blob: 9a8fe45ec75395b6bfeaf808f7a82f71ffa40ca2 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002 * TLS shared functions
Paul Bakker5121ce52009-01-03 21:22:43 +00003 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +000018 */
19/*
Paul Bakker5121ce52009-01-03 21:22:43 +000020 * http://www.ietf.org/rfc/rfc2246.txt
21 * http://www.ietf.org/rfc/rfc4346.txt
22 */
23
Gilles Peskinedb09ef62020-06-03 01:43:33 +020024#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020026#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000027
SimonBd5800b72016-04-26 07:43:27 +010028#if defined(MBEDTLS_PLATFORM_C)
29#include "mbedtls/platform.h"
30#else
31#include <stdlib.h>
32#define mbedtls_calloc calloc
33#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +010034#endif
35
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000036#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +000037#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +000038#include "mbedtls/debug.h"
39#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050040#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +010041#include "mbedtls/version.h"
Gabor Mezei765862c2021-10-19 12:22:25 +020042#include "mbedtls/constant_time.h"
Paul Bakker0be444a2013-08-27 21:55:01 +020043
Rich Evans00ab4702015-02-06 13:43:58 +000044#include <string.h>
45
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050046#if defined(MBEDTLS_USE_PSA_CRYPTO)
47#include "mbedtls/psa_util.h"
48#include "psa/crypto.h"
49#endif
50
Janos Follath23bdca02016-10-07 14:47:14 +010051#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000052#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020053#endif
54
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020055#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +010056
Hanno Beckera0e20d02019-05-15 14:03:01 +010057#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf8542cf2019-04-09 15:22:03 +010058/* Top-level Connection ID API */
59
Hanno Becker8367ccc2019-05-14 11:30:10 +010060int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
61 size_t len,
62 int ignore_other_cid )
Hanno Beckerad4a1372019-05-03 13:06:44 +010063{
64 if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
65 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
66
Hanno Becker611ac772019-05-14 11:45:26 +010067 if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
68 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
69 {
70 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
71 }
72
73 conf->ignore_unexpected_cid = ignore_other_cid;
Hanno Beckerad4a1372019-05-03 13:06:44 +010074 conf->cid_len = len;
75 return( 0 );
76}
77
Hanno Beckerf8542cf2019-04-09 15:22:03 +010078int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
79 int enable,
80 unsigned char const *own_cid,
81 size_t own_cid_len )
82{
Hanno Becker76a79ab2019-05-03 14:38:32 +010083 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
84 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
85
Hanno Beckerca092242019-04-25 16:01:49 +010086 ssl->negotiate_cid = enable;
87 if( enable == MBEDTLS_SSL_CID_DISABLED )
88 {
89 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
90 return( 0 );
91 }
92 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
Hanno Beckerad4a1372019-05-03 13:06:44 +010093 MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
Hanno Beckerca092242019-04-25 16:01:49 +010094
Hanno Beckerad4a1372019-05-03 13:06:44 +010095 if( own_cid_len != ssl->conf->cid_len )
Hanno Beckerca092242019-04-25 16:01:49 +010096 {
Hanno Beckerad4a1372019-05-03 13:06:44 +010097 MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
98 (unsigned) own_cid_len,
99 (unsigned) ssl->conf->cid_len ) );
Hanno Beckerca092242019-04-25 16:01:49 +0100100 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
101 }
102
103 memcpy( ssl->own_cid, own_cid, own_cid_len );
Hanno Beckerb7ee0cf2019-04-30 14:07:31 +0100104 /* Truncation is not an issue here because
105 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
106 ssl->own_cid_len = (uint8_t) own_cid_len;
Hanno Beckerca092242019-04-25 16:01:49 +0100107
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100108 return( 0 );
109}
110
111int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
112 int *enabled,
113 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
114 size_t *peer_cid_len )
115{
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100116 *enabled = MBEDTLS_SSL_CID_DISABLED;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100117
Hanno Becker76a79ab2019-05-03 14:38:32 +0100118 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
119 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
120 {
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100121 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Becker76a79ab2019-05-03 14:38:32 +0100122 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100123
Hanno Beckerc5f24222019-05-03 12:54:52 +0100124 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
125 * were used, but client and server requested the empty CID.
126 * This is indistinguishable from not using the CID extension
127 * in the first place. */
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100128 if( ssl->transform_in->in_cid_len == 0 &&
129 ssl->transform_in->out_cid_len == 0 )
130 {
131 return( 0 );
132 }
133
Hanno Becker615ef172019-05-22 16:50:35 +0100134 if( peer_cid_len != NULL )
135 {
136 *peer_cid_len = ssl->transform_in->out_cid_len;
137 if( peer_cid != NULL )
138 {
139 memcpy( peer_cid, ssl->transform_in->out_cid,
140 ssl->transform_in->out_cid_len );
141 }
142 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100143
144 *enabled = MBEDTLS_SSL_CID_ENABLED;
145
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100146 return( 0 );
147}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100148#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100149
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200150#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200151
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200152#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200153/*
154 * Convert max_fragment_length codes to length.
155 * RFC 6066 says:
156 * enum{
157 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
158 * } MaxFragmentLength;
159 * and we add 0 -> extension unused
160 */
Angus Grattond8213d02016-05-25 20:56:48 +1000161static unsigned int ssl_mfl_code_to_length( int mfl )
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200162{
Angus Grattond8213d02016-05-25 20:56:48 +1000163 switch( mfl )
164 {
165 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
166 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
167 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
168 return 512;
169 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
170 return 1024;
171 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
172 return 2048;
173 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
174 return 4096;
175 default:
176 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
177 }
178}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200179#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200180
Hanno Becker52055ae2019-02-06 14:30:46 +0000181int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
182 const mbedtls_ssl_session *src )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200183{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200184 mbedtls_ssl_session_free( dst );
185 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200186
吴敬辉0b716112021-11-29 10:46:35 +0800187#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
188 dst->ticket = NULL;
189#endif
190
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200191#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000192
193#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200194 if( src->peer_cert != NULL )
195 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000196 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200197
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200198 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200199 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200200 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200202 mbedtls_x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200203
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200204 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200205 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200206 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200207 mbedtls_free( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200208 dst->peer_cert = NULL;
209 return( ret );
210 }
211 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000212#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker9198ad12019-02-05 17:00:50 +0000213 if( src->peer_cert_digest != NULL )
214 {
Hanno Becker9198ad12019-02-05 17:00:50 +0000215 dst->peer_cert_digest =
Hanno Beckeraccc5992019-02-25 10:06:59 +0000216 mbedtls_calloc( 1, src->peer_cert_digest_len );
Hanno Becker9198ad12019-02-05 17:00:50 +0000217 if( dst->peer_cert_digest == NULL )
218 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
219
220 memcpy( dst->peer_cert_digest, src->peer_cert_digest,
221 src->peer_cert_digest_len );
222 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000223 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000224 }
225#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200227#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200228
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200229#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200230 if( src->ticket != NULL )
231 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200232 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200233 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200234 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200235
236 memcpy( dst->ticket, src->ticket, src->ticket_len );
237 }
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200238#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200239
240 return( 0 );
241}
242
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500243#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
244static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
245{
246 unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
247 if( resized_buffer == NULL )
248 return -1;
249
250 /* We want to copy len_new bytes when downsizing the buffer, and
251 * len_old bytes when upsizing, so we choose the smaller of two sizes,
252 * to fit one buffer into another. Size checks, ensuring that no data is
253 * lost, are done outside of this function. */
254 memcpy( resized_buffer, *buffer,
255 ( len_new < *len_old ) ? len_new : *len_old );
256 mbedtls_platform_zeroize( *buffer, *len_old );
257 mbedtls_free( *buffer );
258
259 *buffer = resized_buffer;
260 *len_old = len_new;
261
262 return 0;
263}
Andrzej Kurek4a063792020-10-21 15:08:44 +0200264
265static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
Andrzej Kurek069fa962021-01-07 08:02:15 -0500266 size_t in_buf_new_len,
267 size_t out_buf_new_len )
Andrzej Kurek4a063792020-10-21 15:08:44 +0200268{
269 int modified = 0;
270 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
271 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
272 if( ssl->in_buf != NULL )
273 {
274 written_in = ssl->in_msg - ssl->in_buf;
275 iv_offset_in = ssl->in_iv - ssl->in_buf;
276 len_offset_in = ssl->in_len - ssl->in_buf;
277 if( downsizing ?
278 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
279 ssl->in_buf_len < in_buf_new_len )
280 {
281 if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
282 {
283 MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
284 }
285 else
286 {
Paul Elliottb7449902021-03-10 18:14:58 +0000287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
288 in_buf_new_len ) );
Andrzej Kurek4a063792020-10-21 15:08:44 +0200289 modified = 1;
290 }
291 }
292 }
293
294 if( ssl->out_buf != NULL )
295 {
296 written_out = ssl->out_msg - ssl->out_buf;
297 iv_offset_out = ssl->out_iv - ssl->out_buf;
298 len_offset_out = ssl->out_len - ssl->out_buf;
299 if( downsizing ?
300 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
301 ssl->out_buf_len < out_buf_new_len )
302 {
303 if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
304 {
305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
306 }
307 else
308 {
Paul Elliottb7449902021-03-10 18:14:58 +0000309 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
310 out_buf_new_len ) );
Andrzej Kurek4a063792020-10-21 15:08:44 +0200311 modified = 1;
312 }
313 }
314 }
315 if( modified )
316 {
317 /* Update pointers here to avoid doing it twice. */
318 mbedtls_ssl_reset_in_out_pointers( ssl );
319 /* Fields below might not be properly updated with record
320 * splitting or with CID, so they are manually updated here. */
321 ssl->out_msg = ssl->out_buf + written_out;
322 ssl->out_len = ssl->out_buf + len_offset_out;
323 ssl->out_iv = ssl->out_buf + iv_offset_out;
324
325 ssl->in_msg = ssl->in_buf + written_in;
326 ssl->in_len = ssl->in_buf + len_offset_in;
327 ssl->in_iv = ssl->in_buf + iv_offset_in;
328 }
329}
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500330#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200332#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekc929a822019-01-14 03:51:11 -0500333#if defined(MBEDTLS_USE_PSA_CRYPTO)
k-stachowiak81053a52019-08-17 10:30:28 +0200334
335static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
Andrzej Kurek03e01462022-01-03 12:53:24 +0100336 mbedtls_svc_key_id_t key,
k-stachowiak81053a52019-08-17 10:30:28 +0200337 psa_algorithm_t alg,
338 const unsigned char* seed, size_t seed_length,
339 const unsigned char* label, size_t label_length,
340 size_t capacity )
341{
342 psa_status_t status;
343
344 status = psa_key_derivation_setup( derivation, alg );
345 if( status != PSA_SUCCESS )
346 return( status );
347
348 if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
349 {
350 status = psa_key_derivation_input_bytes( derivation,
351 PSA_KEY_DERIVATION_INPUT_SEED,
352 seed, seed_length );
353 if( status != PSA_SUCCESS )
354 return( status );
355
Ronald Croncf56a0a2020-08-04 09:51:30 +0200356 if( mbedtls_svc_key_id_is_null( key ) )
Gilles Peskine311f54d2019-09-23 18:19:22 +0200357 {
358 status = psa_key_derivation_input_bytes(
359 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
360 NULL, 0 );
361 }
362 else
363 {
364 status = psa_key_derivation_input_key(
Ronald Croncf56a0a2020-08-04 09:51:30 +0200365 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
Gilles Peskine311f54d2019-09-23 18:19:22 +0200366 }
k-stachowiak81053a52019-08-17 10:30:28 +0200367 if( status != PSA_SUCCESS )
368 return( status );
369
370 status = psa_key_derivation_input_bytes( derivation,
371 PSA_KEY_DERIVATION_INPUT_LABEL,
372 label, label_length );
373 if( status != PSA_SUCCESS )
374 return( status );
375 }
376 else
377 {
378 return( PSA_ERROR_NOT_SUPPORTED );
379 }
380
381 status = psa_key_derivation_set_capacity( derivation, capacity );
382 if( status != PSA_SUCCESS )
383 return( status );
384
385 return( PSA_SUCCESS );
386}
387
Andrzej Kurekc929a822019-01-14 03:51:11 -0500388static int tls_prf_generic( mbedtls_md_type_t md_type,
389 const unsigned char *secret, size_t slen,
390 const char *label,
391 const unsigned char *random, size_t rlen,
392 unsigned char *dstbuf, size_t dlen )
393{
394 psa_status_t status;
395 psa_algorithm_t alg;
Andrzej Kurek03e01462022-01-03 12:53:24 +0100396 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
Janos Follathda6ac012019-08-16 13:47:29 +0100397 psa_key_derivation_operation_t derivation =
Janos Follath8dee8772019-07-30 12:53:32 +0100398 PSA_KEY_DERIVATION_OPERATION_INIT;
Andrzej Kurekc929a822019-01-14 03:51:11 -0500399
Andrzej Kurekc929a822019-01-14 03:51:11 -0500400 if( md_type == MBEDTLS_MD_SHA384 )
401 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
402 else
403 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
404
Gilles Peskine311f54d2019-09-23 18:19:22 +0200405 /* Normally a "secret" should be long enough to be impossible to
406 * find by brute force, and in particular should not be empty. But
407 * this PRF is also used to derive an IV, in particular in EAP-TLS,
408 * and for this use case it makes sense to have a 0-length "secret".
409 * Since the key API doesn't allow importing a key of length 0,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200410 * keep master_key=0, which setup_psa_key_derivation() understands
Gilles Peskine311f54d2019-09-23 18:19:22 +0200411 * to mean a 0-length "secret" input. */
412 if( slen != 0 )
413 {
414 psa_key_attributes_t key_attributes = psa_key_attributes_init();
415 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
416 psa_set_key_algorithm( &key_attributes, alg );
417 psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500418
Ronald Croncf56a0a2020-08-04 09:51:30 +0200419 status = psa_import_key( &key_attributes, secret, slen, &master_key );
Gilles Peskine311f54d2019-09-23 18:19:22 +0200420 if( status != PSA_SUCCESS )
421 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
422 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500423
k-stachowiak81053a52019-08-17 10:30:28 +0200424 status = setup_psa_key_derivation( &derivation,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200425 master_key, alg,
k-stachowiak81053a52019-08-17 10:30:28 +0200426 random, rlen,
427 (unsigned char const *) label,
428 (size_t) strlen( label ),
429 dlen );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500430 if( status != PSA_SUCCESS )
431 {
Janos Follathda6ac012019-08-16 13:47:29 +0100432 psa_key_derivation_abort( &derivation );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200433 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500434 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
435 }
436
Janos Follathda6ac012019-08-16 13:47:29 +0100437 status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500438 if( status != PSA_SUCCESS )
439 {
Janos Follathda6ac012019-08-16 13:47:29 +0100440 psa_key_derivation_abort( &derivation );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200441 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500442 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
443 }
444
Janos Follathda6ac012019-08-16 13:47:29 +0100445 status = psa_key_derivation_abort( &derivation );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500446 if( status != PSA_SUCCESS )
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500447 {
Ronald Croncf56a0a2020-08-04 09:51:30 +0200448 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500449 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500450 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500451
Ronald Croncf56a0a2020-08-04 09:51:30 +0200452 if( ! mbedtls_svc_key_id_is_null( master_key ) )
453 status = psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500454 if( status != PSA_SUCCESS )
455 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
456
Andrzej Kurek33171262019-01-15 03:25:18 -0500457 return( 0 );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500458}
459
460#else /* MBEDTLS_USE_PSA_CRYPTO */
461
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200462static int tls_prf_generic( mbedtls_md_type_t md_type,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100463 const unsigned char *secret, size_t slen,
464 const char *label,
465 const unsigned char *random, size_t rlen,
466 unsigned char *dstbuf, size_t dlen )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000467{
468 size_t nb;
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100469 size_t i, j, k, md_len;
Ron Eldor3b350852019-05-07 18:31:49 +0300470 unsigned char *tmp;
471 size_t tmp_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200472 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
473 const mbedtls_md_info_t *md_info;
474 mbedtls_md_context_t md_ctx;
Janos Follath865b3eb2019-12-16 11:46:15 +0000475 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200477 mbedtls_md_init( &md_ctx );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200479 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
480 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200482 md_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100483
Ron Eldor3b350852019-05-07 18:31:49 +0300484 tmp_len = md_len + strlen( label ) + rlen;
485 tmp = mbedtls_calloc( 1, tmp_len );
486 if( tmp == NULL )
487 {
488 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
489 goto exit;
490 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000491
492 nb = strlen( label );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100493 memcpy( tmp + md_len, label, nb );
494 memcpy( tmp + md_len + nb, random, rlen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000495 nb += rlen;
496
497 /*
498 * Compute P_<hash>(secret, label + random)[0..dlen]
499 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200500 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Ron Eldor3b350852019-05-07 18:31:49 +0300501 goto exit;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100502
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100503 ret = mbedtls_md_hmac_starts( &md_ctx, secret, slen );
504 if( ret != 0 )
505 goto exit;
506 ret = mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
507 if( ret != 0 )
508 goto exit;
509 ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
510 if( ret != 0 )
511 goto exit;
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100512
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100513 for( i = 0; i < dlen; i += md_len )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000514 {
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100515 ret = mbedtls_md_hmac_reset ( &md_ctx );
516 if( ret != 0 )
517 goto exit;
518 ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
519 if( ret != 0 )
520 goto exit;
521 ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
522 if( ret != 0 )
523 goto exit;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100524
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100525 ret = mbedtls_md_hmac_reset ( &md_ctx );
526 if( ret != 0 )
527 goto exit;
528 ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
529 if( ret != 0 )
530 goto exit;
531 ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
532 if( ret != 0 )
533 goto exit;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000534
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100535 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000536
537 for( j = 0; j < k; j++ )
538 dstbuf[i + j] = h_i[j];
539 }
540
Ron Eldor3b350852019-05-07 18:31:49 +0300541exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200542 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100543
Ron Eldor3b350852019-05-07 18:31:49 +0300544 mbedtls_platform_zeroize( tmp, tmp_len );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500545 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000546
Ron Eldor3b350852019-05-07 18:31:49 +0300547 mbedtls_free( tmp );
548
549 return( ret );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000550}
Andrzej Kurekc929a822019-01-14 03:51:11 -0500551#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200552#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100553static int tls_prf_sha256( const unsigned char *secret, size_t slen,
554 const char *label,
555 const unsigned char *random, size_t rlen,
556 unsigned char *dstbuf, size_t dlen )
557{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200558 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100559 label, random, rlen, dstbuf, dlen ) );
560}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200561#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000562
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200563#if defined(MBEDTLS_SHA384_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200564static int tls_prf_sha384( const unsigned char *secret, size_t slen,
565 const char *label,
566 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000567 unsigned char *dstbuf, size_t dlen )
568{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200569 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100570 label, random, rlen, dstbuf, dlen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000571}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200572#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200573#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200575static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200577#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
578#if defined(MBEDTLS_SHA256_C)
579static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -0300580static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200581static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200582#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100583
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200584#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200585static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -0300586static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200587static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100588#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200589#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000590
Manuel Pégourié-Gonnard45be3d82019-02-18 23:35:14 +0100591#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
Hanno Becker7d0a5692018-10-23 15:26:22 +0100592 defined(MBEDTLS_USE_PSA_CRYPTO)
593static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
594{
595 if( ssl->conf->f_psk != NULL )
596 {
597 /* If we've used a callback to select the PSK,
598 * the static configuration is irrelevant. */
Ronald Croncf56a0a2020-08-04 09:51:30 +0200599 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Hanno Becker7d0a5692018-10-23 15:26:22 +0100600 return( 1 );
601
602 return( 0 );
603 }
604
Ronald Croncf56a0a2020-08-04 09:51:30 +0200605 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
Hanno Becker7d0a5692018-10-23 15:26:22 +0100606 return( 1 );
607
608 return( 0 );
609}
610#endif /* MBEDTLS_USE_PSA_CRYPTO &&
Manuel Pégourié-Gonnard45be3d82019-02-18 23:35:14 +0100611 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Hanno Becker7d0a5692018-10-23 15:26:22 +0100612
Ron Eldorcf280092019-05-14 20:19:13 +0300613static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
614{
Ron Eldorcf280092019-05-14 20:19:13 +0300615#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200616#if defined(MBEDTLS_SHA384_C)
Ron Eldorcf280092019-05-14 20:19:13 +0300617 if( tls_prf == tls_prf_sha384 )
618 {
619 return( MBEDTLS_SSL_TLS_PRF_SHA384 );
620 }
621 else
622#endif
623#if defined(MBEDTLS_SHA256_C)
624 if( tls_prf == tls_prf_sha256 )
625 {
626 return( MBEDTLS_SSL_TLS_PRF_SHA256 );
627 }
628 else
629#endif
630#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
631 return( MBEDTLS_SSL_TLS_PRF_NONE );
632}
Ron Eldorcf280092019-05-14 20:19:13 +0300633
Ron Eldor51d3ab52019-05-12 14:54:30 +0300634int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
635 const unsigned char *secret, size_t slen,
636 const char *label,
637 const unsigned char *random, size_t rlen,
638 unsigned char *dstbuf, size_t dlen )
639{
640 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
641
642 switch( prf )
643 {
Ron Eldord2f25f72019-05-15 14:54:22 +0300644#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200645#if defined(MBEDTLS_SHA384_C)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300646 case MBEDTLS_SSL_TLS_PRF_SHA384:
647 tls_prf = tls_prf_sha384;
648 break;
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200649#endif /* MBEDTLS_SHA384_C */
Ron Eldor51d3ab52019-05-12 14:54:30 +0300650#if defined(MBEDTLS_SHA256_C)
651 case MBEDTLS_SSL_TLS_PRF_SHA256:
652 tls_prf = tls_prf_sha256;
653 break;
Ron Eldord2f25f72019-05-15 14:54:22 +0300654#endif /* MBEDTLS_SHA256_C */
655#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Ron Eldor51d3ab52019-05-12 14:54:30 +0300656 default:
657 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
658 }
659
660 return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
661}
662
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200663/* Type for the TLS PRF */
664typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
665 const unsigned char *, size_t,
666 unsigned char *, size_t);
667
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200668/*
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200669 * Populate a transform structure with session keys and all the other
670 * necessary information.
