret, label + random)[0..dlen]
494 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200495 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Ron Eldor3b350852019-05-07 18:31:49 +0300496 goto exit;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200498 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
499 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
500 mbedtls_md_hmac_finish( &md_ctx, tmp );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100501
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100502 for( i = 0; i < dlen; i += md_len )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000503 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200504 mbedtls_md_hmac_reset ( &md_ctx );
505 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
506 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200508 mbedtls_md_hmac_reset ( &md_ctx );
509 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
510 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000511
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100512 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000513
514 for( j = 0; j < k; j++ )
515 dstbuf[i + j] = h_i[j];
516 }
517
Ron Eldor3b350852019-05-07 18:31:49 +0300518exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200519 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100520
Ron Eldor3b350852019-05-07 18:31:49 +0300521 mbedtls_platform_zeroize( tmp, tmp_len );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500522 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000523
Ron Eldor3b350852019-05-07 18:31:49 +0300524 mbedtls_free( tmp );
525
526 return( ret );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000527}
Andrzej Kurekc929a822019-01-14 03:51:11 -0500528#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200529#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100530static int tls_prf_sha256( const unsigned char *secret, size_t slen,
531 const char *label,
532 const unsigned char *random, size_t rlen,
533 unsigned char *dstbuf, size_t dlen )
534{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200535 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100536 label, random, rlen, dstbuf, dlen ) );
537}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200538#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000539
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200540#if defined(MBEDTLS_SHA384_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200541static int tls_prf_sha384( const unsigned char *secret, size_t slen,
542 const char *label,
543 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000544 unsigned char *dstbuf, size_t dlen )
545{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200546 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100547 label, random, rlen, dstbuf, dlen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000548}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200549#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200550#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200552static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200554#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
555#if defined(MBEDTLS_SHA256_C)
556static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -0300557static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200558static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200559#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100560
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200561#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200562static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -0300563static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200564static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100565#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200566#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000567
Manuel Pégourié-Gonnard45be3d82019-02-18 23:35:14 +0100568#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
Hanno Becker7d0a5692018-10-23 15:26:22 +0100569 defined(MBEDTLS_USE_PSA_CRYPTO)
570static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
571{
572 if( ssl->conf->f_psk != NULL )
573 {
574 /* If we've used a callback to select the PSK,
575 * the static configuration is irrelevant. */
Ronald Croncf56a0a2020-08-04 09:51:30 +0200576 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Hanno Becker7d0a5692018-10-23 15:26:22 +0100577 return( 1 );
578
579 return( 0 );
580 }
581
Ronald Croncf56a0a2020-08-04 09:51:30 +0200582 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
Hanno Becker7d0a5692018-10-23 15:26:22 +0100583 return( 1 );
584
585 return( 0 );
586}
587#endif /* MBEDTLS_USE_PSA_CRYPTO &&
Manuel Pégourié-Gonnard45be3d82019-02-18 23:35:14 +0100588 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Hanno Becker7d0a5692018-10-23 15:26:22 +0100589
Ron Eldorcf280092019-05-14 20:19:13 +0300590#if defined(MBEDTLS_SSL_EXPORT_KEYS)
591static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
592{
Ron Eldorcf280092019-05-14 20:19:13 +0300593#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200594#if defined(MBEDTLS_SHA384_C)
Ron Eldorcf280092019-05-14 20:19:13 +0300595 if( tls_prf == tls_prf_sha384 )
596 {
597 return( MBEDTLS_SSL_TLS_PRF_SHA384 );
598 }
599 else
600#endif
601#if defined(MBEDTLS_SHA256_C)
602 if( tls_prf == tls_prf_sha256 )
603 {
604 return( MBEDTLS_SSL_TLS_PRF_SHA256 );
605 }
606 else
607#endif
608#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
609 return( MBEDTLS_SSL_TLS_PRF_NONE );
610}
611#endif /* MBEDTLS_SSL_EXPORT_KEYS */
612
Ron Eldor51d3ab52019-05-12 14:54:30 +0300613int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
614 const unsigned char *secret, size_t slen,
615 const char *label,
616 const unsigned char *random, size_t rlen,
617 unsigned char *dstbuf, size_t dlen )
618{
619 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
620
621 switch( prf )
622 {
Ron Eldord2f25f72019-05-15 14:54:22 +0300623#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200624#if defined(MBEDTLS_SHA384_C)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300625 case MBEDTLS_SSL_TLS_PRF_SHA384:
626 tls_prf = tls_prf_sha384;
627 break;
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200628#endif /* MBEDTLS_SHA384_C */
Ron Eldor51d3ab52019-05-12 14:54:30 +0300629#if defined(MBEDTLS_SHA256_C)
630 case MBEDTLS_SSL_TLS_PRF_SHA256:
631 tls_prf = tls_prf_sha256;
632 break;
Ron Eldord2f25f72019-05-15 14:54:22 +0300633#endif /* MBEDTLS_SHA256_C */
634#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Ron Eldor51d3ab52019-05-12 14:54:30 +0300635 default:
636 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
637 }
638
639 return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
640}
641
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200642/* Type for the TLS PRF */
643typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
644 const unsigned char *, size_t,
645 unsigned char *, size_t);
646
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200647/*
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200648 * Populate a transform structure with session keys and all the other
649 * necessary information.
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200650 *
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200651 * Parameters:
652 * - [in/out]: transform: structure to populate
653 * [in] must be just initialised with mbedtls_ssl_transform_init()
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200654 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200655 * - [in] ciphersuite
656 * - [in] master
657 * - [in] encrypt_then_mac
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200658 * - [in] compression
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200659 * - [in] tls_prf: pointer to PRF to use for key derivation
660 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200661 * - [in] minor_ver: SSL/TLS minor version
662 * - [in] endpoint: client or server
663 * - [in] ssl: optionally used for:
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200664 * - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
665 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200666 */
Hanno Beckerbd257552021-03-22 06:59:27 +0000667static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200668 int ciphersuite,
669 const unsigned char master[48],
Hanno Beckerbd257552021-03-22 06:59:27 +0000670#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
671 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200672 int encrypt_then_mac,
Hanno Beckerbd257552021-03-22 06:59:27 +0000673#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
674 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200675 ssl_tls_prf_t tls_prf,
676 const unsigned char randbytes[64],
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200677 int minor_ver,
678 unsigned endpoint,
Mateusz Starzyke204dbf2021-03-15 17:57:20 +0100679 const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000680{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200681 int ret = 0;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000682#if defined(MBEDTLS_USE_PSA_CRYPTO)
683 int psa_fallthrough;
684#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000685 unsigned char keyblk[256];
686 unsigned char *key1;
687 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100688 unsigned char *mac_enc;
689 unsigned char *mac_dec;
sander-visser3888b032020-05-06 21:49:46 +0200690 size_t mac_key_len = 0;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200691 size_t iv_copy_len;
Hanno Becker88aaf652017-12-27 08:17:40 +0000692 unsigned keylen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000693 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200694 const mbedtls_cipher_info_t *cipher_info;
695 const mbedtls_md_info_t *md_info;
Paul Bakker68884e32013-01-07 18:20:04 +0100696
Mateusz Starzyke204dbf2021-03-15 17:57:20 +0100697#if !defined(MBEDTLS_SSL_EXPORT_KEYS) && \
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200698 !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200699 ssl = NULL; /* make sure we don't use it except for those cases */
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200700 (void) ssl;
701#endif
702
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200703 /*
704 * Some data just needs copying into the structure
705 */
Jaeden Amero2de07f12019-06-05 13:32:08 +0100706#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000707 defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200708 transform->encrypt_then_mac = encrypt_then_mac;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000709#endif
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200710 transform->minor_ver = minor_ver;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000711
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200712#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
713 memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
714#endif
715
Hanno Beckerc0da10d2021-04-21 05:32:23 +0100716#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
717 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
718 {
719 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
720 * generation separate. This should never happen. */
721 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
722 }
723#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
724
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200725 /*
726 * Get various info structures
727 */
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200728 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200729 if( ciphersuite_info == NULL )
730 {
731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200732 ciphersuite ) );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200733 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
734 }
735
Hanno Beckere694c3e2017-12-27 21:34:08 +0000736 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Paul Bakker68884e32013-01-07 18:20:04 +0100737 if( cipher_info == NULL )
738 {
Paul Elliott9f352112020-12-09 14:55:45 +0000739 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
Hanno Beckere694c3e2017-12-27 21:34:08 +0000740 ciphersuite_info->cipher ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200741 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100742 }
743
Hanno Beckere694c3e2017-12-27 21:34:08 +0000744 md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
Paul Bakker68884e32013-01-07 18:20:04 +0100745 if( md_info == NULL )
746 {
Paul Elliott9f352112020-12-09 14:55:45 +0000747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
Paul Elliott3891caf2020-12-17 18:42:40 +0000748 (unsigned) ciphersuite_info->mac ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200749 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100750 }
751
Hanno Beckera0e20d02019-05-15 14:03:01 +0100752#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4bf74652019-04-26 16:22:27 +0100753 /* Copy own and peer's CID if the use of the CID
754 * extension has been negotiated. */
755 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
756 {
757 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
Hanno Becker8a7f9722019-04-30 13:52:29 +0100758
Hanno Becker05154c32019-05-03 15:23:51 +0100759 transform->in_cid_len = ssl->own_cid_len;
Hanno Becker05154c32019-05-03 15:23:51 +0100760 memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
Hanno Becker1c1f0462019-05-03 12:55:51 +0100761 MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
Hanno Becker4bf74652019-04-26 16:22:27 +0100762 transform->in_cid_len );
Hanno Beckerd1f20352019-05-15 10:21:55 +0100763
764 transform->out_cid_len = ssl->handshake->peer_cid_len;
765 memcpy( transform->out_cid, ssl->handshake->peer_cid,
766 ssl->handshake->peer_cid_len );
767 MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
768 transform->out_cid_len );
Hanno Becker4bf74652019-04-26 16:22:27 +0100769 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100770#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker4bf74652019-04-26 16:22:27 +0100771
Paul Bakker5121ce52009-01-03 21:22:43 +0000772 /*
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200773 * Compute key block using the PRF
Paul Bakker5121ce52009-01-03 21:22:43 +0000774 */
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200775 ret = tls_prf( master, 48, "key expansion", randbytes, 64, keyblk, 256 );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100776 if( ret != 0 )
777 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200778 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100779 return( ret );
780 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000781
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200782 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
Manuel Pégourié-Gonnardd91efa42019-05-20 10:27:20 +0200783 mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200784 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", master, 48 );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200785 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", randbytes, 64 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200786 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000787
Paul Bakker5121ce52009-01-03 21:22:43 +0000788 /*
789 * Determine the appropriate key, IV and MAC length.
790 */
Paul Bakker68884e32013-01-07 18:20:04 +0100791
Hanno Becker88aaf652017-12-27 08:17:40 +0000792 keylen = cipher_info->key_bitlen / 8;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200793
Hanno Becker8031d062018-01-03 15:32:31 +0000794#if defined(MBEDTLS_GCM_C) || \
795 defined(MBEDTLS_CCM_C) || \
796 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200797 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200798 cipher_info->mode == MBEDTLS_MODE_CCM ||
799 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000800 {
Hanno Beckerf704bef2018-11-16 15:21:18 +0000801 size_t explicit_ivlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200802
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200803 transform->maclen = 0;
Hanno Becker81c7b182017-11-09 18:39:33 +0000804 mac_key_len = 0;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000805 transform->taglen =
806 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200807
Hanno Becker447558d2020-05-28 07:36:33 +0100808 /* All modes haves 96-bit IVs, but the length of the static parts vary
809 * with mode and version:
810 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
811 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
Hanno Beckerf93c2d72020-05-28 07:39:43 +0100812 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
813 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
814 * sequence number).
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200815 */
Paul Bakker68884e32013-01-07 18:20:04 +0100816 transform->ivlen = 12;
Hanno Beckerc0da10d2021-04-21 05:32:23 +0100817 if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200818 transform->fixed_ivlen = 12;
819 else
Hanno Beckerc0da10d2021-04-21 05:32:23 +0100820 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200821
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200822 /* Minimum length of encrypted record */
823 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000824 transform->minlen = explicit_ivlen + transform->taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100825 }
826 else
Hanno Becker8031d062018-01-03 15:32:31 +0000827#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000828#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Hanno Becker8031d062018-01-03 15:32:31 +0000829 if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
830 cipher_info->mode == MBEDTLS_MODE_CBC )
Paul Bakker68884e32013-01-07 18:20:04 +0100831 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200832 /* Initialize HMAC contexts */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200833 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
834 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100835 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200836 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +0300837 goto end;
Paul Bakker68884e32013-01-07 18:20:04 +0100838 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000839
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200840 /* Get MAC length */
Hanno Becker81c7b182017-11-09 18:39:33 +0000841 mac_key_len = mbedtls_md_get_size( md_info );
842 transform->maclen = mac_key_len;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200843
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200844 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100845 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000846
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200847 /* Minimum length */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200848 if( cipher_info->mode == MBEDTLS_MODE_STREAM )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200849 transform->minlen = transform->maclen;
850 else
Paul Bakker68884e32013-01-07 18:20:04 +0100851 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200852 /*
853 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100854 * 1. if EtM is in use: one block plus MAC
855 * otherwise: * first multiple of blocklen greater than maclen
TRodziewicz2abf03c2021-06-25 14:40:09 +0200856 * 2. IV
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200857 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200858#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200859 if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100860 {
861 transform->minlen = transform->maclen
862 + cipher_info->block_size;
863 }
864 else
865#endif
866 {
867 transform->minlen = transform->maclen
868 + cipher_info->block_size
869 - transform->maclen % cipher_info->block_size;
870 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200871
TRodziewicz0f82ec62021-05-12 17:49:18 +0200872#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
873 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200874 {
875 transform->minlen += transform->ivlen;
876 }
877 else
878#endif
879 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Ron Eldore6992702019-05-07 18:27:13 +0300881 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
882 goto end;
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200883 }
Paul Bakker68884e32013-01-07 18:20:04 +0100884 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000885 }
Hanno Becker8031d062018-01-03 15:32:31 +0000886 else
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000887#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Hanno Becker8031d062018-01-03 15:32:31 +0000888 {
889 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
890 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
891 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000892
Hanno Becker88aaf652017-12-27 08:17:40 +0000893 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
894 (unsigned) keylen,
895 (unsigned) transform->minlen,
896 (unsigned) transform->ivlen,
897 (unsigned) transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000898
899 /*
900 * Finally setup the cipher contexts, IVs and MAC secrets.
901 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200902#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200903 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000904 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000905 key1 = keyblk + mac_key_len * 2;
Hanno Becker88aaf652017-12-27 08:17:40 +0000906 key2 = keyblk + mac_key_len * 2 + keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000907
Paul Bakker68884e32013-01-07 18:20:04 +0100908 mac_enc = keyblk;
Hanno Becker81c7b182017-11-09 18:39:33 +0000909 mac_dec = keyblk + mac_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000910
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000911 /*
912 * This is not used in TLS v1.1.
913 */
Paul Bakker48916f92012-09-16 19:57:18 +0000914 iv_copy_len = ( transform->fixed_ivlen ) ?
915 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000916 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
917 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000918 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000919 }
920 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200921#endif /* MBEDTLS_SSL_CLI_C */
922#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200923 if( endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000924 {
Hanno Becker88aaf652017-12-27 08:17:40 +0000925 key1 = keyblk + mac_key_len * 2 + keylen;
Hanno Becker81c7b182017-11-09 18:39:33 +0000926 key2 = keyblk + mac_key_len * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000927
Hanno Becker81c7b182017-11-09 18:39:33 +0000928 mac_enc = keyblk + mac_key_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100929 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000930
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000931 /*
932 * This is not used in TLS v1.1.
933 */
Paul Bakker48916f92012-09-16 19:57:18 +0000934 iv_copy_len = ( transform->fixed_ivlen ) ?
935 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000936 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
937 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000938 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000939 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100940 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200941#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100942 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Ron Eldore6992702019-05-07 18:27:13 +0300944 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
945 goto end;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100946 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000947
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200948#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
TRodziewicz0f82ec62021-05-12 17:49:18 +0200949#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200950 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
951 For AEAD-based ciphersuites, there is nothing to do here. */
952 if( mac_key_len != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100953 {
TRodziewicz345165c2021-07-06 13:42:11 +0200954 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
955 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
Paul Bakker68884e32013-01-07 18:20:04 +0100956 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200957#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000958#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Paul Bakker68884e32013-01-07 18:20:04 +0100959
Hanno Beckerd56ed242018-01-03 15:32:51 +0000960 ((void) mac_dec);
961 ((void) mac_enc);
Paul Bakker05ef8352012-05-08 09:17:57 +0000962
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +0200963#if defined(MBEDTLS_SSL_EXPORT_KEYS)
Hanno Becker7e6c1782021-06-08 09:24:55 +0100964 if( ssl->f_export_keys != NULL )
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100965 {
Hanno Becker7e6c1782021-06-08 09:24:55 +0100966 ssl->f_export_keys( ssl->p_export_keys,
967 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
968 master, 48,
969 randbytes + 32,
970 randbytes,
971 tls_prf_get_type( tls_prf ) );
Ron Eldorf5cc10d2019-05-07 18:33:40 +0300972 }
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100973#endif
974
Hanno Beckerf704bef2018-11-16 15:21:18 +0000975#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +0000976
977 /* Only use PSA-based ciphers for TLS-1.2.
978 * That's relevant at least for TLS-1.0, where
979 * we assume that mbedtls_cipher_crypt() updates
980 * the structure field for the IV, which the PSA-based
981 * implementation currently doesn't. */
982#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
983 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000984 {
Hanno Beckercb1cc802018-11-17 22:27:38 +0000985 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
Hanno Becker22bf1452019-04-05 11:21:08 +0100986 cipher_info, transform->taglen );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000987 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
988 {
989 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
Ron Eldore6992702019-05-07 18:27:13 +0300990 goto end;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000991 }
992
993 if( ret == 0 )
994 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100995 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000996 psa_fallthrough = 0;
997 }
998 else
999 {
1000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
1001 psa_fallthrough = 1;
1002 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001003 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001004 else
Hanno Beckercb1cc802018-11-17 22:27:38 +00001005 psa_fallthrough = 1;
1006#else
1007 psa_fallthrough = 1;
1008#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +00001009
Hanno Beckercb1cc802018-11-17 22:27:38 +00001010 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001011#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001012 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001013 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001014 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001015 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001016 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001017 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001018
Hanno Beckerf704bef2018-11-16 15:21:18 +00001019#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +00001020 /* Only use PSA-based ciphers for TLS-1.2.
1021 * That's relevant at least for TLS-1.0, where
1022 * we assume that mbedtls_cipher_crypt() updates
1023 * the structure field for the IV, which the PSA-based
1024 * implementation currently doesn't. */
1025#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1026 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001027 {
Hanno Beckercb1cc802018-11-17 22:27:38 +00001028 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
Hanno Becker22bf1452019-04-05 11:21:08 +01001029 cipher_info, transform->taglen );
Hanno Beckercb1cc802018-11-17 22:27:38 +00001030 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1031 {
1032 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001033 goto end;
Hanno Beckercb1cc802018-11-17 22:27:38 +00001034 }
1035
1036 if( ret == 0 )
1037 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01001038 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +00001039 psa_fallthrough = 0;
1040 }
1041 else
1042 {
1043 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
1044 psa_fallthrough = 1;
1045 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001046 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001047 else
Hanno Beckercb1cc802018-11-17 22:27:38 +00001048 psa_fallthrough = 1;
1049#else
1050 psa_fallthrough = 1;
1051#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +00001052
Hanno Beckercb1cc802018-11-17 22:27:38 +00001053 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001054#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001055 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001056 cipher_info ) ) != 0 )
1057 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001058 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001059 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001060 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001062 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +02001063 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001064 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001065 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001067 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001068 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001070 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +02001071 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001072 MBEDTLS_DECRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001073 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001074 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001075 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001076 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001078#if defined(MBEDTLS_CIPHER_MODE_CBC)
1079 if( cipher_info->mode == MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001080 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001081 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1082 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001083 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001084 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001085 goto end;
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001086 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001088 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1089 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001090 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001091 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001092 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001093 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001094 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001095#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001096
Paul Bakker5121ce52009-01-03 21:22:43 +00001097
Ron Eldore6992702019-05-07 18:27:13 +03001098end:
Ron Eldora9f9a732019-05-07 18:29:02 +03001099 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
Ron Eldore6992702019-05-07 18:27:13 +03001100 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001101}
1102
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001103/*
TRodziewicz0f82ec62021-05-12 17:49:18 +02001104 * Set appropriate PRF function and other SSL / TLS1.2 functions
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001105 *
1106 * Inputs:
1107 * - SSL/TLS minor version
1108 * - hash associated with the ciphersuite (only used by TLS 1.2)
1109 *
Manuel Pégourié-Gonnard31d3ef12019-05-10 10:25:00 +02001110 * Outputs:
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001111 * - the tls_prf, calc_verify and calc_finished members of handshake structure
1112 */
1113static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
1114 int minor_ver,
1115 mbedtls_md_type_t hash )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001116{
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001117#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001118 (void) hash;
1119#endif
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001120
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001121#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001122#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001123 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1124 hash == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001125 {
1126 handshake->tls_prf = tls_prf_sha384;
1127 handshake->calc_verify = ssl_calc_verify_tls_sha384;
1128 handshake->calc_finished = ssl_calc_finished_tls_sha384;
1129 }
1130 else
1131#endif
1132#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001133 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001134 {
1135 handshake->tls_prf = tls_prf_sha256;
1136 handshake->calc_verify = ssl_calc_verify_tls_sha256;
1137 handshake->calc_finished = ssl_calc_finished_tls_sha256;
1138 }
1139 else
1140#endif
1141#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1142 {
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001143 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1144 }
1145
1146 return( 0 );
1147}
1148
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001149/*
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001150 * Compute master secret if needed
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001151 *
1152 * Parameters:
1153 * [in/out] handshake
1154 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001155 * (PSA-PSK) ciphersuite_info, psk_opaque
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001156 * [out] premaster (cleared)
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001157 * [out] master
1158 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
1159 * debug: conf->f_dbg, conf->p_dbg
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01001160 * EMS: passed to calc_verify (debug + session_negotiate)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001161 * PSA-PSA: minor_ver, conf
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001162 */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001163static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001164 unsigned char *master,
Manuel Pégourié-Gonnard0d56aaa2019-05-03 09:58:33 +02001165 const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001166{
Janos Follath865b3eb2019-12-16 11:46:15 +00001167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001168
1169 /* cf. RFC 5246, Section 8.1:
1170 * "The master secret is always exactly 48 bytes in length." */
1171 size_t const master_secret_len = 48;
1172
1173#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1174 unsigned char session_hash[48];
1175#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1176
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001177 /* The label for the KDF used for key expansion.
1178 * This is either "master secret" or "extended master secret"
1179 * depending on whether the Extended Master Secret extension
1180 * is used. */
1181 char const *lbl = "master secret";
1182
1183 /* The salt for the KDF used for key expansion.
1184 * - If the Extended Master Secret extension is not used,
1185 * this is ClientHello.Random + ServerHello.Random
1186 * (see Sect. 8.1 in RFC 5246).
1187 * - If the Extended Master Secret extension is used,
1188 * this is the transcript of the handshake so far.