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200671 *
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200672 * Parameters:
673 * - [in/out]: transform: structure to populate
674 * [in] must be just initialised with mbedtls_ssl_transform_init()
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200675 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200676 * - [in] ciphersuite
677 * - [in] master
678 * - [in] encrypt_then_mac
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200679 * - [in] compression
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200680 * - [in] tls_prf: pointer to PRF to use for key derivation
681 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200682 * - [in] minor_ver: SSL/TLS minor version
683 * - [in] endpoint: client or server
Andrzej Kurek5902cd62021-09-28 10:00:32 -0400684 * - [in] ssl: used for:
685 * - ssl->conf->{f,p}_export_keys
686 * [in] optionally used for:
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200687 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200688 */
Hanno Beckerbd257552021-03-22 06:59:27 +0000689static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200690 int ciphersuite,
691 const unsigned char master[48],
Hanno Beckerbd257552021-03-22 06:59:27 +0000692#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
693 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200694 int encrypt_then_mac,
Hanno Beckerbd257552021-03-22 06:59:27 +0000695#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
696 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200697 ssl_tls_prf_t tls_prf,
698 const unsigned char randbytes[64],
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200699 int minor_ver,
700 unsigned endpoint,
Mateusz Starzyke204dbf2021-03-15 17:57:20 +0100701 const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000702{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200703 int ret = 0;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000704#if defined(MBEDTLS_USE_PSA_CRYPTO)
705 int psa_fallthrough;
706#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000707 unsigned char keyblk[256];
708 unsigned char *key1;
709 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100710 unsigned char *mac_enc;
711 unsigned char *mac_dec;
sander-visser3888b032020-05-06 21:49:46 +0200712 size_t mac_key_len = 0;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200713 size_t iv_copy_len;
Gilles Peskine88d681c2021-09-01 11:19:33 +0200714 size_t keylen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000715 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200716 const mbedtls_cipher_info_t *cipher_info;
717 const mbedtls_md_info_t *md_info;
Paul Bakker68884e32013-01-07 18:20:04 +0100718
Andrzej Kurek324f72e2021-09-29 04:21:21 -0400719#if !defined(MBEDTLS_DEBUG_C) && \
720 !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kureka72fe642021-09-29 15:57:30 -0400721 if( ssl->f_export_keys == NULL )
722 {
723 ssl = NULL; /* make sure we don't use it except for these cases */
724 (void) ssl;
725 }
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200726#endif
727
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200728 /*
729 * Some data just needs copying into the structure
730 */
Jaeden Amero2de07f12019-06-05 13:32:08 +0100731#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000732 defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200733 transform->encrypt_then_mac = encrypt_then_mac;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000734#endif
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200735 transform->minor_ver = minor_ver;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000736
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200737#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
738 memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
739#endif
740
Ronald Cron6f135e12021-12-08 16:57:54 +0100741#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckerc0da10d2021-04-21 05:32:23 +0100742 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
743 {
744 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
745 * generation separate. This should never happen. */
746 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
747 }
Ronald Cron6f135e12021-12-08 16:57:54 +0100748#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Beckerc0da10d2021-04-21 05:32:23 +0100749
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200750 /*
751 * Get various info structures
752 */
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200753 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200754 if( ciphersuite_info == NULL )
755 {
756 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200757 ciphersuite ) );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200758 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
759 }
760
Hanno Beckere694c3e2017-12-27 21:34:08 +0000761 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Paul Bakker68884e32013-01-07 18:20:04 +0100762 if( cipher_info == NULL )
763 {
Paul Elliott9f352112020-12-09 14:55:45 +0000764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
Hanno Beckere694c3e2017-12-27 21:34:08 +0000765 ciphersuite_info->cipher ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200766 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100767 }
768
Hanno Beckere694c3e2017-12-27 21:34:08 +0000769 md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
Paul Bakker68884e32013-01-07 18:20:04 +0100770 if( md_info == NULL )
771 {
Paul Elliott9f352112020-12-09 14:55:45 +0000772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
Paul Elliott3891caf2020-12-17 18:42:40 +0000773 (unsigned) ciphersuite_info->mac ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200774 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100775 }
776
Hanno Beckera0e20d02019-05-15 14:03:01 +0100777#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4bf74652019-04-26 16:22:27 +0100778 /* Copy own and peer's CID if the use of the CID
779 * extension has been negotiated. */
780 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
781 {
782 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
Hanno Becker8a7f9722019-04-30 13:52:29 +0100783
Hanno Becker05154c32019-05-03 15:23:51 +0100784 transform->in_cid_len = ssl->own_cid_len;
Hanno Becker05154c32019-05-03 15:23:51 +0100785 memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
Hanno Becker1c1f0462019-05-03 12:55:51 +0100786 MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
Hanno Becker4bf74652019-04-26 16:22:27 +0100787 transform->in_cid_len );
Hanno Beckerd1f20352019-05-15 10:21:55 +0100788
789 transform->out_cid_len = ssl->handshake->peer_cid_len;
790 memcpy( transform->out_cid, ssl->handshake->peer_cid,
791 ssl->handshake->peer_cid_len );
792 MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
793 transform->out_cid_len );
Hanno Becker4bf74652019-04-26 16:22:27 +0100794 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100795#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker4bf74652019-04-26 16:22:27 +0100796
Paul Bakker5121ce52009-01-03 21:22:43 +0000797 /*
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200798 * Compute key block using the PRF
Paul Bakker5121ce52009-01-03 21:22:43 +0000799 */
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200800 ret = tls_prf( master, 48, "key expansion", randbytes, 64, keyblk, 256 );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100801 if( ret != 0 )
802 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200803 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100804 return( ret );
805 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
Manuel Pégourié-Gonnardd91efa42019-05-20 10:27:20 +0200808 mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200809 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", master, 48 );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200810 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", randbytes, 64 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200811 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000812
Paul Bakker5121ce52009-01-03 21:22:43 +0000813 /*
814 * Determine the appropriate key, IV and MAC length.
815 */
Paul Bakker68884e32013-01-07 18:20:04 +0100816
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200817 keylen = mbedtls_cipher_info_get_key_bitlen( cipher_info ) / 8;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200818
Hanno Becker8031d062018-01-03 15:32:31 +0000819#if defined(MBEDTLS_GCM_C) || \
820 defined(MBEDTLS_CCM_C) || \
821 defined(MBEDTLS_CHACHAPOLY_C)
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200822 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_GCM ||
823 mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CCM ||
824 mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000825 {
Hanno Beckerf704bef2018-11-16 15:21:18 +0000826 size_t explicit_ivlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200827
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200828 transform->maclen = 0;
Hanno Becker81c7b182017-11-09 18:39:33 +0000829 mac_key_len = 0;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000830 transform->taglen =
831 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200832
Hanno Becker447558d2020-05-28 07:36:33 +0100833 /* All modes haves 96-bit IVs, but the length of the static parts vary
834 * with mode and version:
835 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
836 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
Hanno Beckerf93c2d72020-05-28 07:39:43 +0100837 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
838 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
839 * sequence number).
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200840 */
Paul Bakker68884e32013-01-07 18:20:04 +0100841 transform->ivlen = 12;
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200842 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY )
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200843 transform->fixed_ivlen = 12;
844 else
Hanno Beckerc0da10d2021-04-21 05:32:23 +0100845 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200846
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200847 /* Minimum length of encrypted record */
848 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000849 transform->minlen = explicit_ivlen + transform->taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100850 }
851 else
Hanno Becker8031d062018-01-03 15:32:31 +0000852#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000853#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200854 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ||
855 mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
Paul Bakker68884e32013-01-07 18:20:04 +0100856 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200857 /* Initialize HMAC contexts */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200858 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
859 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100860 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200861 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +0300862 goto end;
Paul Bakker68884e32013-01-07 18:20:04 +0100863 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000864
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200865 /* Get MAC length */
Hanno Becker81c7b182017-11-09 18:39:33 +0000866 mac_key_len = mbedtls_md_get_size( md_info );
867 transform->maclen = mac_key_len;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200868
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200869 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100870 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000871
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200872 /* Minimum length */
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200873 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200874 transform->minlen = transform->maclen;
875 else
Paul Bakker68884e32013-01-07 18:20:04 +0100876 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200877 /*
878 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100879 * 1. if EtM is in use: one block plus MAC
880 * otherwise: * first multiple of blocklen greater than maclen
TRodziewicz2abf03c2021-06-25 14:40:09 +0200881 * 2. IV
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200882 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200883#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200884 if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100885 {
886 transform->minlen = transform->maclen
887 + cipher_info->block_size;
888 }
889 else
890#endif
891 {
892 transform->minlen = transform->maclen
893 + cipher_info->block_size
894 - transform->maclen % cipher_info->block_size;
895 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200896
TRodziewicz0f82ec62021-05-12 17:49:18 +0200897#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
898 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200899 {
900 transform->minlen += transform->ivlen;
901 }
902 else
903#endif
904 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200905 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Ron Eldore6992702019-05-07 18:27:13 +0300906 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
907 goto end;
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200908 }
Paul Bakker68884e32013-01-07 18:20:04 +0100909 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000910 }
Hanno Becker8031d062018-01-03 15:32:31 +0000911 else
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000912#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Hanno Becker8031d062018-01-03 15:32:31 +0000913 {
914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
915 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
916 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000917
Hanno Becker88aaf652017-12-27 08:17:40 +0000918 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
919 (unsigned) keylen,
920 (unsigned) transform->minlen,
921 (unsigned) transform->ivlen,
922 (unsigned) transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000923
924 /*
925 * Finally setup the cipher contexts, IVs and MAC secrets.
926 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200927#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200928 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000929 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000930 key1 = keyblk + mac_key_len * 2;
Hanno Becker88aaf652017-12-27 08:17:40 +0000931 key2 = keyblk + mac_key_len * 2 + keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000932
Paul Bakker68884e32013-01-07 18:20:04 +0100933 mac_enc = keyblk;
Hanno Becker81c7b182017-11-09 18:39:33 +0000934 mac_dec = keyblk + mac_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000935
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000936 /*
937 * This is not used in TLS v1.1.
938 */
Paul Bakker48916f92012-09-16 19:57:18 +0000939 iv_copy_len = ( transform->fixed_ivlen ) ?
940 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000941 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
942 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000943 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000944 }
945 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200946#endif /* MBEDTLS_SSL_CLI_C */
947#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200948 if( endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000949 {
Hanno Becker88aaf652017-12-27 08:17:40 +0000950 key1 = keyblk + mac_key_len * 2 + keylen;
Hanno Becker81c7b182017-11-09 18:39:33 +0000951 key2 = keyblk + mac_key_len * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000952
Hanno Becker81c7b182017-11-09 18:39:33 +0000953 mac_enc = keyblk + mac_key_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100954 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000955
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000956 /*
957 * This is not used in TLS v1.1.
958 */
Paul Bakker48916f92012-09-16 19:57:18 +0000959 iv_copy_len = ( transform->fixed_ivlen ) ?
960 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000961 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
962 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000963 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000964 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100965 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200966#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100967 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200968 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Ron Eldore6992702019-05-07 18:27:13 +0300969 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
970 goto end;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100971 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000972
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200973#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
TRodziewicz0f82ec62021-05-12 17:49:18 +0200974#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200975 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
976 For AEAD-based ciphersuites, there is nothing to do here. */
977 if( mac_key_len != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100978 {
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100979 ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
980 if( ret != 0 )
981 goto end;
982 ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
983 if( ret != 0 )
984 goto end;
Paul Bakker68884e32013-01-07 18:20:04 +0100985 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200986#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000987#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Paul Bakker68884e32013-01-07 18:20:04 +0100988
Hanno Beckerd56ed242018-01-03 15:32:51 +0000989 ((void) mac_dec);
990 ((void) mac_enc);
Paul Bakker05ef8352012-05-08 09:17:57 +0000991
Andrzej Kureka72fe642021-09-29 15:57:30 -0400992 if( ssl != NULL && ssl->f_export_keys != NULL )
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100993 {
Hanno Becker7e6c1782021-06-08 09:24:55 +0100994 ssl->f_export_keys( ssl->p_export_keys,
995 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
996 master, 48,
997 randbytes + 32,
998 randbytes,
999 tls_prf_get_type( tls_prf ) );
Ron Eldorf5cc10d2019-05-07 18:33:40 +03001000 }
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001001
Hanno Beckerf704bef2018-11-16 15:21:18 +00001002#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001003 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
1004 cipher_info, transform->taglen );
1005 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001006 {
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001007 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1008 goto end;
1009 }
Hanno Beckercb1cc802018-11-17 22:27:38 +00001010
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001011 if( ret == 0 )
1012 {
1013 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
1014 psa_fallthrough = 0;
Hanno Beckerf704bef2018-11-16 15:21:18 +00001015 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001016 else
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001017 {
1018 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +00001019 psa_fallthrough = 1;
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001020 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001021
Hanno Beckercb1cc802018-11-17 22:27:38 +00001022 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001023#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001024 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001025 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001026 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001027 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001028 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001029 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001030
Hanno Beckerf704bef2018-11-16 15:21:18 +00001031#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001032 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
1033 cipher_info, transform->taglen );
1034 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001035 {
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001036 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1037 goto end;
1038 }
Hanno Beckercb1cc802018-11-17 22:27:38 +00001039
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001040 if( ret == 0 )
1041 {
1042 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
1043 psa_fallthrough = 0;
Hanno Beckerf704bef2018-11-16 15:21:18 +00001044 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001045 else
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001046 {
1047 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +00001048 psa_fallthrough = 1;
Manuel Pégourié-Gonnarda0b4b0c2021-09-21 14:06:33 +02001049 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001050
Hanno Beckercb1cc802018-11-17 22:27:38 +00001051 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001052#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001053 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001054 cipher_info ) ) != 0 )
1055 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001056 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001057 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001058 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001059
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001060 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
Gilles Peskine88d681c2021-09-01 11:19:33 +02001061 (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ),
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001062 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001063 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001064 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001065 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001066 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001067
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001068 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
Gilles Peskine88d681c2021-09-01 11:19:33 +02001069 (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ),
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001070 MBEDTLS_DECRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001071 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001072 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001073 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001074 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001075
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001076#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskinee720dbe2021-07-19 17:37:46 +02001077 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001078 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001079 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1080 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001081 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001082 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001083 goto end;
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001084 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001085
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001086 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1087 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001088 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001089 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001090 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001091 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001092 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001093#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001094
Paul Bakker5121ce52009-01-03 21:22:43 +00001095
Ron Eldore6992702019-05-07 18:27:13 +03001096end:
Ron Eldora9f9a732019-05-07 18:29:02 +03001097 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
Ron Eldore6992702019-05-07 18:27:13 +03001098 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001099}
1100
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001101/*
TRodziewicz0f82ec62021-05-12 17:49:18 +02001102 * Set appropriate PRF function and other SSL / TLS1.2 functions
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001103 *
1104 * Inputs:
1105 * - SSL/TLS minor version
1106 * - hash associated with the ciphersuite (only used by TLS 1.2)
1107 *
Manuel Pégourié-Gonnard31d3ef12019-05-10 10:25:00 +02001108 * Outputs:
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001109 * - the tls_prf, calc_verify and calc_finished members of handshake structure
1110 */
1111static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
1112 int minor_ver,
1113 mbedtls_md_type_t hash )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001114{
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001115#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001116 (void) hash;
1117#endif
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001118
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001119#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001120#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001121 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1122 hash == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001123 {
1124 handshake->tls_prf = tls_prf_sha384;
1125 handshake->calc_verify = ssl_calc_verify_tls_sha384;
1126 handshake->calc_finished = ssl_calc_finished_tls_sha384;
1127 }
1128 else
1129#endif
1130#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001131 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001132 {
1133 handshake->tls_prf = tls_prf_sha256;
1134 handshake->calc_verify = ssl_calc_verify_tls_sha256;
1135 handshake->calc_finished = ssl_calc_finished_tls_sha256;
1136 }
1137 else
1138#endif
1139#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1140 {
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001141 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1142 }
1143
1144 return( 0 );
1145}
1146
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001147/*
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001148 * Compute master secret if needed
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001149 *
1150 * Parameters:
1151 * [in/out] handshake
1152 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001153 * (PSA-PSK) ciphersuite_info, psk_opaque
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001154 * [out] premaster (cleared)
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001155 * [out] master
1156 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
1157 * debug: conf->f_dbg, conf->p_dbg
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01001158 * EMS: passed to calc_verify (debug + session_negotiate)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001159 * PSA-PSA: minor_ver, conf
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001160 */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001161static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001162 unsigned char *master,
Manuel Pégourié-Gonnard0d56aaa2019-05-03 09:58:33 +02001163 const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001164{
Janos Follath865b3eb2019-12-16 11:46:15 +00001165 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001166
1167 /* cf. RFC 5246, Section 8.1:
1168 * "The master secret is always exactly 48 bytes in length." */
1169 size_t const master_secret_len = 48;
1170
1171#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1172 unsigned char session_hash[48];
1173#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1174
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001175 /* The label for the KDF used for key expansion.
1176 * This is either "master secret" or "extended master secret"
1177 * depending on whether the Extended Master Secret extension
1178 * is used. */
1179 char const *lbl = "master secret";
1180
1181 /* The salt for the KDF used for key expansion.
1182 * - If the Extended Master Secret extension is not used,
1183 * this is ClientHello.Random + ServerHello.Random
1184 * (see Sect. 8.1 in RFC 5246).
1185 * - If the Extended Master Secret extension is used,
1186 * this is the transcript of the handshake so far.