1189 * (see Sect. 4 in RFC 7627). */
1190 unsigned char const *salt = handshake->randbytes;
1191 size_t salt_len = 64;
1192
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001193#if !defined(MBEDTLS_DEBUG_C) && \
1194 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
1195 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
1196 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +02001197 ssl = NULL; /* make sure we don't use it except for those cases */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001198 (void) ssl;
1199#endif
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001200
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001201 if( handshake->resume != 0 )
1202 {
1203 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001204 return( 0 );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001205 }
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001206
1207#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001208 if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001209 {
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001210 lbl = "extended master secret";
1211 salt = session_hash;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001212 handshake->calc_verify( ssl, session_hash, &salt_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001213
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +02001214 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
1215 session_hash, salt_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001216 }
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001217#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
1218
1219#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001220 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1221 if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001222 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001223 ssl_use_opaque_psk( ssl ) == 1 )
1224 {
1225 /* Perform PSK-to-MS expansion in a single step. */
1226 psa_status_t status;
1227 psa_algorithm_t alg;
Ronald Croncf56a0a2020-08-04 09:51:30 +02001228 psa_key_id_t psk;
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001229 psa_key_derivation_operation_t derivation =
1230 PSA_KEY_DERIVATION_OPERATION_INIT;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001231 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001232
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001234
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001235 psk = mbedtls_ssl_get_opaque_psk( ssl );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001236
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001237 if( hash_alg == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001238 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001239 else
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001240 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
1241
k-stachowiak81053a52019-08-17 10:30:28 +02001242 status = setup_psa_key_derivation( &derivation, psk, alg,
1243 salt, salt_len,
1244 (unsigned char const *) lbl,
1245 (size_t) strlen( lbl ),
1246 master_secret_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001247 if( status != PSA_SUCCESS )
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001248 {
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001249 psa_key_derivation_abort( &derivation );
1250 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001251 }
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001252
1253 status = psa_key_derivation_output_bytes( &derivation,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001254 master,
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001255 master_secret_len );
1256 if( status != PSA_SUCCESS )
1257 {
1258 psa_key_derivation_abort( &derivation );
1259 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1260 }
1261
1262 status = psa_key_derivation_abort( &derivation );
1263 if( status != PSA_SUCCESS )
1264 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1265 }
1266 else
1267#endif
1268 {
1269 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
1270 lbl, salt, salt_len,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001271 master,
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001272 master_secret_len );
1273 if( ret != 0 )
1274 {
1275 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
1276 return( ret );
1277 }
1278
1279 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
1280 handshake->premaster,
1281 handshake->pmslen );
1282
1283 mbedtls_platform_zeroize( handshake->premaster,
1284 sizeof(handshake->premaster) );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001285 }
1286
1287 return( 0 );
1288}
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001289
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +02001290int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
1291{
Janos Follath865b3eb2019-12-16 11:46:15 +00001292 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001293 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
1294 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001295
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001296 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
1297
1298 /* Set PRF, calc_verify and calc_finished function pointers */
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001299 ret = ssl_set_handshake_prfs( ssl->handshake,
1300 ssl->minor_ver,
1301 ciphersuite_info->mac );
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001302 if( ret != 0 )
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001303 {
1304 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001305 return( ret );
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001306 }
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001307
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001308 /* Compute master secret if needed */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001309 ret = ssl_compute_master( ssl->handshake,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001310 ssl->session_negotiate->master,
1311 ssl );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001312 if( ret != 0 )
1313 {
1314 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );
1315 return( ret );
1316 }
1317
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001318 /* Swap the client and server random values:
1319 * - MS derivation wanted client+server (RFC 5246 8.1)
1320 * - key derivation wants server+client (RFC 5246 6.3) */
1321 {
1322 unsigned char tmp[64];
1323 memcpy( tmp, ssl->handshake->randbytes, 64 );
1324 memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
1325 memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
1326 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
1327 }
1328
1329 /* Populate transform structure */
Hanno Beckerbd257552021-03-22 06:59:27 +00001330 ret = ssl_tls12_populate_transform( ssl->transform_negotiate,
1331 ssl->session_negotiate->ciphersuite,
1332 ssl->session_negotiate->master,
1333#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
1334 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1335 ssl->session_negotiate->encrypt_then_mac,
1336#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
1337 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1338 ssl->handshake->tls_prf,
1339 ssl->handshake->randbytes,
1340 ssl->minor_ver,
1341 ssl->conf->endpoint,
1342 ssl );
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001343 if( ret != 0 )
1344 {
Hanno Beckerbd257552021-03-22 06:59:27 +00001345 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls12_populate_transform", ret );
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001346 return( ret );
1347 }
1348
1349 /* We no longer need Server/ClientHello.random values */
1350 mbedtls_platform_zeroize( ssl->handshake->randbytes,
1351 sizeof( ssl->handshake->randbytes ) );
1352
1353 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
1354
1355 return( 0 );
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +02001356}
1357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001358#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1359#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001360void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -03001361 unsigned char *hash,
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001362 size_t *hlen )
Paul Bakker380da532012-04-18 16:10:25 +00001363{
Andrzej Kurekeb342242019-01-29 09:14:33 -05001364#if defined(MBEDTLS_USE_PSA_CRYPTO)
1365 size_t hash_size;
1366 psa_status_t status;
1367 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
1368
1369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
1370 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
1371 if( status != PSA_SUCCESS )
1372 {
1373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1374 return;
1375 }
1376
1377 status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
1378 if( status != PSA_SUCCESS )
1379 {
1380 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1381 return;
1382 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001383
1384 *hlen = 32;
1385 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001386 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1387#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001388 mbedtls_sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +00001389
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001390 mbedtls_sha256_init( &sha256 );
1391
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001392 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001393
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001394 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
TRodziewicz26371e42021-06-08 16:45:41 +02001395 mbedtls_sha256_finish( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +00001396
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001397 *hlen = 32;
1398
1399 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001400 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001401
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001402 mbedtls_sha256_free( &sha256 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001403#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker380da532012-04-18 16:10:25 +00001404 return;
1405}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001406#endif /* MBEDTLS_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +00001407
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001408#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001409void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -03001410 unsigned char *hash,
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001411 size_t *hlen )
Paul Bakker380da532012-04-18 16:10:25 +00001412{
Andrzej Kurekeb342242019-01-29 09:14:33 -05001413#if defined(MBEDTLS_USE_PSA_CRYPTO)
1414 size_t hash_size;
1415 psa_status_t status;
Andrzej Kurek972fba52019-01-30 03:29:12 -05001416 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -05001417
1418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
Andrzej Kurek972fba52019-01-30 03:29:12 -05001419 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001420 if( status != PSA_SUCCESS )
1421 {
1422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1423 return;
1424 }
1425
Andrzej Kurek972fba52019-01-30 03:29:12 -05001426 status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001427 if( status != PSA_SUCCESS )
1428 {
1429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1430 return;
1431 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001432
1433 *hlen = 48;
1434 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1436#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001437 mbedtls_sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +00001438
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001439 mbedtls_sha512_init( &sha512 );
1440
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001442
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001443 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
TRodziewicz26371e42021-06-08 16:45:41 +02001444 mbedtls_sha512_finish( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00001445
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001446 *hlen = 48;
1447
1448 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001450
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001451 mbedtls_sha512_free( &sha512 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001452#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +00001453 return;
1454}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001455#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001456#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001457
Gilles Peskineeccd8882020-03-10 12:19:08 +01001458#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001459int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001460{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001461 unsigned char *p = ssl->handshake->premaster;
1462 unsigned char *end = p + sizeof( ssl->handshake->premaster );
Guilhem Bryantb5f04e42020-04-01 11:23:58 +01001463 const unsigned char *psk = NULL;
Guilhem Bryant61b0fe62020-03-27 11:12:12 +00001464 size_t psk_len = 0;
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001465
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001466 if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
1467 == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001468 {
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001469 /*
1470 * This should never happen because the existence of a PSK is always
1471 * checked before calling this function
1472 */
Guilhem Bryant82194c82020-03-26 17:04:31 +00001473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Guilhem Bryant0c9b1952020-04-08 11:02:38 +01001474 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001475 }
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001476
1477 /*
1478 * PMS = struct {
1479 * opaque other_secret<0..2^16-1>;
1480 * opaque psk<0..2^16-1>;
1481 * };
1482 * with "other_secret" depending on the particular key exchange
1483 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001484#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1485 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001486 {
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001487 if( end - p < 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001488 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001489
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001490 *(p++) = (unsigned char)( psk_len >> 8 );
1491 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001492
1493 if( end < p || (size_t)( end - p ) < psk_len )
1494 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1495
1496 memset( p, 0, psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001497 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001498 }
1499 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001500#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1501#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1502 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001503 {
1504 /*
1505 * other_secret already set by the ClientKeyExchange message,
1506 * and is 48 bytes long
1507 */
Philippe Antoine747fd532018-05-30 09:13:21 +02001508 if( end - p < 2 )
1509 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1510
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001511 *p++ = 0;
1512 *p++ = 48;
1513 p += 48;
1514 }
1515 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001516#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1517#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1518 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001519 {
Janos Follath865b3eb2019-12-16 11:46:15 +00001520 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001521 size_t len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001522
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001523 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001524 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001525 p + 2, end - ( p + 2 ), &len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001526 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001527 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001528 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001529 return( ret );
1530 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001531 *(p++) = (unsigned char)( len >> 8 );
1532 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001533 p += len;
1534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001535 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001536 }
1537 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001538#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1539#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1540 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001541 {
Janos Follath865b3eb2019-12-16 11:46:15 +00001542 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001543 size_t zlen;
1544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001545 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +02001546 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001547 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001548 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001549 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001550 return( ret );
1551 }
1552
1553 *(p++) = (unsigned char)( zlen >> 8 );
1554 *(p++) = (unsigned char)( zlen );
1555 p += zlen;
1556
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05001557 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1558 MBEDTLS_DEBUG_ECDH_Z );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001559 }
1560 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001561#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001562 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001563 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1564 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001565 }
1566
1567 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001568 if( end - p < 2 )
1569 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01001570
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001571 *(p++) = (unsigned char)( psk_len >> 8 );
1572 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001573
1574 if( end < p || (size_t)( end - p ) < psk_len )
1575 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1576
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001577 memcpy( p, psk, psk_len );
1578 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001579
1580 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1581
1582 return( 0 );
1583}
Gilles Peskineeccd8882020-03-10 12:19:08 +01001584#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001586#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
1587static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001589#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker786300f2020-02-05 10:46:40 +00001590int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001591{
1592 /* If renegotiation is not enforced, retransmit until we would reach max
1593 * timeout if we were using the usual handshake doubling scheme */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001594 if( ssl->conf->renego_max_records < 0 )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001595 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001596 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001597 unsigned char doublings = 1;
1598
1599 while( ratio != 0 )
1600 {
1601 ++doublings;
1602 ratio >>= 1;
1603 }
1604
1605 if( ++ssl->renego_records_seen > doublings )
1606 {
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +02001607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001608 return( 0 );
1609 }
1610 }
1611
1612 return( ssl_write_hello_request( ssl ) );
1613}
1614#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001615#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02001616
Hanno Beckerb9d44792019-02-08 07:19:04 +00001617#if defined(MBEDTLS_X509_CRT_PARSE_C)
1618static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
1619{
1620#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1621 if( session->peer_cert != NULL )
1622 {
1623 mbedtls_x509_crt_free( session->peer_cert );
1624 mbedtls_free( session->peer_cert );
1625 session->peer_cert = NULL;
1626 }
1627#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1628 if( session->peer_cert_digest != NULL )
1629 {
1630 /* Zeroization is not necessary. */
1631 mbedtls_free( session->peer_cert_digest );
1632 session->peer_cert_digest = NULL;
1633 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
1634 session->peer_cert_digest_len = 0;
1635 }
1636#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1637}
1638#endif /* MBEDTLS_X509_CRT_PARSE_C */
1639
Paul Bakker5121ce52009-01-03 21:22:43 +00001640/*
1641 * Handshake functions
1642 */
Gilles Peskineeccd8882020-03-10 12:19:08 +01001643#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskinef9828522017-05-03 12:28:43 +02001644/* No certificate support -> dummy functions */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001645int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00001646{
Hanno Beckere694c3e2017-12-27 21:34:08 +00001647 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1648 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001651
Hanno Becker7177a882019-02-05 13:36:46 +00001652 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001653 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001655 ssl->state++;
1656 return( 0 );
1657 }
1658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001659 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1660 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001661}
1662
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001663int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001664{
Hanno Beckere694c3e2017-12-27 21:34:08 +00001665 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1666 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001668 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001669
Hanno Becker7177a882019-02-05 13:36:46 +00001670 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001671 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001673 ssl->state++;
1674 return( 0 );
1675 }
1676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1678 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001679}
Gilles Peskinef9828522017-05-03 12:28:43 +02001680
Gilles Peskineeccd8882020-03-10 12:19:08 +01001681#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Gilles Peskinef9828522017-05-03 12:28:43 +02001682/* Some certificate support -> implement write and parse */
1683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001684int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001685{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001686 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001687 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001688 const mbedtls_x509_crt *crt;
Hanno Beckere694c3e2017-12-27 21:34:08 +00001689 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1690 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001692 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001693
Hanno Becker7177a882019-02-05 13:36:46 +00001694 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001695 {
Johan Pascal4f099262020-09-22 10:59:26 +02001696 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1697 ssl->state++;
1698 return( 0 );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001699 }
1700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001701#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001702 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +00001703 {
1704 if( ssl->client_auth == 0 )
1705 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001706 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001707 ssl->state++;
1708 return( 0 );
1709 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001710 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001711#endif /* MBEDTLS_SSL_CLI_C */
1712#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001713 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00001714 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001715 if( mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001716 {
Hanno Becker9cfe6e92021-04-30 05:38:24 +01001717 /* Should never happen because we shouldn't have picked the
1718 * ciphersuite if we don't have a certificate. */
1719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001720 }
1721 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01001722#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001723
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001724 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001725
1726 /*
1727 * 0 . 0 handshake type
1728 * 1 . 3 handshake length
1729 * 4 . 6 length of all certs
1730 * 7 . 9 length of cert. 1
1731 * 10 . n-1 peer certificate
1732 * n . n+2 length of cert. 2
1733 * n+3 . ... upper level cert, etc.
1734 */
1735 i = 7;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001736 crt = mbedtls_ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00001737
Paul Bakker29087132010-03-21 21:03:34 +00001738 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001739 {
1740 n = crt->raw.len;
Angus Grattond8213d02016-05-25 20:56:48 +10001741 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +00001742 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00001743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
1744 " > %" MBEDTLS_PRINTF_SIZET,
Paul Elliott3891caf2020-12-17 18:42:40 +00001745 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Hanno Becker91e1cc32021-04-30 05:28:49 +01001746 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +00001747 }
1748
1749 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1750 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1751 ssl->out_msg[i + 2] = (unsigned char)( n );
1752
1753 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1754 i += n; crt = crt->next;
1755 }
1756
1757 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1758 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1759 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1760
1761 ssl->out_msglen = i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001762 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1763 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
Paul Bakker5121ce52009-01-03 21:22:43 +00001764
Paul Bakker5121ce52009-01-03 21:22:43 +00001765 ssl->state++;
1766
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001767 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001768 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001769 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001770 return( ret );
1771 }
1772
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001773 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001774
Paul Bakkered27a042013-04-18 22:46:23 +02001775 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001776}
1777
Hanno Becker84879e32019-01-31 07:44:03 +00001778#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Hanno Becker177475a2019-02-05 17:02:46 +00001779
1780#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001781static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1782 unsigned char *crt_buf,
1783 size_t crt_buf_len )
1784{
1785 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
1786
1787 if( peer_crt == NULL )
1788 return( -1 );
1789
1790 if( peer_crt->raw.len != crt_buf_len )
1791 return( -1 );
1792
k-stachowiak95b68ef2019-09-16 12:21:00 +02001793 return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001794}
Hanno Becker177475a2019-02-05 17:02:46 +00001795#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1796static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1797 unsigned char *crt_buf,
1798 size_t crt_buf_len )
1799{
Janos Follath865b3eb2019-12-16 11:46:15 +00001800 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker177475a2019-02-05 17:02:46 +00001801 unsigned char const * const peer_cert_digest =
1802 ssl->session->peer_cert_digest;
1803 mbedtls_md_type_t const peer_cert_digest_type =
1804 ssl->session->peer_cert_digest_type;
1805 mbedtls_md_info_t const * const digest_info =
1806 mbedtls_md_info_from_type( peer_cert_digest_type );
1807 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
1808 size_t digest_len;
1809
1810 if( peer_cert_digest == NULL || digest_info == NULL )
1811 return( -1 );
1812
1813 digest_len = mbedtls_md_get_size( digest_info );
1814 if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
1815 return( -1 );
1816
1817 ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
1818 if( ret != 0 )
1819 return( -1 );
1820
1821 return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
1822}
1823#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker84879e32019-01-31 07:44:03 +00001824#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001825
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02001826/*
1827 * Once the certificate message is read, parse it into a cert chain and
1828 * perform basic checks, but leave actual verification to the caller
1829 */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001830static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
1831 mbedtls_x509_crt *chain )
Paul Bakker5121ce52009-01-03 21:22:43 +00001832{
Janos Follath865b3eb2019-12-16 11:46:15 +00001833 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001834#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1835 int crt_cnt=0;
1836#endif
Paul Bakker23986e52011-04-24 08:57:21 +00001837 size_t i, n;
Gilles Peskine064a85c2017-05-10 10:46:40 +02001838 uint8_t alert;
Paul Bakker5121ce52009-01-03 21:22:43 +00001839
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001840 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001841 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001843 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1844 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001845 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001846 }
1847
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001848 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE )
1849 {
1850 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1851 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1852 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1853 }
1854
1855 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001856 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1859 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001860 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001861 }
1862
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001863 i = mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001864
Paul Bakker5121ce52009-01-03 21:22:43 +00001865 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001866 * Same message structure as in mbedtls_ssl_write_certificate()
Paul Bakker5121ce52009-01-03 21:22:43 +00001867 */
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001868 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
Paul Bakker5121ce52009-01-03 21:22:43 +00001869
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001870 if( ssl->in_msg[i] != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001871 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00001872 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001873 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001874 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1875 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001876 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001877 }
1878
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001879 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
1880 i += 3;
1881
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001882 /* Iterate through and parse the CRTs in the provided chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001883 while( i < ssl->in_hslen )
1884 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001885 /* Check that there's room for the next CRT's length fields. */
Philippe Antoine747fd532018-05-30 09:13:21 +02001886 if ( i + 3 > ssl->in_hslen ) {
1887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001888 mbedtls_ssl_send_alert_message( ssl,
1889 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1890 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001891 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Philippe Antoine747fd532018-05-30 09:13:21 +02001892 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001893 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
1894 * anything beyond 2**16 ~ 64K. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001895 if( ssl->in_msg[i] != 0 )
1896 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001897 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001898 mbedtls_ssl_send_alert_message( ssl,
1899 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001900 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT );
1901 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001902 }
1903
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001904 /* Read length of the next CRT in the chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001905 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1906 | (unsigned int) ssl->in_msg[i + 2];
1907 i += 3;
1908
1909 if( n < 128 || i + n > ssl->in_hslen )
1910 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001912 mbedtls_ssl_send_alert_message( ssl,
1913 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1914 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001915 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001916 }
1917
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001918 /* Check if we're handling the first CRT in the chain. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001919#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1920 if( crt_cnt++ == 0 &&
1921 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1922 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001923 {
Hanno Becker46f34d02019-02-08 14:00:04 +00001924 /* During client-side renegotiation, check that the server's
1925 * end-CRTs hasn't changed compared to the initial handshake,
1926 * mitigating the triple handshake attack. On success, reuse
1927 * the original end-CRT instead of parsing it again. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
1929 if( ssl_check_peer_crt_unchanged( ssl,
1930 &ssl->in_msg[i],
1931 n ) != 0 )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001932 {
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
1934 mbedtls_ssl_send_alert_message( ssl,
1935 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001936 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
1937 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001938 }
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001939
1940 /* Now we can safely free the original chain. */
1941 ssl_clear_peer_cert( ssl->session );
1942 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001943#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
1944
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001945 /* Parse the next certificate in the chain. */
Hanno Becker0056eab2019-02-08 14:39:16 +00001946#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001947 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
Hanno Becker0056eab2019-02-08 14:39:16 +00001948#else
Hanno Becker353a6f02019-02-26 11:51:34 +00001949 /* If we don't need to store the CRT chain permanently, parse
Hanno Becker0056eab2019-02-08 14:39:16 +00001950 * it in-place from the input buffer instead of making a copy. */
1951 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
1952#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001953 switch( ret )
Paul Bakker5121ce52009-01-03 21:22:43 +00001954 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001955 case 0: /*ok*/
1956 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
1957 /* Ignore certificate with an unknown algorithm: maybe a
1958 prior certificate was already trusted. */
1959 break;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001960
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001961 case MBEDTLS_ERR_X509_ALLOC_FAILED:
1962 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
1963 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001964
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001965 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
1966 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
1967 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001968
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001969 default:
1970 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
1971 crt_parse_der_failed:
1972 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
1973 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
1974 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001975 }
1976
1977 i += n;
1978 }
1979
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001980 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02001981 return( 0 );
1982}
1983
Hanno Becker4a55f632019-02-05 12:49:06 +00001984#if defined(MBEDTLS_SSL_SRV_C)
1985static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
1986{
1987 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1988 return( -1 );
1989
TRodziewicz0f82ec62021-05-12 17:49:18 +02001990#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker4a55f632019-02-05 12:49:06 +00001991 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
1992 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
1993 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
1994 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
1995 {
1996 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1997 return( 0 );
1998 }
1999
2000 return( -1 );
TRodziewicz0f82ec62021-05-12 17:49:18 +02002001#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker4a55f632019-02-05 12:49:06 +00002002}
2003#endif /* MBEDTLS_SSL_SRV_C */
2004
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002005/* Check if a certificate message is expected.
2006 * Return either
2007 * - SSL_CERTIFICATE_EXPECTED, or
2008 * - SSL_CERTIFICATE_SKIP
2009 * indicating whether a Certificate message is expected or not.