1187 * (see Sect. 4 in RFC 7627). */
1188 unsigned char const *salt = handshake->randbytes;
1189 size_t salt_len = 64;
1190
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001191#if !defined(MBEDTLS_DEBUG_C) && \
1192 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
1193 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
1194 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +02001195 ssl = NULL; /* make sure we don't use it except for those cases */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001196 (void) ssl;
1197#endif
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001198
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001199 if( handshake->resume != 0 )
1200 {
1201 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001202 return( 0 );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001203 }
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001204
1205#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001206 if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001207 {
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001208 lbl = "extended master secret";
1209 salt = session_hash;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001210 handshake->calc_verify( ssl, session_hash, &salt_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001211
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +02001212 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
1213 session_hash, salt_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001214 }
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001215#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
1216
1217#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001218 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1219 if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001220 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001221 ssl_use_opaque_psk( ssl ) == 1 )
1222 {
1223 /* Perform PSK-to-MS expansion in a single step. */
1224 psa_status_t status;
1225 psa_algorithm_t alg;
Andrzej Kurek03e01462022-01-03 12:53:24 +01001226 mbedtls_svc_key_id_t psk;
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001227 psa_key_derivation_operation_t derivation =
1228 PSA_KEY_DERIVATION_OPERATION_INIT;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001229 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001230
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001232
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001233 psk = mbedtls_ssl_get_opaque_psk( ssl );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001234
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001235 if( hash_alg == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001236 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001237 else
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001238 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
1239
k-stachowiak81053a52019-08-17 10:30:28 +02001240 status = setup_psa_key_derivation( &derivation, psk, alg,
1241 salt, salt_len,
1242 (unsigned char const *) lbl,
1243 (size_t) strlen( lbl ),
1244 master_secret_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001245 if( status != PSA_SUCCESS )
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001246 {
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001247 psa_key_derivation_abort( &derivation );
1248 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001249 }
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001250
1251 status = psa_key_derivation_output_bytes( &derivation,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001252 master,
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001253 master_secret_len );
1254 if( status != PSA_SUCCESS )
1255 {
1256 psa_key_derivation_abort( &derivation );
1257 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1258 }
1259
1260 status = psa_key_derivation_abort( &derivation );
1261 if( status != PSA_SUCCESS )
1262 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1263 }
1264 else
1265#endif
1266 {
1267 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
1268 lbl, salt, salt_len,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001269 master,
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001270 master_secret_len );
1271 if( ret != 0 )
1272 {
1273 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
1274 return( ret );
1275 }
1276
1277 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
1278 handshake->premaster,
1279 handshake->pmslen );
1280
1281 mbedtls_platform_zeroize( handshake->premaster,
1282 sizeof(handshake->premaster) );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001283 }
1284
1285 return( 0 );
1286}
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001287
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +02001288int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
1289{
Janos Follath865b3eb2019-12-16 11:46:15 +00001290 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001291 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
1292 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001293
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001294 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
1295
1296 /* Set PRF, calc_verify and calc_finished function pointers */
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001297 ret = ssl_set_handshake_prfs( ssl->handshake,
1298 ssl->minor_ver,
1299 ciphersuite_info->mac );
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001300 if( ret != 0 )
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001301 {
1302 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001303 return( ret );
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001304 }
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001305
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001306 /* Compute master secret if needed */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001307 ret = ssl_compute_master( ssl->handshake,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001308 ssl->session_negotiate->master,
1309 ssl );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001310 if( ret != 0 )
1311 {
1312 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );
1313 return( ret );
1314 }
1315
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001316 /* Swap the client and server random values:
1317 * - MS derivation wanted client+server (RFC 5246 8.1)
1318 * - key derivation wants server+client (RFC 5246 6.3) */
1319 {
1320 unsigned char tmp[64];
1321 memcpy( tmp, ssl->handshake->randbytes, 64 );
1322 memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
1323 memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
1324 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
1325 }
1326
1327 /* Populate transform structure */
Hanno Beckerbd257552021-03-22 06:59:27 +00001328 ret = ssl_tls12_populate_transform( ssl->transform_negotiate,
1329 ssl->session_negotiate->ciphersuite,
1330 ssl->session_negotiate->master,
1331#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
1332 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1333 ssl->session_negotiate->encrypt_then_mac,
1334#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
1335 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1336 ssl->handshake->tls_prf,
1337 ssl->handshake->randbytes,
1338 ssl->minor_ver,
1339 ssl->conf->endpoint,
1340 ssl );
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001341 if( ret != 0 )
1342 {
Hanno Beckerbd257552021-03-22 06:59:27 +00001343 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls12_populate_transform", ret );
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001344 return( ret );
1345 }
1346
1347 /* We no longer need Server/ClientHello.random values */
1348 mbedtls_platform_zeroize( ssl->handshake->randbytes,
1349 sizeof( ssl->handshake->randbytes ) );
1350
1351 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
1352
1353 return( 0 );
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +02001354}
1355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001356#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1357#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001358void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -03001359 unsigned char *hash,
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001360 size_t *hlen )
Paul Bakker380da532012-04-18 16:10:25 +00001361{
Andrzej Kurekeb342242019-01-29 09:14:33 -05001362#if defined(MBEDTLS_USE_PSA_CRYPTO)
1363 size_t hash_size;
1364 psa_status_t status;
1365 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
1366
1367 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
1368 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
1369 if( status != PSA_SUCCESS )
1370 {
1371 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1372 return;
1373 }
1374
1375 status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
1376 if( status != PSA_SUCCESS )
1377 {
1378 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1379 return;
1380 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001381
1382 *hlen = 32;
1383 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001384 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1385#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001386 mbedtls_sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +00001387
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001388 mbedtls_sha256_init( &sha256 );
1389
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001390 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001391
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001392 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
TRodziewicz26371e42021-06-08 16:45:41 +02001393 mbedtls_sha256_finish( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +00001394
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001395 *hlen = 32;
1396
1397 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001398 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001399
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001400 mbedtls_sha256_free( &sha256 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001401#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker380da532012-04-18 16:10:25 +00001402 return;
1403}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001404#endif /* MBEDTLS_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +00001405
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001406#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001407void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -03001408 unsigned char *hash,
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001409 size_t *hlen )
Paul Bakker380da532012-04-18 16:10:25 +00001410{
Andrzej Kurekeb342242019-01-29 09:14:33 -05001411#if defined(MBEDTLS_USE_PSA_CRYPTO)
1412 size_t hash_size;
1413 psa_status_t status;
Andrzej Kurek972fba52019-01-30 03:29:12 -05001414 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -05001415
1416 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
Andrzej Kurek972fba52019-01-30 03:29:12 -05001417 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001418 if( status != PSA_SUCCESS )
1419 {
1420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1421 return;
1422 }
1423
Andrzej Kurek972fba52019-01-30 03:29:12 -05001424 status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001425 if( status != PSA_SUCCESS )
1426 {
1427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1428 return;
1429 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001430
1431 *hlen = 48;
1432 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1434#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001435 mbedtls_sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +00001436
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001437 mbedtls_sha512_init( &sha512 );
1438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001439 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001440
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001441 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
TRodziewicz26371e42021-06-08 16:45:41 +02001442 mbedtls_sha512_finish( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00001443
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001444 *hlen = 48;
1445
1446 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001448
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001449 mbedtls_sha512_free( &sha512 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001450#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +00001451 return;
1452}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001453#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001454#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001455
Gilles Peskineeccd8882020-03-10 12:19:08 +01001456#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001457int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001458{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001459 unsigned char *p = ssl->handshake->premaster;
1460 unsigned char *end = p + sizeof( ssl->handshake->premaster );
Guilhem Bryantb5f04e42020-04-01 11:23:58 +01001461 const unsigned char *psk = NULL;
Guilhem Bryant61b0fe62020-03-27 11:12:12 +00001462 size_t psk_len = 0;
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001463
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001464 if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
1465 == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001466 {
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001467 /*
1468 * This should never happen because the existence of a PSK is always
1469 * checked before calling this function
1470 */
Guilhem Bryant82194c82020-03-26 17:04:31 +00001471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Guilhem Bryant0c9b1952020-04-08 11:02:38 +01001472 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001473 }
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001474
1475 /*
1476 * PMS = struct {
1477 * opaque other_secret<0..2^16-1>;
1478 * opaque psk<0..2^16-1>;
1479 * };
1480 * with "other_secret" depending on the particular key exchange
1481 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001482#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1483 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001484 {
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001485 if( end - p < 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001486 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001487
Joe Subbiania5cb0d22021-08-23 11:35:25 +01001488 MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
1489 p += 2;
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001490
1491 if( end < p || (size_t)( end - p ) < psk_len )
1492 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1493
1494 memset( p, 0, psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001495 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001496 }
1497 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001498#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1499#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1500 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001501 {
1502 /*
1503 * other_secret already set by the ClientKeyExchange message,
1504 * and is 48 bytes long
1505 */
Philippe Antoine747fd532018-05-30 09:13:21 +02001506 if( end - p < 2 )
1507 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1508
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001509 *p++ = 0;
1510 *p++ = 48;
1511 p += 48;
1512 }
1513 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001514#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1515#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1516 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001517 {
Janos Follath865b3eb2019-12-16 11:46:15 +00001518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001519 size_t len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001520
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001521 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001522 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001523 p + 2, end - ( p + 2 ), &len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001524 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001525 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001526 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001527 return( ret );
1528 }
Joe Subbiania5cb0d22021-08-23 11:35:25 +01001529 MBEDTLS_PUT_UINT16_BE( len, p, 0 );
1530 p += 2 + len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001532 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001533 }
1534 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001535#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1536#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1537 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001538 {
Janos Follath865b3eb2019-12-16 11:46:15 +00001539 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001540 size_t zlen;
1541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001542 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +02001543 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001544 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001545 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001546 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001547 return( ret );
1548 }
1549
Joe Subbiania5cb0d22021-08-23 11:35:25 +01001550 MBEDTLS_PUT_UINT16_BE( zlen, p, 0 );
1551 p += 2 + zlen;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001552
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05001553 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1554 MBEDTLS_DEBUG_ECDH_Z );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001555 }
1556 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001557#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001558 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001559 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1560 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001561 }
1562
1563 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001564 if( end - p < 2 )
1565 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01001566
Joe Subbiania5cb0d22021-08-23 11:35:25 +01001567 MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
1568 p += 2;
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001569
1570 if( end < p || (size_t)( end - p ) < psk_len )
1571 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1572
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001573 memcpy( p, psk, psk_len );
1574 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001575
1576 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1577
1578 return( 0 );
1579}
Gilles Peskineeccd8882020-03-10 12:19:08 +01001580#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001582#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
1583static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001585#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker786300f2020-02-05 10:46:40 +00001586int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001587{
1588 /* If renegotiation is not enforced, retransmit until we would reach max
1589 * timeout if we were using the usual handshake doubling scheme */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001590 if( ssl->conf->renego_max_records < 0 )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001591 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001592 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001593 unsigned char doublings = 1;
1594
1595 while( ratio != 0 )
1596 {
1597 ++doublings;
1598 ratio >>= 1;
1599 }
1600
1601 if( ++ssl->renego_records_seen > doublings )
1602 {
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +02001603 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001604 return( 0 );
1605 }
1606 }
1607
1608 return( ssl_write_hello_request( ssl ) );
1609}
1610#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001611#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02001612
Hanno Beckerb9d44792019-02-08 07:19:04 +00001613#if defined(MBEDTLS_X509_CRT_PARSE_C)
1614static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
1615{
1616#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1617 if( session->peer_cert != NULL )
1618 {
1619 mbedtls_x509_crt_free( session->peer_cert );
1620 mbedtls_free( session->peer_cert );
1621 session->peer_cert = NULL;
1622 }
1623#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1624 if( session->peer_cert_digest != NULL )
1625 {
1626 /* Zeroization is not necessary. */
1627 mbedtls_free( session->peer_cert_digest );
1628 session->peer_cert_digest = NULL;
1629 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
1630 session->peer_cert_digest_len = 0;
1631 }
1632#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1633}
1634#endif /* MBEDTLS_X509_CRT_PARSE_C */
1635
Paul Bakker5121ce52009-01-03 21:22:43 +00001636/*
1637 * Handshake functions
1638 */
Gilles Peskineeccd8882020-03-10 12:19:08 +01001639#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskinef9828522017-05-03 12:28:43 +02001640/* No certificate support -> dummy functions */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001641int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00001642{
Hanno Beckere694c3e2017-12-27 21:34:08 +00001643 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1644 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001647
Hanno Becker7177a882019-02-05 13:36:46 +00001648 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001651 ssl->state++;
1652 return( 0 );
1653 }
1654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1656 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001657}
1658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001659int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001660{
Hanno Beckere694c3e2017-12-27 21:34:08 +00001661 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1662 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001664 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001665
Hanno Becker7177a882019-02-05 13:36:46 +00001666 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001667 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001668 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001669 ssl->state++;
1670 return( 0 );
1671 }
1672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1674 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001675}
Gilles Peskinef9828522017-05-03 12:28:43 +02001676
Gilles Peskineeccd8882020-03-10 12:19:08 +01001677#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Gilles Peskinef9828522017-05-03 12:28:43 +02001678/* Some certificate support -> implement write and parse */
1679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001680int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001681{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001682 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001683 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001684 const mbedtls_x509_crt *crt;
Hanno Beckere694c3e2017-12-27 21:34:08 +00001685 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1686 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001687
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001688 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001689
Hanno Becker7177a882019-02-05 13:36:46 +00001690 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001691 {
Johan Pascal4f099262020-09-22 10:59:26 +02001692 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1693 ssl->state++;
1694 return( 0 );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001695 }
1696
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001697#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001698 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +00001699 {
1700 if( ssl->client_auth == 0 )
1701 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001702 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001703 ssl->state++;
1704 return( 0 );
1705 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001706 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001707#endif /* MBEDTLS_SSL_CLI_C */
1708#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001709 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00001710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001711 if( mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001712 {
Hanno Becker9cfe6e92021-04-30 05:38:24 +01001713 /* Should never happen because we shouldn't have picked the
1714 * ciphersuite if we don't have a certificate. */
1715 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001716 }
1717 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01001718#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001719
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001720 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001721
1722 /*
1723 * 0 . 0 handshake type
1724 * 1 . 3 handshake length
1725 * 4 . 6 length of all certs
1726 * 7 . 9 length of cert. 1
1727 * 10 . n-1 peer certificate
1728 * n . n+2 length of cert. 2
1729 * n+3 . ... upper level cert, etc.
1730 */
1731 i = 7;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001732 crt = mbedtls_ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00001733
Paul Bakker29087132010-03-21 21:03:34 +00001734 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001735 {
1736 n = crt->raw.len;
Angus Grattond8213d02016-05-25 20:56:48 +10001737 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +00001738 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00001739 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
1740 " > %" MBEDTLS_PRINTF_SIZET,
Paul Elliott3891caf2020-12-17 18:42:40 +00001741 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Hanno Becker91e1cc32021-04-30 05:28:49 +01001742 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +00001743 }
1744
Joe Subbianifbeb6922021-07-16 14:27:50 +01001745 ssl->out_msg[i ] = MBEDTLS_BYTE_2( n );
1746 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1( n );
1747 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0( n );
Paul Bakker5121ce52009-01-03 21:22:43 +00001748
1749 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1750 i += n; crt = crt->next;
1751 }
1752
Joe Subbianifbeb6922021-07-16 14:27:50 +01001753 ssl->out_msg[4] = MBEDTLS_BYTE_2( i - 7 );
1754 ssl->out_msg[5] = MBEDTLS_BYTE_1( i - 7 );
1755 ssl->out_msg[6] = MBEDTLS_BYTE_0( i - 7 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001756
1757 ssl->out_msglen = i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001758 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1759 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
Paul Bakker5121ce52009-01-03 21:22:43 +00001760
Paul Bakker5121ce52009-01-03 21:22:43 +00001761 ssl->state++;
1762
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001763 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001764 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001765 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001766 return( ret );
1767 }
1768
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001769 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001770
Paul Bakkered27a042013-04-18 22:46:23 +02001771 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001772}
1773
Hanno Becker84879e32019-01-31 07:44:03 +00001774#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Hanno Becker177475a2019-02-05 17:02:46 +00001775
1776#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001777static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1778 unsigned char *crt_buf,
1779 size_t crt_buf_len )
1780{
1781 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
1782
1783 if( peer_crt == NULL )
1784 return( -1 );
1785
1786 if( peer_crt->raw.len != crt_buf_len )
1787 return( -1 );
1788
k-stachowiak95b68ef2019-09-16 12:21:00 +02001789 return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001790}
Hanno Becker177475a2019-02-05 17:02:46 +00001791#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1792static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1793 unsigned char *crt_buf,
1794 size_t crt_buf_len )
1795{
Janos Follath865b3eb2019-12-16 11:46:15 +00001796 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker177475a2019-02-05 17:02:46 +00001797 unsigned char const * const peer_cert_digest =
1798 ssl->session->peer_cert_digest;
1799 mbedtls_md_type_t const peer_cert_digest_type =
1800 ssl->session->peer_cert_digest_type;
1801 mbedtls_md_info_t const * const digest_info =
1802 mbedtls_md_info_from_type( peer_cert_digest_type );
1803 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
1804 size_t digest_len;
1805
1806 if( peer_cert_digest == NULL || digest_info == NULL )
1807 return( -1 );
1808
1809 digest_len = mbedtls_md_get_size( digest_info );
1810 if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
1811 return( -1 );
1812
1813 ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
1814 if( ret != 0 )
1815 return( -1 );
1816
1817 return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
1818}
1819#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker84879e32019-01-31 07:44:03 +00001820#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001821
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02001822/*
1823 * Once the certificate message is read, parse it into a cert chain and
1824 * perform basic checks, but leave actual verification to the caller
1825 */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001826static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
1827 mbedtls_x509_crt *chain )
Paul Bakker5121ce52009-01-03 21:22:43 +00001828{
Janos Follath865b3eb2019-12-16 11:46:15 +00001829 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001830#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1831 int crt_cnt=0;
1832#endif
Paul Bakker23986e52011-04-24 08:57:21 +00001833 size_t i, n;
Gilles Peskine064a85c2017-05-10 10:46:40 +02001834 uint8_t alert;
Paul Bakker5121ce52009-01-03 21:22:43 +00001835
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001836 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001837 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1840 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001841 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001842 }
1843
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001844 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE )
1845 {
1846 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1847 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1848 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1849 }
1850
1851 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001852 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001853 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001854 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1855 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001856 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001857 }
1858
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001859 i = mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001860
Paul Bakker5121ce52009-01-03 21:22:43 +00001861 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001862 * Same message structure as in mbedtls_ssl_write_certificate()
Paul Bakker5121ce52009-01-03 21:22:43 +00001863 */
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001864 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
Paul Bakker5121ce52009-01-03 21:22:43 +00001865
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001866 if( ssl->in_msg[i] != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001867 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00001868 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001870 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1871 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001872 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001873 }
1874
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001875 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
1876 i += 3;
1877
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001878 /* Iterate through and parse the CRTs in the provided chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001879 while( i < ssl->in_hslen )
1880 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001881 /* Check that there's room for the next CRT's length fields. */
Philippe Antoine747fd532018-05-30 09:13:21 +02001882 if ( i + 3 > ssl->in_hslen ) {
1883 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001884 mbedtls_ssl_send_alert_message( ssl,
1885 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1886 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001887 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Philippe Antoine747fd532018-05-30 09:13:21 +02001888 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001889 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
1890 * anything beyond 2**16 ~ 64K. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001891 if( ssl->in_msg[i] != 0 )
1892 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001894 mbedtls_ssl_send_alert_message( ssl,
1895 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001896 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT );
1897 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001898 }
1899
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001900 /* Read length of the next CRT in the chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001901 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1902 | (unsigned int) ssl->in_msg[i + 2];
1903 i += 3;
1904
1905 if( n < 128 || i + n > ssl->in_hslen )
1906 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001908 mbedtls_ssl_send_alert_message( ssl,
1909 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1910 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001911 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001912 }
1913
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001914 /* Check if we're handling the first CRT in the chain. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001915#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1916 if( crt_cnt++ == 0 &&
1917 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1918 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001919 {
Hanno Becker46f34d02019-02-08 14:00:04 +00001920 /* During client-side renegotiation, check that the server's
1921 * end-CRTs hasn't changed compared to the initial handshake,
1922 * mitigating the triple handshake attack. On success, reuse
1923 * the original end-CRT instead of parsing it again. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001924 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
1925 if( ssl_check_peer_crt_unchanged( ssl,
1926 &ssl->in_msg[i],
1927 n ) != 0 )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001928 {
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
1930 mbedtls_ssl_send_alert_message( ssl,
1931 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001932 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
1933 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001934 }
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001935
1936 /* Now we can safely free the original chain. */
1937 ssl_clear_peer_cert( ssl->session );
1938 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001939#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
1940
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001941 /* Parse the next certificate in the chain. */
Hanno Becker0056eab2019-02-08 14:39:16 +00001942#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001943 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
Hanno Becker0056eab2019-02-08 14:39:16 +00001944#else
Hanno Becker353a6f02019-02-26 11:51:34 +00001945 /* If we don't need to store the CRT chain permanently, parse
Hanno Becker0056eab2019-02-08 14:39:16 +00001946 * it in-place from the input buffer instead of making a copy. */
1947 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
1948#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001949 switch( ret )
Paul Bakker5121ce52009-01-03 21:22:43 +00001950 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001951 case 0: /*ok*/
1952 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
1953 /* Ignore certificate with an unknown algorithm: maybe a
1954 prior certificate was already trusted. */
1955 break;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001956
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001957 case MBEDTLS_ERR_X509_ALLOC_FAILED:
1958 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
1959 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001960
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001961 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
1962 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
1963 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001964
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001965 default:
1966 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
1967 crt_parse_der_failed:
1968 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
1969 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
1970 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001971 }
1972
1973 i += n;
1974 }
1975
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001976 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02001977 return( 0 );
1978}
1979
Hanno Becker4a55f632019-02-05 12:49:06 +00001980#if defined(MBEDTLS_SSL_SRV_C)
1981static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
1982{
1983 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1984 return( -1 );
1985
TRodziewicz0f82ec62021-05-12 17:49:18 +02001986#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker4a55f632019-02-05 12:49:06 +00001987 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
1988 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
1989 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
1990 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
1991 {
1992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1993 return( 0 );
1994 }
1995
1996 return( -1 );
TRodziewicz0f82ec62021-05-12 17:49:18 +02001997#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker4a55f632019-02-05 12:49:06 +00001998}
1999#endif /* MBEDTLS_SSL_SRV_C */
2000
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002001/* Check if a certificate message is expected.
2002 * Return either
2003 * - SSL_CERTIFICATE_EXPECTED, or
2004 * - SSL_CERTIFICATE_SKIP
2005 * indicating whether a Certificate message is expected or not.
2006 */
2007#define SSL_CERTIFICATE_EXPECTED 0
2008#define SSL_CERTIFICATE_SKIP 1
2009static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
2010 int authmode )
2011{
2012 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00002013 ssl->handshake->ciphersuite_info;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002014
2015 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
2016 return( SSL_CERTIFICATE_SKIP );
2017
2018#if defined(MBEDTLS_SSL_SRV_C)
2019 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
2020 {
2021 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2022 return( SSL_CERTIFICATE_SKIP );
2023
2024 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2025 {
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002026 ssl->session_negotiate->verify_result =
2027 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2028 return( SSL_CERTIFICATE_SKIP );
2029 }
2030 }
Hanno Becker84d9d272019-03-01 08:10:46 +00002031#else
2032 ((void) authmode);
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002033#endif /* MBEDTLS_SSL_SRV_C */
2034
2035 return( SSL_CERTIFICATE_EXPECTED );
2036}
2037
Hanno Becker68636192019-02-05 14:36:34 +00002038static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
2039 int authmode,
2040 mbedtls_x509_crt *chain,
2041 void *rs_ctx )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002042{
Hanno Becker6bdfab22019-02-05 13:11:17 +00002043 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002044 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00002045 ssl->handshake->ciphersuite_info;
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002046 int have_ca_chain = 0;
Hanno Becker68636192019-02-05 14:36:34 +00002047
Hanno Becker8927c832019-04-03 12:52:50 +01002048 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
2049 void *p_vrfy;
2050
Hanno Becker68636192019-02-05 14:36:34 +00002051 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2052 return( 0 );
2053
Hanno Becker8927c832019-04-03 12:52:50 +01002054 if( ssl->f_vrfy != NULL )
2055 {
Hanno Beckerefb440a2019-04-03 13:04:33 +01002056 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +01002057 f_vrfy = ssl->f_vrfy;
2058 p_vrfy = ssl->p_vrfy;
2059 }
2060 else
2061 {
Hanno Beckerefb440a2019-04-03 13:04:33 +01002062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +01002063 f_vrfy = ssl->conf->f_vrfy;
2064 p_vrfy = ssl->conf->p_vrfy;
2065 }
2066
Hanno Becker68636192019-02-05 14:36:34 +00002067 /*
2068 * Main check: verify certificate
2069 */
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002070#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2071 if( ssl->conf->f_ca_cb != NULL )
2072 {
2073 ((void) rs_ctx);
2074 have_ca_chain = 1;
2075
2076 MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
Jarno Lamsa9822c0d2019-04-01 16:59:48 +03002077 ret = mbedtls_x509_crt_verify_with_ca_cb(
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002078 chain,
2079 ssl->conf->f_ca_cb,
2080 ssl->conf->p_ca_cb,
2081 ssl->conf->cert_profile,
2082 ssl->hostname,
2083 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +01002084 f_vrfy, p_vrfy );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002085 }
2086 else
2087#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2088 {
2089 mbedtls_x509_crt *ca_chain;
2090 mbedtls_x509_crl *ca_crl;
2091
2092#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2093 if( ssl->handshake->sni_ca_chain != NULL )
2094 {
2095 ca_chain = ssl->handshake->sni_ca_chain;
2096 ca_crl = ssl->handshake->sni_ca_crl;
2097 }
2098 else
2099#endif
2100 {
2101 ca_chain = ssl->conf->ca_chain;
2102 ca_crl = ssl->conf->ca_crl;
2103 }
2104
2105 if( ca_chain != NULL )
2106 have_ca_chain = 1;
2107
2108 ret = mbedtls_x509_crt_verify_restartable(
2109 chain,
2110 ca_chain, ca_crl,
2111 ssl->conf->cert_profile,
2112 ssl->hostname,
2113 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +01002114 f_vrfy, p_vrfy, rs_ctx );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002115 }
Hanno Becker68636192019-02-05 14:36:34 +00002116
2117 if( ret != 0 )
2118 {
2119 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2120 }
2121
Gilles Peskineeccd8882020-03-10 12:19:08 +01002122#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Hanno Becker68636192019-02-05 14:36:34 +00002123 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2124 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
2125#endif
2126
2127 /*
2128 * Secondary checks: always done, but change 'ret' only if it was 0
2129 */
2130
2131#if defined(MBEDTLS_ECP_C)
2132 {
2133 const mbedtls_pk_context *pk = &chain->pk;
2134
2135 /* If certificate uses an EC key, make sure the curve is OK */
2136 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
2137 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
2138 {
2139 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
2140
2141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2142 if( ret == 0 )
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002143 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Hanno Becker68636192019-02-05 14:36:34 +00002144 }
2145 }
2146#endif /* MBEDTLS_ECP_C */
2147
2148 if( mbedtls_ssl_check_cert_usage( chain,
2149 ciphersuite_info,
2150 ! ssl->conf->endpoint,
2151 &ssl->session_negotiate->verify_result ) != 0 )
2152 {
2153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2154 if( ret == 0 )
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002155 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Hanno Becker68636192019-02-05 14:36:34 +00002156 }
2157
2158 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
2159 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
2160 * with details encoded in the verification flags. All other kinds
2161 * of error codes, including those from the user provided f_vrfy
2162 * functions, are treated as fatal and lead to a failure of
2163 * ssl_parse_certificate even if verification was optional. */
2164 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
2165 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002166 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
Hanno Becker68636192019-02-05 14:36:34 +00002167 {
2168 ret = 0;
2169 }
2170
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002171 if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Hanno Becker68636192019-02-05 14:36:34 +00002172 {
2173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2174 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
2175 }
2176
2177 if( ret != 0 )
2178 {
2179 uint8_t alert;
2180
2181 /* The certificate may have been rejected for several reasons.