2010 */
2011#define SSL_CERTIFICATE_EXPECTED 0
2012#define SSL_CERTIFICATE_SKIP 1
2013static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
2014 int authmode )
2015{
2016 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00002017 ssl->handshake->ciphersuite_info;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002018
2019 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
2020 return( SSL_CERTIFICATE_SKIP );
2021
2022#if defined(MBEDTLS_SSL_SRV_C)
2023 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
2024 {
2025 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2026 return( SSL_CERTIFICATE_SKIP );
2027
2028 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2029 {
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002030 ssl->session_negotiate->verify_result =
2031 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2032 return( SSL_CERTIFICATE_SKIP );
2033 }
2034 }
Hanno Becker84d9d272019-03-01 08:10:46 +00002035#else
2036 ((void) authmode);
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002037#endif /* MBEDTLS_SSL_SRV_C */
2038
2039 return( SSL_CERTIFICATE_EXPECTED );
2040}
2041
Hanno Becker68636192019-02-05 14:36:34 +00002042static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
2043 int authmode,
2044 mbedtls_x509_crt *chain,
2045 void *rs_ctx )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002046{
Hanno Becker6bdfab22019-02-05 13:11:17 +00002047 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002048 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00002049 ssl->handshake->ciphersuite_info;
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002050 int have_ca_chain = 0;
Hanno Becker68636192019-02-05 14:36:34 +00002051
Hanno Becker8927c832019-04-03 12:52:50 +01002052 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
2053 void *p_vrfy;
2054
Hanno Becker68636192019-02-05 14:36:34 +00002055 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2056 return( 0 );
2057
Hanno Becker8927c832019-04-03 12:52:50 +01002058 if( ssl->f_vrfy != NULL )
2059 {
Hanno Beckerefb440a2019-04-03 13:04:33 +01002060 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +01002061 f_vrfy = ssl->f_vrfy;
2062 p_vrfy = ssl->p_vrfy;
2063 }
2064 else
2065 {
Hanno Beckerefb440a2019-04-03 13:04:33 +01002066 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +01002067 f_vrfy = ssl->conf->f_vrfy;
2068 p_vrfy = ssl->conf->p_vrfy;
2069 }
2070
Hanno Becker68636192019-02-05 14:36:34 +00002071 /*
2072 * Main check: verify certificate
2073 */
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002074#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2075 if( ssl->conf->f_ca_cb != NULL )
2076 {
2077 ((void) rs_ctx);
2078 have_ca_chain = 1;
2079
2080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
Jarno Lamsa9822c0d2019-04-01 16:59:48 +03002081 ret = mbedtls_x509_crt_verify_with_ca_cb(
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002082 chain,
2083 ssl->conf->f_ca_cb,
2084 ssl->conf->p_ca_cb,
2085 ssl->conf->cert_profile,
2086 ssl->hostname,
2087 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +01002088 f_vrfy, p_vrfy );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002089 }
2090 else
2091#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2092 {
2093 mbedtls_x509_crt *ca_chain;
2094 mbedtls_x509_crl *ca_crl;
2095
2096#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2097 if( ssl->handshake->sni_ca_chain != NULL )
2098 {
2099 ca_chain = ssl->handshake->sni_ca_chain;
2100 ca_crl = ssl->handshake->sni_ca_crl;
2101 }
2102 else
2103#endif
2104 {
2105 ca_chain = ssl->conf->ca_chain;
2106 ca_crl = ssl->conf->ca_crl;
2107 }
2108
2109 if( ca_chain != NULL )
2110 have_ca_chain = 1;
2111
2112 ret = mbedtls_x509_crt_verify_restartable(
2113 chain,
2114 ca_chain, ca_crl,
2115 ssl->conf->cert_profile,
2116 ssl->hostname,
2117 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +01002118 f_vrfy, p_vrfy, rs_ctx );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002119 }
Hanno Becker68636192019-02-05 14:36:34 +00002120
2121 if( ret != 0 )
2122 {
2123 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2124 }
2125
Gilles Peskineeccd8882020-03-10 12:19:08 +01002126#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Hanno Becker68636192019-02-05 14:36:34 +00002127 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2128 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
2129#endif
2130
2131 /*
2132 * Secondary checks: always done, but change 'ret' only if it was 0
2133 */
2134
2135#if defined(MBEDTLS_ECP_C)
2136 {
2137 const mbedtls_pk_context *pk = &chain->pk;
2138
2139 /* If certificate uses an EC key, make sure the curve is OK */
2140 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
2141 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
2142 {
2143 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
2144
2145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2146 if( ret == 0 )
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002147 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Hanno Becker68636192019-02-05 14:36:34 +00002148 }
2149 }
2150#endif /* MBEDTLS_ECP_C */
2151
2152 if( mbedtls_ssl_check_cert_usage( chain,
2153 ciphersuite_info,
2154 ! ssl->conf->endpoint,
2155 &ssl->session_negotiate->verify_result ) != 0 )
2156 {
2157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2158 if( ret == 0 )
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002159 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Hanno Becker68636192019-02-05 14:36:34 +00002160 }
2161
2162 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
2163 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
2164 * with details encoded in the verification flags. All other kinds
2165 * of error codes, including those from the user provided f_vrfy
2166 * functions, are treated as fatal and lead to a failure of
2167 * ssl_parse_certificate even if verification was optional. */
2168 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
2169 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002170 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
Hanno Becker68636192019-02-05 14:36:34 +00002171 {
2172 ret = 0;
2173 }
2174
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002175 if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Hanno Becker68636192019-02-05 14:36:34 +00002176 {
2177 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2178 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
2179 }
2180
2181 if( ret != 0 )
2182 {
2183 uint8_t alert;
2184
2185 /* The certificate may have been rejected for several reasons.
2186 Pick one and send the corresponding alert. Which alert to send
2187 may be a subject of debate in some cases. */
2188 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
2189 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
2190 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
2191 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
2192 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
2193 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2194 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
2195 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2196 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
2197 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2198 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
2199 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2200 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
2201 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2202 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
2203 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
2204 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
2205 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
2206 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
2207 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
2208 else
2209 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
2210 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2211 alert );
2212 }
2213
2214#if defined(MBEDTLS_DEBUG_C)
2215 if( ssl->session_negotiate->verify_result != 0 )
2216 {
Paul Elliott3891caf2020-12-17 18:42:40 +00002217 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Paul Elliott9f352112020-12-09 14:55:45 +00002218 (unsigned int) ssl->session_negotiate->verify_result ) );
Hanno Becker68636192019-02-05 14:36:34 +00002219 }
2220 else
2221 {
2222 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
2223 }
2224#endif /* MBEDTLS_DEBUG_C */
2225
2226 return( ret );
2227}
2228
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002229#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2230static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
2231 unsigned char *start, size_t len )
2232{
Janos Follath865b3eb2019-12-16 11:46:15 +00002233 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002234 /* Remember digest of the peer's end-CRT. */
2235 ssl->session_negotiate->peer_cert_digest =
2236 mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
2237 if( ssl->session_negotiate->peer_cert_digest == NULL )
2238 {
2239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
irwir40883e92019-09-21 17:55:33 +03002240 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002241 mbedtls_ssl_send_alert_message( ssl,
2242 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2243 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2244
2245 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2246 }
2247
2248 ret = mbedtls_md( mbedtls_md_info_from_type(
2249 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
2250 start, len,
2251 ssl->session_negotiate->peer_cert_digest );
2252
2253 ssl->session_negotiate->peer_cert_digest_type =
2254 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
2255 ssl->session_negotiate->peer_cert_digest_len =
2256 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
2257
2258 return( ret );
2259}
2260
2261static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
2262 unsigned char *start, size_t len )
2263{
2264 unsigned char *end = start + len;
Janos Follath865b3eb2019-12-16 11:46:15 +00002265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002266
2267 /* Make a copy of the peer's raw public key. */
2268 mbedtls_pk_init( &ssl->handshake->peer_pubkey );
2269 ret = mbedtls_pk_parse_subpubkey( &start, end,
2270 &ssl->handshake->peer_pubkey );
2271 if( ret != 0 )
2272 {
2273 /* We should have parsed the public key before. */
2274 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2275 }
2276
2277 return( 0 );
2278}
2279#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2280
Hanno Becker68636192019-02-05 14:36:34 +00002281int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
2282{
2283 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002284 int crt_expected;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002285#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2286 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
2287 ? ssl->handshake->sni_authmode
2288 : ssl->conf->authmode;
2289#else
Johan Pascal4f099262020-09-22 10:59:26 +02002290 const int authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002291#endif
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002292 void *rs_ctx = NULL;
Hanno Becker3dad3112019-02-05 17:19:52 +00002293 mbedtls_x509_crt *chain = NULL;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002294
2295 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2296
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002297 crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
2298 if( crt_expected == SSL_CERTIFICATE_SKIP )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002299 {
2300 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Hanno Becker6bdfab22019-02-05 13:11:17 +00002301 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002302 }
2303
Gilles Peskineeccd8882020-03-10 12:19:08 +01002304#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002305 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02002306 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002307 {
Hanno Becker3dad3112019-02-05 17:19:52 +00002308 chain = ssl->handshake->ecrs_peer_cert;
2309 ssl->handshake->ecrs_peer_cert = NULL;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002310 goto crt_verify;
2311 }
2312#endif
2313
Manuel Pégourié-Gonnard125af942018-09-11 11:08:12 +02002314 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002315 {
2316 /* mbedtls_ssl_read_record may have sent an alert already. We
2317 let it decide whether to alert. */
2318 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Hanno Becker3dad3112019-02-05 17:19:52 +00002319 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002320 }
2321
Hanno Becker4a55f632019-02-05 12:49:06 +00002322#if defined(MBEDTLS_SSL_SRV_C)
2323 if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
2324 {
2325 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Hanno Becker4a55f632019-02-05 12:49:06 +00002326
irwird3085ab2020-04-21 22:26:05 +03002327 if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
Hanno Becker6bdfab22019-02-05 13:11:17 +00002328 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Hanno Becker4a55f632019-02-05 12:49:06 +00002329
Hanno Becker6bdfab22019-02-05 13:11:17 +00002330 goto exit;
Hanno Becker4a55f632019-02-05 12:49:06 +00002331 }
2332#endif /* MBEDTLS_SSL_SRV_C */
2333
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002334 /* Clear existing peer CRT structure in case we tried to
2335 * reuse a session but it failed, and allocate a new one. */
Hanno Becker7a955a02019-02-05 13:08:01 +00002336 ssl_clear_peer_cert( ssl->session_negotiate );
Hanno Becker3dad3112019-02-05 17:19:52 +00002337
2338 chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
2339 if( chain == NULL )
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002340 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00002341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002342 sizeof( mbedtls_x509_crt ) ) );
2343 mbedtls_ssl_send_alert_message( ssl,
2344 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2345 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Hanno Becker7a955a02019-02-05 13:08:01 +00002346
Hanno Becker3dad3112019-02-05 17:19:52 +00002347 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
2348 goto exit;
2349 }
2350 mbedtls_x509_crt_init( chain );
2351
2352 ret = ssl_parse_certificate_chain( ssl, chain );
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002353 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +00002354 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002355
Gilles Peskineeccd8882020-03-10 12:19:08 +01002356#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002357 if( ssl->handshake->ecrs_enabled)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02002358 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002359
2360crt_verify:
2361 if( ssl->handshake->ecrs_enabled)
2362 rs_ctx = &ssl->handshake->ecrs_ctx;
2363#endif
2364
Hanno Becker68636192019-02-05 14:36:34 +00002365 ret = ssl_parse_certificate_verify( ssl, authmode,
Hanno Becker3dad3112019-02-05 17:19:52 +00002366 chain, rs_ctx );
Hanno Becker68636192019-02-05 14:36:34 +00002367 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +00002368 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002369
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002370#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002371 {
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002372 unsigned char *crt_start, *pk_start;
2373 size_t crt_len, pk_len;
Hanno Becker3dad3112019-02-05 17:19:52 +00002374
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002375 /* We parse the CRT chain without copying, so
2376 * these pointers point into the input buffer,
2377 * and are hence still valid after freeing the
2378 * CRT chain. */
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002379
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002380 crt_start = chain->raw.p;
2381 crt_len = chain->raw.len;
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002382
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002383 pk_start = chain->pk_raw.p;
2384 pk_len = chain->pk_raw.len;
2385
2386 /* Free the CRT structures before computing
2387 * digest and copying the peer's public key. */
2388 mbedtls_x509_crt_free( chain );
2389 mbedtls_free( chain );
2390 chain = NULL;
2391
2392 ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
Hanno Beckera2747532019-02-06 16:19:04 +00002393 if( ret != 0 )
Hanno Beckera2747532019-02-06 16:19:04 +00002394 goto exit;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002395
2396 ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
2397 if( ret != 0 )
2398 goto exit;
Hanno Beckera2747532019-02-06 16:19:04 +00002399 }
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002400#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2401 /* Pass ownership to session structure. */
Hanno Becker3dad3112019-02-05 17:19:52 +00002402 ssl->session_negotiate->peer_cert = chain;
2403 chain = NULL;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002404#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker3dad3112019-02-05 17:19:52 +00002405
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002406 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002407
Hanno Becker6bdfab22019-02-05 13:11:17 +00002408exit:
2409
Hanno Becker3dad3112019-02-05 17:19:52 +00002410 if( ret == 0 )
2411 ssl->state++;
2412
Gilles Peskineeccd8882020-03-10 12:19:08 +01002413#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Hanno Becker3dad3112019-02-05 17:19:52 +00002414 if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
2415 {
2416 ssl->handshake->ecrs_peer_cert = chain;
2417 chain = NULL;
2418 }
2419#endif
2420
2421 if( chain != NULL )
2422 {
2423 mbedtls_x509_crt_free( chain );
2424 mbedtls_free( chain );
2425 }
2426
Paul Bakker5121ce52009-01-03 21:22:43 +00002427 return( ret );
2428}
Gilles Peskineeccd8882020-03-10 12:19:08 +01002429#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002431void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
2432 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002433{
Paul Bakkerfb08fd22013-08-27 15:06:26 +02002434 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +01002435
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002436#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002437#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002438 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002439 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2440 else
2441#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002442#if defined(MBEDTLS_SHA256_C)
2443 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +00002444 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002445 else
2446#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002447#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002448 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002450 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002451 }
Paul Bakker380da532012-04-18 16:10:25 +00002452}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002454void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002455{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002456#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2457#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002458#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -05002459 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002460 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2461#else
TRodziewicz26371e42021-06-08 16:45:41 +02002462 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002463#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002464#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002465#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002466#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -05002467 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
Andrzej Kurek972fba52019-01-30 03:29:12 -05002468 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002469#else
TRodziewicz26371e42021-06-08 16:45:41 +02002470 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002471#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002472#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002473#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002474}
2475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002476static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002477 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002478{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002479#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2480#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002481#if defined(MBEDTLS_USE_PSA_CRYPTO)
2482 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2483#else
TRodziewicz26371e42021-06-08 16:45:41 +02002484 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002485#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002486#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002487#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002488#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002489 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002490#else
TRodziewicz26371e42021-06-08 16:45:41 +02002491 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002492#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002493#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002494#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002495}
2496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002497#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2498#if defined(MBEDTLS_SHA256_C)
2499static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002500 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002501{
Andrzej Kurekeb342242019-01-29 09:14:33 -05002502#if defined(MBEDTLS_USE_PSA_CRYPTO)
2503 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2504#else
TRodziewicz26371e42021-06-08 16:45:41 +02002505 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002506#endif
Paul Bakker380da532012-04-18 16:10:25 +00002507}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002508#endif
Paul Bakker380da532012-04-18 16:10:25 +00002509
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002510#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002511static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002512 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002513{
Andrzej Kurekeb342242019-01-29 09:14:33 -05002514#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002515 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002516#else
TRodziewicz26371e42021-06-08 16:45:41 +02002517 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002518#endif
Paul Bakker380da532012-04-18 16:10:25 +00002519}
Paul Bakker769075d2012-11-24 11:26:46 +01002520#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002521#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002523#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2524#if defined(MBEDTLS_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00002525static void ssl_calc_finished_tls_sha256(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002526 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002527{
2528 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002529 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002530 unsigned char padbuf[32];
Andrzej Kurekeb342242019-01-29 09:14:33 -05002531#if defined(MBEDTLS_USE_PSA_CRYPTO)
2532 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +00002533 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -05002534 psa_status_t status;
2535#else
2536 mbedtls_sha256_context sha256;
2537#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002539 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002540 if( !session )
2541 session = ssl->session;
2542
Andrzej Kurekeb342242019-01-29 09:14:33 -05002543 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2544 ? "client finished"
2545 : "server finished";
2546
2547#if defined(MBEDTLS_USE_PSA_CRYPTO)
2548 sha256_psa = psa_hash_operation_init();
2549
2550 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
2551
2552 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
2553 if( status != PSA_SUCCESS )
2554 {
2555 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2556 return;
2557 }
2558
2559 status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
2560 if( status != PSA_SUCCESS )
2561 {
2562 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2563 return;
2564 }
2565 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
2566#else
2567
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002568 mbedtls_sha256_init( &sha256 );
2569
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002570 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002571
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002572 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002573
2574 /*
2575 * TLSv1.2:
2576 * hash = PRF( master, finished_label,
2577 * Hash( handshake ) )[0.11]
2578 */
2579
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002580#if !defined(MBEDTLS_SHA256_ALT)
2581 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002582 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002583#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002584
TRodziewicz26371e42021-06-08 16:45:41 +02002585 mbedtls_sha256_finish( &sha256, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002586 mbedtls_sha256_free( &sha256 );
2587#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002588
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002589 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002590 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002592 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002593
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05002594 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002595
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002597}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002598#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002599
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002600#if defined(MBEDTLS_SHA384_C)
Rodrigo Dias Corread596ca82020-11-25 00:42:28 -03002601
Paul Bakkerca4ab492012-04-18 14:23:57 +00002602static void ssl_calc_finished_tls_sha384(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002603 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakkerca4ab492012-04-18 14:23:57 +00002604{
2605 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002606 const char *sender;
Rodrigo Dias Corread596ca82020-11-25 00:42:28 -03002607 unsigned char padbuf[48];
Andrzej Kurekeb342242019-01-29 09:14:33 -05002608#if defined(MBEDTLS_USE_PSA_CRYPTO)
2609 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +00002610 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -05002611 psa_status_t status;
2612#else
2613 mbedtls_sha512_context sha512;
2614#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002616 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002617 if( !session )
2618 session = ssl->session;
2619
Andrzej Kurekeb342242019-01-29 09:14:33 -05002620 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2621 ? "client finished"
2622 : "server finished";
2623
2624#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002625 sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -05002626
2627 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
2628
Andrzej Kurek972fba52019-01-30 03:29:12 -05002629 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002630 if( status != PSA_SUCCESS )
2631 {
2632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2633 return;
2634 }
2635
Andrzej Kurek972fba52019-01-30 03:29:12 -05002636 status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002637 if( status != PSA_SUCCESS )
2638 {
2639 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2640 return;
2641 }
2642 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
2643#else
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002644 mbedtls_sha512_init( &sha512 );
2645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002647
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002648 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002649
2650 /*
2651 * TLSv1.2:
2652 * hash = PRF( master, finished_label,
2653 * Hash( handshake ) )[0.11]
2654 */
2655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002656#if !defined(MBEDTLS_SHA512_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002657 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
2658 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002659#endif
TRodziewicz26371e42021-06-08 16:45:41 +02002660 mbedtls_sha512_finish( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002661
Andrzej Kurekeb342242019-01-29 09:14:33 -05002662 mbedtls_sha512_free( &sha512 );
2663#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002664
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002665 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002666 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002668 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002669
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05002670 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002673}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002674#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002675#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +00002676
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00002677void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00002678{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002679 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002680
2681 /*
2682 * Free our handshake params
2683 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02002684 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002685 mbedtls_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00002686 ssl->handshake = NULL;
2687
2688 /*
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002689 * Free the previous transform and swith in the current one
Paul Bakker48916f92012-09-16 19:57:18 +00002690 */
2691 if( ssl->transform )
2692 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002693 mbedtls_ssl_transform_free( ssl->transform );
2694 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00002695 }
2696 ssl->transform = ssl->transform_negotiate;
2697 ssl->transform_negotiate = NULL;
2698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002699 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002700}
2701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002702void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002703{
2704 int resume = ssl->handshake->resume;
2705
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002708#if defined(MBEDTLS_SSL_RENEGOTIATION)
2709 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002711 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002712 ssl->renego_records_seen = 0;
2713 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002714#endif
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002715
2716 /*
2717 * Free the previous session and switch in the current one
2718 */
Paul Bakker0a597072012-09-25 21:55:46 +00002719 if( ssl->session )
2720 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002721#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +01002722 /* RFC 7366 3.1: keep the EtM state */
2723 ssl->session_negotiate->encrypt_then_mac =
2724 ssl->session->encrypt_then_mac;
2725#endif
2726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002727 mbedtls_ssl_session_free( ssl->session );
2728 mbedtls_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00002729 }
2730 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002731 ssl->session_negotiate = NULL;
2732
Paul Bakker0a597072012-09-25 21:55:46 +00002733 /*
2734 * Add cache entry
2735 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002736 if( ssl->conf->f_set_cache != NULL &&
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02002737 ssl->session->id_len != 0 &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002738 resume == 0 )
2739 {
Hanno Beckerccdaf6e2021-04-15 09:26:17 +01002740 if( ssl->conf->f_set_cache( ssl->conf->p_cache,
2741 ssl->session->id,
2742 ssl->session->id_len,
2743 ssl->session ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002744 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002745 }
Paul Bakker0a597072012-09-25 21:55:46 +00002746
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002747#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002748 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002749 ssl->handshake->flight != NULL )
2750 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002751 /* Cancel handshake timer */
Hanno Becker0f57a652020-02-05 10:37:26 +00002752 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002753
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002754 /* Keep last flight around in case we need to resend it:
2755 * we need the handshake and transform structures for that */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002756 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002757 }
2758 else
2759#endif
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00002760 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002761
Paul Bakker48916f92012-09-16 19:57:18 +00002762 ssl->state++;
2763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002764 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002765}
2766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002767int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002768{
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002769 int ret, hash_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002770
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002771 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002772
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00002773 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Paul Bakker92be97b2013-01-02 17:30:03 +01002774
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002775 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002776
Manuel Pégourié-Gonnard214a8482016-02-22 11:27:26 +01002777 /*
2778 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
2779 * may define some other value. Currently (early 2016), no defined
2780 * ciphersuite does this (and this is unlikely to change as activity has
2781 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
2782 */
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002783 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00002784
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002785#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002786 ssl->verify_data_len = hash_len;
2787 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002788#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002789
Paul Bakker5121ce52009-01-03 21:22:43 +00002790 ssl->out_msglen = 4 + hash_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002791 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2792 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
Paul Bakker5121ce52009-01-03 21:22:43 +00002793
2794 /*
2795 * In case of session resuming, invert the client and server
2796 * ChangeCipherSpec messages order.
2797 */
Paul Bakker0a597072012-09-25 21:55:46 +00002798 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002799 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002800#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002801 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002802 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002803#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002804#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002805 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002806 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002807#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002808 }
2809 else
2810 ssl->state++;
2811
Paul Bakker48916f92012-09-16 19:57:18 +00002812 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002813 * Switch to our negotiated transform and session parameters for outbound
2814 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00002815 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002816 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +01002817
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002818#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002820 {
2821 unsigned char i;
2822
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002823 /* Remember current epoch settings for resending */
2824 ssl->handshake->alt_transform_out = ssl->transform_out;
Hanno Becker19859472018-08-06 09:40:20 +01002825 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002826
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002827 /* Set sequence_number to zero */
Hanno Becker19859472018-08-06 09:40:20 +01002828 memset( ssl->cur_out_ctr + 2, 0, 6 );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002829
2830 /* Increment epoch */
2831 for( i = 2; i > 0; i-- )
Hanno Becker19859472018-08-06 09:40:20 +01002832 if( ++ssl->cur_out_ctr[i - 1] != 0 )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002833 break;
2834
2835 /* The loop goes to its end iff the counter is wrapping */
2836 if( i == 0 )
2837 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
2839 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002840 }
2841 }
2842 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002843#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker19859472018-08-06 09:40:20 +01002844 memset( ssl->cur_out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002845
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002846 ssl->transform_out = ssl->transform_negotiate;
2847 ssl->session_out = ssl->session_negotiate;
2848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002849#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002850 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002851 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02002852#endif
2853
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02002854 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002855 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02002856 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002857 return( ret );
2858 }
2859
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02002860#if defined(MBEDTLS_SSL_PROTO_DTLS)
2861 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2862 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2863 {
2864 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2865 return( ret );
2866 }
2867#endif
2868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002870
2871 return( 0 );
2872}
2873
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002874#define SSL_MAX_HASH_LEN 12
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002876int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002877{
Janos Follath865b3eb2019-12-16 11:46:15 +00002878 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002879 unsigned int hash_len;
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002880 unsigned char buf[SSL_MAX_HASH_LEN];
Paul Bakker5121ce52009-01-03 21:22:43 +00002881
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002882 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002883
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002884 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002885
Hanno Becker327c93b2018-08-15 13:56:18 +01002886 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002887 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002888 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002889 return( ret );
2890 }
2891
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002892 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002893 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002894 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002895 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2896 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002897 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002898 }
2899
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002900 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00002901
Hanno Beckera0ca87e2021-06-24 10:27:37 +01002902 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED )
2903 {
2904 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2905 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2906 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2907 }
2908
2909 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
Paul Bakker5121ce52009-01-03 21:22:43 +00002910 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002912 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2913 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckera0ca87e2021-06-24 10:27:37 +01002914 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00002915 }
2916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002917 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
Manuel Pégourié-Gonnard4abc3272014-09-10 12:02:46 +00002918 buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002921 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01002922 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2923 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002924 }
2925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002926#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002927 ssl->verify_data_len = hash_len;
2928 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002929#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002930
Paul Bakker0a597072012-09-25 21:55:46 +00002931 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002932 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002933#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002934 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002935 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002936#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002937#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002938 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002939 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002940#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002941 }
2942 else
2943 ssl->state++;
2944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002945#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002946 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002947 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002948#endif
2949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002951
2952 return( 0 );
2953}
2954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002955static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002956{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002957 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002958
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002959#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2960#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002961#if defined(MBEDTLS_USE_PSA_CRYPTO)
2962 handshake->fin_sha256_psa = psa_hash_operation_init();
2963 psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2964#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002965 mbedtls_sha256_init( &handshake->fin_sha256 );
TRodziewicz26371e42021-06-08 16:45:41 +02002966 mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002967#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002968#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002969#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002970#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002971 handshake->fin_sha384_psa = psa_hash_operation_init();
2972 psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002973#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002974 mbedtls_sha512_init( &handshake->fin_sha512 );
TRodziewicz26371e42021-06-08 16:45:41 +02002975 mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002976#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002977#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002978#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002979
2980 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +01002981
2982#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01002983 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01002984 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
2985#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002987#if defined(MBEDTLS_DHM_C)
2988 mbedtls_dhm_init( &handshake->dhm_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002989#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002990#if defined(MBEDTLS_ECDH_C)
2991 mbedtls_ecdh_init( &handshake->ecdh_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002992#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02002993#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02002994 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02002995#if defined(MBEDTLS_SSL_CLI_C)
2996 handshake->ecjpake_cache = NULL;
2997 handshake->ecjpake_cache_len = 0;
2998#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02002999#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003000
Gilles Peskineeccd8882020-03-10 12:19:08 +01003001#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02003002 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02003003#endif
3004
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003005#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3006 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
3007#endif
Hanno Becker75173122019-02-06 16:18:31 +00003008
3009#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
3010 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3011 mbedtls_pk_init( &handshake->peer_pubkey );
3012#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003013}
3014
Hanno Beckera18d1322018-01-03 14:27:32 +00003015void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003016{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003017 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003019 mbedtls_cipher_init( &transform->cipher_ctx_enc );
3020 mbedtls_cipher_init( &transform->cipher_ctx_dec );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003021
Hanno Beckerfd86ca82020-11-30 08:54:23 +00003022#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003023 mbedtls_md_init( &transform->md_ctx_enc );
3024 mbedtls_md_init( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +00003025#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003026}
3027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003028void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003029{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003030 memset( session, 0, sizeof(mbedtls_ssl_session) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003031}
3032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003033static int ssl_handshake_init( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00003034{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003035 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +00003036 if( ssl->transform_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003037 mbedtls_ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003038 if( ssl->session_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003039 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003040 if( ssl->handshake )
Gilles Peskine9b562d52018-04-25 20:32:43 +02003041 mbedtls_ssl_handshake_free( ssl );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003042
3043 /*
3044 * Either the pointers are now NULL or cleared properly and can be freed.
3045 * Now allocate missing structures.
3046 */
3047 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003048 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003049 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003050 }
Paul Bakker48916f92012-09-16 19:57:18 +00003051
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003052 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003053 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003054 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003055 }
Paul Bakker48916f92012-09-16 19:57:18 +00003056
Paul Bakker82788fb2014-10-20 13:59:19 +02003057 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003058 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003059 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003060 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05003061#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3062 /* If the buffers are too small - reallocate */
Andrzej Kurek8ea68722020-04-03 06:40:47 -04003063
Andrzej Kurek4a063792020-10-21 15:08:44 +02003064 handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
3065 MBEDTLS_SSL_OUT_BUFFER_LEN );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05003066#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003067
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003068 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +00003069 if( ssl->handshake == NULL ||
3070 ssl->transform_negotiate == NULL ||
3071 ssl->session_negotiate == NULL )
3072 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02003073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003074
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003075 mbedtls_free( ssl->handshake );
3076 mbedtls_free( ssl->transform_negotiate );
3077 mbedtls_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003078
3079 ssl->handshake = NULL;
3080 ssl->transform_negotiate = NULL;
3081 ssl->session_negotiate = NULL;
3082
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003083 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker48916f92012-09-16 19:57:18 +00003084 }
3085
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003086 /* Initialize structures */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003087 mbedtls_ssl_session_init( ssl->session_negotiate );
Hanno Beckera18d1322018-01-03 14:27:32 +00003088 mbedtls_ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +02003089 ssl_handshake_params_init( ssl->handshake );
3090
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003091#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003092 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3093 {
3094 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003095
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003096 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
3097 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
3098 else
3099 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003100
Hanno Becker0f57a652020-02-05 10:37:26 +00003101 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003102 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003103#endif
3104
Paul Bakker48916f92012-09-16 19:57:18 +00003105 return( 0 );
3106}
3107
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003108#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003109/* Dummy cookie callbacks for defaults */
3110static int ssl_cookie_write_dummy( void *ctx,
3111 unsigned char **p, unsigned char *end,
3112 const unsigned char *cli_id, size_t cli_id_len )
3113{
3114 ((void) ctx);
3115 ((void) p);
3116 ((void) end);
3117 ((void) cli_id);
3118 ((void) cli_id_len);
3119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003120 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003121}
3122
3123static int ssl_cookie_check_dummy( void *ctx,
3124 const unsigned char *cookie, size_t cookie_len,
3125 const unsigned char *cli_id, size_t cli_id_len )
3126{
3127 ((void) ctx);
3128 ((void) cookie);
3129 ((void) cookie_len);
3130 ((void) cli_id);
3131 ((void) cli_id_len);
3132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003133 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003134}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003135#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003136
Paul Bakker5121ce52009-01-03 21:22:43 +00003137/*
3138 * Initialize an SSL context
3139 */
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02003140void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
3141{
3142 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
3143}
3144
Jerry Yu60835a82021-08-04 10:13:52 +08003145static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
3146{
3147#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3148 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
3149 {
3150 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3151 {
3152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
3153 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3154 }
3155 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
3156 return( 0 );
3157 }
3158#endif
3159
3160#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3161 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
3162 {
3163 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
3164 return( 0 );
3165 }
3166#endif
3167
3168#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3169 if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
3170 {
3171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
3172 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3173 }
3174#endif
3175
3176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) );
3177 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3178}
3179
3180static int ssl_conf_check(const mbedtls_ssl_context *ssl)
3181{
3182 int ret;
3183 ret = ssl_conf_version_check( ssl );
3184 if( ret != 0 )
3185 return( ret );
3186
3187 /* Space for further checks */
3188
3189 return( 0 );
3190}
3191
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02003192/*
3193 * Setup an SSL context
3194 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +01003195
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02003196int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +02003197 const mbedtls_ssl_config *conf )
Paul Bakker5121ce52009-01-03 21:22:43 +00003198{
Janos Follath865b3eb2019-12-16 11:46:15 +00003199 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00003200 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3201 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00003202
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02003203 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +00003204
Jerry Yu60835a82021-08-04 10:13:52 +08003205 if( ( ret = ssl_conf_check( ssl ) ) != 0 )
3206 return( ret );
3207
Paul Bakker62f2dee2012-09-28 07:31:51 +00003208 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003209 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +00003210 */
k-stachowiakc9a5f022018-07-24 13:53:31 +02003211
3212 /* Set to NULL in case of an error condition */
3213 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +02003214
Darryl Greenb33cc762019-11-28 14:29:44 +00003215#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3216 ssl->in_buf_len = in_buf_len;
3217#endif
3218 ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
Angus Grattond8213d02016-05-25 20:56:48 +10003219 if( ssl->in_buf == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003220 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00003221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02003222 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02003223 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +10003224 }
3225
Darryl Greenb33cc762019-11-28 14:29:44 +00003226#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3227 ssl->out_buf_len = out_buf_len;
3228#endif
3229 ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
Angus Grattond8213d02016-05-25 20:56:48 +10003230 if( ssl->out_buf == NULL )
3231 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00003232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02003233 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02003234 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00003235 }
3236
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00003237 mbedtls_ssl_reset_in_out_pointers( ssl );
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02003238
Johan Pascalb62bb512015-12-03 21:56:45 +01003239#if defined(MBEDTLS_SSL_DTLS_SRTP)
Ron Eldor3adb9922017-12-21 10:15:08 +02003240 memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
Johan Pascalb62bb512015-12-03 21:56:45 +01003241#endif
3242
Paul Bakker48916f92012-09-16 19:57:18 +00003243 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
k-stachowiaka47911c2018-07-04 17:41:58 +02003244 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00003245
3246 return( 0 );
k-stachowiaka47911c2018-07-04 17:41:58 +02003247
3248error:
3249 mbedtls_free( ssl->in_buf );
3250 mbedtls_free( ssl->out_buf );
3251
3252 ssl->conf = NULL;
3253
Darryl Greenb33cc762019-11-28 14:29:44 +00003254#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3255 ssl->in_buf_len = 0;
3256 ssl->out_buf_len = 0;
3257#endif
k-stachowiaka47911c2018-07-04 17:41:58 +02003258 ssl->in_buf = NULL;
3259 ssl->out_buf = NULL;
3260
3261 ssl->in_hdr = NULL;
3262 ssl->in_ctr = NULL;
3263 ssl->in_len = NULL;
3264 ssl->in_iv = NULL;
3265 ssl->in_msg = NULL;
3266
3267 ssl->out_hdr = NULL;
3268 ssl->out_ctr = NULL;
3269 ssl->out_len = NULL;
3270 ssl->out_iv = NULL;
3271 ssl->out_msg = NULL;
3272
k-stachowiak9f7798e2018-07-31 16:52:32 +02003273 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003274}
3275
3276/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00003277 * Reset an initialized and used SSL context for re-use while retaining
3278 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003279 *
3280 * If partial is non-zero, keep data in the input buffer and client ID.
3281 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +00003282 */
Hanno Becker43aefe22020-02-05 10:44:56 +00003283int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
Paul Bakker7eb013f2011-10-06 12:37:39 +00003284{
Janos Follath865b3eb2019-12-16 11:46:15 +00003285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00003286#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3287 size_t in_buf_len = ssl->in_buf_len;
3288 size_t out_buf_len = ssl->out_buf_len;
3289#else
3290 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3291 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
3292#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003293
Hanno Becker7e772132018-08-10 12:38:21 +01003294#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
3295 !defined(MBEDTLS_SSL_SRV_C)
3296 ((void) partial);
3297#endif
3298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003299 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003300
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003301 /* Cancel any possibly running timer */
Hanno Becker0f57a652020-02-05 10:37:26 +00003302 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003304#if defined(MBEDTLS_SSL_RENEGOTIATION)
3305 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003306 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00003307
3308 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003309 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
3310 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003311#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003312 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00003313
Paul Bakker7eb013f2011-10-06 12:37:39 +00003314 ssl->in_offt = NULL;
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00003315 mbedtls_ssl_reset_in_out_pointers( ssl );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003316
3317 ssl->in_msgtype = 0;
3318 ssl->in_msglen = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003319#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02003320 ssl->next_record_offset = 0;
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003321 ssl->in_epoch = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02003322#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003323#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +00003324 mbedtls_ssl_dtls_replay_reset( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003325#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +00003326
3327 ssl->in_hslen = 0;
3328 ssl->nb_zero = 0;
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003329
3330 ssl->keep_current_message = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003331
3332 ssl->out_msgtype = 0;
3333 ssl->out_msglen = 0;
3334 ssl->out_left = 0;
3335
Hanno Becker19859472018-08-06 09:40:20 +01003336 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
3337
Paul Bakker48916f92012-09-16 19:57:18 +00003338 ssl->transform_in = NULL;
3339 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003340
Hanno Becker78640902018-08-13 16:35:15 +01003341 ssl->session_in = NULL;
3342 ssl->session_out = NULL;
3343
Darryl Greenb33cc762019-11-28 14:29:44 +00003344 memset( ssl->out_buf, 0, out_buf_len );
Hanno Becker4ccbf062018-08-10 11:20:38 +01003345
3346#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003347 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01003348#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3349 {
3350 ssl->in_left = 0;
Darryl Greenb33cc762019-11-28 14:29:44 +00003351 memset( ssl->in_buf, 0, in_buf_len );
Hanno Becker4ccbf062018-08-10 11:20:38 +01003352 }
Paul Bakker05ef8352012-05-08 09:17:57 +00003353
Paul Bakker48916f92012-09-16 19:57:18 +00003354 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003355 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003356 mbedtls_ssl_transform_free( ssl->transform );
3357 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003358 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00003359 }
Paul Bakker48916f92012-09-16 19:57:18 +00003360
Paul Bakkerc0463502013-02-14 11:19:38 +01003361 if( ssl->session )
3362 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003363 mbedtls_ssl_session_free( ssl->session );
3364 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01003365 ssl->session = NULL;
3366 }
3367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003368#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02003369 ssl->alpn_chosen = NULL;
3370#endif
3371
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003372#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker4ccbf062018-08-10 11:20:38 +01003373#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003374 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01003375#endif
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003376 {
3377 mbedtls_free( ssl->cli_id );
3378 ssl->cli_id = NULL;
3379 ssl->cli_id_len = 0;
3380 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02003381#endif
3382
Paul Bakker48916f92012-09-16 19:57:18 +00003383 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3384 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00003385
3386 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003387}
3388
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003389/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003390 * Reset an initialized and used SSL context for re-use while retaining
3391 * all application-set variables, function pointers and data.
3392 */
3393int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
3394{
Hanno Becker43aefe22020-02-05 10:44:56 +00003395 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003396}
3397
3398/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003399 * SSL set accessors
3400 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003401void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
Paul Bakker5121ce52009-01-03 21:22:43 +00003402{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003403 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +00003404}
3405
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02003406void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01003407{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003408 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01003409}
3410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003411#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003412void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003413{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003414 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003415}
3416#endif
3417
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003418void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003419{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003420 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003421}
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003422
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003423#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +01003424
Hanno Becker1841b0a2018-08-24 11:13:57 +01003425void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
3426 unsigned allow_packing )
Hanno Becker04da1892018-08-14 13:22:10 +01003427{
3428 ssl->disable_datagram_packing = !allow_packing;
3429}
3430
3431void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
3432 uint32_t min, uint32_t max )
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02003433{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003434 conf->hs_timeout_min = min;
3435 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02003436}
3437#endif
3438
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003439void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
Paul Bakker5121ce52009-01-03 21:22:43 +00003440{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003441 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +00003442}
3443
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003444#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003445void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02003446 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003447 void *p_vrfy )
3448{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003449 conf->f_vrfy = f_vrfy;
3450 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003451}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003452#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003453
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003454void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
Paul Bakkera3d195c2011-11-27 21:07:34 +00003455 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00003456 void *p_rng )
3457{
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01003458 conf->f_rng = f_rng;
3459 conf->p_rng = p_rng;
Paul Bakker5121ce52009-01-03 21:22:43 +00003460}
3461
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003462void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardfd474232015-06-23 16:34:24 +02003463 void (*f_dbg)(void *, int, const char *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00003464 void *p_dbg )
3465{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003466 conf->f_dbg = f_dbg;
3467 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +00003468}
3469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003470void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003471 void *p_bio,
Simon Butchere846b512016-03-01 17:31:49 +00003472 mbedtls_ssl_send_t *f_send,
3473 mbedtls_ssl_recv_t *f_recv,
3474 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003475{
3476 ssl->p_bio = p_bio;
3477 ssl->f_send = f_send;
3478 ssl->f_recv = f_recv;
3479 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01003480}
3481
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02003482#if defined(MBEDTLS_SSL_PROTO_DTLS)
3483void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
3484{
3485 ssl->mtu = mtu;
3486}
3487#endif
3488
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003489void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01003490{
3491 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003492}
3493
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003494void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
3495 void *p_timer,
Simon Butchere846b512016-03-01 17:31:49 +00003496 mbedtls_ssl_set_timer_t *f_set_timer,
3497 mbedtls_ssl_get_timer_t *f_get_timer )
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003498{
3499 ssl->p_timer = p_timer;
3500 ssl->f_set_timer = f_set_timer;
3501 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003502
3503 /* Make sure we start with no timer running */
Hanno Becker0f57a652020-02-05 10:37:26 +00003504 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003505}
3506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003507#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003508void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
Hanno Beckera637ff62021-04-15 08:42:48 +01003509 void *p_cache,
3510 mbedtls_ssl_cache_get_t *f_get_cache,
3511 mbedtls_ssl_cache_set_t *f_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00003512{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01003513 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003514 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003515 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00003516}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003517#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003519#if defined(MBEDTLS_SSL_CLI_C)
3520int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00003521{
Janos Follath865b3eb2019-12-16 11:46:15 +00003522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003523
3524 if( ssl == NULL ||
3525 session == NULL ||
3526 ssl->session_negotiate == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003527 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003528 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003529 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003530 }
3531
Hanno Beckere810bbc2021-05-14 16:01:05 +01003532 if( ssl->handshake->resume == 1 )
3533 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3534
Hanno Becker52055ae2019-02-06 14:30:46 +00003535 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
3536 session ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003537 return( ret );
3538
Paul Bakker0a597072012-09-25 21:55:46 +00003539 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003540
3541 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003542}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003543#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003544
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01003545void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
3546 const int *ciphersuites )
3547{
Hanno Beckerd60b6c62021-04-29 12:04:11 +01003548 conf->ciphersuite_list = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00003549}
3550
Hanno Becker71f1ed62021-07-24 06:01:47 +01003551#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
Jerry Yucadebe52021-08-24 10:36:45 +08003552void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
Hanno Becker71f1ed62021-07-24 06:01:47 +01003553 const int kex_modes )
3554{
Jerry Yud85a52c2021-08-24 10:55:07 +08003555 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
Hanno Becker71f1ed62021-07-24 06:01:47 +01003556}
3557#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
3558
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003559#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02003560void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
Nicholas Wilson2088e2e2015-09-08 16:53:18 +01003561 const mbedtls_x509_crt_profile *profile )
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02003562{
3563 conf->cert_profile = profile;
3564}
3565
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003566/* Append a new keycert entry to a (possibly empty) list */
3567static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
3568 mbedtls_x509_crt *cert,
3569 mbedtls_pk_context *key )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003570{
niisato8ee24222018-06-25 19:05:48 +09003571 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003572
niisato8ee24222018-06-25 19:05:48 +09003573 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
3574 if( new_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003575 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003576
niisato8ee24222018-06-25 19:05:48 +09003577 new_cert->cert = cert;
3578 new_cert->key = key;
3579 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003580
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003581 /* Update head is the list was null, else add to the end */
3582 if( *head == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +01003583 {
niisato8ee24222018-06-25 19:05:48 +09003584 *head = new_cert;
Paul Bakker0333b972013-11-04 17:08:28 +01003585 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003586 else
3587 {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003588 mbedtls_ssl_key_cert *cur = *head;
3589 while( cur->next != NULL )
3590 cur = cur->next;
niisato8ee24222018-06-25 19:05:48 +09003591 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003592 }
3593
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003594 return( 0 );
3595}
3596
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003597int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003598 mbedtls_x509_crt *own_cert,
3599 mbedtls_pk_context *pk_key )
3600{
Manuel Pégourié-Gonnard17a40cd2015-05-10 23:17:17 +02003601 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003602}
3603
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003604void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003605 mbedtls_x509_crt *ca_chain,
3606 mbedtls_x509_crl *ca_crl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003607{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003608 conf->ca_chain = ca_chain;
3609 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +00003610
3611#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3612 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3613 * cannot be used together. */
3614 conf->f_ca_cb = NULL;
3615 conf->p_ca_cb = NULL;
3616#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +00003617}
Hanno Becker5adaad92019-03-27 16:54:37 +00003618
3619#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3620void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00003621 mbedtls_x509_crt_ca_cb_t f_ca_cb,
Hanno Becker5adaad92019-03-27 16:54:37 +00003622 void *p_ca_cb )
3623{
3624 conf->f_ca_cb = f_ca_cb;
3625 conf->p_ca_cb = p_ca_cb;
3626
3627 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3628 * cannot be used together. */
3629 conf->ca_chain = NULL;
3630 conf->ca_crl = NULL;
3631}
3632#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003633#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00003634
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02003635#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3636int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
3637 mbedtls_x509_crt *own_cert,
3638 mbedtls_pk_context *pk_key )
3639{
3640 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
3641 own_cert, pk_key ) );
3642}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02003643
3644void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
3645 mbedtls_x509_crt *ca_chain,
3646 mbedtls_x509_crl *ca_crl )
3647{
3648 ssl->handshake->sni_ca_chain = ca_chain;
3649 ssl->handshake->sni_ca_crl = ca_crl;
3650}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003651
3652void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
3653 int authmode )
3654{
3655 ssl->handshake->sni_authmode = authmode;
3656}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02003657#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3658
Hanno Becker8927c832019-04-03 12:52:50 +01003659#if defined(MBEDTLS_X509_CRT_PARSE_C)
3660void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
3661 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3662 void *p_vrfy )
3663{
3664 ssl->f_vrfy = f_vrfy;
3665 ssl->p_vrfy = p_vrfy;
3666}
3667#endif
3668
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02003669#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003670/*
3671 * Set EC J-PAKE password for current handshake
3672 */
3673int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
3674 const unsigned char *pw,
3675 size_t pw_len )
3676{
3677 mbedtls_ecjpake_role role;
3678
Janos Follath8eb64132016-06-03 15:40:57 +01003679 if( ssl->handshake == NULL || ssl->conf == NULL )
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003680 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3681
3682 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
3683 role = MBEDTLS_ECJPAKE_SERVER;
3684 else
3685 role = MBEDTLS_ECJPAKE_CLIENT;
3686
3687 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
3688 role,
3689 MBEDTLS_MD_SHA256,
3690 MBEDTLS_ECP_DP_SECP256R1,
3691 pw, pw_len ) );
3692}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02003693#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003694
Gilles Peskineeccd8882020-03-10 12:19:08 +01003695#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003696
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003697static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
3698{
3699#if defined(MBEDTLS_USE_PSA_CRYPTO)
3700 if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
3701 return( 1 );
3702#endif /* MBEDTLS_USE_PSA_CRYPTO */
3703
3704 if( conf->psk != NULL )
3705 return( 1 );
3706
3707 return( 0 );
3708}
3709
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003710static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
3711{
3712 /* Remove reference to existing PSK, if any. */
3713#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +02003714 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003715 {
3716 /* The maintenance of the PSK key slot is the
3717 * user's responsibility. */
Ronald Croncf56a0a2020-08-04 09:51:30 +02003718 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003719 }
Hanno Beckera63ac3f2018-11-05 12:47:16 +00003720 /* This and the following branch should never
3721 * be taken simultaenously as we maintain the
3722 * invariant that raw and opaque PSKs are never
3723 * configured simultaneously. As a safeguard,
3724 * though, `else` is omitted here. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003725#endif /* MBEDTLS_USE_PSA_CRYPTO */
3726 if( conf->psk != NULL )
3727 {
3728 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
3729
3730 mbedtls_free( conf->psk );
3731 conf->psk = NULL;
3732 conf->psk_len = 0;
3733 }
3734
3735 /* Remove reference to PSK identity, if any. */
3736 if( conf->psk_identity != NULL )
3737 {
3738 mbedtls_free( conf->psk_identity );
3739 conf->psk_identity = NULL;
3740 conf->psk_identity_len = 0;
3741 }
3742}
3743
Hanno Becker7390c712018-11-15 13:33:04 +00003744/* This function assumes that PSK identity in the SSL config is unset.
3745 * It checks that the provided identity is well-formed and attempts
3746 * to make a copy of it in the SSL config.