2182 Pick one and send the corresponding alert. Which alert to send
2183 may be a subject of debate in some cases. */
2184 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
2185 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
2186 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
2187 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
2188 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
2189 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2190 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
2191 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2192 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
2193 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2194 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
2195 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2196 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
2197 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2198 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
2199 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
2200 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
2201 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
2202 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
2203 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
2204 else
2205 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
2206 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2207 alert );
2208 }
2209
2210#if defined(MBEDTLS_DEBUG_C)
2211 if( ssl->session_negotiate->verify_result != 0 )
2212 {
Paul Elliott3891caf2020-12-17 18:42:40 +00002213 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Paul Elliott9f352112020-12-09 14:55:45 +00002214 (unsigned int) ssl->session_negotiate->verify_result ) );
Hanno Becker68636192019-02-05 14:36:34 +00002215 }
2216 else
2217 {
2218 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
2219 }
2220#endif /* MBEDTLS_DEBUG_C */
2221
2222 return( ret );
2223}
2224
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002225#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2226static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
2227 unsigned char *start, size_t len )
2228{
Janos Follath865b3eb2019-12-16 11:46:15 +00002229 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002230 /* Remember digest of the peer's end-CRT. */
2231 ssl->session_negotiate->peer_cert_digest =
2232 mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
2233 if( ssl->session_negotiate->peer_cert_digest == NULL )
2234 {
2235 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
irwir40883e92019-09-21 17:55:33 +03002236 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002237 mbedtls_ssl_send_alert_message( ssl,
2238 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2239 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2240
2241 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2242 }
2243
2244 ret = mbedtls_md( mbedtls_md_info_from_type(
2245 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
2246 start, len,
2247 ssl->session_negotiate->peer_cert_digest );
2248
2249 ssl->session_negotiate->peer_cert_digest_type =
2250 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
2251 ssl->session_negotiate->peer_cert_digest_len =
2252 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
2253
2254 return( ret );
2255}
2256
2257static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
2258 unsigned char *start, size_t len )
2259{
2260 unsigned char *end = start + len;
Janos Follath865b3eb2019-12-16 11:46:15 +00002261 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002262
2263 /* Make a copy of the peer's raw public key. */
2264 mbedtls_pk_init( &ssl->handshake->peer_pubkey );
2265 ret = mbedtls_pk_parse_subpubkey( &start, end,
2266 &ssl->handshake->peer_pubkey );
2267 if( ret != 0 )
2268 {
2269 /* We should have parsed the public key before. */
2270 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2271 }
2272
2273 return( 0 );
2274}
2275#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2276
Hanno Becker68636192019-02-05 14:36:34 +00002277int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
2278{
2279 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002280 int crt_expected;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002281#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2282 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
2283 ? ssl->handshake->sni_authmode
2284 : ssl->conf->authmode;
2285#else
Johan Pascal4f099262020-09-22 10:59:26 +02002286 const int authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002287#endif
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002288 void *rs_ctx = NULL;
Hanno Becker3dad3112019-02-05 17:19:52 +00002289 mbedtls_x509_crt *chain = NULL;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002290
2291 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2292
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002293 crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
2294 if( crt_expected == SSL_CERTIFICATE_SKIP )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002295 {
2296 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Hanno Becker6bdfab22019-02-05 13:11:17 +00002297 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002298 }
2299
Gilles Peskineeccd8882020-03-10 12:19:08 +01002300#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002301 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02002302 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002303 {
Hanno Becker3dad3112019-02-05 17:19:52 +00002304 chain = ssl->handshake->ecrs_peer_cert;
2305 ssl->handshake->ecrs_peer_cert = NULL;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002306 goto crt_verify;
2307 }
2308#endif
2309
Manuel Pégourié-Gonnard125af942018-09-11 11:08:12 +02002310 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002311 {
2312 /* mbedtls_ssl_read_record may have sent an alert already. We
2313 let it decide whether to alert. */
2314 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Hanno Becker3dad3112019-02-05 17:19:52 +00002315 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002316 }
2317
Hanno Becker4a55f632019-02-05 12:49:06 +00002318#if defined(MBEDTLS_SSL_SRV_C)
2319 if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
2320 {
2321 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Hanno Becker4a55f632019-02-05 12:49:06 +00002322
irwird3085ab2020-04-21 22:26:05 +03002323 if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
Hanno Becker6bdfab22019-02-05 13:11:17 +00002324 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Hanno Becker4a55f632019-02-05 12:49:06 +00002325
Hanno Becker6bdfab22019-02-05 13:11:17 +00002326 goto exit;
Hanno Becker4a55f632019-02-05 12:49:06 +00002327 }
2328#endif /* MBEDTLS_SSL_SRV_C */
2329
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002330 /* Clear existing peer CRT structure in case we tried to
2331 * reuse a session but it failed, and allocate a new one. */
Hanno Becker7a955a02019-02-05 13:08:01 +00002332 ssl_clear_peer_cert( ssl->session_negotiate );
Hanno Becker3dad3112019-02-05 17:19:52 +00002333
2334 chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
2335 if( chain == NULL )
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002336 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00002337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002338 sizeof( mbedtls_x509_crt ) ) );
2339 mbedtls_ssl_send_alert_message( ssl,
2340 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2341 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Hanno Becker7a955a02019-02-05 13:08:01 +00002342
Hanno Becker3dad3112019-02-05 17:19:52 +00002343 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
2344 goto exit;
2345 }
2346 mbedtls_x509_crt_init( chain );
2347
2348 ret = ssl_parse_certificate_chain( ssl, chain );
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002349 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +00002350 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002351
Gilles Peskineeccd8882020-03-10 12:19:08 +01002352#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002353 if( ssl->handshake->ecrs_enabled)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02002354 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002355
2356crt_verify:
2357 if( ssl->handshake->ecrs_enabled)
2358 rs_ctx = &ssl->handshake->ecrs_ctx;
2359#endif
2360
Hanno Becker68636192019-02-05 14:36:34 +00002361 ret = ssl_parse_certificate_verify( ssl, authmode,
Hanno Becker3dad3112019-02-05 17:19:52 +00002362 chain, rs_ctx );
Hanno Becker68636192019-02-05 14:36:34 +00002363 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +00002364 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002365
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002366#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002367 {
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002368 unsigned char *crt_start, *pk_start;
2369 size_t crt_len, pk_len;
Hanno Becker3dad3112019-02-05 17:19:52 +00002370
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002371 /* We parse the CRT chain without copying, so
2372 * these pointers point into the input buffer,
2373 * and are hence still valid after freeing the
2374 * CRT chain. */
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002375
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002376 crt_start = chain->raw.p;
2377 crt_len = chain->raw.len;
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002378
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002379 pk_start = chain->pk_raw.p;
2380 pk_len = chain->pk_raw.len;
2381
2382 /* Free the CRT structures before computing
2383 * digest and copying the peer's public key. */
2384 mbedtls_x509_crt_free( chain );
2385 mbedtls_free( chain );
2386 chain = NULL;
2387
2388 ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
Hanno Beckera2747532019-02-06 16:19:04 +00002389 if( ret != 0 )
Hanno Beckera2747532019-02-06 16:19:04 +00002390 goto exit;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002391
2392 ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
2393 if( ret != 0 )
2394 goto exit;
Hanno Beckera2747532019-02-06 16:19:04 +00002395 }
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002396#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2397 /* Pass ownership to session structure. */
Hanno Becker3dad3112019-02-05 17:19:52 +00002398 ssl->session_negotiate->peer_cert = chain;
2399 chain = NULL;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002400#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker3dad3112019-02-05 17:19:52 +00002401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002402 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002403
Hanno Becker6bdfab22019-02-05 13:11:17 +00002404exit:
2405
Hanno Becker3dad3112019-02-05 17:19:52 +00002406 if( ret == 0 )
2407 ssl->state++;
2408
Gilles Peskineeccd8882020-03-10 12:19:08 +01002409#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Hanno Becker3dad3112019-02-05 17:19:52 +00002410 if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
2411 {
2412 ssl->handshake->ecrs_peer_cert = chain;
2413 chain = NULL;
2414 }
2415#endif
2416
2417 if( chain != NULL )
2418 {
2419 mbedtls_x509_crt_free( chain );
2420 mbedtls_free( chain );
2421 }
2422
Paul Bakker5121ce52009-01-03 21:22:43 +00002423 return( ret );
2424}
Gilles Peskineeccd8882020-03-10 12:19:08 +01002425#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002426
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002427void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
2428 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002429{
Paul Bakkerfb08fd22013-08-27 15:06:26 +02002430 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +01002431
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002432#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002433#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002434 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002435 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2436 else
2437#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002438#if defined(MBEDTLS_SHA256_C)
2439 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +00002440 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002441 else
2442#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002443#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002444 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002446 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002447 }
Paul Bakker380da532012-04-18 16:10:25 +00002448}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002449
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002450void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002451{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002452#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2453#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002454#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -05002455 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002456 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2457#else
TRodziewicz26371e42021-06-08 16:45:41 +02002458 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002459#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002460#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002461#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002462#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -05002463 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
Andrzej Kurek972fba52019-01-30 03:29:12 -05002464 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002465#else
TRodziewicz26371e42021-06-08 16:45:41 +02002466 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002467#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002468#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002469#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002470}
2471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002472static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002473 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002474{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002475#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2476#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002477#if defined(MBEDTLS_USE_PSA_CRYPTO)
2478 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2479#else
TRodziewicz26371e42021-06-08 16:45:41 +02002480 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002481#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002482#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002483#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002484#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002485 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002486#else
TRodziewicz26371e42021-06-08 16:45:41 +02002487 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002488#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002489#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002490#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002491}
2492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002493#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2494#if defined(MBEDTLS_SHA256_C)
2495static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002496 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002497{
Andrzej Kurekeb342242019-01-29 09:14:33 -05002498#if defined(MBEDTLS_USE_PSA_CRYPTO)
2499 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2500#else
TRodziewicz26371e42021-06-08 16:45:41 +02002501 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002502#endif
Paul Bakker380da532012-04-18 16:10:25 +00002503}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002504#endif
Paul Bakker380da532012-04-18 16:10:25 +00002505
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002506#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002507static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002508 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002509{
Andrzej Kurekeb342242019-01-29 09:14:33 -05002510#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002511 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002512#else
TRodziewicz26371e42021-06-08 16:45:41 +02002513 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002514#endif
Paul Bakker380da532012-04-18 16:10:25 +00002515}
Paul Bakker769075d2012-11-24 11:26:46 +01002516#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002517#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002519#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2520#if defined(MBEDTLS_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00002521static void ssl_calc_finished_tls_sha256(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002522 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002523{
2524 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002525 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002526 unsigned char padbuf[32];
Andrzej Kurekeb342242019-01-29 09:14:33 -05002527#if defined(MBEDTLS_USE_PSA_CRYPTO)
2528 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +00002529 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -05002530 psa_status_t status;
2531#else
2532 mbedtls_sha256_context sha256;
2533#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002535 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002536 if( !session )
2537 session = ssl->session;
2538
Andrzej Kurekeb342242019-01-29 09:14:33 -05002539 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2540 ? "client finished"
2541 : "server finished";
2542
2543#if defined(MBEDTLS_USE_PSA_CRYPTO)
2544 sha256_psa = psa_hash_operation_init();
2545
2546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
2547
2548 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
2549 if( status != PSA_SUCCESS )
2550 {
2551 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2552 return;
2553 }
2554
2555 status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
2556 if( status != PSA_SUCCESS )
2557 {
2558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2559 return;
2560 }
2561 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
2562#else
2563
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002564 mbedtls_sha256_init( &sha256 );
2565
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002566 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002567
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002568 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002569
2570 /*
2571 * TLSv1.2:
2572 * hash = PRF( master, finished_label,
2573 * Hash( handshake ) )[0.11]
2574 */
2575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002576#if !defined(MBEDTLS_SHA256_ALT)
2577 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002578 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002579#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002580
TRodziewicz26371e42021-06-08 16:45:41 +02002581 mbedtls_sha256_finish( &sha256, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002582 mbedtls_sha256_free( &sha256 );
2583#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002584
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002585 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002586 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002588 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002589
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05002590 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002592 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002593}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002594#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002595
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002596#if defined(MBEDTLS_SHA384_C)
Rodrigo Dias Corread596ca82020-11-25 00:42:28 -03002597
Paul Bakkerca4ab492012-04-18 14:23:57 +00002598static void ssl_calc_finished_tls_sha384(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002599 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakkerca4ab492012-04-18 14:23:57 +00002600{
2601 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002602 const char *sender;
Rodrigo Dias Corread596ca82020-11-25 00:42:28 -03002603 unsigned char padbuf[48];
Andrzej Kurekeb342242019-01-29 09:14:33 -05002604#if defined(MBEDTLS_USE_PSA_CRYPTO)
2605 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +00002606 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -05002607 psa_status_t status;
2608#else
2609 mbedtls_sha512_context sha512;
2610#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002611
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002612 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002613 if( !session )
2614 session = ssl->session;
2615
Andrzej Kurekeb342242019-01-29 09:14:33 -05002616 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2617 ? "client finished"
2618 : "server finished";
2619
2620#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002621 sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -05002622
2623 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
2624
Andrzej Kurek972fba52019-01-30 03:29:12 -05002625 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002626 if( status != PSA_SUCCESS )
2627 {
2628 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2629 return;
2630 }
2631
Andrzej Kurek972fba52019-01-30 03:29:12 -05002632 status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002633 if( status != PSA_SUCCESS )
2634 {
2635 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2636 return;
2637 }
2638 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
2639#else
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002640 mbedtls_sha512_init( &sha512 );
2641
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002642 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002643
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002644 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002645
2646 /*
2647 * TLSv1.2:
2648 * hash = PRF( master, finished_label,
2649 * Hash( handshake ) )[0.11]
2650 */
2651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002652#if !defined(MBEDTLS_SHA512_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002653 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
2654 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002655#endif
TRodziewicz26371e42021-06-08 16:45:41 +02002656 mbedtls_sha512_finish( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002657
Andrzej Kurekeb342242019-01-29 09:14:33 -05002658 mbedtls_sha512_free( &sha512 );
2659#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002660
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002661 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002662 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002664 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002665
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05002666 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002668 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002669}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002670#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002671#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +00002672
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00002673void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00002674{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002676
2677 /*
2678 * Free our handshake params
2679 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02002680 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002681 mbedtls_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00002682 ssl->handshake = NULL;
2683
2684 /*
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002685 * Free the previous transform and swith in the current one
Paul Bakker48916f92012-09-16 19:57:18 +00002686 */
2687 if( ssl->transform )
2688 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002689 mbedtls_ssl_transform_free( ssl->transform );
2690 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00002691 }
2692 ssl->transform = ssl->transform_negotiate;
2693 ssl->transform_negotiate = NULL;
2694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002695 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002696}
2697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002698void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002699{
2700 int resume = ssl->handshake->resume;
2701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002702 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002704#if defined(MBEDTLS_SSL_RENEGOTIATION)
2705 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002706 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002707 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002708 ssl->renego_records_seen = 0;
2709 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002710#endif
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002711
2712 /*
2713 * Free the previous session and switch in the current one
2714 */
Paul Bakker0a597072012-09-25 21:55:46 +00002715 if( ssl->session )
2716 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002717#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +01002718 /* RFC 7366 3.1: keep the EtM state */
2719 ssl->session_negotiate->encrypt_then_mac =
2720 ssl->session->encrypt_then_mac;
2721#endif
2722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002723 mbedtls_ssl_session_free( ssl->session );
2724 mbedtls_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00002725 }
2726 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002727 ssl->session_negotiate = NULL;
2728
Paul Bakker0a597072012-09-25 21:55:46 +00002729 /*
2730 * Add cache entry
2731 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002732 if( ssl->conf->f_set_cache != NULL &&
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02002733 ssl->session->id_len != 0 &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002734 resume == 0 )
2735 {
Hanno Beckerccdaf6e2021-04-15 09:26:17 +01002736 if( ssl->conf->f_set_cache( ssl->conf->p_cache,
2737 ssl->session->id,
2738 ssl->session->id_len,
2739 ssl->session ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002740 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002741 }
Paul Bakker0a597072012-09-25 21:55:46 +00002742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002743#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002744 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002745 ssl->handshake->flight != NULL )
2746 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002747 /* Cancel handshake timer */
Hanno Becker0f57a652020-02-05 10:37:26 +00002748 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002749
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002750 /* Keep last flight around in case we need to resend it:
2751 * we need the handshake and transform structures for that */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002752 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002753 }
2754 else
2755#endif
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00002756 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002757
Paul Bakker48916f92012-09-16 19:57:18 +00002758 ssl->state++;
2759
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002761}
2762
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002763int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002764{
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002765 int ret, hash_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002768
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00002769 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Paul Bakker92be97b2013-01-02 17:30:03 +01002770
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002771 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002772
Manuel Pégourié-Gonnard214a8482016-02-22 11:27:26 +01002773 /*
2774 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
2775 * may define some other value. Currently (early 2016), no defined
2776 * ciphersuite does this (and this is unlikely to change as activity has
2777 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
2778 */
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002779 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00002780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002781#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002782 ssl->verify_data_len = hash_len;
2783 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002784#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002785
Paul Bakker5121ce52009-01-03 21:22:43 +00002786 ssl->out_msglen = 4 + hash_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002787 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2788 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
Paul Bakker5121ce52009-01-03 21:22:43 +00002789
2790 /*
2791 * In case of session resuming, invert the client and server
2792 * ChangeCipherSpec messages order.
2793 */
Paul Bakker0a597072012-09-25 21:55:46 +00002794 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002795 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002796#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002797 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002798 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002799#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002800#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002801 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002802 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002803#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002804 }
2805 else
2806 ssl->state++;
2807
Paul Bakker48916f92012-09-16 19:57:18 +00002808 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002809 * Switch to our negotiated transform and session parameters for outbound
2810 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00002811 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +01002813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002814#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002815 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002816 {
2817 unsigned char i;
2818
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002819 /* Remember current epoch settings for resending */
2820 ssl->handshake->alt_transform_out = ssl->transform_out;
Jerry Yud9a94fe2021-09-28 18:58:59 +08002821 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
Jerry Yud96a5c22021-09-29 17:46:51 +08002822 sizeof( ssl->handshake->alt_out_ctr ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002823
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002824 /* Set sequence_number to zero */
Jerry Yufd320e92021-10-08 21:52:41 +08002825 memset( &ssl->cur_out_ctr[2], 0, sizeof( ssl->cur_out_ctr ) - 2 );
Jerry Yud9a94fe2021-09-28 18:58:59 +08002826
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002827
2828 /* Increment epoch */
2829 for( i = 2; i > 0; i-- )
Hanno Becker19859472018-08-06 09:40:20 +01002830 if( ++ssl->cur_out_ctr[i - 1] != 0 )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002831 break;
2832
2833 /* The loop goes to its end iff the counter is wrapping */
2834 if( i == 0 )
2835 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002836 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
2837 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002838 }
2839 }
2840 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002841#endif /* MBEDTLS_SSL_PROTO_DTLS */
Jerry Yufd320e92021-10-08 21:52:41 +08002842 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002843
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002844 ssl->transform_out = ssl->transform_negotiate;
2845 ssl->session_out = ssl->session_negotiate;
2846
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002847#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002848 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002849 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02002850#endif
2851
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02002852 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002853 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02002854 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002855 return( ret );
2856 }
2857
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02002858#if defined(MBEDTLS_SSL_PROTO_DTLS)
2859 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2860 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2861 {
2862 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2863 return( ret );
2864 }
2865#endif
2866
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002867 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002868
2869 return( 0 );
2870}
2871
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002872#define SSL_MAX_HASH_LEN 12
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002874int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002875{
Janos Follath865b3eb2019-12-16 11:46:15 +00002876 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinea4174312021-12-13 14:38:40 +01002877 unsigned int hash_len = 12;
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002878 unsigned char buf[SSL_MAX_HASH_LEN];
Paul Bakker5121ce52009-01-03 21:22:43 +00002879
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002880 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002881
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002882 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002883
Hanno Becker327c93b2018-08-15 13:56:18 +01002884 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002885 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Gilles Peskinef0fd4c32021-12-13 12:36:15 +01002887 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002888 }
2889
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002890 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002891 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002892 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002893 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2894 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Gilles Peskinef0fd4c32021-12-13 12:36:15 +01002895 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2896 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002897 }
2898
Hanno Beckera0ca87e2021-06-24 10:27:37 +01002899 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED )
2900 {
2901 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2902 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Gilles Peskinef0fd4c32021-12-13 12:36:15 +01002903 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2904 goto exit;
Hanno Beckera0ca87e2021-06-24 10:27:37 +01002905 }
2906
2907 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
Paul Bakker5121ce52009-01-03 21:22:43 +00002908 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002910 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2911 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Gilles Peskinef0fd4c32021-12-13 12:36:15 +01002912 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
2913 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002914 }
2915
Gabor Mezei90437e32021-10-20 11:59:27 +02002916 if( mbedtls_ct_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
Manuel Pégourié-Gonnard4abc3272014-09-10 12:02:46 +00002917 buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002918 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002919 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002920 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01002921 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Gilles Peskinef0fd4c32021-12-13 12:36:15 +01002922 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2923 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002924 }
2925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002926#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002927 ssl->verify_data_len = hash_len;
2928 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002929#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002930
Paul Bakker0a597072012-09-25 21:55:46 +00002931 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002932 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002933#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002934 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002935 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002936#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002937#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002938 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002939 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002940#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002941 }
2942 else
2943 ssl->state++;
2944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002945#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002946 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002947 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002948#endif
2949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002951
Gilles Peskinef0fd4c32021-12-13 12:36:15 +01002952exit:
2953 mbedtls_platform_zeroize( buf, hash_len );
2954 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002955}
2956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002957static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002958{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002959 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002960
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002961#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2962#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002963#if defined(MBEDTLS_USE_PSA_CRYPTO)
2964 handshake->fin_sha256_psa = psa_hash_operation_init();
2965 psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2966#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002967 mbedtls_sha256_init( &handshake->fin_sha256 );
TRodziewicz26371e42021-06-08 16:45:41 +02002968 mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002969#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002970#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002971#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002972#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002973 handshake->fin_sha384_psa = psa_hash_operation_init();
2974 psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002975#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002976 mbedtls_sha512_init( &handshake->fin_sha512 );
TRodziewicz26371e42021-06-08 16:45:41 +02002977 mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002978#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002979#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002980#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002981
2982 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +01002983
2984#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01002985 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01002986 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
2987#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002988
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002989#if defined(MBEDTLS_DHM_C)
2990 mbedtls_dhm_init( &handshake->dhm_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002991#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002992#if defined(MBEDTLS_ECDH_C)
2993 mbedtls_ecdh_init( &handshake->ecdh_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002994#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02002995#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02002996 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02002997#if defined(MBEDTLS_SSL_CLI_C)
2998 handshake->ecjpake_cache = NULL;
2999 handshake->ecjpake_cache_len = 0;
3000#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02003001#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003002
Gilles Peskineeccd8882020-03-10 12:19:08 +01003003#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02003004 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02003005#endif
3006
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003007#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3008 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
3009#endif
Hanno Becker75173122019-02-06 16:18:31 +00003010
3011#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
3012 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3013 mbedtls_pk_init( &handshake->peer_pubkey );
3014#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003015}
3016
Hanno Beckera18d1322018-01-03 14:27:32 +00003017void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003018{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003019 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003021 mbedtls_cipher_init( &transform->cipher_ctx_enc );
3022 mbedtls_cipher_init( &transform->cipher_ctx_dec );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003023
Hanno Beckerfd86ca82020-11-30 08:54:23 +00003024#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003025 mbedtls_md_init( &transform->md_ctx_enc );
3026 mbedtls_md_init( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +00003027#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003028}
3029
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003030void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003031{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003032 memset( session, 0, sizeof(mbedtls_ssl_session) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003033}
3034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003035static int ssl_handshake_init( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00003036{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003037 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +00003038 if( ssl->transform_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003039 mbedtls_ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003040 if( ssl->session_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003041 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003042 if( ssl->handshake )
Gilles Peskine9b562d52018-04-25 20:32:43 +02003043 mbedtls_ssl_handshake_free( ssl );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003044
3045 /*
3046 * Either the pointers are now NULL or cleared properly and can be freed.