3747 * On failure, the PSK identity in the config remains unset. */
3748static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
3749 unsigned char const *psk_identity,
3750 size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003751{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003752 /* Identity len will be encoded on two bytes */
Hanno Becker7390c712018-11-15 13:33:04 +00003753 if( psk_identity == NULL ||
3754 ( psk_identity_len >> 16 ) != 0 ||
Angus Grattond8213d02016-05-25 20:56:48 +10003755 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003756 {
3757 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3758 }
3759
Hanno Becker7390c712018-11-15 13:33:04 +00003760 conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
3761 if( conf->psk_identity == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003762 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker6db455e2013-09-18 17:29:31 +02003763
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01003764 conf->psk_identity_len = psk_identity_len;
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01003765 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +02003766
3767 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +02003768}
3769
Hanno Becker7390c712018-11-15 13:33:04 +00003770int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
3771 const unsigned char *psk, size_t psk_len,
3772 const unsigned char *psk_identity, size_t psk_identity_len )
3773{
Janos Follath865b3eb2019-12-16 11:46:15 +00003774 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003775
3776 /* We currently only support one PSK, raw or opaque. */
3777 if( ssl_conf_psk_is_configured( conf ) )
3778 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Hanno Becker7390c712018-11-15 13:33:04 +00003779
3780 /* Check and set raw PSK */
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01003781 if( psk == NULL )
Hanno Becker7390c712018-11-15 13:33:04 +00003782 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01003783 if( psk_len == 0 )
3784 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3785 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3786 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3787
Hanno Becker7390c712018-11-15 13:33:04 +00003788 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
3789 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3790 conf->psk_len = psk_len;
3791 memcpy( conf->psk, psk, conf->psk_len );
3792
3793 /* Check and set PSK Identity */
3794 ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
3795 if( ret != 0 )
3796 ssl_conf_remove_psk( conf );
3797
3798 return( ret );
3799}
3800
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003801static void ssl_remove_psk( mbedtls_ssl_context *ssl )
3802{
3803#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +02003804 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003805 {
Ronald Croncf56a0a2020-08-04 09:51:30 +02003806 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003807 }
3808 else
3809#endif /* MBEDTLS_USE_PSA_CRYPTO */
3810 if( ssl->handshake->psk != NULL )
3811 {
3812 mbedtls_platform_zeroize( ssl->handshake->psk,
3813 ssl->handshake->psk_len );
3814 mbedtls_free( ssl->handshake->psk );
3815 ssl->handshake->psk_len = 0;
3816 }
3817}
3818
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003819int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
3820 const unsigned char *psk, size_t psk_len )
3821{
3822 if( psk == NULL || ssl->handshake == NULL )
3823 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3824
3825 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3826 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3827
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003828 ssl_remove_psk( ssl );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003829
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003830 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003831 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003832
3833 ssl->handshake->psk_len = psk_len;
3834 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
3835
3836 return( 0 );
3837}
3838
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003839#if defined(MBEDTLS_USE_PSA_CRYPTO)
3840int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
Ronald Croncf56a0a2020-08-04 09:51:30 +02003841 psa_key_id_t psk,
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003842 const unsigned char *psk_identity,
3843 size_t psk_identity_len )
3844{
Janos Follath865b3eb2019-12-16 11:46:15 +00003845 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003846
3847 /* We currently only support one PSK, raw or opaque. */
3848 if( ssl_conf_psk_is_configured( conf ) )
3849 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003850
Hanno Becker7390c712018-11-15 13:33:04 +00003851 /* Check and set opaque PSK */
Ronald Croncf56a0a2020-08-04 09:51:30 +02003852 if( mbedtls_svc_key_id_is_null( psk ) )
Hanno Becker7390c712018-11-15 13:33:04 +00003853 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003854 conf->psk_opaque = psk;
Hanno Becker7390c712018-11-15 13:33:04 +00003855
3856 /* Check and set PSK Identity */
3857 ret = ssl_conf_set_psk_identity( conf, psk_identity,
3858 psk_identity_len );
3859 if( ret != 0 )
3860 ssl_conf_remove_psk( conf );
3861
3862 return( ret );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003863}
3864
3865int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
Ronald Croncf56a0a2020-08-04 09:51:30 +02003866 psa_key_id_t psk )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003867{
Ronald Croncf56a0a2020-08-04 09:51:30 +02003868 if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
Ronald Cronc26f8d42020-09-01 10:51:51 +02003869 ( ssl->handshake == NULL ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003870 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3871
3872 ssl_remove_psk( ssl );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003873 ssl->handshake->psk_opaque = psk;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003874 return( 0 );
3875}
3876#endif /* MBEDTLS_USE_PSA_CRYPTO */
3877
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003878void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003879 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
Paul Bakker6db455e2013-09-18 17:29:31 +02003880 size_t),
3881 void *p_psk )
3882{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003883 conf->f_psk = f_psk;
3884 conf->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003885}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003886#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00003887
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02003888#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckera90658f2017-10-04 15:29:08 +01003889int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
3890 const unsigned char *dhm_P, size_t P_len,
3891 const unsigned char *dhm_G, size_t G_len )
3892{
Janos Follath865b3eb2019-12-16 11:46:15 +00003893 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckera90658f2017-10-04 15:29:08 +01003894
3895 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
3896 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
3897 {
3898 mbedtls_mpi_free( &conf->dhm_P );
3899 mbedtls_mpi_free( &conf->dhm_G );
3900 return( ret );
3901 }
3902
3903 return( 0 );
3904}
Paul Bakker5121ce52009-01-03 21:22:43 +00003905
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003906int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
Paul Bakker1b57b062011-01-06 15:48:19 +00003907{
Janos Follath865b3eb2019-12-16 11:46:15 +00003908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker1b57b062011-01-06 15:48:19 +00003909
Gilles Peskinee5702482021-06-11 21:59:08 +02003910 if( ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_P,
3911 &conf->dhm_P ) ) != 0 ||
3912 ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_G,
3913 &conf->dhm_G ) ) != 0 )
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01003914 {
3915 mbedtls_mpi_free( &conf->dhm_P );
3916 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker1b57b062011-01-06 15:48:19 +00003917 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01003918 }
Paul Bakker1b57b062011-01-06 15:48:19 +00003919
3920 return( 0 );
3921}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02003922#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00003923
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02003924#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
3925/*
3926 * Set the minimum length for Diffie-Hellman parameters
3927 */
3928void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
3929 unsigned int bitlen )
3930{
3931 conf->dhm_min_bitlen = bitlen;
3932}
3933#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
3934
Gilles Peskineeccd8882020-03-10 12:19:08 +01003935#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02003936/*
3937 * Set allowed/preferred hashes for handshake signatures
3938 */
3939void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
3940 const int *hashes )
3941{
3942 conf->sig_hashes = hashes;
3943}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003944#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02003945
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02003946#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003947/*
3948 * Set the allowed elliptic curves
3949 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003950void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003951 const mbedtls_ecp_group_id *curve_list )
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003952{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003953 conf->curve_list = curve_list;
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003954}
Hanno Becker947194e2017-04-07 13:25:49 +01003955#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003956
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003957#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003958int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00003959{
Hanno Becker947194e2017-04-07 13:25:49 +01003960 /* Initialize to suppress unnecessary compiler warning */
3961 size_t hostname_len = 0;
3962
3963 /* Check if new hostname is valid before
3964 * making any change to current one */
Hanno Becker947194e2017-04-07 13:25:49 +01003965 if( hostname != NULL )
3966 {
3967 hostname_len = strlen( hostname );
3968
3969 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
3970 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3971 }
3972
3973 /* Now it's clear that we will overwrite the old hostname,
3974 * so we can free it safely */
3975
3976 if( ssl->hostname != NULL )
3977 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05003978 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Hanno Becker947194e2017-04-07 13:25:49 +01003979 mbedtls_free( ssl->hostname );
3980 }
3981
3982 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +01003983
Paul Bakker5121ce52009-01-03 21:22:43 +00003984 if( hostname == NULL )
Hanno Becker947194e2017-04-07 13:25:49 +01003985 {
3986 ssl->hostname = NULL;
3987 }
3988 else
3989 {
3990 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
Hanno Becker947194e2017-04-07 13:25:49 +01003991 if( ssl->hostname == NULL )
3992 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02003993
Hanno Becker947194e2017-04-07 13:25:49 +01003994 memcpy( ssl->hostname, hostname, hostname_len );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02003995
Hanno Becker947194e2017-04-07 13:25:49 +01003996 ssl->hostname[hostname_len] = '\0';
3997 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003998
3999 return( 0 );
4000}
Hanno Becker1a9a51c2017-04-07 13:02:16 +01004001#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00004002
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01004003#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004004void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004005 int (*f_sni)(void *, mbedtls_ssl_context *,
Paul Bakker5701cdc2012-09-27 21:49:42 +00004006 const unsigned char *, size_t),
4007 void *p_sni )
4008{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004009 conf->f_sni = f_sni;
4010 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +00004011}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004012#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00004013
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004014#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004015int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004016{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004017 size_t cur_len, tot_len;
4018 const char **p;
4019
4020 /*
Brian J Murray1903fb32016-11-06 04:45:15 -08004021 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
4022 * MUST NOT be truncated."
4023 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004024 */
4025 tot_len = 0;
4026 for( p = protos; *p != NULL; p++ )
4027 {
4028 cur_len = strlen( *p );
4029 tot_len += cur_len;
4030
Ronald Cron8216dd32020-04-23 16:41:44 +02004031 if( ( cur_len == 0 ) ||
4032 ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
4033 ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004034 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004035 }
4036
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004037 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004038
4039 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004040}
4041
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004042const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004043{
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004044 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004045}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004046#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004047
Johan Pascalb62bb512015-12-03 21:56:45 +01004048#if defined(MBEDTLS_SSL_DTLS_SRTP)
Ron Eldoref72faf2018-07-12 11:54:20 +03004049void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
4050 int support_mki_value )
Ron Eldor591f1622018-01-22 12:30:04 +02004051{
4052 conf->dtls_srtp_mki_support = support_mki_value;
4053}
4054
Ron Eldoref72faf2018-07-12 11:54:20 +03004055int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
4056 unsigned char *mki_value,
Johan Pascalf6417ec2020-09-22 15:15:19 +02004057 uint16_t mki_len )
Ron Eldor591f1622018-01-22 12:30:04 +02004058{
Johan Pascal5ef72d22020-10-28 17:05:47 +01004059 if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
Ron Eldora9788042018-12-05 11:04:31 +02004060 {
Johan Pascald576fdb2020-09-22 10:39:53 +02004061 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Ron Eldora9788042018-12-05 11:04:31 +02004062 }
Ron Eldor591f1622018-01-22 12:30:04 +02004063
4064 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
Ron Eldora9788042018-12-05 11:04:31 +02004065 {
Johan Pascald576fdb2020-09-22 10:39:53 +02004066 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Ron Eldora9788042018-12-05 11:04:31 +02004067 }
Ron Eldor591f1622018-01-22 12:30:04 +02004068
4069 memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
4070 ssl->dtls_srtp_info.mki_len = mki_len;
Ron Eldora9788042018-12-05 11:04:31 +02004071 return( 0 );
Ron Eldor591f1622018-01-22 12:30:04 +02004072}
4073
Ron Eldoref72faf2018-07-12 11:54:20 +03004074int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
Johan Pascal253d0262020-09-22 13:04:45 +02004075 const mbedtls_ssl_srtp_profile *profiles )
Johan Pascalb62bb512015-12-03 21:56:45 +01004076{
Johan Pascal253d0262020-09-22 13:04:45 +02004077 const mbedtls_ssl_srtp_profile *p;
4078 size_t list_size = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01004079
Johan Pascal253d0262020-09-22 13:04:45 +02004080 /* check the profiles list: all entry must be valid,
4081 * its size cannot be more than the total number of supported profiles, currently 4 */
Johan Pascald387aa02020-09-23 18:47:56 +02004082 for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
4083 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
4084 p++ )
Johan Pascald576fdb2020-09-22 10:39:53 +02004085 {
Johan Pascal5ef72d22020-10-28 17:05:47 +01004086 if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
Johan Pascald576fdb2020-09-22 10:39:53 +02004087 {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02004088 list_size++;
4089 }
4090 else
4091 {
4092 /* unsupported value, stop parsing and set the size to an error value */
4093 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
Johan Pascalb62bb512015-12-03 21:56:45 +01004094 }
4095 }
4096
Johan Pascal5ef72d22020-10-28 17:05:47 +01004097 if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
Johan Pascald387aa02020-09-23 18:47:56 +02004098 {
Johan Pascal253d0262020-09-22 13:04:45 +02004099 conf->dtls_srtp_profile_list = NULL;
4100 conf->dtls_srtp_profile_list_len = 0;
4101 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4102 }
4103
Johan Pascal9bc97ca2020-09-21 23:44:45 +02004104 conf->dtls_srtp_profile_list = profiles;
Johan Pascal253d0262020-09-22 13:04:45 +02004105 conf->dtls_srtp_profile_list_len = list_size;
Johan Pascalb62bb512015-12-03 21:56:45 +01004106
4107 return( 0 );
4108}
4109
Johan Pascal5ef72d22020-10-28 17:05:47 +01004110void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
4111 mbedtls_dtls_srtp_info *dtls_srtp_info )
Johan Pascalb62bb512015-12-03 21:56:45 +01004112{
Johan Pascal2258a4f2020-10-28 13:53:09 +01004113 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
4114 /* do not copy the mki value if there is no chosen profile */
Johan Pascal5ef72d22020-10-28 17:05:47 +01004115 if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
Johan Pascal0dbcd1d2020-10-28 11:03:07 +01004116 {
Johan Pascal2258a4f2020-10-28 13:53:09 +01004117 dtls_srtp_info->mki_len = 0;
Johan Pascal0dbcd1d2020-10-28 11:03:07 +01004118 }
Johan Pascal2258a4f2020-10-28 13:53:09 +01004119 else
4120 {
4121 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
Johan Pascal5ef72d22020-10-28 17:05:47 +01004122 memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
4123 ssl->dtls_srtp_info.mki_len );
Johan Pascal2258a4f2020-10-28 13:53:09 +01004124 }
Johan Pascalb62bb512015-12-03 21:56:45 +01004125}
Johan Pascalb62bb512015-12-03 21:56:45 +01004126#endif /* MBEDTLS_SSL_DTLS_SRTP */
4127
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02004128void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker490ecc82011-10-06 13:04:09 +00004129{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004130 conf->max_major_ver = major;
4131 conf->max_minor_ver = minor;
Paul Bakker490ecc82011-10-06 13:04:09 +00004132}
4133
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02004134void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker1d29fb52012-09-28 13:28:45 +00004135{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004136 conf->min_major_ver = major;
4137 conf->min_minor_ver = minor;
Paul Bakker1d29fb52012-09-28 13:28:45 +00004138}
4139
Janos Follath088ce432017-04-10 12:42:31 +01004140#if defined(MBEDTLS_SSL_SRV_C)
4141void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
4142 char cert_req_ca_list )
4143{
4144 conf->cert_req_ca_list = cert_req_ca_list;
4145}
4146#endif
4147
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004148#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004149void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004150{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004151 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004152}
4153#endif
4154
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004155#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004156void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004157{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004158 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004159}
4160#endif
4161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004162#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004163int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004164{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004165 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
Angus Grattond8213d02016-05-25 20:56:48 +10004166 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004167 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004168 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004169 }
4170
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +01004171 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004172
4173 return( 0 );
4174}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004175#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004176
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004177void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
Paul Bakker48916f92012-09-16 19:57:18 +00004178{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004179 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +00004180}
4181
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004182#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004183void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004184{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004185 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004186}
4187
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004188void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004189{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004190 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004191}
4192
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004193void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004194 const unsigned char period[8] )
4195{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004196 memcpy( conf->renego_period, period, 8 );
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004197}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004198#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004199
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004200#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004201#if defined(MBEDTLS_SSL_CLI_C)
4202void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004203{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +01004204 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004205}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004206#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +02004207
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004208#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02004209void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
4210 mbedtls_ssl_ticket_write_t *f_ticket_write,
4211 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
4212 void *p_ticket )
Paul Bakker606b4ba2013-08-14 16:52:14 +02004213{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02004214 conf->f_ticket_write = f_ticket_write;
4215 conf->f_ticket_parse = f_ticket_parse;
4216 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +02004217}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004218#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004219#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004220
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004221#if defined(MBEDTLS_SSL_EXPORT_KEYS)
Hanno Becker7e6c1782021-06-08 09:24:55 +01004222void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
4223 mbedtls_ssl_export_keys_t *f_export_keys,
4224 void *p_export_keys )
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004225{
Hanno Becker7e6c1782021-06-08 09:24:55 +01004226 ssl->f_export_keys = f_export_keys;
4227 ssl->p_export_keys = p_export_keys;
Ron Eldorf5cc10d2019-05-07 18:33:40 +03004228}
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004229#endif
4230
Gilles Peskineb74a1c72018-04-24 13:09:22 +02004231#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004232void mbedtls_ssl_conf_async_private_cb(
4233 mbedtls_ssl_config *conf,
4234 mbedtls_ssl_async_sign_t *f_async_sign,
4235 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
4236 mbedtls_ssl_async_resume_t *f_async_resume,
4237 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004238 void *async_config_data )
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004239{
4240 conf->f_async_sign_start = f_async_sign;
4241 conf->f_async_decrypt_start = f_async_decrypt;
4242 conf->f_async_resume = f_async_resume;
4243 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004244 conf->p_async_config_data = async_config_data;
4245}
4246
Gilles Peskine8f97af72018-04-26 11:46:10 +02004247void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
4248{
4249 return( conf->p_async_config_data );
4250}
4251
Gilles Peskine1febfef2018-04-30 11:54:39 +02004252void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004253{
4254 if( ssl->handshake == NULL )
4255 return( NULL );
4256 else
4257 return( ssl->handshake->user_async_ctx );
4258}
4259
Gilles Peskine1febfef2018-04-30 11:54:39 +02004260void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004261 void *ctx )
4262{
4263 if( ssl->handshake != NULL )
4264 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004265}
Gilles Peskineb74a1c72018-04-24 13:09:22 +02004266#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004267
Paul Bakker5121ce52009-01-03 21:22:43 +00004268/*
4269 * SSL get accessors
4270 */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02004271uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004272{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00004273 if( ssl->session != NULL )
4274 return( ssl->session->verify_result );
4275
4276 if( ssl->session_negotiate != NULL )
4277 return( ssl->session_negotiate->verify_result );
4278
Manuel Pégourié-Gonnard6ab9b002015-05-14 11:25:04 +02004279 return( 0xFFFFFFFF );
Paul Bakker5121ce52009-01-03 21:22:43 +00004280}
4281
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004282const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00004283{
Paul Bakker926c8e42013-03-06 10:23:34 +01004284 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004285 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +01004286
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004287 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00004288}
4289
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004290const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
Paul Bakker43ca69c2011-01-15 17:35:19 +00004291{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004292#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004293 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004294 {
4295 switch( ssl->minor_ver )
4296 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004297 case MBEDTLS_SSL_MINOR_VERSION_3:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004298 return( "DTLSv1.2" );
4299
4300 default:
4301 return( "unknown (DTLS)" );
4302 }
4303 }
4304#endif
4305
Paul Bakker43ca69c2011-01-15 17:35:19 +00004306 switch( ssl->minor_ver )
4307 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004308 case MBEDTLS_SSL_MINOR_VERSION_3:
Paul Bakker1ef83d62012-04-11 12:09:53 +00004309 return( "TLSv1.2" );
4310
Paul Bakker43ca69c2011-01-15 17:35:19 +00004311 default:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004312 return( "unknown" );
Paul Bakker43ca69c2011-01-15 17:35:19 +00004313 }
Paul Bakker43ca69c2011-01-15 17:35:19 +00004314}
4315
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004316#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004317size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
4318{
David Horstmann95d516f2021-05-04 18:36:56 +01004319 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004320 size_t read_mfl;
4321
4322 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
4323 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4324 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE )
4325 {
4326 return ssl_mfl_code_to_length( ssl->conf->mfl_code );
4327 }
4328
4329 /* Check if a smaller max length was negotiated */
4330 if( ssl->session_out != NULL )
4331 {
4332 read_mfl = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
4333 if( read_mfl < max_len )
4334 {
4335 max_len = read_mfl;
4336 }
4337 }
4338
4339 // During a handshake, use the value being negotiated
4340 if( ssl->session_negotiate != NULL )
4341 {
4342 read_mfl = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4343 if( read_mfl < max_len )
4344 {
4345 max_len = read_mfl;
4346 }
4347 }
4348
4349 return( max_len );
4350}
4351
4352size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004353{
4354 size_t max_len;
4355
4356 /*
4357 * Assume mfl_code is correct since it was checked when set
4358 */
Angus Grattond8213d02016-05-25 20:56:48 +10004359 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004360
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02004361 /* Check if a smaller max length was negotiated */
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004362 if( ssl->session_out != NULL &&
Angus Grattond8213d02016-05-25 20:56:48 +10004363 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004364 {
Angus Grattond8213d02016-05-25 20:56:48 +10004365 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004366 }
4367
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02004368 /* During a handshake, use the value being negotiated */
4369 if( ssl->session_negotiate != NULL &&
4370 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
4371 {
4372 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4373 }
4374
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004375 return( max_len );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004376}
4377#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4378
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004379#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker89490712020-02-05 10:50:12 +00004380size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004381{
Andrzej Kurekef43ce62018-10-09 08:24:12 -04004382 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
4383 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4384 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
4385 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
4386 return ( 0 );
4387
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004388 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
4389 return( ssl->mtu );
4390
4391 if( ssl->mtu == 0 )
4392 return( ssl->handshake->mtu );
4393
4394 return( ssl->mtu < ssl->handshake->mtu ?
4395 ssl->mtu : ssl->handshake->mtu );
4396}
4397#endif /* MBEDTLS_SSL_PROTO_DTLS */
4398
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004399int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
4400{
4401 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
4402
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02004403#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4404 !defined(MBEDTLS_SSL_PROTO_DTLS)
4405 (void) ssl;
4406#endif
4407
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004408#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004409 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004410
4411 if( max_len > mfl )
4412 max_len = mfl;
4413#endif
4414
4415#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker89490712020-02-05 10:50:12 +00004416 if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004417 {
Hanno Becker89490712020-02-05 10:50:12 +00004418 const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004419 const int ret = mbedtls_ssl_get_record_expansion( ssl );
4420 const size_t overhead = (size_t) ret;
4421
4422 if( ret < 0 )
4423 return( ret );
4424
4425 if( mtu <= overhead )
4426 {
4427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
4428 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4429 }
4430
4431 if( max_len > mtu - overhead )
4432 max_len = mtu - overhead;
4433 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004434#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004435
Hanno Becker0defedb2018-08-10 12:35:02 +01004436#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4437 !defined(MBEDTLS_SSL_PROTO_DTLS)
4438 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004439#endif
4440
4441 return( (int) max_len );
4442}
4443
Hanno Becker2d8e99b2021-04-21 06:19:50 +01004444int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl )
4445{
4446 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
4447
4448#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4449 (void) ssl;
4450#endif
4451
4452#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4453 const size_t mfl = mbedtls_ssl_get_input_max_frag_len( ssl );
4454
4455 if( max_len > mfl )
4456 max_len = mfl;
4457#endif
4458
4459 return( (int) max_len );
4460}
4461
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004462#if defined(MBEDTLS_X509_CRT_PARSE_C)
4463const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +00004464{
4465 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004466 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004467
Hanno Beckere6824572019-02-07 13:18:46 +00004468#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004469 return( ssl->session->peer_cert );
Hanno Beckere6824572019-02-07 13:18:46 +00004470#else
4471 return( NULL );
4472#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004473}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004474#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004476#if defined(MBEDTLS_SSL_CLI_C)
Hanno Beckerf852b1c2019-02-05 11:42:30 +00004477int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
4478 mbedtls_ssl_session *dst )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004479{
Hanno Beckere810bbc2021-05-14 16:01:05 +01004480 int ret;
4481
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004482 if( ssl == NULL ||
4483 dst == NULL ||
4484 ssl->session == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004485 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004486 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004487 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004488 }
4489
Hanno Beckere810bbc2021-05-14 16:01:05 +01004490 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
4491 * idempotent: Each session can only be exported once.
4492 *
4493 * (This is in preparation for TLS 1.3 support where we will
4494 * need the ability to export multiple sessions (aka tickets),
4495 * which will be achieved by calling mbedtls_ssl_get_session()
4496 * multiple times until it fails.)
4497 *
4498 * Check whether we have already exported the current session,
4499 * and fail if so.
4500 */
4501 if( ssl->session->exported == 1 )
4502 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4503
4504 ret = mbedtls_ssl_session_copy( dst, ssl->session );
4505 if( ret != 0 )
4506 return( ret );
4507
4508 /* Remember that we've exported the session. */
4509 ssl->session->exported = 1;
4510 return( 0 );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004511}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004512#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004513
Paul Bakker5121ce52009-01-03 21:22:43 +00004514/*
Hanno Beckera835da52019-05-16 12:39:07 +01004515 * Define ticket header determining Mbed TLS version
4516 * and structure of the ticket.
4517 */
4518
Hanno Becker94ef3b32019-05-16 12:50:45 +01004519/*
Hanno Becker50b59662019-05-28 14:30:45 +01004520 * Define bitflag determining compile-time settings influencing
4521 * structure of serialized SSL sessions.
Hanno Becker94ef3b32019-05-16 12:50:45 +01004522 */
4523
Hanno Becker50b59662019-05-28 14:30:45 +01004524#if defined(MBEDTLS_HAVE_TIME)
Hanno Becker3e088662019-05-29 11:10:18 +01004525#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
Hanno Becker50b59662019-05-28 14:30:45 +01004526#else
Hanno Becker3e088662019-05-29 11:10:18 +01004527#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004528#endif /* MBEDTLS_HAVE_TIME */
4529
4530#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker3e088662019-05-29 11:10:18 +01004531#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004532#else
Hanno Becker3e088662019-05-29 11:10:18 +01004533#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004534#endif /* MBEDTLS_X509_CRT_PARSE_C */
4535
4536#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker3e088662019-05-29 11:10:18 +01004537#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004538#else
Hanno Becker3e088662019-05-29 11:10:18 +01004539#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004540#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4541
4542#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker3e088662019-05-29 11:10:18 +01004543#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004544#else
Hanno Becker3e088662019-05-29 11:10:18 +01004545#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004546#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4547
Hanno Becker94ef3b32019-05-16 12:50:45 +01004548#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker3e088662019-05-29 11:10:18 +01004549#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004550#else
Hanno Becker3e088662019-05-29 11:10:18 +01004551#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004552#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4553
Hanno Becker94ef3b32019-05-16 12:50:45 +01004554#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4555#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4556#else
4557#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4558#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4559
Hanno Becker3e088662019-05-29 11:10:18 +01004560#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4561#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4562#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4563#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
Hanno Becker37bdbe62021-08-01 05:38:58 +01004564#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4565#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
Hanno Becker3e088662019-05-29 11:10:18 +01004566
Hanno Becker50b59662019-05-28 14:30:45 +01004567#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
Hanno Becker3e088662019-05-29 11:10:18 +01004568 ( (uint16_t) ( \
4569 ( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) | \
4570 ( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) | \
4571 ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \
4572 ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \
Hanno Becker3e088662019-05-29 11:10:18 +01004573 ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \
Hanno Beckerbe34e8e2019-06-04 09:43:16 +01004574 ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) )
Hanno Becker94ef3b32019-05-16 12:50:45 +01004575
Hanno Beckerf8787072019-05-16 12:41:07 +01004576static unsigned char ssl_serialized_session_header[] = {
Hanno Becker94ef3b32019-05-16 12:50:45 +01004577 MBEDTLS_VERSION_MAJOR,
4578 MBEDTLS_VERSION_MINOR,
4579 MBEDTLS_VERSION_PATCH,
Hanno Becker50b59662019-05-28 14:30:45 +01004580 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
4581 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
Hanno Beckerf8787072019-05-16 12:41:07 +01004582};
Hanno Beckera835da52019-05-16 12:39:07 +01004583
4584/*
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004585 * Serialize a session in the following format:
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004586 * (in the presentation language of TLS, RFC 8446 section 3)
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004587 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004588 * struct {
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01004589 *
Hanno Beckerdce50972021-08-01 05:39:23 +01004590 * opaque mbedtls_version[3]; // library version: major, minor, patch
4591 * opaque session_format[2]; // library-version specific 16-bit field
4592 * // determining the format of the remaining
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004593 * // serialized data.
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01004594 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004595 * Note: When updating the format, remember to keep
4596 * these version+format bytes.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004597 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004598 * // In this version, `session_format` determines
4599 * // the setting of those compile-time
4600 * // configuration options which influence
4601 * // the structure of mbedtls_ssl_session.
4602 *
Hanno Beckerfa0d61e2021-08-02 08:56:14 +01004603 * uint8_t minor_ver; // Protocol-version. Possible values:
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004604 * // - TLS 1.2 (MBEDTLS_SSL_MINOR_VERSION_3)
4605 *
4606 * select (serialized_session.minor_ver) {
4607 *
4608 * case MBEDTLS_SSL_MINOR_VERSION_3: // TLS 1.2
4609 * serialized_session_tls12 data;
4610 *
4611 * };
4612 *
4613 * } serialized_session;
4614 *
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004615 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004616
4617#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4618/* Serialization of TLS 1.2 sessions:
4619 *
4620 * struct {
4621 * uint64 start_time;
4622 * uint8 ciphersuite[2]; // defined by the standard
4623 * uint8 compression; // 0 or 1
4624 * uint8 session_id_len; // at most 32
4625 * opaque session_id[32];
4626 * opaque master[48]; // fixed length in the standard
4627 * uint32 verify_result;
4628 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4629 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4630 * uint32 ticket_lifetime;
4631 * uint8 mfl_code; // up to 255 according to standard
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004632 * uint8 encrypt_then_mac; // 0 or 1
4633 * } serialized_session_tls12;
4634 *
4635 */
4636static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
4637 unsigned char *buf,
4638 size_t buf_len )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004639{
4640 unsigned char *p = buf;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004641 size_t used = 0;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004642
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004643#if defined(MBEDTLS_HAVE_TIME)
4644 uint64_t start;
4645#endif
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004646#if defined(MBEDTLS_X509_CRT_PARSE_C)
4647#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4648 size_t cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004649#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4650#endif /* MBEDTLS_X509_CRT_PARSE_C */
4651
Hanno Beckera835da52019-05-16 12:39:07 +01004652 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004653 * Time
4654 */
4655#if defined(MBEDTLS_HAVE_TIME)
4656 used += 8;
4657
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004658 if( used <= buf_len )
4659 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004660 start = (uint64_t) session->start;
4661
4662 *p++ = (unsigned char)( ( start >> 56 ) & 0xFF );
4663 *p++ = (unsigned char)( ( start >> 48 ) & 0xFF );
4664 *p++ = (unsigned char)( ( start >> 40 ) & 0xFF );
4665 *p++ = (unsigned char)( ( start >> 32 ) & 0xFF );
4666 *p++ = (unsigned char)( ( start >> 24 ) & 0xFF );
4667 *p++ = (unsigned char)( ( start >> 16 ) & 0xFF );
4668 *p++ = (unsigned char)( ( start >> 8 ) & 0xFF );
4669 *p++ = (unsigned char)( ( start ) & 0xFF );
4670 }
4671#endif /* MBEDTLS_HAVE_TIME */
4672
4673 /*
4674 * Basic mandatory fields
4675 */
4676 used += 2 /* ciphersuite */
4677 + 1 /* compression */
4678 + 1 /* id_len */
4679 + sizeof( session->id )
4680 + sizeof( session->master )
4681 + 4; /* verify_result */
4682
4683 if( used <= buf_len )
4684 {
4685 *p++ = (unsigned char)( ( session->ciphersuite >> 8 ) & 0xFF );
4686 *p++ = (unsigned char)( ( session->ciphersuite ) & 0xFF );
4687
4688 *p++ = (unsigned char)( session->compression & 0xFF );
4689
4690 *p++ = (unsigned char)( session->id_len & 0xFF );
4691 memcpy( p, session->id, 32 );
4692 p += 32;
4693
4694 memcpy( p, session->master, 48 );
4695 p += 48;
4696
4697 *p++ = (unsigned char)( ( session->verify_result >> 24 ) & 0xFF );
4698 *p++ = (unsigned char)( ( session->verify_result >> 16 ) & 0xFF );
4699 *p++ = (unsigned char)( ( session->verify_result >> 8 ) & 0xFF );
4700 *p++ = (unsigned char)( ( session->verify_result ) & 0xFF );
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004701 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004702
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004703 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004704 * Peer's end-entity certificate
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004705 */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004706#if defined(MBEDTLS_X509_CRT_PARSE_C)
4707#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4708 if( session->peer_cert == NULL )
4709 cert_len = 0;
4710 else
4711 cert_len = session->peer_cert->raw.len;
4712
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004713 used += 3 + cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004714
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004715 if( used <= buf_len )
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004716 {
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004717 *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
4718 *p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
4719 *p++ = (unsigned char)( ( cert_len ) & 0xFF );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004720
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004721 if( session->peer_cert != NULL )
4722 {
4723 memcpy( p, session->peer_cert->raw.p, cert_len );
4724 p += cert_len;
4725 }
4726 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004727#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004728 if( session->peer_cert_digest != NULL )
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004729 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004730 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
4731 if( used <= buf_len )
4732 {
4733 *p++ = (unsigned char) session->peer_cert_digest_type;
4734 *p++ = (unsigned char) session->peer_cert_digest_len;
4735 memcpy( p, session->peer_cert_digest,
4736 session->peer_cert_digest_len );
4737 p += session->peer_cert_digest_len;
4738 }
4739 }
4740 else
4741 {
4742 used += 2;
4743 if( used <= buf_len )
4744 {
4745 *p++ = (unsigned char) MBEDTLS_MD_NONE;
4746 *p++ = 0;
4747 }
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004748 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004749#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4750#endif /* MBEDTLS_X509_CRT_PARSE_C */
4751
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004752 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004753 * Session ticket if any, plus associated data
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004754 */
4755#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004756 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004757
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004758 if( used <= buf_len )
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004759 {
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004760 *p++ = (unsigned char)( ( session->ticket_len >> 16 ) & 0xFF );
4761 *p++ = (unsigned char)( ( session->ticket_len >> 8 ) & 0xFF );
4762 *p++ = (unsigned char)( ( session->ticket_len ) & 0xFF );
4763
4764 if( session->ticket != NULL )
4765 {
4766 memcpy( p, session->ticket, session->ticket_len );
4767 p += session->ticket_len;
4768 }
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004769
4770 *p++ = (unsigned char)( ( session->ticket_lifetime >> 24 ) & 0xFF );
4771 *p++ = (unsigned char)( ( session->ticket_lifetime >> 16 ) & 0xFF );
4772 *p++ = (unsigned char)( ( session->ticket_lifetime >> 8 ) & 0xFF );
4773 *p++ = (unsigned char)( ( session->ticket_lifetime ) & 0xFF );
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004774 }
4775#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4776
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004777 /*
4778 * Misc extension-related info
4779 */
4780#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4781 used += 1;
4782
4783 if( used <= buf_len )
4784 *p++ = session->mfl_code;
4785#endif
4786
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004787#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4788 used += 1;
4789
4790 if( used <= buf_len )
4791 *p++ = (unsigned char)( ( session->encrypt_then_mac ) & 0xFF );
4792#endif
4793
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004794 return( used );
4795}
4796#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004797
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004798static int ssl_session_save( const mbedtls_ssl_session *session,
4799 unsigned char omit_header,
4800 unsigned char *buf,
4801 size_t buf_len,
4802 size_t *olen )
4803{
4804 unsigned char *p = buf;
4805 size_t used = 0;
4806
4807 if( !omit_header )
4808 {
4809 /*
4810 * Add Mbed TLS version identifier
4811 */
4812
4813 used += sizeof( ssl_serialized_session_header );
4814
4815 if( used <= buf_len )
4816 {
4817 memcpy( p, ssl_serialized_session_header,
4818 sizeof( ssl_serialized_session_header ) );
4819 p += sizeof( ssl_serialized_session_header );
4820 }
4821 }
4822
4823 /*
4824 * TLS version identifier
4825 */
4826 used += 1;
4827 if( used <= buf_len )
4828 {
4829 *p++ = session->minor_ver;
4830 }
4831
4832 /* Forward to version-specific serialization routine. */
4833 switch( session->minor_ver )
4834 {
4835#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4836 case MBEDTLS_SSL_MINOR_VERSION_3:
4837 {
4838 size_t remaining_len = used <= buf_len ? buf_len - used : 0;
4839 used += ssl_session_save_tls12( session, p, remaining_len );
4840 break;
4841 }
4842#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4843
4844 default:
4845 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4846 }
4847
4848 *olen = used;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004849 if( used > buf_len )
4850 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004851
4852 return( 0 );
4853}
4854
4855/*
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004856 * Public wrapper for ssl_session_save()
4857 */
4858int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
4859 unsigned char *buf,
4860 size_t buf_len,
4861 size_t *olen )
4862{
4863 return( ssl_session_save( session, 0, buf, buf_len, olen ) );
4864}
4865
4866/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02004867 * Deserialize session, see mbedtls_ssl_session_save() for format.
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004868 *
4869 * This internal version is wrapped by a public function that cleans up in
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004870 * case of error, and has an extra option omit_header.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004871 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004872static int ssl_session_load_tls12( mbedtls_ssl_session *session,
4873 const unsigned char *buf,
4874 size_t len )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004875{
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004876#if defined(MBEDTLS_HAVE_TIME)
4877 uint64_t start;
4878#endif
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004879#if defined(MBEDTLS_X509_CRT_PARSE_C)
4880#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4881 size_t cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004882#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4883#endif /* MBEDTLS_X509_CRT_PARSE_C */
4884
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004885 const unsigned char *p = buf;
4886 const unsigned char * const end = buf + len;
Hanno Beckera835da52019-05-16 12:39:07 +01004887
4888 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004889 * Time
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004890 */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004891#if defined(MBEDTLS_HAVE_TIME)
4892 if( 8 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004893 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4894
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004895 start = ( (uint64_t) p[0] << 56 ) |
4896 ( (uint64_t) p[1] << 48 ) |
4897 ( (uint64_t) p[2] << 40 ) |
4898 ( (uint64_t) p[3] << 32 ) |
4899 ( (uint64_t) p[4] << 24 ) |
4900 ( (uint64_t) p[5] << 16 ) |
4901 ( (uint64_t) p[6] << 8 ) |
4902 ( (uint64_t) p[7] );
4903 p += 8;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004904
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004905 session->start = (time_t) start;
4906#endif /* MBEDTLS_HAVE_TIME */
4907
4908 /*
4909 * Basic mandatory fields
4910 */
4911 if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
4912 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4913
4914 session->ciphersuite = ( p[0] << 8 ) | p[1];
4915 p += 2;
4916
4917 session->compression = *p++;
4918
4919 session->id_len = *p++;
4920 memcpy( session->id, p, 32 );
4921 p += 32;
4922
4923 memcpy( session->master, p, 48 );
4924 p += 48;
4925
4926 session->verify_result = ( (uint32_t) p[0] << 24 ) |
4927 ( (uint32_t) p[1] << 16 ) |
4928 ( (uint32_t) p[2] << 8 ) |
4929 ( (uint32_t) p[3] );
4930 p += 4;
4931
4932 /* Immediately clear invalid pointer values that have been read, in case
4933 * we exit early before we replaced them with valid ones. */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004934#if defined(MBEDTLS_X509_CRT_PARSE_C)
4935#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4936 session->peer_cert = NULL;
4937#else
4938 session->peer_cert_digest = NULL;
4939#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4940#endif /* MBEDTLS_X509_CRT_PARSE_C */
4941#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4942 session->ticket = NULL;
4943#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4944
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004945 /*
4946 * Peer certificate
4947 */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004948#if defined(MBEDTLS_X509_CRT_PARSE_C)
4949#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4950 /* Deserialize CRT from the end of the ticket. */
4951 if( 3 > (size_t)( end - p ) )
4952 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4953
4954 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
4955 p += 3;
4956
4957 if( cert_len != 0 )
4958 {
Janos Follath865b3eb2019-12-16 11:46:15 +00004959 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004960
4961 if( cert_len > (size_t)( end - p ) )
4962 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4963
4964 session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
4965
4966 if( session->peer_cert == NULL )
4967 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
4968
4969 mbedtls_x509_crt_init( session->peer_cert );
4970
4971 if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
4972 p, cert_len ) ) != 0 )
4973 {
4974 mbedtls_x509_crt_free( session->peer_cert );
4975 mbedtls_free( session->peer_cert );
4976 session->peer_cert = NULL;
4977 return( ret );
4978 }
4979
4980 p += cert_len;
4981 }
4982#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4983 /* Deserialize CRT digest from the end of the ticket. */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004984 if( 2 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004985 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4986
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004987 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
4988 session->peer_cert_digest_len = (size_t) *p++;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004989
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004990 if( session->peer_cert_digest_len != 0 )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004991 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004992 const mbedtls_md_info_t *md_info =
4993 mbedtls_md_info_from_type( session->peer_cert_digest_type );
4994 if( md_info == NULL )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004995 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004996 if( session->peer_cert_digest_len != mbedtls_md_get_size( md_info ) )
4997 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004998
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004999 if( session->peer_cert_digest_len > (size_t)( end - p ) )
5000 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5001
5002 session->peer_cert_digest =
5003 mbedtls_calloc( 1, session->peer_cert_digest_len );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005004 if( session->peer_cert_digest == NULL )
5005 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5006
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005007 memcpy( session->peer_cert_digest, p,
5008 session->peer_cert_digest_len );
5009 p += session->peer_cert_digest_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005010 }
5011#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5012#endif /* MBEDTLS_X509_CRT_PARSE_C */
5013
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005014 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005015 * Session ticket and associated data
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005016 */
5017#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5018 if( 3 > (size_t)( end - p ) )
5019 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5020
5021 session->ticket_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
5022 p += 3;
5023
5024 if( session->ticket_len != 0 )
5025 {
5026 if( session->ticket_len > (size_t)( end - p ) )
5027 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5028
5029 session->ticket = mbedtls_calloc( 1, session->ticket_len );
5030 if( session->ticket == NULL )
5031 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5032
5033 memcpy( session->ticket, p, session->ticket_len );
5034 p += session->ticket_len;
5035 }
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005036
5037 if( 4 > (size_t)( end - p ) )
5038 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5039
5040 session->ticket_lifetime = ( (uint32_t) p[0] << 24 ) |
5041 ( (uint32_t) p[1] << 16 ) |
5042 ( (uint32_t) p[2] << 8 ) |
5043 ( (uint32_t) p[3] );
5044 p += 4;
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005045#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5046
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005047 /*
5048 * Misc extension-related info
5049 */
5050#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
5051 if( 1 > (size_t)( end - p ) )
5052 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5053
5054 session->mfl_code = *p++;
5055#endif
5056
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005057#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5058 if( 1 > (size_t)( end - p ) )
5059 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5060
5061 session->encrypt_then_mac = *p++;
5062#endif
5063
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005064 /* Done, should have consumed entire buffer */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005065 if( p != end )
5066 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5067
5068 return( 0 );
5069}
5070
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01005071static int ssl_session_load( mbedtls_ssl_session *session,
5072 unsigned char omit_header,
5073 const unsigned char *buf,
5074 size_t len )
5075{
5076 const unsigned char *p = buf;
5077 const unsigned char * const end = buf + len;
5078
5079 if( !omit_header )
5080 {
5081 /*
5082 * Check Mbed TLS version identifier
5083 */
5084
5085 if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
5086 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5087
5088 if( memcmp( p, ssl_serialized_session_header,
5089 sizeof( ssl_serialized_session_header ) ) != 0 )
5090 {
5091 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5092 }
5093 p += sizeof( ssl_serialized_session_header );
5094 }
5095
5096 /*
5097 * TLS version identifier
5098 */
5099 if( 1 > (size_t)( end - p ) )
5100 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5101 session->minor_ver = *p++;
5102
5103 /* Dispatch according to TLS version. */
5104 switch( session->minor_ver )
5105 {
5106#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5107 case MBEDTLS_SSL_MINOR_VERSION_3: /* TLS 1.2 */
5108 {
5109 size_t remaining_len = ( end - p );
5110 return( ssl_session_load_tls12( session, p, remaining_len ) );
5111 }
5112#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5113
5114 default:
5115 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5116 }
5117}
5118
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005119/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005120 * Deserialize session: public wrapper for error cleaning
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005121 */
5122int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
5123 const unsigned char *buf,
5124 size_t len )
5125{
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005126 int ret = ssl_session_load( session, 0, buf, len );
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005127
5128 if( ret != 0 )
5129 mbedtls_ssl_session_free( session );
5130
5131 return( ret );
5132}
5133
5134/*
Paul Bakker1961b702013-01-25 14:49:24 +01005135 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00005136 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005137int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00005138{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005139 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00005140
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005141 if( ssl == NULL || ssl->conf == NULL )
5142 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5143
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005144#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005145 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Jerry Yub9930e72021-08-06 17:11:51 +08005146 {
5147#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
5148 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
5149 ret = mbedtls_ssl_handshake_client_step_tls1_3( ssl );
5150#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
5151
5152#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5153 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
5154 ret = mbedtls_ssl_handshake_client_step( ssl );
5155#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5156 }
Paul Bakker5121ce52009-01-03 21:22:43 +00005157#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005158#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005159 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Jerry Yub9930e72021-08-06 17:11:51 +08005160 {
5161#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
5162 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
5163 ret = mbedtls_ssl_handshake_server_step_tls1_3( ssl );
5164#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
5165
5166#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5167 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
5168 ret = mbedtls_ssl_handshake_server_step( ssl );
5169#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5170 }
Paul Bakker5121ce52009-01-03 21:22:43 +00005171#endif
5172
Paul Bakker1961b702013-01-25 14:49:24 +01005173 return( ret );
5174}
5175
5176/*
5177 * Perform the SSL handshake
5178 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005179int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
Paul Bakker1961b702013-01-25 14:49:24 +01005180{
5181 int ret = 0;
5182
Hanno Beckera817ea42020-10-20 15:20:23 +01005183 /* Sanity checks */
5184
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005185 if( ssl == NULL || ssl->conf == NULL )
5186 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5187
Hanno Beckera817ea42020-10-20 15:20:23 +01005188#if defined(MBEDTLS_SSL_PROTO_DTLS)
5189 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5190 ( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) )
5191 {
5192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
5193 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
5194 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5195 }
5196#endif /* MBEDTLS_SSL_PROTO_DTLS */
5197
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005198 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
Paul Bakker1961b702013-01-25 14:49:24 +01005199
Hanno Beckera817ea42020-10-20 15:20:23 +01005200 /* Main handshake loop */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005201 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker1961b702013-01-25 14:49:24 +01005202 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005203 ret = mbedtls_ssl_handshake_step( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01005204
5205 if( ret != 0 )
5206 break;
5207 }
5208
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005209 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005210
5211 return( ret );
5212}
5213
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005214#if defined(MBEDTLS_SSL_RENEGOTIATION)
5215#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00005216/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005217 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00005218 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005219static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005220{
Janos Follath865b3eb2019-12-16 11:46:15 +00005221 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005222
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005223 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005224
5225 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005226 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5227 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005228
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005229 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005230 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005231 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005232 return( ret );
5233 }
5234
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005235 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005236
5237 return( 0 );
5238}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005239#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005240
5241/*
5242 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005243 * - any side: calling mbedtls_ssl_renegotiate(),
5244 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
5245 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02005246 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005247 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005248 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005249 */
Hanno Becker40cdaa12020-02-05 10:48:27 +00005250int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00005251{
Janos Follath865b3eb2019-12-16 11:46:15 +00005252 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker48916f92012-09-16 19:57:18 +00005253
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005254 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005255
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005256 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
5257 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00005258
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005259 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
5260 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005261#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005262 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005263 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005264 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005265 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02005266 ssl->handshake->out_msg_seq = 1;
5267 else
5268 ssl->handshake->in_msg_seq = 1;
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005269 }
5270#endif
5271
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005272 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
5273 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +00005274
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005275 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00005276 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005277 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker48916f92012-09-16 19:57:18 +00005278 return( ret );
5279 }
5280
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005281 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005282
5283 return( 0 );
5284}
5285
5286/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005287 * Renegotiate current connection on client,
5288 * or request renegotiation on server
5289 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005290int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005291{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005292 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005293
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005294 if( ssl == NULL || ssl->conf == NULL )
5295 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5296
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005297#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005298 /* On server, just send the request */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005299 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005300 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005301 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5302 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005304 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02005305
5306 /* Did we already try/start sending HelloRequest? */
5307 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005308 return( mbedtls_ssl_flush_output( ssl ) );
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02005309
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005310 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005311 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005312#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005313
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005314#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005315 /*
5316 * On client, either start the renegotiation process or,
5317 * if already in progress, continue the handshake
5318 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005319 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005320 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005321 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5322 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005323
Hanno Becker40cdaa12020-02-05 10:48:27 +00005324 if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005325 {
Hanno Becker40cdaa12020-02-05 10:48:27 +00005326 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005327 return( ret );
5328 }
5329 }
5330 else
5331 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005332 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005333 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005334 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005335 return( ret );
5336 }
5337 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005338#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005339
Paul Bakker37ce0ff2013-10-31 14:32:04 +01005340 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005341}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005342#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005344#if defined(MBEDTLS_X509_CRT_PARSE_C)
5345static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005346{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005347 mbedtls_ssl_key_cert *cur = key_cert, *next;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005348
5349 while( cur != NULL )
5350 {
5351 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005352 mbedtls_free( cur );
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005353 cur = next;
5354 }
5355}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005356#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005357
Gilles Peskine9b562d52018-04-25 20:32:43 +02005358void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00005359{
Gilles Peskine9b562d52018-04-25 20:32:43 +02005360 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
5361
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005362 if( handshake == NULL )
5363 return;
5364
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02005365#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
5366 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
5367 {
Gilles Peskine8f97af72018-04-26 11:46:10 +02005368 ssl->conf->f_async_cancel( ssl );
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02005369 handshake->async_in_progress = 0;
5370 }
5371#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
5372
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005373#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5374#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05005375#if defined(MBEDTLS_USE_PSA_CRYPTO)
5376 psa_hash_abort( &handshake->fin_sha256_psa );
5377#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005378 mbedtls_sha256_free( &handshake->fin_sha256 );
5379#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05005380#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02005381#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05005382#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05005383 psa_hash_abort( &handshake->fin_sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05005384#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005385 mbedtls_sha512_free( &handshake->fin_sha512 );
5386#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05005387#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005388#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005390#if defined(MBEDTLS_DHM_C)
5391 mbedtls_dhm_free( &handshake->dhm_ctx );
Paul Bakker48916f92012-09-16 19:57:18 +00005392#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005393#if defined(MBEDTLS_ECDH_C)
5394 mbedtls_ecdh_free( &handshake->ecdh_ctx );
Paul Bakker61d113b2013-07-04 11:51:43 +02005395#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02005396#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02005397 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02005398#if defined(MBEDTLS_SSL_CLI_C)
5399 mbedtls_free( handshake->ecjpake_cache );
5400 handshake->ecjpake_cache = NULL;
5401 handshake->ecjpake_cache_len = 0;
5402#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02005403#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02005404
Janos Follath4ae5c292016-02-10 11:27:43 +00005405#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
5406 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +02005407 /* explicit void pointer cast for buggy MS compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005408 mbedtls_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02005409#endif
5410
Gilles Peskineeccd8882020-03-10 12:19:08 +01005411#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01005412 if( handshake->psk != NULL )
5413 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005414 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01005415 mbedtls_free( handshake->psk );
5416 }
5417#endif
5418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005419#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5420 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005421 /*
5422 * Free only the linked list wrapper, not the keys themselves
5423 * since the belong to the SNI callback
5424 */
5425 if( handshake->sni_key_cert != NULL )
5426 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005427 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005428
5429 while( cur != NULL )
5430 {
5431 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005432 mbedtls_free( cur );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005433 cur = next;
5434 }
5435 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005436#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005437
Gilles Peskineeccd8882020-03-10 12:19:08 +01005438#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02005439 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Hanno Becker3dad3112019-02-05 17:19:52 +00005440 if( handshake->ecrs_peer_cert != NULL )
5441 {
5442 mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
5443 mbedtls_free( handshake->ecrs_peer_cert );
5444 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02005445#endif
5446
Hanno Becker75173122019-02-06 16:18:31 +00005447#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5448 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5449 mbedtls_pk_free( &handshake->peer_pubkey );
5450#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005452#if defined(MBEDTLS_SSL_PROTO_DTLS)
5453 mbedtls_free( handshake->verify_cookie );
Hanno Becker533ab5f2020-02-05 10:49:13 +00005454 mbedtls_ssl_flight_free( handshake->flight );
5455 mbedtls_ssl_buffering_free( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02005456#endif
5457
Hanno Becker4a63ed42019-01-08 11:39:35 +00005458#if defined(MBEDTLS_ECDH_C) && \
5459 defined(MBEDTLS_USE_PSA_CRYPTO)
5460 psa_destroy_key( handshake->ecdh_psa_privkey );
5461#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
5462
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005463 mbedtls_platform_zeroize( handshake,
5464 sizeof( mbedtls_ssl_handshake_params ) );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005465
5466#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5467 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
5468 * processes datagrams and the fact that a datagram is allowed to have
5469 * several records in it, it is possible that the I/O buffers are not
5470 * empty at this stage */
Andrzej Kurek4a063792020-10-21 15:08:44 +02005471 handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
5472 mbedtls_ssl_get_output_buflen( ssl ) );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005473#endif
Paul Bakker48916f92012-09-16 19:57:18 +00005474}
5475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005476void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
Paul Bakker48916f92012-09-16 19:57:18 +00005477{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005478 if( session == NULL )
5479 return;
5480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005481#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker1294a0b2019-02-05 12:38:15 +00005482 ssl_clear_peer_cert( session );
Paul Bakkered27a042013-04-18 22:46:23 +02005483#endif
Paul Bakker0a597072012-09-25 21:55:46 +00005484
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02005485#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005486 mbedtls_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +02005487#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005488
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005489 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005490}
5491
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02005492#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005493
5494#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5495#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
5496#else
5497#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
5498#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5499
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005500#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005501
5502#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5503#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
5504#else
5505#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
5506#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5507
5508#if defined(MBEDTLS_SSL_ALPN)
5509#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
5510#else
5511#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
5512#endif /* MBEDTLS_SSL_ALPN */
5513
5514#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
5515#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
5516#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
5517#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
5518
5519#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5520 ( (uint32_t) ( \
5521 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT ) | \
5522 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT ) | \
5523 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT ) | \
5524 ( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT ) | \
5525 0u ) )
5526
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005527static unsigned char ssl_serialized_context_header[] = {
5528 MBEDTLS_VERSION_MAJOR,
5529 MBEDTLS_VERSION_MINOR,
5530 MBEDTLS_VERSION_PATCH,
5531 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
5532 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005533 ( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 16 ) & 0xFF,
5534 ( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 8 ) & 0xFF,
5535 ( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 0 ) & 0xFF,
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005536};
5537
Paul Bakker5121ce52009-01-03 21:22:43 +00005538/*
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005539 * Serialize a full SSL context
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005540 *
5541 * The format of the serialized data is:
5542 * (in the presentation language of TLS, RFC 8446 section 3)
5543 *
5544 * // header
5545 * opaque mbedtls_version[3]; // major, minor, patch
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005546 * opaque context_format[5]; // version-specific field determining
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005547 * // the format of the remaining
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005548 * // serialized data.