3047 * Now allocate missing structures.
3048 */
3049 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003050 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003051 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003052 }
Paul Bakker48916f92012-09-16 19:57:18 +00003053
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003054 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003055 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003056 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003057 }
Paul Bakker48916f92012-09-16 19:57:18 +00003058
Paul Bakker82788fb2014-10-20 13:59:19 +02003059 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003060 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003061 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003062 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05003063#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3064 /* If the buffers are too small - reallocate */
Andrzej Kurek8ea68722020-04-03 06:40:47 -04003065
Andrzej Kurek4a063792020-10-21 15:08:44 +02003066 handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
3067 MBEDTLS_SSL_OUT_BUFFER_LEN );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05003068#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003069
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003070 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +00003071 if( ssl->handshake == NULL ||
3072 ssl->transform_negotiate == NULL ||
3073 ssl->session_negotiate == NULL )
3074 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02003075 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003076
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003077 mbedtls_free( ssl->handshake );
3078 mbedtls_free( ssl->transform_negotiate );
3079 mbedtls_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003080
3081 ssl->handshake = NULL;
3082 ssl->transform_negotiate = NULL;
3083 ssl->session_negotiate = NULL;
3084
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003085 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker48916f92012-09-16 19:57:18 +00003086 }
3087
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003088 /* Initialize structures */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003089 mbedtls_ssl_session_init( ssl->session_negotiate );
Hanno Beckera18d1322018-01-03 14:27:32 +00003090 mbedtls_ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +02003091 ssl_handshake_params_init( ssl->handshake );
3092
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003093#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003094 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3095 {
3096 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003097
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003098 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
3099 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
3100 else
3101 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003102
Hanno Becker0f57a652020-02-05 10:37:26 +00003103 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003104 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003105#endif
3106
Brett Warrene0edc842021-08-17 09:53:13 +01003107/*
3108 * curve_list is translated to IANA TLS group identifiers here because
3109 * mbedtls_ssl_conf_curves returns void and so can't return
3110 * any error codes.
3111 */
3112#if defined(MBEDTLS_ECP_C)
3113#if !defined(MBEDTLS_DEPRECATED_REMOVED)
3114 /* Heap allocate and translate curve_list from internal to IANA group ids */
3115 if ( ssl->conf->curve_list != NULL )
3116 {
3117 size_t length;
3118 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
3119
3120 for( length = 0; ( curve_list[length] != MBEDTLS_ECP_DP_NONE ) &&
3121 ( length < MBEDTLS_ECP_DP_MAX ); length++ ) {}
3122
3123 /* Leave room for zero termination */
3124 uint16_t *group_list = mbedtls_calloc( length + 1, sizeof(uint16_t) );
3125 if ( group_list == NULL )
3126 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3127
3128 for( size_t i = 0; i < length; i++ )
3129 {
3130 const mbedtls_ecp_curve_info *info =
3131 mbedtls_ecp_curve_info_from_grp_id( curve_list[i] );
3132 if ( info == NULL )
3133 {
3134 mbedtls_free( group_list );
3135 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3136 }
3137 group_list[i] = info->tls_id;
3138 }
3139
3140 group_list[length] = 0;
3141
3142 ssl->handshake->group_list = group_list;
3143 ssl->handshake->group_list_heap_allocated = 1;
3144 }
3145 else
3146 {
3147 ssl->handshake->group_list = ssl->conf->group_list;
3148 ssl->handshake->group_list_heap_allocated = 0;
3149 }
3150#endif /* MBEDTLS_DEPRECATED_REMOVED */
3151#endif /* MBEDTLS_ECP_C */
3152
Jerry Yuf017ee42022-01-12 15:49:48 +08003153#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
3154#if !defined(MBEDTLS_DEPRECATED_REMOVED)
3155 /* Heap allocate and translate curve_list from internal to IANA group ids */
3156 if ( mbedtls_ssl_conf_is_tls12_enabled( ssl->conf ) &&
3157 ssl->conf->sig_hashes != NULL )
3158 {
3159 const int *md;
3160 const int *sig_hashes = ssl->conf->sig_hashes;
3161 size_t sig_algs_len = 0;
3162 uint16_t *p;
3163
3164 for( md = sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
3165 {
3166 if( mbedtls_ssl_hash_from_md_alg( *md ) == MBEDTLS_SSL_HASH_NONE )
3167 continue;
3168 #if defined(MBEDTLS_ECDSA_C)
3169 sig_algs_len++;
3170 #endif
3171 #if defined(MBEDTLS_RSA_C)
3172 sig_algs_len++;
3173 #endif
3174 }
3175
3176 if( sig_algs_len == 0 )
3177 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3178
3179 ssl->handshake->sig_algs = mbedtls_calloc( sig_algs_len + 1,
3180 sizeof( uint16_t ) );
3181 if( ssl->handshake->sig_algs == NULL )
3182 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3183
3184 p = (uint16_t *)ssl->handshake->sig_algs;
3185 for( md = sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
3186 {
3187 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *md );
3188 if( hash == MBEDTLS_SSL_HASH_NONE )
3189 continue;
Jerry Yu6106fdc2022-01-12 16:36:14 +08003190#if defined(MBEDTLS_ECDSA_C)
Jerry Yuf017ee42022-01-12 15:49:48 +08003191 *p = (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA);
3192 p++;
Jerry Yu6106fdc2022-01-12 16:36:14 +08003193#endif
3194#if defined(MBEDTLS_RSA_C)
Jerry Yuf017ee42022-01-12 15:49:48 +08003195 *p = (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA);
3196 p++;
Jerry Yu6106fdc2022-01-12 16:36:14 +08003197#endif
Jerry Yuf017ee42022-01-12 15:49:48 +08003198 }
3199 *p = MBEDTLS_TLS1_3_SIG_NONE;
3200 ssl->handshake->sig_algs_heap_allocated = 1;
3201 }
3202 else
3203 {
3204 ssl->handshake->sig_algs = ssl->conf->sig_algs;
3205 ssl->handshake->sig_algs_heap_allocated = 0;
3206 }
3207#endif /* MBEDTLS_DEPRECATED_REMOVED */
3208#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +00003209 return( 0 );
3210}
3211
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003212#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003213/* Dummy cookie callbacks for defaults */
3214static int ssl_cookie_write_dummy( void *ctx,
3215 unsigned char **p, unsigned char *end,
3216 const unsigned char *cli_id, size_t cli_id_len )
3217{
3218 ((void) ctx);
3219 ((void) p);
3220 ((void) end);
3221 ((void) cli_id);
3222 ((void) cli_id_len);
3223
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003224 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003225}
3226
3227static int ssl_cookie_check_dummy( void *ctx,
3228 const unsigned char *cookie, size_t cookie_len,
3229 const unsigned char *cli_id, size_t cli_id_len )
3230{
3231 ((void) ctx);
3232 ((void) cookie);
3233 ((void) cookie_len);
3234 ((void) cli_id);
3235 ((void) cli_id_len);
3236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003237 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003238}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003239#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003240
Paul Bakker5121ce52009-01-03 21:22:43 +00003241/*
3242 * Initialize an SSL context
3243 */
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02003244void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
3245{
3246 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
3247}
3248
Jerry Yu60835a82021-08-04 10:13:52 +08003249static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
3250{
Ronald Cron6f135e12021-12-08 16:57:54 +01003251#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08003252 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
3253 {
3254 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3255 {
3256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
3257 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3258 }
3259 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
3260 return( 0 );
3261 }
3262#endif
3263
3264#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3265 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
3266 {
3267 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
3268 return( 0 );
3269 }
3270#endif
3271
Ronald Cron6f135e12021-12-08 16:57:54 +01003272#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08003273 if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
3274 {
3275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
3276 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3277 }
3278#endif
3279
3280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) );
3281 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3282}
3283
3284static int ssl_conf_check(const mbedtls_ssl_context *ssl)
3285{
3286 int ret;
3287 ret = ssl_conf_version_check( ssl );
3288 if( ret != 0 )
3289 return( ret );
3290
3291 /* Space for further checks */
3292
3293 return( 0 );
3294}
3295
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02003296/*
3297 * Setup an SSL context
3298 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +01003299
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02003300int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +02003301 const mbedtls_ssl_config *conf )
Paul Bakker5121ce52009-01-03 21:22:43 +00003302{
Janos Follath865b3eb2019-12-16 11:46:15 +00003303 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00003304 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3305 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00003306
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02003307 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +00003308
Jerry Yu60835a82021-08-04 10:13:52 +08003309 if( ( ret = ssl_conf_check( ssl ) ) != 0 )
3310 return( ret );
3311
Paul Bakker62f2dee2012-09-28 07:31:51 +00003312 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003313 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +00003314 */
k-stachowiakc9a5f022018-07-24 13:53:31 +02003315
3316 /* Set to NULL in case of an error condition */
3317 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +02003318
Darryl Greenb33cc762019-11-28 14:29:44 +00003319#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3320 ssl->in_buf_len = in_buf_len;
3321#endif
3322 ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
Angus Grattond8213d02016-05-25 20:56:48 +10003323 if( ssl->in_buf == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003324 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00003325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02003326 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02003327 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +10003328 }
3329
Darryl Greenb33cc762019-11-28 14:29:44 +00003330#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3331 ssl->out_buf_len = out_buf_len;
3332#endif
3333 ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
Angus Grattond8213d02016-05-25 20:56:48 +10003334 if( ssl->out_buf == NULL )
3335 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00003336 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02003337 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02003338 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00003339 }
3340
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00003341 mbedtls_ssl_reset_in_out_pointers( ssl );
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02003342
Johan Pascalb62bb512015-12-03 21:56:45 +01003343#if defined(MBEDTLS_SSL_DTLS_SRTP)
Ron Eldor3adb9922017-12-21 10:15:08 +02003344 memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
Johan Pascalb62bb512015-12-03 21:56:45 +01003345#endif
3346
Paul Bakker48916f92012-09-16 19:57:18 +00003347 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
k-stachowiaka47911c2018-07-04 17:41:58 +02003348 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00003349
3350 return( 0 );
k-stachowiaka47911c2018-07-04 17:41:58 +02003351
3352error:
3353 mbedtls_free( ssl->in_buf );
3354 mbedtls_free( ssl->out_buf );
3355
3356 ssl->conf = NULL;
3357
Darryl Greenb33cc762019-11-28 14:29:44 +00003358#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3359 ssl->in_buf_len = 0;
3360 ssl->out_buf_len = 0;
3361#endif
k-stachowiaka47911c2018-07-04 17:41:58 +02003362 ssl->in_buf = NULL;
3363 ssl->out_buf = NULL;
3364
3365 ssl->in_hdr = NULL;
3366 ssl->in_ctr = NULL;
3367 ssl->in_len = NULL;
3368 ssl->in_iv = NULL;
3369 ssl->in_msg = NULL;
3370
3371 ssl->out_hdr = NULL;
3372 ssl->out_ctr = NULL;
3373 ssl->out_len = NULL;
3374 ssl->out_iv = NULL;
3375 ssl->out_msg = NULL;
3376
k-stachowiak9f7798e2018-07-31 16:52:32 +02003377 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003378}
3379
3380/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00003381 * Reset an initialized and used SSL context for re-use while retaining
3382 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003383 *
3384 * If partial is non-zero, keep data in the input buffer and client ID.
3385 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +00003386 */
Hanno Beckerb0302c42021-08-03 09:39:42 +01003387static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
3388 int partial )
Paul Bakker7eb013f2011-10-06 12:37:39 +00003389{
Darryl Greenb33cc762019-11-28 14:29:44 +00003390#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3391 size_t in_buf_len = ssl->in_buf_len;
3392 size_t out_buf_len = ssl->out_buf_len;
3393#else
3394 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3395 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
3396#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003397
Hanno Beckerb0302c42021-08-03 09:39:42 +01003398#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
3399 partial = 0;
Hanno Becker7e772132018-08-10 12:38:21 +01003400#endif
3401
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003402 /* Cancel any possibly running timer */
Hanno Becker0f57a652020-02-05 10:37:26 +00003403 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003404
Hanno Beckerb0302c42021-08-03 09:39:42 +01003405 mbedtls_ssl_reset_in_out_pointers( ssl );
3406
3407 /* Reset incoming message parsing */
3408 ssl->in_offt = NULL;
3409 ssl->nb_zero = 0;
3410 ssl->in_msgtype = 0;
3411 ssl->in_msglen = 0;
3412 ssl->in_hslen = 0;
3413 ssl->keep_current_message = 0;
3414 ssl->transform_in = NULL;
3415
3416#if defined(MBEDTLS_SSL_PROTO_DTLS)
3417 ssl->next_record_offset = 0;
3418 ssl->in_epoch = 0;
3419#endif
3420
3421 /* Keep current datagram if partial == 1 */
3422 if( partial == 0 )
3423 {
3424 ssl->in_left = 0;
3425 memset( ssl->in_buf, 0, in_buf_len );
3426 }
3427
3428 /* Reset outgoing message writing */
3429 ssl->out_msgtype = 0;
3430 ssl->out_msglen = 0;
3431 ssl->out_left = 0;
3432 memset( ssl->out_buf, 0, out_buf_len );
3433 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
3434 ssl->transform_out = NULL;
3435
3436#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3437 mbedtls_ssl_dtls_replay_reset( ssl );
3438#endif
3439
3440 if( ssl->transform )
3441 {
3442 mbedtls_ssl_transform_free( ssl->transform );
3443 mbedtls_free( ssl->transform );
3444 ssl->transform = NULL;
3445 }
3446}
3447
3448int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
3449{
3450 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3451
3452 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
3453
3454 ssl_session_reset_msg_layer( ssl, partial );
3455
3456 /* Reset renegotiation state */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003457#if defined(MBEDTLS_SSL_RENEGOTIATION)
3458 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003459 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00003460
3461 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003462 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
3463 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003464#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003465 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00003466
Hanno Beckerb0302c42021-08-03 09:39:42 +01003467 ssl->session_in = NULL;
Hanno Becker78640902018-08-13 16:35:15 +01003468 ssl->session_out = NULL;
Paul Bakkerc0463502013-02-14 11:19:38 +01003469 if( ssl->session )
3470 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003471 mbedtls_ssl_session_free( ssl->session );
3472 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01003473 ssl->session = NULL;
3474 }
3475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003476#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02003477 ssl->alpn_chosen = NULL;
3478#endif
3479
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003480#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker4ccbf062018-08-10 11:20:38 +01003481#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003482 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01003483#endif
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003484 {
3485 mbedtls_free( ssl->cli_id );
3486 ssl->cli_id = NULL;
3487 ssl->cli_id_len = 0;
3488 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02003489#endif
3490
Paul Bakker48916f92012-09-16 19:57:18 +00003491 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3492 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00003493
3494 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003495}
3496
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003497/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003498 * Reset an initialized and used SSL context for re-use while retaining
3499 * all application-set variables, function pointers and data.
3500 */
3501int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
3502{
Hanno Becker43aefe22020-02-05 10:44:56 +00003503 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003504}
3505
3506/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003507 * SSL set accessors
3508 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003509void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
Paul Bakker5121ce52009-01-03 21:22:43 +00003510{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003511 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +00003512}
3513
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02003514void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01003515{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003516 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01003517}
3518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003519#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003520void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003521{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003522 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003523}
3524#endif
3525
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003526void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003527{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003528 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003529}
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003530
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003531#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +01003532
Hanno Becker1841b0a2018-08-24 11:13:57 +01003533void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
3534 unsigned allow_packing )
Hanno Becker04da1892018-08-14 13:22:10 +01003535{
3536 ssl->disable_datagram_packing = !allow_packing;
3537}
3538
3539void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
3540 uint32_t min, uint32_t max )
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02003541{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003542 conf->hs_timeout_min = min;
3543 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02003544}
3545#endif
3546
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003547void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
Paul Bakker5121ce52009-01-03 21:22:43 +00003548{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003549 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +00003550}
3551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003552#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003553void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02003554 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003555 void *p_vrfy )
3556{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003557 conf->f_vrfy = f_vrfy;
3558 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003559}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003560#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003561
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003562void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
Paul Bakkera3d195c2011-11-27 21:07:34 +00003563 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00003564 void *p_rng )
3565{
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01003566 conf->f_rng = f_rng;
3567 conf->p_rng = p_rng;
Paul Bakker5121ce52009-01-03 21:22:43 +00003568}
3569
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003570void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardfd474232015-06-23 16:34:24 +02003571 void (*f_dbg)(void *, int, const char *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00003572 void *p_dbg )
3573{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003574 conf->f_dbg = f_dbg;
3575 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +00003576}
3577
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003578void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003579 void *p_bio,
Simon Butchere846b512016-03-01 17:31:49 +00003580 mbedtls_ssl_send_t *f_send,
3581 mbedtls_ssl_recv_t *f_recv,
3582 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003583{
3584 ssl->p_bio = p_bio;
3585 ssl->f_send = f_send;
3586 ssl->f_recv = f_recv;
3587 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01003588}
3589
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02003590#if defined(MBEDTLS_SSL_PROTO_DTLS)
3591void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
3592{
3593 ssl->mtu = mtu;
3594}
3595#endif
3596
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003597void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01003598{
3599 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003600}
3601
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003602void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
3603 void *p_timer,
Simon Butchere846b512016-03-01 17:31:49 +00003604 mbedtls_ssl_set_timer_t *f_set_timer,
3605 mbedtls_ssl_get_timer_t *f_get_timer )
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003606{
3607 ssl->p_timer = p_timer;
3608 ssl->f_set_timer = f_set_timer;
3609 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003610
3611 /* Make sure we start with no timer running */
Hanno Becker0f57a652020-02-05 10:37:26 +00003612 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003613}
3614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003615#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003616void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
Hanno Beckera637ff62021-04-15 08:42:48 +01003617 void *p_cache,
3618 mbedtls_ssl_cache_get_t *f_get_cache,
3619 mbedtls_ssl_cache_set_t *f_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00003620{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01003621 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003622 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003623 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00003624}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003625#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003627#if defined(MBEDTLS_SSL_CLI_C)
3628int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00003629{
Janos Follath865b3eb2019-12-16 11:46:15 +00003630 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003631
3632 if( ssl == NULL ||
3633 session == NULL ||
3634 ssl->session_negotiate == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003635 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003636 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003637 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003638 }
3639
Hanno Beckere810bbc2021-05-14 16:01:05 +01003640 if( ssl->handshake->resume == 1 )
3641 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3642
Hanno Becker52055ae2019-02-06 14:30:46 +00003643 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
3644 session ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003645 return( ret );
3646
Paul Bakker0a597072012-09-25 21:55:46 +00003647 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003648
3649 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003650}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003651#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003652
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01003653void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
3654 const int *ciphersuites )
3655{
Hanno Beckerd60b6c62021-04-29 12:04:11 +01003656 conf->ciphersuite_list = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00003657}
3658
Ronald Cron6f135e12021-12-08 16:57:54 +01003659#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yucadebe52021-08-24 10:36:45 +08003660void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
Hanno Becker71f1ed62021-07-24 06:01:47 +01003661 const int kex_modes )
3662{
Xiaofei Bai746f9482021-11-12 08:53:56 +00003663 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
Hanno Becker71f1ed62021-07-24 06:01:47 +01003664}
Ronald Cron6f135e12021-12-08 16:57:54 +01003665#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker71f1ed62021-07-24 06:01:47 +01003666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003667#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02003668void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
Nicholas Wilson2088e2e2015-09-08 16:53:18 +01003669 const mbedtls_x509_crt_profile *profile )
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02003670{
3671 conf->cert_profile = profile;
3672}
3673
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003674/* Append a new keycert entry to a (possibly empty) list */
3675static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
3676 mbedtls_x509_crt *cert,
3677 mbedtls_pk_context *key )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003678{
niisato8ee24222018-06-25 19:05:48 +09003679 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003680
niisato8ee24222018-06-25 19:05:48 +09003681 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
3682 if( new_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003683 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003684
niisato8ee24222018-06-25 19:05:48 +09003685 new_cert->cert = cert;
3686 new_cert->key = key;
3687 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003688
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003689 /* Update head is the list was null, else add to the end */
3690 if( *head == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +01003691 {
niisato8ee24222018-06-25 19:05:48 +09003692 *head = new_cert;
Paul Bakker0333b972013-11-04 17:08:28 +01003693 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003694 else
3695 {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003696 mbedtls_ssl_key_cert *cur = *head;
3697 while( cur->next != NULL )
3698 cur = cur->next;
niisato8ee24222018-06-25 19:05:48 +09003699 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003700 }
3701
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003702 return( 0 );
3703}
3704
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003705int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003706 mbedtls_x509_crt *own_cert,
3707 mbedtls_pk_context *pk_key )
3708{
Manuel Pégourié-Gonnard17a40cd2015-05-10 23:17:17 +02003709 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003710}
3711
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003712void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003713 mbedtls_x509_crt *ca_chain,
3714 mbedtls_x509_crl *ca_crl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003715{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003716 conf->ca_chain = ca_chain;
3717 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +00003718
3719#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3720 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3721 * cannot be used together. */
3722 conf->f_ca_cb = NULL;
3723 conf->p_ca_cb = NULL;
3724#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +00003725}
Hanno Becker5adaad92019-03-27 16:54:37 +00003726
3727#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3728void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00003729 mbedtls_x509_crt_ca_cb_t f_ca_cb,
Hanno Becker5adaad92019-03-27 16:54:37 +00003730 void *p_ca_cb )
3731{
3732 conf->f_ca_cb = f_ca_cb;
3733 conf->p_ca_cb = p_ca_cb;
3734
3735 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3736 * cannot be used together. */
3737 conf->ca_chain = NULL;
3738 conf->ca_crl = NULL;
3739}
3740#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003741#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00003742
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02003743#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3744int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
3745 mbedtls_x509_crt *own_cert,
3746 mbedtls_pk_context *pk_key )
3747{
3748 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
3749 own_cert, pk_key ) );
3750}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02003751
3752void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
3753 mbedtls_x509_crt *ca_chain,
3754 mbedtls_x509_crl *ca_crl )
3755{
3756 ssl->handshake->sni_ca_chain = ca_chain;
3757 ssl->handshake->sni_ca_crl = ca_crl;
3758}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003759
3760void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
3761 int authmode )
3762{
3763 ssl->handshake->sni_authmode = authmode;
3764}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02003765#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3766
Hanno Becker8927c832019-04-03 12:52:50 +01003767#if defined(MBEDTLS_X509_CRT_PARSE_C)
3768void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
3769 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3770 void *p_vrfy )
3771{
3772 ssl->f_vrfy = f_vrfy;
3773 ssl->p_vrfy = p_vrfy;
3774}
3775#endif
3776
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02003777#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003778/*
3779 * Set EC J-PAKE password for current handshake
3780 */
3781int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
3782 const unsigned char *pw,
3783 size_t pw_len )
3784{
3785 mbedtls_ecjpake_role role;
3786
Janos Follath8eb64132016-06-03 15:40:57 +01003787 if( ssl->handshake == NULL || ssl->conf == NULL )
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003788 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3789
3790 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
3791 role = MBEDTLS_ECJPAKE_SERVER;
3792 else
3793 role = MBEDTLS_ECJPAKE_CLIENT;
3794
3795 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
3796 role,
3797 MBEDTLS_MD_SHA256,
3798 MBEDTLS_ECP_DP_SECP256R1,
3799 pw, pw_len ) );
3800}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02003801#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003802
Gilles Peskineeccd8882020-03-10 12:19:08 +01003803#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003804
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003805static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
3806{
3807#if defined(MBEDTLS_USE_PSA_CRYPTO)
3808 if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
3809 return( 1 );
3810#endif /* MBEDTLS_USE_PSA_CRYPTO */
3811
3812 if( conf->psk != NULL )
3813 return( 1 );
3814
3815 return( 0 );
3816}
3817
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003818static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
3819{
3820 /* Remove reference to existing PSK, if any. */
3821#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +02003822 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003823 {
3824 /* The maintenance of the PSK key slot is the
3825 * user's responsibility. */
Ronald Croncf56a0a2020-08-04 09:51:30 +02003826 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003827 }
Hanno Beckera63ac3f2018-11-05 12:47:16 +00003828 /* This and the following branch should never
3829 * be taken simultaenously as we maintain the
3830 * invariant that raw and opaque PSKs are never
3831 * configured simultaneously. As a safeguard,
3832 * though, `else` is omitted here. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003833#endif /* MBEDTLS_USE_PSA_CRYPTO */
3834 if( conf->psk != NULL )
3835 {
3836 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
3837
3838 mbedtls_free( conf->psk );
3839 conf->psk = NULL;
3840 conf->psk_len = 0;
3841 }
3842
3843 /* Remove reference to PSK identity, if any. */
3844 if( conf->psk_identity != NULL )
3845 {
3846 mbedtls_free( conf->psk_identity );
3847 conf->psk_identity = NULL;
3848 conf->psk_identity_len = 0;
3849 }
3850}
3851
Hanno Becker7390c712018-11-15 13:33:04 +00003852/* This function assumes that PSK identity in the SSL config is unset.