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005549 * Note: When updating the format, remember to keep these
5550 * version+format bytes. (We may make their size part of the API.)
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005551 *
5552 * // session sub-structure
5553 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5554 * // transform sub-structure
5555 * uint8 random[64]; // ServerHello.random+ClientHello.random
5556 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5557 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5558 * // fields from ssl_context
5559 * uint32 badmac_seen; // DTLS: number of records with failing MAC
5560 * uint64 in_window_top; // DTLS: last validated record seq_num
5561 * uint64 in_window; // DTLS: bitmask for replay protection
5562 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5563 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5564 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5565 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5566 *
5567 * Note that many fields of the ssl_context or sub-structures are not
5568 * serialized, as they fall in one of the following categories:
5569 *
5570 * 1. forced value (eg in_left must be 0)
5571 * 2. pointer to dynamically-allocated memory (eg session, transform)
5572 * 3. value can be re-derived from other data (eg session keys from MS)
5573 * 4. value was temporary (eg content of input buffer)
5574 * 5. value will be provided by the user again (eg I/O callbacks and context)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005575 */
5576int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
5577 unsigned char *buf,
5578 size_t buf_len,
5579 size_t *olen )
5580{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005581 unsigned char *p = buf;
5582 size_t used = 0;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005583 size_t session_len;
5584 int ret = 0;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005585
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005586 /*
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005587 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5588 * this function's documentation.
5589 *
5590 * These are due to assumptions/limitations in the implementation. Some of
5591 * them are likely to stay (no handshake in progress) some might go away
5592 * (only DTLS) but are currently used to simplify the implementation.
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005593 */
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005594 /* The initial handshake must be over */
5595 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005596 {
5597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) );
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005598 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005599 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005600 if( ssl->handshake != NULL )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005601 {
5602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Handshake isn't completed" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005603 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005604 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005605 /* Double-check that sub-structures are indeed ready */
5606 if( ssl->transform == NULL || ssl->session == NULL )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005607 {
5608 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Serialised structures aren't ready" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005609 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005610 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005611 /* There must be no pending incoming or outgoing data */
5612 if( mbedtls_ssl_check_pending( ssl ) != 0 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005613 {
5614 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending incoming data" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005615 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005616 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005617 if( ssl->out_left != 0 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005618 {
5619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005620 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005621 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005622 /* Protocol must be DLTS, not TLS */
5623 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005624 {
5625 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005626 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005627 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005628 /* Version must be 1.2 */
5629 if( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005630 {
5631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005632 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005633 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005634 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005635 {
5636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005637 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005638 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005639 /* We must be using an AEAD ciphersuite */
5640 if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005641 {
5642 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005643 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005644 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005645 /* Renegotiation must not be enabled */
5646#if defined(MBEDTLS_SSL_RENEGOTIATION)
5647 if( ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005648 {
5649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Renegotiation must not be enabled" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005650 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005651 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005652#endif
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005653
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005654 /*
5655 * Version and format identifier
5656 */
5657 used += sizeof( ssl_serialized_context_header );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005658
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005659 if( used <= buf_len )
5660 {
5661 memcpy( p, ssl_serialized_context_header,
5662 sizeof( ssl_serialized_context_header ) );
5663 p += sizeof( ssl_serialized_context_header );
5664 }
5665
5666 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005667 * Session (length + data)
5668 */
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005669 ret = ssl_session_save( ssl->session, 1, NULL, 0, &session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005670 if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
5671 return( ret );
5672
5673 used += 4 + session_len;
5674 if( used <= buf_len )
5675 {
5676 *p++ = (unsigned char)( ( session_len >> 24 ) & 0xFF );
5677 *p++ = (unsigned char)( ( session_len >> 16 ) & 0xFF );
5678 *p++ = (unsigned char)( ( session_len >> 8 ) & 0xFF );
5679 *p++ = (unsigned char)( ( session_len ) & 0xFF );
5680
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005681 ret = ssl_session_save( ssl->session, 1,
5682 p, session_len, &session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005683 if( ret != 0 )
5684 return( ret );
5685
5686 p += session_len;
5687 }
5688
5689 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005690 * Transform
5691 */
5692 used += sizeof( ssl->transform->randbytes );
5693 if( used <= buf_len )
5694 {
5695 memcpy( p, ssl->transform->randbytes,
5696 sizeof( ssl->transform->randbytes ) );
5697 p += sizeof( ssl->transform->randbytes );
5698 }
5699
5700#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5701 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5702 if( used <= buf_len )
5703 {
5704 *p++ = ssl->transform->in_cid_len;
5705 memcpy( p, ssl->transform->in_cid, ssl->transform->in_cid_len );
5706 p += ssl->transform->in_cid_len;
5707
5708 *p++ = ssl->transform->out_cid_len;
5709 memcpy( p, ssl->transform->out_cid, ssl->transform->out_cid_len );
5710 p += ssl->transform->out_cid_len;
5711 }
5712#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5713
5714 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005715 * Saved fields from top-level ssl_context structure
5716 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005717 used += 4;
5718 if( used <= buf_len )
5719 {
5720 *p++ = (unsigned char)( ( ssl->badmac_seen >> 24 ) & 0xFF );
5721 *p++ = (unsigned char)( ( ssl->badmac_seen >> 16 ) & 0xFF );
5722 *p++ = (unsigned char)( ( ssl->badmac_seen >> 8 ) & 0xFF );
5723 *p++ = (unsigned char)( ( ssl->badmac_seen ) & 0xFF );
5724 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005725
5726#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5727 used += 16;
5728 if( used <= buf_len )
5729 {
5730 *p++ = (unsigned char)( ( ssl->in_window_top >> 56 ) & 0xFF );
5731 *p++ = (unsigned char)( ( ssl->in_window_top >> 48 ) & 0xFF );
5732 *p++ = (unsigned char)( ( ssl->in_window_top >> 40 ) & 0xFF );
5733 *p++ = (unsigned char)( ( ssl->in_window_top >> 32 ) & 0xFF );
5734 *p++ = (unsigned char)( ( ssl->in_window_top >> 24 ) & 0xFF );
5735 *p++ = (unsigned char)( ( ssl->in_window_top >> 16 ) & 0xFF );
5736 *p++ = (unsigned char)( ( ssl->in_window_top >> 8 ) & 0xFF );
5737 *p++ = (unsigned char)( ( ssl->in_window_top ) & 0xFF );
5738
5739 *p++ = (unsigned char)( ( ssl->in_window >> 56 ) & 0xFF );
5740 *p++ = (unsigned char)( ( ssl->in_window >> 48 ) & 0xFF );
5741 *p++ = (unsigned char)( ( ssl->in_window >> 40 ) & 0xFF );
5742 *p++ = (unsigned char)( ( ssl->in_window >> 32 ) & 0xFF );
5743 *p++ = (unsigned char)( ( ssl->in_window >> 24 ) & 0xFF );
5744 *p++ = (unsigned char)( ( ssl->in_window >> 16 ) & 0xFF );
5745 *p++ = (unsigned char)( ( ssl->in_window >> 8 ) & 0xFF );
5746 *p++ = (unsigned char)( ( ssl->in_window ) & 0xFF );
5747 }
5748#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5749
5750#if defined(MBEDTLS_SSL_PROTO_DTLS)
5751 used += 1;
5752 if( used <= buf_len )
5753 {
5754 *p++ = ssl->disable_datagram_packing;
5755 }
5756#endif /* MBEDTLS_SSL_PROTO_DTLS */
5757
5758 used += 8;
5759 if( used <= buf_len )
5760 {
5761 memcpy( p, ssl->cur_out_ctr, 8 );
5762 p += 8;
5763 }
5764
5765#if defined(MBEDTLS_SSL_PROTO_DTLS)
5766 used += 2;
5767 if( used <= buf_len )
5768 {
5769 *p++ = (unsigned char)( ( ssl->mtu >> 8 ) & 0xFF );
5770 *p++ = (unsigned char)( ( ssl->mtu ) & 0xFF );
5771 }
5772#endif /* MBEDTLS_SSL_PROTO_DTLS */
5773
5774#if defined(MBEDTLS_SSL_ALPN)
5775 {
5776 const uint8_t alpn_len = ssl->alpn_chosen
Manuel Pégourié-Gonnardf041f4e2019-07-24 00:58:27 +02005777 ? (uint8_t) strlen( ssl->alpn_chosen )
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005778 : 0;
5779
5780 used += 1 + alpn_len;
5781 if( used <= buf_len )
5782 {
5783 *p++ = alpn_len;
5784
5785 if( ssl->alpn_chosen != NULL )
5786 {
5787 memcpy( p, ssl->alpn_chosen, alpn_len );
5788 p += alpn_len;
5789 }
5790 }
5791 }
5792#endif /* MBEDTLS_SSL_ALPN */
5793
5794 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005795 * Done
5796 */
5797 *olen = used;
5798
5799 if( used > buf_len )
5800 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005801
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005802 MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
5803
Hanno Becker43aefe22020-02-05 10:44:56 +00005804 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005805}
5806
5807/*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005808 * Helper to get TLS 1.2 PRF from ciphersuite
5809 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
5810 */
5811typedef int (*tls_prf_fn)( const unsigned char *secret, size_t slen,
5812 const char *label,
5813 const unsigned char *random, size_t rlen,
5814 unsigned char *dstbuf, size_t dlen );
5815static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
5816{
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02005817#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005818 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
5819 mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
5820
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005821 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
5822 return( tls_prf_sha384 );
Jarno Lamsab7b486c2019-08-21 15:30:44 +03005823#else
5824 (void) ciphersuite_id;
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005825#endif
5826 return( tls_prf_sha256 );
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005827}
5828
5829/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005830 * Deserialize context, see mbedtls_ssl_context_save() for format.
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005831 *
5832 * This internal version is wrapped by a public function that cleans up in
5833 * case of error.
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005834 */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005835static int ssl_context_load( mbedtls_ssl_context *ssl,
5836 const unsigned char *buf,
5837 size_t len )
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005838{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005839 const unsigned char *p = buf;
5840 const unsigned char * const end = buf + len;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005841 size_t session_len;
Janos Follath865b3eb2019-12-16 11:46:15 +00005842 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005843
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005844 /*
5845 * The context should have been freshly setup or reset.
5846 * Give the user an error in case of obvious misuse.
Manuel Pégourié-Gonnard4ca930f2019-07-26 16:31:53 +02005847 * (Checking session is useful because it won't be NULL if we're
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005848 * renegotiating, or if the user mistakenly loaded a session first.)
5849 */
5850 if( ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5851 ssl->session != NULL )
5852 {
5853 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5854 }
5855
5856 /*
5857 * We can't check that the config matches the initial one, but we can at
5858 * least check it matches the requirements for serializing.
5859 */
5860 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5861 ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
5862 ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
5863 ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
5864 ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
5865#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005866 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005867#endif
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005868 0 )
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005869 {
5870 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5871 }
5872
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005873 MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
5874
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005875 /*
5876 * Check version identifier
5877 */
5878 if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
5879 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5880
5881 if( memcmp( p, ssl_serialized_context_header,
5882 sizeof( ssl_serialized_context_header ) ) != 0 )
5883 {
5884 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5885 }
5886 p += sizeof( ssl_serialized_context_header );
5887
5888 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005889 * Session
5890 */
5891 if( (size_t)( end - p ) < 4 )
5892 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5893
5894 session_len = ( (size_t) p[0] << 24 ) |
5895 ( (size_t) p[1] << 16 ) |
5896 ( (size_t) p[2] << 8 ) |
5897 ( (size_t) p[3] );
5898 p += 4;
5899
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005900 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00005901 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005902 ssl->session = ssl->session_negotiate;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005903 ssl->session_in = ssl->session;
5904 ssl->session_out = ssl->session;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005905 ssl->session_negotiate = NULL;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005906
5907 if( (size_t)( end - p ) < session_len )
5908 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5909
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005910 ret = ssl_session_load( ssl->session, 1, p, session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005911 if( ret != 0 )
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005912 {
5913 mbedtls_ssl_session_free( ssl->session );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005914 return( ret );
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005915 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005916
5917 p += session_len;
5918
5919 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005920 * Transform
5921 */
5922
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005923 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00005924 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005925 ssl->transform = ssl->transform_negotiate;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005926 ssl->transform_in = ssl->transform;
5927 ssl->transform_out = ssl->transform;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005928 ssl->transform_negotiate = NULL;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005929
5930 /* Read random bytes and populate structure */
5931 if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
5932 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5933
Hanno Beckerbd257552021-03-22 06:59:27 +00005934 ret = ssl_tls12_populate_transform( ssl->transform,
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005935 ssl->session->ciphersuite,
5936 ssl->session->master,
Hanno Beckerbd257552021-03-22 06:59:27 +00005937#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
5938 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005939 ssl->session->encrypt_then_mac,
Hanno Beckerbd257552021-03-22 06:59:27 +00005940#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
5941 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005942 ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
5943 p, /* currently pointing to randbytes */
5944 MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
5945 ssl->conf->endpoint,
5946 ssl );
5947 if( ret != 0 )
5948 return( ret );
5949
5950 p += sizeof( ssl->transform->randbytes );
5951
5952#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5953 /* Read connection IDs and store them */
5954 if( (size_t)( end - p ) < 1 )
5955 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5956
5957 ssl->transform->in_cid_len = *p++;
5958
Manuel Pégourié-Gonnard5ea13b82019-07-23 15:02:54 +02005959 if( (size_t)( end - p ) < ssl->transform->in_cid_len + 1u )
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005960 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5961
5962 memcpy( ssl->transform->in_cid, p, ssl->transform->in_cid_len );
5963 p += ssl->transform->in_cid_len;
5964
5965 ssl->transform->out_cid_len = *p++;
5966
5967 if( (size_t)( end - p ) < ssl->transform->out_cid_len )
5968 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5969
5970 memcpy( ssl->transform->out_cid, p, ssl->transform->out_cid_len );
5971 p += ssl->transform->out_cid_len;
5972#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5973
5974 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005975 * Saved fields from top-level ssl_context structure
5976 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005977 if( (size_t)( end - p ) < 4 )
5978 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5979
5980 ssl->badmac_seen = ( (uint32_t) p[0] << 24 ) |
5981 ( (uint32_t) p[1] << 16 ) |
5982 ( (uint32_t) p[2] << 8 ) |
5983 ( (uint32_t) p[3] );
5984 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005985
5986#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5987 if( (size_t)( end - p ) < 16 )
5988 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5989
5990 ssl->in_window_top = ( (uint64_t) p[0] << 56 ) |
5991 ( (uint64_t) p[1] << 48 ) |
5992 ( (uint64_t) p[2] << 40 ) |
5993 ( (uint64_t) p[3] << 32 ) |
5994 ( (uint64_t) p[4] << 24 ) |
5995 ( (uint64_t) p[5] << 16 ) |
5996 ( (uint64_t) p[6] << 8 ) |
5997 ( (uint64_t) p[7] );
5998 p += 8;
5999
6000 ssl->in_window = ( (uint64_t) p[0] << 56 ) |
6001 ( (uint64_t) p[1] << 48 ) |
6002 ( (uint64_t) p[2] << 40 ) |
6003 ( (uint64_t) p[3] << 32 ) |
6004 ( (uint64_t) p[4] << 24 ) |
6005 ( (uint64_t) p[5] << 16 ) |
6006 ( (uint64_t) p[6] << 8 ) |
6007 ( (uint64_t) p[7] );
6008 p += 8;
6009#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
6010
6011#if defined(MBEDTLS_SSL_PROTO_DTLS)
6012 if( (size_t)( end - p ) < 1 )
6013 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6014
6015 ssl->disable_datagram_packing = *p++;
6016#endif /* MBEDTLS_SSL_PROTO_DTLS */
6017
6018 if( (size_t)( end - p ) < 8 )
6019 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6020
6021 memcpy( ssl->cur_out_ctr, p, 8 );
6022 p += 8;
6023
6024#if defined(MBEDTLS_SSL_PROTO_DTLS)
6025 if( (size_t)( end - p ) < 2 )
6026 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6027
6028 ssl->mtu = ( p[0] << 8 ) | p[1];
6029 p += 2;
6030#endif /* MBEDTLS_SSL_PROTO_DTLS */
6031
6032#if defined(MBEDTLS_SSL_ALPN)
6033 {
6034 uint8_t alpn_len;
6035 const char **cur;
6036
6037 if( (size_t)( end - p ) < 1 )
6038 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6039
6040 alpn_len = *p++;
6041
6042 if( alpn_len != 0 && ssl->conf->alpn_list != NULL )
6043 {
6044 /* alpn_chosen should point to an item in the configured list */
6045 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
6046 {
6047 if( strlen( *cur ) == alpn_len &&
6048 memcmp( p, cur, alpn_len ) == 0 )
6049 {
6050 ssl->alpn_chosen = *cur;
6051 break;
6052 }
6053 }
6054 }
6055
6056 /* can only happen on conf mismatch */
6057 if( alpn_len != 0 && ssl->alpn_chosen == NULL )
6058 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6059
6060 p += alpn_len;
6061 }
6062#endif /* MBEDTLS_SSL_ALPN */
6063
6064 /*
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006065 * Forced fields from top-level ssl_context structure
6066 *
6067 * Most of them already set to the correct value by mbedtls_ssl_init() and
6068 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
6069 */
6070 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
6071
6072 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6073 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
6074
Hanno Becker361b10d2019-08-30 10:42:49 +01006075 /* Adjust pointers for header fields of outgoing records to
6076 * the given transform, accounting for explicit IV and CID. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00006077 mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
Hanno Becker361b10d2019-08-30 10:42:49 +01006078
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006079#if defined(MBEDTLS_SSL_PROTO_DTLS)
6080 ssl->in_epoch = 1;
6081#endif
6082
6083 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
6084 * which we don't want - otherwise we'd end up freeing the wrong transform
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00006085 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
6086 * inappropriately. */
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006087 if( ssl->handshake != NULL )
6088 {
6089 mbedtls_ssl_handshake_free( ssl );
6090 mbedtls_free( ssl->handshake );
6091 ssl->handshake = NULL;
6092 }
6093
6094 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02006095 * Done - should have consumed entire buffer
6096 */
6097 if( p != end )
6098 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02006099
6100 return( 0 );
6101}
6102
6103/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02006104 * Deserialize context: public wrapper for error cleaning
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006105 */
6106int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
6107 const unsigned char *buf,
6108 size_t len )
6109{
6110 int ret = ssl_context_load( context, buf, len );
6111
6112 if( ret != 0 )
6113 mbedtls_ssl_free( context );
6114
6115 return( ret );
6116}
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02006117#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006118
6119/*
Paul Bakker5121ce52009-01-03 21:22:43 +00006120 * Free an SSL context
6121 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006122void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00006123{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02006124 if( ssl == NULL )
6125 return;
6126
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006128
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01006129 if( ssl->out_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006130 {
sander-visserb8aa2072020-05-06 22:05:13 +02006131#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6132 size_t out_buf_len = ssl->out_buf_len;
6133#else
6134 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
6135#endif
6136
Darryl Greenb33cc762019-11-28 14:29:44 +00006137 mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006138 mbedtls_free( ssl->out_buf );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05006139 ssl->out_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00006140 }
6141
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01006142 if( ssl->in_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006143 {
sander-visserb8aa2072020-05-06 22:05:13 +02006144#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6145 size_t in_buf_len = ssl->in_buf_len;
6146#else
6147 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
6148#endif
6149
Darryl Greenb33cc762019-11-28 14:29:44 +00006150 mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006151 mbedtls_free( ssl->in_buf );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05006152 ssl->in_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00006153 }
6154
Paul Bakker48916f92012-09-16 19:57:18 +00006155 if( ssl->transform )
6156 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006157 mbedtls_ssl_transform_free( ssl->transform );
6158 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00006159 }
6160
6161 if( ssl->handshake )
6162 {
Gilles Peskine9b562d52018-04-25 20:32:43 +02006163 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006164 mbedtls_ssl_transform_free( ssl->transform_negotiate );
6165 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00006166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006167 mbedtls_free( ssl->handshake );
6168 mbedtls_free( ssl->transform_negotiate );
6169 mbedtls_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00006170 }
6171
Paul Bakkerc0463502013-02-14 11:19:38 +01006172 if( ssl->session )
6173 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006174 mbedtls_ssl_session_free( ssl->session );
6175 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01006176 }
6177
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +02006178#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker66d5d072014-06-17 16:39:18 +02006179 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006180 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006181 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006182 mbedtls_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00006183 }
Paul Bakker0be444a2013-08-27 21:55:01 +02006184#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00006185
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02006186#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006187 mbedtls_free( ssl->cli_id );
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02006188#endif
6189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006190 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00006191
Paul Bakker86f04f42013-02-14 11:20:09 +01006192 /* Actually clear after last debug message */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006193 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006194}
6195
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006196/*
6197 * Initialze mbedtls_ssl_config
6198 */
6199void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
6200{
6201 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
6202}
6203
Gilles Peskineeccd8882020-03-10 12:19:08 +01006204#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006205/* The selection should be the same as mbedtls_x509_crt_profile_default in
Gilles Peskinea28f0f52021-06-02 15:29:38 +02006206 * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
6207 * for no fundamental reason.