3853 * It checks that the provided identity is well-formed and attempts
3854 * to make a copy of it in the SSL config.
3855 * On failure, the PSK identity in the config remains unset. */
3856static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
3857 unsigned char const *psk_identity,
3858 size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003859{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003860 /* Identity len will be encoded on two bytes */
Hanno Becker7390c712018-11-15 13:33:04 +00003861 if( psk_identity == NULL ||
3862 ( psk_identity_len >> 16 ) != 0 ||
Angus Grattond8213d02016-05-25 20:56:48 +10003863 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003864 {
3865 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3866 }
3867
Hanno Becker7390c712018-11-15 13:33:04 +00003868 conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
3869 if( conf->psk_identity == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003870 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker6db455e2013-09-18 17:29:31 +02003871
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01003872 conf->psk_identity_len = psk_identity_len;
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01003873 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +02003874
3875 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +02003876}
3877
Hanno Becker7390c712018-11-15 13:33:04 +00003878int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
3879 const unsigned char *psk, size_t psk_len,
3880 const unsigned char *psk_identity, size_t psk_identity_len )
3881{
Janos Follath865b3eb2019-12-16 11:46:15 +00003882 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003883
3884 /* We currently only support one PSK, raw or opaque. */
3885 if( ssl_conf_psk_is_configured( conf ) )
3886 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Hanno Becker7390c712018-11-15 13:33:04 +00003887
3888 /* Check and set raw PSK */
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01003889 if( psk == NULL )
Hanno Becker7390c712018-11-15 13:33:04 +00003890 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01003891 if( psk_len == 0 )
3892 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3893 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3894 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3895
Hanno Becker7390c712018-11-15 13:33:04 +00003896 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
3897 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3898 conf->psk_len = psk_len;
3899 memcpy( conf->psk, psk, conf->psk_len );
3900
3901 /* Check and set PSK Identity */
3902 ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
3903 if( ret != 0 )
3904 ssl_conf_remove_psk( conf );
3905
3906 return( ret );
3907}
3908
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003909static void ssl_remove_psk( mbedtls_ssl_context *ssl )
3910{
3911#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +02003912 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003913 {
Ronald Croncf56a0a2020-08-04 09:51:30 +02003914 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003915 }
3916 else
3917#endif /* MBEDTLS_USE_PSA_CRYPTO */
3918 if( ssl->handshake->psk != NULL )
3919 {
3920 mbedtls_platform_zeroize( ssl->handshake->psk,
3921 ssl->handshake->psk_len );
3922 mbedtls_free( ssl->handshake->psk );
3923 ssl->handshake->psk_len = 0;
3924 }
3925}
3926
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003927int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
3928 const unsigned char *psk, size_t psk_len )
3929{
3930 if( psk == NULL || ssl->handshake == NULL )
3931 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3932
3933 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3934 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3935
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003936 ssl_remove_psk( ssl );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003937
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003938 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003939 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003940
3941 ssl->handshake->psk_len = psk_len;
3942 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
3943
3944 return( 0 );
3945}
3946
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003947#if defined(MBEDTLS_USE_PSA_CRYPTO)
3948int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
Andrzej Kurek03e01462022-01-03 12:53:24 +01003949 mbedtls_svc_key_id_t psk,
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003950 const unsigned char *psk_identity,
3951 size_t psk_identity_len )
3952{
Janos Follath865b3eb2019-12-16 11:46:15 +00003953 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003954
3955 /* We currently only support one PSK, raw or opaque. */
3956 if( ssl_conf_psk_is_configured( conf ) )
3957 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003958
Hanno Becker7390c712018-11-15 13:33:04 +00003959 /* Check and set opaque PSK */
Ronald Croncf56a0a2020-08-04 09:51:30 +02003960 if( mbedtls_svc_key_id_is_null( psk ) )
Hanno Becker7390c712018-11-15 13:33:04 +00003961 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003962 conf->psk_opaque = psk;
Hanno Becker7390c712018-11-15 13:33:04 +00003963
3964 /* Check and set PSK Identity */
3965 ret = ssl_conf_set_psk_identity( conf, psk_identity,
3966 psk_identity_len );
3967 if( ret != 0 )
3968 ssl_conf_remove_psk( conf );
3969
3970 return( ret );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003971}
3972
3973int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
Andrzej Kurek03e01462022-01-03 12:53:24 +01003974 mbedtls_svc_key_id_t psk )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003975{
Ronald Croncf56a0a2020-08-04 09:51:30 +02003976 if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
Ronald Cronc26f8d42020-09-01 10:51:51 +02003977 ( ssl->handshake == NULL ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003978 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3979
3980 ssl_remove_psk( ssl );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003981 ssl->handshake->psk_opaque = psk;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003982 return( 0 );
3983}
3984#endif /* MBEDTLS_USE_PSA_CRYPTO */
3985
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003986void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003987 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
Paul Bakker6db455e2013-09-18 17:29:31 +02003988 size_t),
3989 void *p_psk )
3990{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003991 conf->f_psk = f_psk;
3992 conf->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003993}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003994#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00003995
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02003996#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckera90658f2017-10-04 15:29:08 +01003997int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
3998 const unsigned char *dhm_P, size_t P_len,
3999 const unsigned char *dhm_G, size_t G_len )
4000{
Janos Follath865b3eb2019-12-16 11:46:15 +00004001 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckera90658f2017-10-04 15:29:08 +01004002
Glenn Strausscee11292021-12-20 01:43:17 -05004003 mbedtls_mpi_free( &conf->dhm_P );
4004 mbedtls_mpi_free( &conf->dhm_G );
4005
Hanno Beckera90658f2017-10-04 15:29:08 +01004006 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
4007 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
4008 {
4009 mbedtls_mpi_free( &conf->dhm_P );
4010 mbedtls_mpi_free( &conf->dhm_G );
4011 return( ret );
4012 }
4013
4014 return( 0 );
4015}
Paul Bakker5121ce52009-01-03 21:22:43 +00004016
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004017int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
Paul Bakker1b57b062011-01-06 15:48:19 +00004018{
Janos Follath865b3eb2019-12-16 11:46:15 +00004019 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker1b57b062011-01-06 15:48:19 +00004020
Glenn Strausscee11292021-12-20 01:43:17 -05004021 mbedtls_mpi_free( &conf->dhm_P );
4022 mbedtls_mpi_free( &conf->dhm_G );
4023
Gilles Peskinee5702482021-06-11 21:59:08 +02004024 if( ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_P,
4025 &conf->dhm_P ) ) != 0 ||
4026 ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_G,
4027 &conf->dhm_G ) ) != 0 )
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01004028 {
4029 mbedtls_mpi_free( &conf->dhm_P );
4030 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker1b57b062011-01-06 15:48:19 +00004031 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01004032 }
Paul Bakker1b57b062011-01-06 15:48:19 +00004033
4034 return( 0 );
4035}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02004036#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00004037
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02004038#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
4039/*
4040 * Set the minimum length for Diffie-Hellman parameters
4041 */
4042void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
4043 unsigned int bitlen )
4044{
4045 conf->dhm_min_bitlen = bitlen;
4046}
4047#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
4048
Gilles Peskineeccd8882020-03-10 12:19:08 +01004049#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08004050#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02004051/*
4052 * Set allowed/preferred hashes for handshake signatures
4053 */
4054void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
4055 const int *hashes )
4056{
4057 conf->sig_hashes = hashes;
4058}
Jerry Yuf017ee42022-01-12 15:49:48 +08004059#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Becker1cd6e002021-08-10 13:27:10 +01004060
Jerry Yuf017ee42022-01-12 15:49:48 +08004061/* Configure allowed signature algorithms for handshake */
Hanno Becker1cd6e002021-08-10 13:27:10 +01004062void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
4063 const uint16_t* sig_algs )
4064{
Jerry Yuf017ee42022-01-12 15:49:48 +08004065#if !defined(MBEDTLS_DEPRECATED_REMOVED)
4066 conf->sig_hashes = NULL;
4067#endif /* !MBEDTLS_DEPRECATED_REMOVED */
4068 conf->sig_algs = sig_algs;
Hanno Becker1cd6e002021-08-10 13:27:10 +01004069}
Gilles Peskineeccd8882020-03-10 12:19:08 +01004070#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02004071
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02004072#if defined(MBEDTLS_ECP_C)
Brett Warrene0edc842021-08-17 09:53:13 +01004073#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004074/*
4075 * Set the allowed elliptic curves
Brett Warrene0edc842021-08-17 09:53:13 +01004076 *
4077 * mbedtls_ssl_setup() takes the provided list
4078 * and translates it to a list of IANA TLS group identifiers,
4079 * stored in ssl->handshake->group_list.
4080 *
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004081 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004082void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004083 const mbedtls_ecp_group_id *curve_list )
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004084{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004085 conf->curve_list = curve_list;
Brett Warrene0edc842021-08-17 09:53:13 +01004086 conf->group_list = NULL;
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004087}
Brett Warrene0edc842021-08-17 09:53:13 +01004088#endif /* MBEDTLS_DEPRECATED_REMOVED */
Hanno Becker947194e2017-04-07 13:25:49 +01004089#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004090
Brett Warrene0edc842021-08-17 09:53:13 +01004091/*
4092 * Set the allowed groups
4093 */
4094void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf,
4095 const uint16_t *group_list )
4096{
4097#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
4098 conf->curve_list = NULL;
4099#endif
4100 conf->group_list = group_list;
4101}
4102
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01004103#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004104int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00004105{
Hanno Becker947194e2017-04-07 13:25:49 +01004106 /* Initialize to suppress unnecessary compiler warning */
4107 size_t hostname_len = 0;
4108
4109 /* Check if new hostname is valid before
4110 * making any change to current one */
Hanno Becker947194e2017-04-07 13:25:49 +01004111 if( hostname != NULL )
4112 {
4113 hostname_len = strlen( hostname );
4114
4115 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
4116 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4117 }
4118
4119 /* Now it's clear that we will overwrite the old hostname,
4120 * so we can free it safely */
4121
4122 if( ssl->hostname != NULL )
4123 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05004124 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Hanno Becker947194e2017-04-07 13:25:49 +01004125 mbedtls_free( ssl->hostname );
4126 }
4127
4128 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +01004129
Paul Bakker5121ce52009-01-03 21:22:43 +00004130 if( hostname == NULL )
Hanno Becker947194e2017-04-07 13:25:49 +01004131 {
4132 ssl->hostname = NULL;
4133 }
4134 else
4135 {
4136 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
Hanno Becker947194e2017-04-07 13:25:49 +01004137 if( ssl->hostname == NULL )
4138 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02004139
Hanno Becker947194e2017-04-07 13:25:49 +01004140 memcpy( ssl->hostname, hostname, hostname_len );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02004141
Hanno Becker947194e2017-04-07 13:25:49 +01004142 ssl->hostname[hostname_len] = '\0';
4143 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004144
4145 return( 0 );
4146}
Hanno Becker1a9a51c2017-04-07 13:02:16 +01004147#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00004148
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01004149#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004150void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004151 int (*f_sni)(void *, mbedtls_ssl_context *,
Paul Bakker5701cdc2012-09-27 21:49:42 +00004152 const unsigned char *, size_t),
4153 void *p_sni )
4154{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004155 conf->f_sni = f_sni;
4156 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +00004157}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004158#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00004159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004160#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004161int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004162{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004163 size_t cur_len, tot_len;
4164 const char **p;
4165
4166 /*
Brian J Murray1903fb32016-11-06 04:45:15 -08004167 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
4168 * MUST NOT be truncated."
4169 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004170 */
4171 tot_len = 0;
4172 for( p = protos; *p != NULL; p++ )
4173 {
4174 cur_len = strlen( *p );
4175 tot_len += cur_len;
4176
Ronald Cron8216dd32020-04-23 16:41:44 +02004177 if( ( cur_len == 0 ) ||
4178 ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
4179 ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004180 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004181 }
4182
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004183 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004184
4185 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004186}
4187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004188const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004189{
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004190 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004191}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004192#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004193
Johan Pascalb62bb512015-12-03 21:56:45 +01004194#if defined(MBEDTLS_SSL_DTLS_SRTP)
Ron Eldoref72faf2018-07-12 11:54:20 +03004195void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
4196 int support_mki_value )
Ron Eldor591f1622018-01-22 12:30:04 +02004197{
4198 conf->dtls_srtp_mki_support = support_mki_value;
4199}
4200
Ron Eldoref72faf2018-07-12 11:54:20 +03004201int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
4202 unsigned char *mki_value,
Johan Pascalf6417ec2020-09-22 15:15:19 +02004203 uint16_t mki_len )
Ron Eldor591f1622018-01-22 12:30:04 +02004204{
Johan Pascal5ef72d22020-10-28 17:05:47 +01004205 if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
Ron Eldora9788042018-12-05 11:04:31 +02004206 {
Johan Pascald576fdb2020-09-22 10:39:53 +02004207 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Ron Eldora9788042018-12-05 11:04:31 +02004208 }
Ron Eldor591f1622018-01-22 12:30:04 +02004209
4210 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
Ron Eldora9788042018-12-05 11:04:31 +02004211 {
Johan Pascald576fdb2020-09-22 10:39:53 +02004212 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Ron Eldora9788042018-12-05 11:04:31 +02004213 }
Ron Eldor591f1622018-01-22 12:30:04 +02004214
4215 memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
4216 ssl->dtls_srtp_info.mki_len = mki_len;
Ron Eldora9788042018-12-05 11:04:31 +02004217 return( 0 );
Ron Eldor591f1622018-01-22 12:30:04 +02004218}
4219
Ron Eldoref72faf2018-07-12 11:54:20 +03004220int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
Johan Pascal253d0262020-09-22 13:04:45 +02004221 const mbedtls_ssl_srtp_profile *profiles )
Johan Pascalb62bb512015-12-03 21:56:45 +01004222{
Johan Pascal253d0262020-09-22 13:04:45 +02004223 const mbedtls_ssl_srtp_profile *p;
4224 size_t list_size = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01004225
Johan Pascal253d0262020-09-22 13:04:45 +02004226 /* check the profiles list: all entry must be valid,
4227 * its size cannot be more than the total number of supported profiles, currently 4 */
Johan Pascald387aa02020-09-23 18:47:56 +02004228 for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
4229 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
4230 p++ )
Johan Pascald576fdb2020-09-22 10:39:53 +02004231 {
Johan Pascal5ef72d22020-10-28 17:05:47 +01004232 if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
Johan Pascald576fdb2020-09-22 10:39:53 +02004233 {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02004234 list_size++;
4235 }
4236 else
4237 {
4238 /* unsupported value, stop parsing and set the size to an error value */
4239 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
Johan Pascalb62bb512015-12-03 21:56:45 +01004240 }
4241 }
4242
Johan Pascal5ef72d22020-10-28 17:05:47 +01004243 if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
Johan Pascald387aa02020-09-23 18:47:56 +02004244 {
Johan Pascal253d0262020-09-22 13:04:45 +02004245 conf->dtls_srtp_profile_list = NULL;
4246 conf->dtls_srtp_profile_list_len = 0;
4247 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4248 }
4249
Johan Pascal9bc97ca2020-09-21 23:44:45 +02004250 conf->dtls_srtp_profile_list = profiles;
Johan Pascal253d0262020-09-22 13:04:45 +02004251 conf->dtls_srtp_profile_list_len = list_size;
Johan Pascalb62bb512015-12-03 21:56:45 +01004252
4253 return( 0 );
4254}
4255
Johan Pascal5ef72d22020-10-28 17:05:47 +01004256void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
4257 mbedtls_dtls_srtp_info *dtls_srtp_info )
Johan Pascalb62bb512015-12-03 21:56:45 +01004258{
Johan Pascal2258a4f2020-10-28 13:53:09 +01004259 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
4260 /* do not copy the mki value if there is no chosen profile */
Johan Pascal5ef72d22020-10-28 17:05:47 +01004261 if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
Johan Pascal0dbcd1d2020-10-28 11:03:07 +01004262 {
Johan Pascal2258a4f2020-10-28 13:53:09 +01004263 dtls_srtp_info->mki_len = 0;
Johan Pascal0dbcd1d2020-10-28 11:03:07 +01004264 }
Johan Pascal2258a4f2020-10-28 13:53:09 +01004265 else
4266 {
4267 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
Johan Pascal5ef72d22020-10-28 17:05:47 +01004268 memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
4269 ssl->dtls_srtp_info.mki_len );
Johan Pascal2258a4f2020-10-28 13:53:09 +01004270 }
Johan Pascalb62bb512015-12-03 21:56:45 +01004271}
Johan Pascalb62bb512015-12-03 21:56:45 +01004272#endif /* MBEDTLS_SSL_DTLS_SRTP */
4273
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02004274void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker490ecc82011-10-06 13:04:09 +00004275{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004276 conf->max_major_ver = major;
4277 conf->max_minor_ver = minor;
Paul Bakker490ecc82011-10-06 13:04:09 +00004278}
4279
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02004280void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker1d29fb52012-09-28 13:28:45 +00004281{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004282 conf->min_major_ver = major;
4283 conf->min_minor_ver = minor;
Paul Bakker1d29fb52012-09-28 13:28:45 +00004284}
4285
Janos Follath088ce432017-04-10 12:42:31 +01004286#if defined(MBEDTLS_SSL_SRV_C)
4287void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
4288 char cert_req_ca_list )
4289{
4290 conf->cert_req_ca_list = cert_req_ca_list;
4291}
4292#endif
4293
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004294#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004295void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004296{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004297 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004298}
4299#endif
4300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004301#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004302void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004303{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004304 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004305}
4306#endif
4307
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004308#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004309int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004310{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004311 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
Angus Grattond8213d02016-05-25 20:56:48 +10004312 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004313 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004314 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004315 }
4316
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +01004317 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004318
4319 return( 0 );
4320}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004321#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004322
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004323void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
Paul Bakker48916f92012-09-16 19:57:18 +00004324{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004325 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +00004326}
4327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004328#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004329void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004330{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004331 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004332}
4333
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004334void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004335{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004336 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004337}
4338
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004339void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004340 const unsigned char period[8] )
4341{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004342 memcpy( conf->renego_period, period, 8 );
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004343}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004344#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004345
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004346#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004347#if defined(MBEDTLS_SSL_CLI_C)
4348void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004349{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +01004350 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004351}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004352#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +02004353
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004354#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02004355void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
4356 mbedtls_ssl_ticket_write_t *f_ticket_write,
4357 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
4358 void *p_ticket )
Paul Bakker606b4ba2013-08-14 16:52:14 +02004359{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02004360 conf->f_ticket_write = f_ticket_write;
4361 conf->f_ticket_parse = f_ticket_parse;
4362 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +02004363}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004364#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004365#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004366
Hanno Becker7e6c1782021-06-08 09:24:55 +01004367void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
4368 mbedtls_ssl_export_keys_t *f_export_keys,
4369 void *p_export_keys )
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004370{
Hanno Becker7e6c1782021-06-08 09:24:55 +01004371 ssl->f_export_keys = f_export_keys;
4372 ssl->p_export_keys = p_export_keys;
Ron Eldorf5cc10d2019-05-07 18:33:40 +03004373}
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004374
Gilles Peskineb74a1c72018-04-24 13:09:22 +02004375#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004376void mbedtls_ssl_conf_async_private_cb(
4377 mbedtls_ssl_config *conf,
4378 mbedtls_ssl_async_sign_t *f_async_sign,
4379 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
4380 mbedtls_ssl_async_resume_t *f_async_resume,
4381 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004382 void *async_config_data )
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004383{
4384 conf->f_async_sign_start = f_async_sign;
4385 conf->f_async_decrypt_start = f_async_decrypt;
4386 conf->f_async_resume = f_async_resume;
4387 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004388 conf->p_async_config_data = async_config_data;
4389}
4390
Gilles Peskine8f97af72018-04-26 11:46:10 +02004391void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
4392{
4393 return( conf->p_async_config_data );
4394}
4395
Gilles Peskine1febfef2018-04-30 11:54:39 +02004396void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004397{
4398 if( ssl->handshake == NULL )
4399 return( NULL );
4400 else
4401 return( ssl->handshake->user_async_ctx );
4402}
4403
Gilles Peskine1febfef2018-04-30 11:54:39 +02004404void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004405 void *ctx )
4406{
4407 if( ssl->handshake != NULL )
4408 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004409}
Gilles Peskineb74a1c72018-04-24 13:09:22 +02004410#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004411
Paul Bakker5121ce52009-01-03 21:22:43 +00004412/*
4413 * SSL get accessors
4414 */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02004415uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004416{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00004417 if( ssl->session != NULL )
4418 return( ssl->session->verify_result );
4419
4420 if( ssl->session_negotiate != NULL )
4421 return( ssl->session_negotiate->verify_result );
4422
Manuel Pégourié-Gonnard6ab9b002015-05-14 11:25:04 +02004423 return( 0xFFFFFFFF );
Paul Bakker5121ce52009-01-03 21:22:43 +00004424}
4425
Glenn Strauss8f526902022-01-13 00:04:49 -05004426int mbedtls_ssl_get_ciphersuite_id_from_ssl( const mbedtls_ssl_context *ssl )
4427{
4428 if( ssl == NULL || ssl->session == NULL )
4429 return( 0 );
4430
4431 return( ssl->session->ciphersuite );
4432}
4433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004434const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00004435{
Paul Bakker926c8e42013-03-06 10:23:34 +01004436 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004437 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +01004438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004439 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00004440}
4441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004442const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
Paul Bakker43ca69c2011-01-15 17:35:19 +00004443{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004444#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004445 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004446 {
4447 switch( ssl->minor_ver )
4448 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004449 case MBEDTLS_SSL_MINOR_VERSION_3:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004450 return( "DTLSv1.2" );
4451
4452 default:
4453 return( "unknown (DTLS)" );
4454 }
4455 }
4456#endif
4457
Paul Bakker43ca69c2011-01-15 17:35:19 +00004458 switch( ssl->minor_ver )
4459 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004460 case MBEDTLS_SSL_MINOR_VERSION_3:
Paul Bakker1ef83d62012-04-11 12:09:53 +00004461 return( "TLSv1.2" );
4462
Paul Bakker43ca69c2011-01-15 17:35:19 +00004463 default:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004464 return( "unknown" );
Paul Bakker43ca69c2011-01-15 17:35:19 +00004465 }
Paul Bakker43ca69c2011-01-15 17:35:19 +00004466}
4467
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004468#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004469size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
4470{
David Horstmann95d516f2021-05-04 18:36:56 +01004471 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004472 size_t read_mfl;
4473
4474 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
4475 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4476 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE )
4477 {
4478 return ssl_mfl_code_to_length( ssl->conf->mfl_code );
4479 }
4480
4481 /* Check if a smaller max length was negotiated */
4482 if( ssl->session_out != NULL )
4483 {
4484 read_mfl = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
4485 if( read_mfl < max_len )
4486 {
4487 max_len = read_mfl;
4488 }
4489 }
4490
4491 // During a handshake, use the value being negotiated
4492 if( ssl->session_negotiate != NULL )
4493 {
4494 read_mfl = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4495 if( read_mfl < max_len )
4496 {
4497 max_len = read_mfl;
4498 }
4499 }
4500
4501 return( max_len );
4502}
4503
4504size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004505{
4506 size_t max_len;
4507
4508 /*
4509 * Assume mfl_code is correct since it was checked when set
4510 */
Angus Grattond8213d02016-05-25 20:56:48 +10004511 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004512
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02004513 /* Check if a smaller max length was negotiated */
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004514 if( ssl->session_out != NULL &&
Angus Grattond8213d02016-05-25 20:56:48 +10004515 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004516 {
Angus Grattond8213d02016-05-25 20:56:48 +10004517 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004518 }
4519
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02004520 /* During a handshake, use the value being negotiated */
4521 if( ssl->session_negotiate != NULL &&
4522 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
4523 {
4524 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4525 }
4526
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004527 return( max_len );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004528}
4529#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4530
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004531#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker89490712020-02-05 10:50:12 +00004532size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004533{
Andrzej Kurekef43ce62018-10-09 08:24:12 -04004534 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
4535 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4536 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
4537 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
4538 return ( 0 );
4539
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004540 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
4541 return( ssl->mtu );
4542
4543 if( ssl->mtu == 0 )
4544 return( ssl->handshake->mtu );
4545
4546 return( ssl->mtu < ssl->handshake->mtu ?
4547 ssl->mtu : ssl->handshake->mtu );
4548}
4549#endif /* MBEDTLS_SSL_PROTO_DTLS */
4550
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004551int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
4552{
4553 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
4554
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02004555#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4556 !defined(MBEDTLS_SSL_PROTO_DTLS)
4557 (void) ssl;
4558#endif
4559
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004560#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004561 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004562
4563 if( max_len > mfl )
4564 max_len = mfl;
4565#endif
4566
4567#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker89490712020-02-05 10:50:12 +00004568 if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004569 {
Hanno Becker89490712020-02-05 10:50:12 +00004570 const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004571 const int ret = mbedtls_ssl_get_record_expansion( ssl );
4572 const size_t overhead = (size_t) ret;
4573
4574 if( ret < 0 )
4575 return( ret );
4576
4577 if( mtu <= overhead )
4578 {
4579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
4580 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4581 }
4582
4583 if( max_len > mtu - overhead )
4584 max_len = mtu - overhead;
4585 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004586#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004587
Hanno Becker0defedb2018-08-10 12:35:02 +01004588#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4589 !defined(MBEDTLS_SSL_PROTO_DTLS)
4590 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004591#endif
4592
4593 return( (int) max_len );
4594}
4595
Hanno Becker2d8e99b2021-04-21 06:19:50 +01004596int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl )
4597{
4598 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
4599
4600#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4601 (void) ssl;
4602#endif
4603
4604#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4605 const size_t mfl = mbedtls_ssl_get_input_max_frag_len( ssl );
4606
4607 if( max_len > mfl )
4608 max_len = mfl;
4609#endif
4610
4611 return( (int) max_len );
4612}
4613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004614#if defined(MBEDTLS_X509_CRT_PARSE_C)
4615const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +00004616{
4617 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004618 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004619
Hanno Beckere6824572019-02-07 13:18:46 +00004620#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004621 return( ssl->session->peer_cert );
Hanno Beckere6824572019-02-07 13:18:46 +00004622#else
4623 return( NULL );
4624#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004625}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004626#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004627
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004628#if defined(MBEDTLS_SSL_CLI_C)
Hanno Beckerf852b1c2019-02-05 11:42:30 +00004629int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
4630 mbedtls_ssl_session *dst )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004631{
Hanno Beckere810bbc2021-05-14 16:01:05 +01004632 int ret;
4633
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004634 if( ssl == NULL ||
4635 dst == NULL ||
4636 ssl->session == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004637 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004638 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004639 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004640 }
4641
Hanno Beckere810bbc2021-05-14 16:01:05 +01004642 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
4643 * idempotent: Each session can only be exported once.
4644 *
4645 * (This is in preparation for TLS 1.3 support where we will
4646 * need the ability to export multiple sessions (aka tickets),
4647 * which will be achieved by calling mbedtls_ssl_get_session()
4648 * multiple times until it fails.)
4649 *
4650 * Check whether we have already exported the current session,
4651 * and fail if so.
4652 */
4653 if( ssl->session->exported == 1 )
4654 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4655
4656 ret = mbedtls_ssl_session_copy( dst, ssl->session );
4657 if( ret != 0 )
4658 return( ret );
4659
4660 /* Remember that we've exported the session. */
4661 ssl->session->exported = 1;
4662 return( 0 );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004663}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004664#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004665
Paul Bakker5121ce52009-01-03 21:22:43 +00004666/*
Hanno Beckera835da52019-05-16 12:39:07 +01004667 * Define ticket header determining Mbed TLS version
4668 * and structure of the ticket.
4669 */
4670
Hanno Becker94ef3b32019-05-16 12:50:45 +01004671/*
Hanno Becker50b59662019-05-28 14:30:45 +01004672 * Define bitflag determining compile-time settings influencing
4673 * structure of serialized SSL sessions.
Hanno Becker94ef3b32019-05-16 12:50:45 +01004674 */
4675
Hanno Becker50b59662019-05-28 14:30:45 +01004676#if defined(MBEDTLS_HAVE_TIME)
Hanno Becker3e088662019-05-29 11:10:18 +01004677#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
Hanno Becker50b59662019-05-28 14:30:45 +01004678#else
Hanno Becker3e088662019-05-29 11:10:18 +01004679#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004680#endif /* MBEDTLS_HAVE_TIME */
4681
4682#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker3e088662019-05-29 11:10:18 +01004683#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004684#else
Hanno Becker3e088662019-05-29 11:10:18 +01004685#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004686#endif /* MBEDTLS_X509_CRT_PARSE_C */
4687
4688#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker3e088662019-05-29 11:10:18 +01004689#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004690#else
Hanno Becker3e088662019-05-29 11:10:18 +01004691#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004692#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4693
4694#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker3e088662019-05-29 11:10:18 +01004695#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004696#else
Hanno Becker3e088662019-05-29 11:10:18 +01004697#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004698#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4699
Hanno Becker94ef3b32019-05-16 12:50:45 +01004700#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker3e088662019-05-29 11:10:18 +01004701#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004702#else
Hanno Becker3e088662019-05-29 11:10:18 +01004703#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004704#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4705
Hanno Becker94ef3b32019-05-16 12:50:45 +01004706#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4707#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4708#else
4709#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4710#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4711
Hanno Becker3e088662019-05-29 11:10:18 +01004712#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4713#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4714#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4715#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
Hanno Becker37bdbe62021-08-01 05:38:58 +01004716#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4717#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
Hanno Becker3e088662019-05-29 11:10:18 +01004718
Hanno Becker50b59662019-05-28 14:30:45 +01004719#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
Hanno Becker3e088662019-05-29 11:10:18 +01004720 ( (uint16_t) ( \
4721 ( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) | \
4722 ( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) | \
4723 ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \
4724 ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \
Hanno Becker3e088662019-05-29 11:10:18 +01004725 ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \
Hanno Beckerbe34e8e2019-06-04 09:43:16 +01004726 ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) )
Hanno Becker94ef3b32019-05-16 12:50:45 +01004727
Hanno Beckerf8787072019-05-16 12:41:07 +01004728static unsigned char ssl_serialized_session_header[] = {
Hanno Becker94ef3b32019-05-16 12:50:45 +01004729 MBEDTLS_VERSION_MAJOR,
4730 MBEDTLS_VERSION_MINOR,
4731 MBEDTLS_VERSION_PATCH,
Joe Subbiani2194dc42021-07-14 12:31:31 +01004732 MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
4733 MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
Hanno Beckerf8787072019-05-16 12:41:07 +01004734};
Hanno Beckera835da52019-05-16 12:39:07 +01004735
4736/*
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004737 * Serialize a session in the following format:
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004738 * (in the presentation language of TLS, RFC 8446 section 3)
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004739 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004740 * struct {
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01004741 *
Hanno Beckerdce50972021-08-01 05:39:23 +01004742 * opaque mbedtls_version[3]; // library version: major, minor, patch
4743 * opaque session_format[2]; // library-version specific 16-bit field
4744 * // determining the format of the remaining
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004745 * // serialized data.
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01004746 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004747 * Note: When updating the format, remember to keep
4748 * these version+format bytes.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004749 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004750 * // In this version, `session_format` determines
4751 * // the setting of those compile-time
4752 * // configuration options which influence
4753 * // the structure of mbedtls_ssl_session.
4754 *
Hanno Beckerfa0d61e2021-08-02 08:56:14 +01004755 * uint8_t minor_ver; // Protocol-version. Possible values:
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004756 * // - TLS 1.2 (MBEDTLS_SSL_MINOR_VERSION_3)
4757 *
4758 * select (serialized_session.minor_ver) {
4759 *
4760 * case MBEDTLS_SSL_MINOR_VERSION_3: // TLS 1.2
4761 * serialized_session_tls12 data;
4762 *
4763 * };
4764 *
4765 * } serialized_session;
4766 *
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004767 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004768
4769#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4770/* Serialization of TLS 1.2 sessions:
4771 *
4772 * struct {
4773 * uint64 start_time;
4774 * uint8 ciphersuite[2]; // defined by the standard
4775 * uint8 compression; // 0 or 1
4776 * uint8 session_id_len; // at most 32
4777 * opaque session_id[32];
4778 * opaque master[48]; // fixed length in the standard
4779 * uint32 verify_result;
4780 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4781 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4782 * uint32 ticket_lifetime;
4783 * uint8 mfl_code; // up to 255 according to standard
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004784 * uint8 encrypt_then_mac; // 0 or 1
4785 * } serialized_session_tls12;
4786 *
4787 */
4788static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
4789 unsigned char *buf,
4790 size_t buf_len )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004791{
4792 unsigned char *p = buf;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004793 size_t used = 0;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004794
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004795#if defined(MBEDTLS_HAVE_TIME)
4796 uint64_t start;
4797#endif
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004798#if defined(MBEDTLS_X509_CRT_PARSE_C)
4799#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4800 size_t cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004801#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4802#endif /* MBEDTLS_X509_CRT_PARSE_C */
4803
Hanno Beckera835da52019-05-16 12:39:07 +01004804 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004805 * Time
4806 */
4807#if defined(MBEDTLS_HAVE_TIME)
4808 used += 8;
4809
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004810 if( used <= buf_len )
4811 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004812 start = (uint64_t) session->start;
4813
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004814 MBEDTLS_PUT_UINT64_BE( start, p, 0 );
4815 p += 8;
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004816 }
4817#endif /* MBEDTLS_HAVE_TIME */
4818
4819 /*
4820 * Basic mandatory fields
4821 */
4822 used += 2 /* ciphersuite */
4823 + 1 /* compression */
4824 + 1 /* id_len */
4825 + sizeof( session->id )
4826 + sizeof( session->master )
4827 + 4; /* verify_result */
4828
4829 if( used <= buf_len )
4830 {
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004831 MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 );
4832 p += 2;
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004833
Joe Subbiani2194dc42021-07-14 12:31:31 +01004834 *p++ = MBEDTLS_BYTE_0( session->compression );
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004835
Joe Subbiani2194dc42021-07-14 12:31:31 +01004836 *p++ = MBEDTLS_BYTE_0( session->id_len );
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004837 memcpy( p, session->id, 32 );
4838 p += 32;
4839
4840 memcpy( p, session->master, 48 );
4841 p += 48;
4842
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004843 MBEDTLS_PUT_UINT32_BE( session->verify_result, p, 0 );
4844 p += 4;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004845 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004846
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004847 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004848 * Peer's end-entity certificate
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004849 */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004850#if defined(MBEDTLS_X509_CRT_PARSE_C)
4851#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4852 if( session->peer_cert == NULL )
4853 cert_len = 0;
4854 else
4855 cert_len = session->peer_cert->raw.len;
4856
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004857 used += 3 + cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004858
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004859 if( used <= buf_len )
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004860 {
Joe Subbiani2194dc42021-07-14 12:31:31 +01004861 *p++ = MBEDTLS_BYTE_2( cert_len );
4862 *p++ = MBEDTLS_BYTE_1( cert_len );
4863 *p++ = MBEDTLS_BYTE_0( cert_len );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004864
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004865 if( session->peer_cert != NULL )
4866 {
4867 memcpy( p, session->peer_cert->raw.p, cert_len );
4868 p += cert_len;
4869 }
4870 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004871#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004872 if( session->peer_cert_digest != NULL )
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004873 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004874 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
4875 if( used <= buf_len )
4876 {
4877 *p++ = (unsigned char) session->peer_cert_digest_type;
4878 *p++ = (unsigned char) session->peer_cert_digest_len;
4879 memcpy( p, session->peer_cert_digest,
4880 session->peer_cert_digest_len );
4881 p += session->peer_cert_digest_len;
4882 }
4883 }
4884 else
4885 {
4886 used += 2;
4887 if( used <= buf_len )
4888 {
4889 *p++ = (unsigned char) MBEDTLS_MD_NONE;
4890 *p++ = 0;
4891 }
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004892 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004893#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4894#endif /* MBEDTLS_X509_CRT_PARSE_C */
4895
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004896 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004897 * Session ticket if any, plus associated data
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004898 */
4899#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004900 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004901
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004902 if( used <= buf_len )
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004903 {
Joe Subbiani2194dc42021-07-14 12:31:31 +01004904 *p++ = MBEDTLS_BYTE_2( session->ticket_len );
4905 *p++ = MBEDTLS_BYTE_1( session->ticket_len );
4906 *p++ = MBEDTLS_BYTE_0( session->ticket_len );
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004907
4908 if( session->ticket != NULL )
4909 {
4910 memcpy( p, session->ticket, session->ticket_len );
4911 p += session->ticket_len;
4912 }
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004913
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004914 MBEDTLS_PUT_UINT32_BE( session->ticket_lifetime, p, 0 );
4915 p += 4;
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004916 }
4917#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4918
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004919 /*
4920 * Misc extension-related info
4921 */
4922#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4923 used += 1;
4924
4925 if( used <= buf_len )
4926 *p++ = session->mfl_code;
4927#endif
4928
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004929#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4930 used += 1;
4931
4932 if( used <= buf_len )
Joe Subbiani2194dc42021-07-14 12:31:31 +01004933 *p++ = MBEDTLS_BYTE_0( session->encrypt_then_mac );
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004934#endif
4935
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004936 return( used );
4937}
4938#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004939
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004940static int ssl_session_save( const mbedtls_ssl_session *session,
4941 unsigned char omit_header,
4942 unsigned char *buf,
4943 size_t buf_len,
4944 size_t *olen )
4945{
4946 unsigned char *p = buf;
4947 size_t used = 0;
4948
4949 if( !omit_header )
4950 {
4951 /*
4952 * Add Mbed TLS version identifier
4953 */
4954
4955 used += sizeof( ssl_serialized_session_header );
4956
4957 if( used <= buf_len )
4958 {
4959 memcpy( p, ssl_serialized_session_header,
4960 sizeof( ssl_serialized_session_header ) );
4961 p += sizeof( ssl_serialized_session_header );
4962 }
4963 }
4964
4965 /*
4966 * TLS version identifier
4967 */
4968 used += 1;
4969 if( used <= buf_len )
4970 {
4971 *p++ = session->minor_ver;
4972 }
4973
4974 /* Forward to version-specific serialization routine. */
4975 switch( session->minor_ver )
4976 {
4977#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4978 case MBEDTLS_SSL_MINOR_VERSION_3:
4979 {
4980 size_t remaining_len = used <= buf_len ? buf_len - used : 0;
4981 used += ssl_session_save_tls12( session, p, remaining_len );
4982 break;
4983 }
4984#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4985
4986 default:
4987 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4988 }
4989
4990 *olen = used;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004991 if( used > buf_len )
4992 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004993
4994 return( 0 );
4995}
4996
4997/*
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004998 * Public wrapper for ssl_session_save()
4999 */
5000int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
5001 unsigned char *buf,
5002 size_t buf_len,
5003 size_t *olen )
5004{
5005 return( ssl_session_save( session, 0, buf, buf_len, olen ) );
5006}
5007
5008/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005009 * Deserialize session, see mbedtls_ssl_session_save() for format.