Gilles Peskineae270bf2021-06-02 00:05:29 +02006208 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
6209 * about this list. */
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006210static int ssl_preset_default_hashes[] = {
6211#if defined(MBEDTLS_SHA512_C)
6212 MBEDTLS_MD_SHA512,
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006213#endif
6214#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006215 MBEDTLS_MD_SHA384,
6216#endif
6217#if defined(MBEDTLS_SHA256_C)
6218 MBEDTLS_MD_SHA256,
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006219#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006220 MBEDTLS_MD_NONE
6221};
Simon Butcherc97b6972015-12-27 23:48:17 +00006222#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006223
Gilles Peskineae270bf2021-06-02 00:05:29 +02006224#if defined(MBEDTLS_ECP_C)
6225/* The selection should be the same as mbedtls_x509_crt_profile_default in
6226 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
Gilles Peskineb1940a72021-06-02 15:18:12 +02006227 * curves with a lower resource usage come first.
Gilles Peskineae270bf2021-06-02 00:05:29 +02006228 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
Gilles Peskineb1940a72021-06-02 15:18:12 +02006229 * about this list.
6230 */
Gilles Peskineae270bf2021-06-02 00:05:29 +02006231static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
Gilles Peskineae270bf2021-06-02 00:05:29 +02006232#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006233 MBEDTLS_ECP_DP_CURVE25519,
6234#endif
6235#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
6236 MBEDTLS_ECP_DP_SECP256R1,
6237#endif
Gilles Peskineb1940a72021-06-02 15:18:12 +02006238#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
6239 MBEDTLS_ECP_DP_SECP384R1,
6240#endif
6241#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
6242 MBEDTLS_ECP_DP_CURVE448,
6243#endif
6244#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
6245 MBEDTLS_ECP_DP_SECP521R1,
6246#endif
Gilles Peskineae270bf2021-06-02 00:05:29 +02006247#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
6248 MBEDTLS_ECP_DP_BP256R1,
6249#endif
Gilles Peskineb1940a72021-06-02 15:18:12 +02006250#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
6251 MBEDTLS_ECP_DP_BP384R1,
6252#endif
6253#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
6254 MBEDTLS_ECP_DP_BP512R1,
6255#endif
Gilles Peskineae270bf2021-06-02 00:05:29 +02006256 MBEDTLS_ECP_DP_NONE
6257};
6258#endif
6259
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006260static int ssl_preset_suiteb_ciphersuites[] = {
6261 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6262 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
6263 0
6264};
6265
Gilles Peskineeccd8882020-03-10 12:19:08 +01006266#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006267static int ssl_preset_suiteb_hashes[] = {
6268 MBEDTLS_MD_SHA256,
6269 MBEDTLS_MD_SHA384,
6270 MBEDTLS_MD_NONE
6271};
6272#endif
6273
6274#if defined(MBEDTLS_ECP_C)
6275static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
Jaeden Amerod4311042019-06-03 08:27:16 +01006276#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006277 MBEDTLS_ECP_DP_SECP256R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01006278#endif
6279#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006280 MBEDTLS_ECP_DP_SECP384R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01006281#endif
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006282 MBEDTLS_ECP_DP_NONE
6283};
6284#endif
6285
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006286/*
Tillmann Karras588ad502015-09-25 04:27:22 +02006287 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006288 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02006289int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006290 int endpoint, int transport, int preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006291{
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006292#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Janos Follath865b3eb2019-12-16 11:46:15 +00006293 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006294#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006295
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +02006296 /* Use the functions here so that they are covered in tests,
6297 * but otherwise access member directly for efficiency */
6298 mbedtls_ssl_conf_endpoint( conf, endpoint );
6299 mbedtls_ssl_conf_transport( conf, transport );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006300
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006301 /*
6302 * Things that are common to all presets
6303 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02006304#if defined(MBEDTLS_SSL_CLI_C)
6305 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
6306 {
6307 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
6308#if defined(MBEDTLS_SSL_SESSION_TICKETS)
6309 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
6310#endif
6311 }
6312#endif
6313
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006314#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6315 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
6316#endif
6317
6318#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6319 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
6320#endif
6321
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02006322#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006323 conf->f_cookie_write = ssl_cookie_write_dummy;
6324 conf->f_cookie_check = ssl_cookie_check_dummy;
6325#endif
6326
6327#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6328 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
6329#endif
6330
Janos Follath088ce432017-04-10 12:42:31 +01006331#if defined(MBEDTLS_SSL_SRV_C)
6332 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
TRodziewicz3946f792021-06-14 12:11:18 +02006333 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
Janos Follath088ce432017-04-10 12:42:31 +01006334#endif
6335
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006336#if defined(MBEDTLS_SSL_PROTO_DTLS)
6337 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
6338 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
6339#endif
6340
6341#if defined(MBEDTLS_SSL_RENEGOTIATION)
6342 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Andres AG2196c7f2016-12-15 17:01:16 +00006343 memset( conf->renego_period, 0x00, 2 );
6344 memset( conf->renego_period + 2, 0xFF, 6 );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006345#endif
6346
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006347#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckere2defad2021-07-24 05:59:17 +01006348 if( endpoint == MBEDTLS_SSL_IS_SERVER )
6349 {
6350 const unsigned char dhm_p[] =
6351 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
6352 const unsigned char dhm_g[] =
6353 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
Hanno Becker00d0a682017-10-04 13:14:29 +01006354
Hanno Beckere2defad2021-07-24 05:59:17 +01006355 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
6356 dhm_p, sizeof( dhm_p ),
6357 dhm_g, sizeof( dhm_g ) ) ) != 0 )
6358 {
6359 return( ret );
6360 }
6361 }
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02006362#endif
6363
Hanno Becker71f1ed62021-07-24 06:01:47 +01006364#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
6365 /*
6366 * Allow all TLS 1.3 key exchange modes by default.
6367 */
6368 conf->tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
6369#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
6370
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006371 /*
6372 * Preset-specific defaults
6373 */
6374 switch( preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006375 {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006376 /*
6377 * NSA Suite B
6378 */
6379 case MBEDTLS_SSL_PRESET_SUITEB:
6380 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6381 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
6382 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6383 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6384
Hanno Beckerd60b6c62021-04-29 12:04:11 +01006385 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006386
6387#if defined(MBEDTLS_X509_CRT_PARSE_C)
6388 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006389#endif
6390
Gilles Peskineeccd8882020-03-10 12:19:08 +01006391#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006392 conf->sig_hashes = ssl_preset_suiteb_hashes;
6393#endif
6394
6395#if defined(MBEDTLS_ECP_C)
6396 conf->curve_list = ssl_preset_suiteb_curves;
6397#endif
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +02006398 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006399
6400 /*
6401 * Default
6402 */
6403 default:
Ron Eldor5e9f14d2017-05-28 10:46:38 +03006404 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
6405 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
6406 MBEDTLS_SSL_MIN_MAJOR_VERSION :
6407 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
6408 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
6409 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
6410 MBEDTLS_SSL_MIN_MINOR_VERSION :
6411 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006412 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6413 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6414
6415#if defined(MBEDTLS_SSL_PROTO_DTLS)
6416 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
TRodziewiczef73f012021-05-13 14:53:36 +02006417 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006418#endif
Hanno Beckerd60b6c62021-04-29 12:04:11 +01006419 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006420
6421#if defined(MBEDTLS_X509_CRT_PARSE_C)
6422 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6423#endif
6424
Gilles Peskineeccd8882020-03-10 12:19:08 +01006425#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006426 conf->sig_hashes = ssl_preset_default_hashes;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006427#endif
6428
6429#if defined(MBEDTLS_ECP_C)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006430 conf->curve_list = ssl_preset_default_curves;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006431#endif
6432
6433#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6434 conf->dhm_min_bitlen = 1024;
6435#endif
6436 }
6437
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006438 return( 0 );
6439}
6440
6441/*
6442 * Free mbedtls_ssl_config
6443 */
6444void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
6445{
6446#if defined(MBEDTLS_DHM_C)
6447 mbedtls_mpi_free( &conf->dhm_P );
6448 mbedtls_mpi_free( &conf->dhm_G );
6449#endif
6450
Gilles Peskineeccd8882020-03-10 12:19:08 +01006451#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006452 if( conf->psk != NULL )
6453 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006454 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006455 mbedtls_free( conf->psk );
Azim Khan27e8a122018-03-21 14:24:11 +00006456 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006457 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +09006458 }
6459
6460 if( conf->psk_identity != NULL )
6461 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006462 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
junyeonLEE316b1622017-12-20 16:29:30 +09006463 mbedtls_free( conf->psk_identity );
Azim Khan27e8a122018-03-21 14:24:11 +00006464 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006465 conf->psk_identity_len = 0;
6466 }
6467#endif
6468
6469#if defined(MBEDTLS_X509_CRT_PARSE_C)
6470 ssl_key_cert_free( conf->key_cert );
6471#endif
6472
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006473 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006474}
6475
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02006476#if defined(MBEDTLS_PK_C) && \
6477 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006478/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006479 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006480 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006481unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006482{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006483#if defined(MBEDTLS_RSA_C)
6484 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
6485 return( MBEDTLS_SSL_SIG_RSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006486#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006487#if defined(MBEDTLS_ECDSA_C)
6488 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
6489 return( MBEDTLS_SSL_SIG_ECDSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006490#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006491 return( MBEDTLS_SSL_SIG_ANON );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006492}
6493
Hanno Becker7e5437a2017-04-28 17:15:26 +01006494unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
6495{
6496 switch( type ) {
6497 case MBEDTLS_PK_RSA:
6498 return( MBEDTLS_SSL_SIG_RSA );
6499 case MBEDTLS_PK_ECDSA:
6500 case MBEDTLS_PK_ECKEY:
6501 return( MBEDTLS_SSL_SIG_ECDSA );
6502 default:
6503 return( MBEDTLS_SSL_SIG_ANON );
6504 }
6505}
6506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006507mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006508{
6509 switch( sig )
6510 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006511#if defined(MBEDTLS_RSA_C)
6512 case MBEDTLS_SSL_SIG_RSA:
6513 return( MBEDTLS_PK_RSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006514#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006515#if defined(MBEDTLS_ECDSA_C)
6516 case MBEDTLS_SSL_SIG_ECDSA:
6517 return( MBEDTLS_PK_ECDSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006518#endif
6519 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006520 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006521 }
6522}
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02006523#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006524
Hanno Becker7e5437a2017-04-28 17:15:26 +01006525#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01006526 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01006527
6528/* Find an entry in a signature-hash set matching a given hash algorithm. */
6529mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
6530 mbedtls_pk_type_t sig_alg )
6531{
6532 switch( sig_alg )
6533 {
6534 case MBEDTLS_PK_RSA:
6535 return( set->rsa );
6536 case MBEDTLS_PK_ECDSA:
6537 return( set->ecdsa );
6538 default:
6539 return( MBEDTLS_MD_NONE );
6540 }
6541}
6542
6543/* Add a signature-hash-pair to a signature-hash set */
6544void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
6545 mbedtls_pk_type_t sig_alg,
6546 mbedtls_md_type_t md_alg )
6547{
6548 switch( sig_alg )
6549 {
6550 case MBEDTLS_PK_RSA:
6551 if( set->rsa == MBEDTLS_MD_NONE )
6552 set->rsa = md_alg;
6553 break;
6554
6555 case MBEDTLS_PK_ECDSA:
6556 if( set->ecdsa == MBEDTLS_MD_NONE )
6557 set->ecdsa = md_alg;
6558 break;
6559
6560 default:
6561 break;
6562 }
6563}
6564
6565/* Allow exactly one hash algorithm for each signature. */
6566void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
6567 mbedtls_md_type_t md_alg )
6568{
6569 set->rsa = md_alg;
6570 set->ecdsa = md_alg;
6571}
6572
6573#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
Gilles Peskineeccd8882020-03-10 12:19:08 +01006574 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +01006575
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02006576/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006577 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02006578 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006579mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006580{
6581 switch( hash )
6582 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006583#if defined(MBEDTLS_MD5_C)
6584 case MBEDTLS_SSL_HASH_MD5:
6585 return( MBEDTLS_MD_MD5 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006586#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006587#if defined(MBEDTLS_SHA1_C)
6588 case MBEDTLS_SSL_HASH_SHA1:
6589 return( MBEDTLS_MD_SHA1 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006590#endif
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006591#if defined(MBEDTLS_SHA224_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006592 case MBEDTLS_SSL_HASH_SHA224:
6593 return( MBEDTLS_MD_SHA224 );
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006594#endif
6595#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006596 case MBEDTLS_SSL_HASH_SHA256:
6597 return( MBEDTLS_MD_SHA256 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006598#endif
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006599#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006600 case MBEDTLS_SSL_HASH_SHA384:
6601 return( MBEDTLS_MD_SHA384 );
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006602#endif
6603#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006604 case MBEDTLS_SSL_HASH_SHA512:
6605 return( MBEDTLS_MD_SHA512 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006606#endif
6607 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006608 return( MBEDTLS_MD_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006609 }
6610}
6611
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006612/*
6613 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6614 */
6615unsigned char mbedtls_ssl_hash_from_md_alg( int md )
6616{
6617 switch( md )
6618 {
6619#if defined(MBEDTLS_MD5_C)
6620 case MBEDTLS_MD_MD5:
6621 return( MBEDTLS_SSL_HASH_MD5 );
6622#endif
6623#if defined(MBEDTLS_SHA1_C)
6624 case MBEDTLS_MD_SHA1:
6625 return( MBEDTLS_SSL_HASH_SHA1 );
6626#endif
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006627#if defined(MBEDTLS_SHA224_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006628 case MBEDTLS_MD_SHA224:
6629 return( MBEDTLS_SSL_HASH_SHA224 );
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006630#endif
6631#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006632 case MBEDTLS_MD_SHA256:
6633 return( MBEDTLS_SSL_HASH_SHA256 );
6634#endif
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006635#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006636 case MBEDTLS_MD_SHA384:
6637 return( MBEDTLS_SSL_HASH_SHA384 );
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006638#endif
6639#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006640 case MBEDTLS_MD_SHA512:
6641 return( MBEDTLS_SSL_HASH_SHA512 );
6642#endif
6643 default:
6644 return( MBEDTLS_SSL_HASH_NONE );
6645 }
6646}
6647
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006648#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006649/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006650 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006651 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006652 */
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006653int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006654{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006655 const mbedtls_ecp_group_id *gid;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006656
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006657 if( ssl->conf->curve_list == NULL )
6658 return( -1 );
6659
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006660 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006661 if( *gid == grp_id )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006662 return( 0 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006663
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006664 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006665}
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006666#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006667
Gilles Peskineeccd8882020-03-10 12:19:08 +01006668#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006669/*
6670 * Check if a hash proposed by the peer is in our list.
6671 * Return 0 if we're willing to use it, -1 otherwise.
6672 */
6673int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
6674 mbedtls_md_type_t md )
6675{
6676 const int *cur;
6677
6678 if( ssl->conf->sig_hashes == NULL )
6679 return( -1 );
6680
6681 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
6682 if( *cur == (int) md )
6683 return( 0 );
6684
6685 return( -1 );
6686}
Gilles Peskineeccd8882020-03-10 12:19:08 +01006687#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006689#if defined(MBEDTLS_X509_CRT_PARSE_C)
6690int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
6691 const mbedtls_ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006692 int cert_endpoint,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02006693 uint32_t *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006694{
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006695 int ret = 0;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006696 int usage = 0;
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006697 const char *ext_oid;
6698 size_t ext_len;
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006699
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006700 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006701 {
6702 /* Server part of the key exchange */
6703 switch( ciphersuite->key_exchange )
6704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006705 case MBEDTLS_KEY_EXCHANGE_RSA:
6706 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006707 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006708 break;
6709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006710 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
6711 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
6712 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
6713 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006714 break;
6715
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006716 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
6717 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006718 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006719 break;
6720
6721 /* Don't use default: we want warnings when adding new values */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006722 case MBEDTLS_KEY_EXCHANGE_NONE:
6723 case MBEDTLS_KEY_EXCHANGE_PSK:
6724 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
6725 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +02006726 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006727 usage = 0;
6728 }
6729 }
6730 else
6731 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006732 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
6733 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006734 }
6735
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006736 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006737 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006738 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006739 ret = -1;
6740 }
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006741
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006742 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006743 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006744 ext_oid = MBEDTLS_OID_SERVER_AUTH;
6745 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006746 }
6747 else
6748 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006749 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
6750 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006751 }
6752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006753 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006754 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006755 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006756 ret = -1;
6757 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006758
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006759 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006760}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006761#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +02006762
Simon Butcher99000142016-10-13 17:21:01 +01006763int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
6764{
6765#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6766 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Becker541af852021-05-14 16:49:01 +01006767 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01006768
6769 switch( md )
6770 {
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02006771#if defined(MBEDTLS_SHA384_C)
Simon Butcher99000142016-10-13 17:21:01 +01006772 case MBEDTLS_SSL_HASH_SHA384:
6773 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6774 break;
6775#endif
6776#if defined(MBEDTLS_SHA256_C)
6777 case MBEDTLS_SSL_HASH_SHA256:
6778 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6779 break;
6780#endif
6781 default:
Hanno Becker541af852021-05-14 16:49:01 +01006782 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01006783 }
6784
6785 return 0;
6786#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
6787 (void) ssl;
6788 (void) md;
6789
Hanno Becker541af852021-05-14 16:49:01 +01006790 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01006791#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6792}
6793
TRodziewicz0f82ec62021-05-12 17:49:18 +02006794#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006795
6796#if defined(MBEDTLS_USE_PSA_CRYPTO)
6797int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
6798 unsigned char *hash, size_t *hashlen,
6799 unsigned char *data, size_t data_len,
6800 mbedtls_md_type_t md_alg )
6801{
Andrzej Kurek814feff2019-01-14 04:35:19 -05006802 psa_status_t status;
Jaeden Amero34973232019-02-20 10:32:28 +00006803 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006804 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
6805
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01006806 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006807
6808 if( ( status = psa_hash_setup( &hash_operation,
6809 hash_alg ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006810 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006811 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006812 goto exit;
6813 }
6814
Andrzej Kurek814feff2019-01-14 04:35:19 -05006815 if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
6816 64 ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006817 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006818 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006819 goto exit;
6820 }
6821
Andrzej Kurek814feff2019-01-14 04:35:19 -05006822 if( ( status = psa_hash_update( &hash_operation,
6823 data, data_len ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006824 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006825 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006826 goto exit;
6827 }
6828
Andrzej Kurek814feff2019-01-14 04:35:19 -05006829 if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
6830 hashlen ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006831 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006832 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006833 goto exit;
6834 }
6835
6836exit:
Andrzej Kurek814feff2019-01-14 04:35:19 -05006837 if( status != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006838 {
6839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6840 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006841 switch( status )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006842 {
6843 case PSA_ERROR_NOT_SUPPORTED:
6844 return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006845 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006846 case PSA_ERROR_BUFFER_TOO_SMALL:
6847 return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
6848 case PSA_ERROR_INSUFFICIENT_MEMORY:
6849 return( MBEDTLS_ERR_MD_ALLOC_FAILED );
6850 default:
TRodziewiczb579ccd2021-04-13 14:28:28 +02006851 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006852 }
6853 }
6854 return( 0 );
6855}
6856
6857#else
6858
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006859int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02006860 unsigned char *hash, size_t *hashlen,
6861 unsigned char *data, size_t data_len,
6862 mbedtls_md_type_t md_alg )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006863{
6864 int ret = 0;
6865 mbedtls_md_context_t ctx;
6866 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
Gilles Peskineca1d7422018-04-24 11:53:22 +02006867 *hashlen = mbedtls_md_get_size( md_info );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006868
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01006869 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006870
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006871 mbedtls_md_init( &ctx );
6872
6873 /*
6874 * digitally-signed struct {
6875 * opaque client_random[32];
6876 * opaque server_random[32];
6877 * ServerDHParams params;
6878 * };
6879 */
6880 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
6881 {
6882 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
6883 goto exit;
6884 }
6885 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
6886 {
6887 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
6888 goto exit;
6889 }
6890 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
6891 {
6892 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
6893 goto exit;
6894 }
6895 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
6896 {
6897 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
6898 goto exit;
6899 }
Gilles Peskineca1d7422018-04-24 11:53:22 +02006900 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006901 {
6902 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
6903 goto exit;
6904 }
6905
6906exit:
6907 mbedtls_md_free( &ctx );
6908
6909 if( ret != 0 )
6910 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6911 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
6912
6913 return( ret );
6914}
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006915#endif /* MBEDTLS_USE_PSA_CRYPTO */
6916
TRodziewicz0f82ec62021-05-12 17:49:18 +02006917#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006918
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006919#endif /* MBEDTLS_SSL_TLS_C */