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005010 *
5011 * This internal version is wrapped by a public function that cleans up in
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005012 * case of error, and has an extra option omit_header.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005013 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01005014static int ssl_session_load_tls12( mbedtls_ssl_session *session,
5015 const unsigned char *buf,
5016 size_t len )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005017{
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005018#if defined(MBEDTLS_HAVE_TIME)
5019 uint64_t start;
5020#endif
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005021#if defined(MBEDTLS_X509_CRT_PARSE_C)
5022#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5023 size_t cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005024#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5025#endif /* MBEDTLS_X509_CRT_PARSE_C */
5026
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01005027 const unsigned char *p = buf;
5028 const unsigned char * const end = buf + len;
Hanno Beckera835da52019-05-16 12:39:07 +01005029
5030 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005031 * Time
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005032 */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005033#if defined(MBEDTLS_HAVE_TIME)
5034 if( 8 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005035 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5036
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005037 start = ( (uint64_t) p[0] << 56 ) |
5038 ( (uint64_t) p[1] << 48 ) |
5039 ( (uint64_t) p[2] << 40 ) |
5040 ( (uint64_t) p[3] << 32 ) |
5041 ( (uint64_t) p[4] << 24 ) |
5042 ( (uint64_t) p[5] << 16 ) |
5043 ( (uint64_t) p[6] << 8 ) |
5044 ( (uint64_t) p[7] );
5045 p += 8;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005046
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005047 session->start = (time_t) start;
5048#endif /* MBEDTLS_HAVE_TIME */
5049
5050 /*
5051 * Basic mandatory fields
5052 */
5053 if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
5054 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5055
5056 session->ciphersuite = ( p[0] << 8 ) | p[1];
5057 p += 2;
5058
5059 session->compression = *p++;
5060
5061 session->id_len = *p++;
5062 memcpy( session->id, p, 32 );
5063 p += 32;
5064
5065 memcpy( session->master, p, 48 );
5066 p += 48;
5067
5068 session->verify_result = ( (uint32_t) p[0] << 24 ) |
5069 ( (uint32_t) p[1] << 16 ) |
5070 ( (uint32_t) p[2] << 8 ) |
5071 ( (uint32_t) p[3] );
5072 p += 4;
5073
5074 /* Immediately clear invalid pointer values that have been read, in case
5075 * we exit early before we replaced them with valid ones. */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005076#if defined(MBEDTLS_X509_CRT_PARSE_C)
5077#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5078 session->peer_cert = NULL;
5079#else
5080 session->peer_cert_digest = NULL;
5081#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5082#endif /* MBEDTLS_X509_CRT_PARSE_C */
5083#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5084 session->ticket = NULL;
5085#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5086
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005087 /*
5088 * Peer certificate
5089 */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005090#if defined(MBEDTLS_X509_CRT_PARSE_C)
5091#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5092 /* Deserialize CRT from the end of the ticket. */
5093 if( 3 > (size_t)( end - p ) )
5094 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5095
5096 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
5097 p += 3;
5098
5099 if( cert_len != 0 )
5100 {
Janos Follath865b3eb2019-12-16 11:46:15 +00005101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005102
5103 if( cert_len > (size_t)( end - p ) )
5104 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5105
5106 session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
5107
5108 if( session->peer_cert == NULL )
5109 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5110
5111 mbedtls_x509_crt_init( session->peer_cert );
5112
5113 if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
5114 p, cert_len ) ) != 0 )
5115 {
5116 mbedtls_x509_crt_free( session->peer_cert );
5117 mbedtls_free( session->peer_cert );
5118 session->peer_cert = NULL;
5119 return( ret );
5120 }
5121
5122 p += cert_len;
5123 }
5124#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5125 /* Deserialize CRT digest from the end of the ticket. */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005126 if( 2 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005127 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5128
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005129 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
5130 session->peer_cert_digest_len = (size_t) *p++;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005131
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005132 if( session->peer_cert_digest_len != 0 )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005133 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005134 const mbedtls_md_info_t *md_info =
5135 mbedtls_md_info_from_type( session->peer_cert_digest_type );
5136 if( md_info == NULL )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005137 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005138 if( session->peer_cert_digest_len != mbedtls_md_get_size( md_info ) )
5139 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005140
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005141 if( session->peer_cert_digest_len > (size_t)( end - p ) )
5142 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5143
5144 session->peer_cert_digest =
5145 mbedtls_calloc( 1, session->peer_cert_digest_len );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005146 if( session->peer_cert_digest == NULL )
5147 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5148
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005149 memcpy( session->peer_cert_digest, p,
5150 session->peer_cert_digest_len );
5151 p += session->peer_cert_digest_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005152 }
5153#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5154#endif /* MBEDTLS_X509_CRT_PARSE_C */
5155
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005156 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005157 * Session ticket and associated data
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005158 */
5159#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5160 if( 3 > (size_t)( end - p ) )
5161 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5162
5163 session->ticket_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
5164 p += 3;
5165
5166 if( session->ticket_len != 0 )
5167 {
5168 if( session->ticket_len > (size_t)( end - p ) )
5169 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5170
5171 session->ticket = mbedtls_calloc( 1, session->ticket_len );
5172 if( session->ticket == NULL )
5173 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5174
5175 memcpy( session->ticket, p, session->ticket_len );
5176 p += session->ticket_len;
5177 }
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005178
5179 if( 4 > (size_t)( end - p ) )
5180 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5181
5182 session->ticket_lifetime = ( (uint32_t) p[0] << 24 ) |
5183 ( (uint32_t) p[1] << 16 ) |
5184 ( (uint32_t) p[2] << 8 ) |
5185 ( (uint32_t) p[3] );
5186 p += 4;
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005187#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5188
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005189 /*
5190 * Misc extension-related info
5191 */
5192#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
5193 if( 1 > (size_t)( end - p ) )
5194 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5195
5196 session->mfl_code = *p++;
5197#endif
5198
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005199#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5200 if( 1 > (size_t)( end - p ) )
5201 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5202
5203 session->encrypt_then_mac = *p++;
5204#endif
5205
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005206 /* Done, should have consumed entire buffer */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005207 if( p != end )
5208 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5209
5210 return( 0 );
5211}
5212
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01005213static int ssl_session_load( mbedtls_ssl_session *session,
5214 unsigned char omit_header,
5215 const unsigned char *buf,
5216 size_t len )
5217{
5218 const unsigned char *p = buf;
5219 const unsigned char * const end = buf + len;
5220
5221 if( !omit_header )
5222 {
5223 /*
5224 * Check Mbed TLS version identifier
5225 */
5226
5227 if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
5228 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5229
5230 if( memcmp( p, ssl_serialized_session_header,
5231 sizeof( ssl_serialized_session_header ) ) != 0 )
5232 {
5233 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5234 }
5235 p += sizeof( ssl_serialized_session_header );
5236 }
5237
5238 /*
5239 * TLS version identifier
5240 */
5241 if( 1 > (size_t)( end - p ) )
5242 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5243 session->minor_ver = *p++;
5244
5245 /* Dispatch according to TLS version. */
5246 switch( session->minor_ver )
5247 {
5248#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5249 case MBEDTLS_SSL_MINOR_VERSION_3: /* TLS 1.2 */
5250 {
5251 size_t remaining_len = ( end - p );
5252 return( ssl_session_load_tls12( session, p, remaining_len ) );
5253 }
5254#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5255
5256 default:
5257 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5258 }
5259}
5260
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005261/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005262 * Deserialize session: public wrapper for error cleaning
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005263 */
5264int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
5265 const unsigned char *buf,
5266 size_t len )
5267{
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005268 int ret = ssl_session_load( session, 0, buf, len );
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005269
5270 if( ret != 0 )
5271 mbedtls_ssl_session_free( session );
5272
5273 return( ret );
5274}
5275
5276/*
Paul Bakker1961b702013-01-25 14:49:24 +01005277 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00005278 */
Hanno Becker41934dd2021-08-07 19:13:43 +01005279static int ssl_prepare_handshake_step( mbedtls_ssl_context *ssl )
5280{
5281 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5282
5283 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5284 return( ret );
5285
5286#if defined(MBEDTLS_SSL_PROTO_DTLS)
5287 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5288 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
5289 {
5290 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
5291 return( ret );
5292 }
5293#endif /* MBEDTLS_SSL_PROTO_DTLS */
5294
5295 return( ret );
5296}
5297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005298int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00005299{
Hanno Becker41934dd2021-08-07 19:13:43 +01005300 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +00005301
Hanno Becker41934dd2021-08-07 19:13:43 +01005302 if( ssl == NULL ||
5303 ssl->conf == NULL ||
5304 ssl->handshake == NULL ||
5305 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5306 {
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005307 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Becker41934dd2021-08-07 19:13:43 +01005308 }
5309
5310 ret = ssl_prepare_handshake_step( ssl );
5311 if( ret != 0 )
5312 return( ret );
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005313
Jerry Yue7047812021-09-13 19:26:39 +08005314 ret = mbedtls_ssl_handle_pending_alert( ssl );
5315 if( ret != 0 )
5316 goto cleanup;
5317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005318#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005319 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Jerry Yub9930e72021-08-06 17:11:51 +08005320 {
Ronald Cron6f135e12021-12-08 16:57:54 +01005321#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yub9930e72021-08-06 17:11:51 +08005322 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
Jerry Yuf4436812021-08-26 22:59:56 +08005323 ret = mbedtls_ssl_tls13_handshake_client_step( ssl );
Ronald Cron6f135e12021-12-08 16:57:54 +01005324#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yub9930e72021-08-06 17:11:51 +08005325
5326#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5327 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
5328 ret = mbedtls_ssl_handshake_client_step( ssl );
5329#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5330 }
Paul Bakker5121ce52009-01-03 21:22:43 +00005331#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005332#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005333 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Jerry Yub9930e72021-08-06 17:11:51 +08005334 {
Ronald Cron6f135e12021-12-08 16:57:54 +01005335#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yub9930e72021-08-06 17:11:51 +08005336 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
Jerry Yu27561932021-08-27 17:07:38 +08005337 ret = mbedtls_ssl_tls13_handshake_server_step( ssl );
Ronald Cron6f135e12021-12-08 16:57:54 +01005338#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yub9930e72021-08-06 17:11:51 +08005339
5340#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5341 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
5342 ret = mbedtls_ssl_handshake_server_step( ssl );
5343#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5344 }
Paul Bakker5121ce52009-01-03 21:22:43 +00005345#endif
5346
Jerry Yue7047812021-09-13 19:26:39 +08005347 if( ret != 0 )
5348 {
Jerry Yubbd5a3f2021-09-18 20:50:22 +08005349 /* handshake_step return error. And it is same
5350 * with alert_reason.
5351 */
Jerry Yu3bf1f972021-09-22 21:37:18 +08005352 if( ssl->send_alert )
Jerry Yue7047812021-09-13 19:26:39 +08005353 {
Jerry Yu3bf1f972021-09-22 21:37:18 +08005354 ret = mbedtls_ssl_handle_pending_alert( ssl );
Jerry Yue7047812021-09-13 19:26:39 +08005355 goto cleanup;
5356 }
5357 }
5358
5359cleanup:
Paul Bakker1961b702013-01-25 14:49:24 +01005360 return( ret );
5361}
5362
5363/*
5364 * Perform the SSL handshake
5365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005366int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
Paul Bakker1961b702013-01-25 14:49:24 +01005367{
5368 int ret = 0;
5369
Hanno Beckera817ea42020-10-20 15:20:23 +01005370 /* Sanity checks */
5371
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005372 if( ssl == NULL || ssl->conf == NULL )
5373 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5374
Hanno Beckera817ea42020-10-20 15:20:23 +01005375#if defined(MBEDTLS_SSL_PROTO_DTLS)
5376 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5377 ( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) )
5378 {
5379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
5380 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
5381 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5382 }
5383#endif /* MBEDTLS_SSL_PROTO_DTLS */
5384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005385 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
Paul Bakker1961b702013-01-25 14:49:24 +01005386
Hanno Beckera817ea42020-10-20 15:20:23 +01005387 /* Main handshake loop */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005388 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker1961b702013-01-25 14:49:24 +01005389 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005390 ret = mbedtls_ssl_handshake_step( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01005391
5392 if( ret != 0 )
5393 break;
5394 }
5395
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005397
5398 return( ret );
5399}
5400
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005401#if defined(MBEDTLS_SSL_RENEGOTIATION)
5402#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00005403/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005404 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00005405 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005406static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005407{
Janos Follath865b3eb2019-12-16 11:46:15 +00005408 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005409
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005410 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005411
5412 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005413 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5414 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005415
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005416 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005417 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005418 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005419 return( ret );
5420 }
5421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005423
5424 return( 0 );
5425}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005426#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005427
5428/*
5429 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005430 * - any side: calling mbedtls_ssl_renegotiate(),
5431 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
5432 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02005433 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005434 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005435 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005436 */
Hanno Becker40cdaa12020-02-05 10:48:27 +00005437int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00005438{
Janos Follath865b3eb2019-12-16 11:46:15 +00005439 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker48916f92012-09-16 19:57:18 +00005440
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005442
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005443 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
5444 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00005445
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005446 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
5447 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005448#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005449 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005450 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005451 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005452 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02005453 ssl->handshake->out_msg_seq = 1;
5454 else
5455 ssl->handshake->in_msg_seq = 1;
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005456 }
5457#endif
5458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005459 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
5460 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +00005461
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005462 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00005463 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005464 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker48916f92012-09-16 19:57:18 +00005465 return( ret );
5466 }
5467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005468 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005469
5470 return( 0 );
5471}
5472
5473/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005474 * Renegotiate current connection on client,
5475 * or request renegotiation on server
5476 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005477int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005478{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005479 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005480
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005481 if( ssl == NULL || ssl->conf == NULL )
5482 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005484#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005485 /* On server, just send the request */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005486 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005487 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005488 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5489 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005490
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005491 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02005492
5493 /* Did we already try/start sending HelloRequest? */
5494 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005495 return( mbedtls_ssl_flush_output( ssl ) );
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02005496
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005497 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005498 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005499#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005500
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005501#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005502 /*
5503 * On client, either start the renegotiation process or,
5504 * if already in progress, continue the handshake
5505 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005506 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005507 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005508 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5509 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005510
Hanno Becker40cdaa12020-02-05 10:48:27 +00005511 if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005512 {
Hanno Becker40cdaa12020-02-05 10:48:27 +00005513 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005514 return( ret );
5515 }
5516 }
5517 else
5518 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005519 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005520 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005521 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005522 return( ret );
5523 }
5524 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005525#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005526
Paul Bakker37ce0ff2013-10-31 14:32:04 +01005527 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005528}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005529#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005530
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005531#if defined(MBEDTLS_X509_CRT_PARSE_C)
5532static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005533{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005534 mbedtls_ssl_key_cert *cur = key_cert, *next;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005535
5536 while( cur != NULL )
5537 {
5538 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005539 mbedtls_free( cur );
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005540 cur = next;
5541 }
5542}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005543#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005544
Gilles Peskine9b562d52018-04-25 20:32:43 +02005545void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00005546{
Gilles Peskine9b562d52018-04-25 20:32:43 +02005547 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
5548
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005549 if( handshake == NULL )
5550 return;
5551
Brett Warrene0edc842021-08-17 09:53:13 +01005552#if defined(MBEDTLS_ECP_C)
5553#if !defined(MBEDTLS_DEPRECATED_REMOVED)
5554 if ( ssl->handshake->group_list_heap_allocated )
5555 mbedtls_free( (void*) handshake->group_list );
5556 handshake->group_list = NULL;
5557#endif /* MBEDTLS_DEPRECATED_REMOVED */
5558#endif /* MBEDTLS_ECP_C */
5559
Jerry Yuf017ee42022-01-12 15:49:48 +08005560#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
5561#if !defined(MBEDTLS_DEPRECATED_REMOVED)
5562 if ( ssl->handshake->sig_algs_heap_allocated )
5563 mbedtls_free( (void*) handshake->sig_algs );
5564 handshake->sig_algs = NULL;
5565#endif /* MBEDTLS_DEPRECATED_REMOVED */
5566
5567#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
5568
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02005569#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
5570 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
5571 {
Gilles Peskine8f97af72018-04-26 11:46:10 +02005572 ssl->conf->f_async_cancel( ssl );
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02005573 handshake->async_in_progress = 0;
5574 }
5575#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
5576
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005577#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5578#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05005579#if defined(MBEDTLS_USE_PSA_CRYPTO)
5580 psa_hash_abort( &handshake->fin_sha256_psa );
5581#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005582 mbedtls_sha256_free( &handshake->fin_sha256 );
5583#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05005584#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02005585#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05005586#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05005587 psa_hash_abort( &handshake->fin_sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05005588#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005589 mbedtls_sha512_free( &handshake->fin_sha512 );
5590#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05005591#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005592#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005594#if defined(MBEDTLS_DHM_C)
5595 mbedtls_dhm_free( &handshake->dhm_ctx );
Paul Bakker48916f92012-09-16 19:57:18 +00005596#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005597#if defined(MBEDTLS_ECDH_C)
5598 mbedtls_ecdh_free( &handshake->ecdh_ctx );
Paul Bakker61d113b2013-07-04 11:51:43 +02005599#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02005600#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02005601 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02005602#if defined(MBEDTLS_SSL_CLI_C)
5603 mbedtls_free( handshake->ecjpake_cache );
5604 handshake->ecjpake_cache = NULL;
5605 handshake->ecjpake_cache_len = 0;
5606#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02005607#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02005608
Janos Follath4ae5c292016-02-10 11:27:43 +00005609#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
5610 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +02005611 /* explicit void pointer cast for buggy MS compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005612 mbedtls_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02005613#endif
5614
Gilles Peskineeccd8882020-03-10 12:19:08 +01005615#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01005616 if( handshake->psk != NULL )
5617 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005618 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01005619 mbedtls_free( handshake->psk );
5620 }
5621#endif
5622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005623#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5624 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005625 /*
5626 * Free only the linked list wrapper, not the keys themselves
5627 * since the belong to the SNI callback
5628 */
5629 if( handshake->sni_key_cert != NULL )
5630 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005631 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005632
5633 while( cur != NULL )
5634 {
5635 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005636 mbedtls_free( cur );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005637 cur = next;
5638 }
5639 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005640#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005641
Gilles Peskineeccd8882020-03-10 12:19:08 +01005642#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02005643 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Hanno Becker3dad3112019-02-05 17:19:52 +00005644 if( handshake->ecrs_peer_cert != NULL )
5645 {
5646 mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
5647 mbedtls_free( handshake->ecrs_peer_cert );
5648 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02005649#endif
5650
Hanno Becker75173122019-02-06 16:18:31 +00005651#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5652 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5653 mbedtls_pk_free( &handshake->peer_pubkey );
5654#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005656#if defined(MBEDTLS_SSL_PROTO_DTLS)
5657 mbedtls_free( handshake->verify_cookie );
Hanno Becker533ab5f2020-02-05 10:49:13 +00005658 mbedtls_ssl_flight_free( handshake->flight );
5659 mbedtls_ssl_buffering_free( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02005660#endif
5661
Hanno Becker4a63ed42019-01-08 11:39:35 +00005662#if defined(MBEDTLS_ECDH_C) && \
5663 defined(MBEDTLS_USE_PSA_CRYPTO)
5664 psa_destroy_key( handshake->ecdh_psa_privkey );
5665#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
5666
Ronald Cron6f135e12021-12-08 16:57:54 +01005667#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yua1a568c2021-11-09 10:17:21 +08005668 mbedtls_ssl_transform_free( handshake->transform_handshake );
5669 mbedtls_ssl_transform_free( handshake->transform_earlydata );
Jerry Yuba9c7272021-10-30 11:54:10 +08005670 mbedtls_free( handshake->transform_earlydata );
5671 mbedtls_free( handshake->transform_handshake );
Ronald Cron6f135e12021-12-08 16:57:54 +01005672#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yuba9c7272021-10-30 11:54:10 +08005673
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005674
5675#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5676 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
5677 * processes datagrams and the fact that a datagram is allowed to have
5678 * several records in it, it is possible that the I/O buffers are not
5679 * empty at this stage */
Andrzej Kurek4a063792020-10-21 15:08:44 +02005680 handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
5681 mbedtls_ssl_get_output_buflen( ssl ) );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005682#endif
Hanno Becker3aa186f2021-08-10 09:24:19 +01005683
Jerry Yuba9c7272021-10-30 11:54:10 +08005684 /* mbedtls_platform_zeroize MUST be last one in this function */
5685 mbedtls_platform_zeroize( handshake,
5686 sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005687}
5688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005689void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
Paul Bakker48916f92012-09-16 19:57:18 +00005690{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005691 if( session == NULL )
5692 return;
5693
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005694#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker1294a0b2019-02-05 12:38:15 +00005695 ssl_clear_peer_cert( session );
Paul Bakkered27a042013-04-18 22:46:23 +02005696#endif
Paul Bakker0a597072012-09-25 21:55:46 +00005697
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02005698#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005699 mbedtls_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +02005700#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005701
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005702 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005703}
5704
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02005705#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005706
5707#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5708#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
5709#else
5710#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
5711#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5712
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005713#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005714
5715#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5716#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
5717#else
5718#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
5719#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5720
5721#if defined(MBEDTLS_SSL_ALPN)
5722#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
5723#else
5724#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
5725#endif /* MBEDTLS_SSL_ALPN */
5726
5727#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
5728#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
5729#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
5730#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
5731
5732#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5733 ( (uint32_t) ( \
5734 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT ) | \
5735 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT ) | \
5736 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT ) | \
5737 ( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT ) | \
5738 0u ) )
5739
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005740static unsigned char ssl_serialized_context_header[] = {
5741 MBEDTLS_VERSION_MAJOR,
5742 MBEDTLS_VERSION_MINOR,
5743 MBEDTLS_VERSION_PATCH,
Joe Subbiani2194dc42021-07-14 12:31:31 +01005744 MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
5745 MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
5746 MBEDTLS_BYTE_2( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
5747 MBEDTLS_BYTE_1( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
5748 MBEDTLS_BYTE_0( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005749};
5750
Paul Bakker5121ce52009-01-03 21:22:43 +00005751/*
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005752 * Serialize a full SSL context
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005753 *
5754 * The format of the serialized data is:
5755 * (in the presentation language of TLS, RFC 8446 section 3)
5756 *
5757 * // header
5758 * opaque mbedtls_version[3]; // major, minor, patch
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005759 * opaque context_format[5]; // version-specific field determining
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005760 * // the format of the remaining
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005761 * // serialized data.
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005762 * Note: When updating the format, remember to keep these
5763 * version+format bytes. (We may make their size part of the API.)
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005764 *
5765 * // session sub-structure
5766 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5767 * // transform sub-structure
5768 * uint8 random[64]; // ServerHello.random+ClientHello.random
5769 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5770 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5771 * // fields from ssl_context
5772 * uint32 badmac_seen; // DTLS: number of records with failing MAC
5773 * uint64 in_window_top; // DTLS: last validated record seq_num
5774 * uint64 in_window; // DTLS: bitmask for replay protection
5775 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5776 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5777 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5778 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5779 *
5780 * Note that many fields of the ssl_context or sub-structures are not
5781 * serialized, as they fall in one of the following categories:
5782 *
5783 * 1. forced value (eg in_left must be 0)
5784 * 2. pointer to dynamically-allocated memory (eg session, transform)
5785 * 3. value can be re-derived from other data (eg session keys from MS)
5786 * 4. value was temporary (eg content of input buffer)
5787 * 5. value will be provided by the user again (eg I/O callbacks and context)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005788 */
5789int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
5790 unsigned char *buf,
5791 size_t buf_len,
5792 size_t *olen )
5793{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005794 unsigned char *p = buf;
5795 size_t used = 0;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005796 size_t session_len;
5797 int ret = 0;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005798
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005799 /*
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005800 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5801 * this function's documentation.
5802 *
5803 * These are due to assumptions/limitations in the implementation. Some of
5804 * them are likely to stay (no handshake in progress) some might go away
5805 * (only DTLS) but are currently used to simplify the implementation.
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005806 */
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005807 /* The initial handshake must be over */
5808 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005809 {
5810 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) );
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005811 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005812 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005813 if( ssl->handshake != NULL )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005814 {
5815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Handshake isn't completed" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005816 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005817 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005818 /* Double-check that sub-structures are indeed ready */
5819 if( ssl->transform == NULL || ssl->session == NULL )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005820 {
5821 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Serialised structures aren't ready" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005822 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005823 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005824 /* There must be no pending incoming or outgoing data */
5825 if( mbedtls_ssl_check_pending( ssl ) != 0 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005826 {
5827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending incoming data" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005828 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005829 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005830 if( ssl->out_left != 0 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005831 {
5832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005833 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005834 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005835 /* Protocol must be DLTS, not TLS */
5836 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005837 {
5838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005839 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005840 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005841 /* Version must be 1.2 */
5842 if( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005843 {
5844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005845 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005846 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005847 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005848 {
5849 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005850 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005851 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005852 /* We must be using an AEAD ciphersuite */
5853 if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005854 {
5855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005856 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005857 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005858 /* Renegotiation must not be enabled */
5859#if defined(MBEDTLS_SSL_RENEGOTIATION)
5860 if( ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005861 {
5862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Renegotiation must not be enabled" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005863 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005864 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005865#endif
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005866
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005867 /*
5868 * Version and format identifier
5869 */
5870 used += sizeof( ssl_serialized_context_header );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005871
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005872 if( used <= buf_len )
5873 {
5874 memcpy( p, ssl_serialized_context_header,
5875 sizeof( ssl_serialized_context_header ) );
5876 p += sizeof( ssl_serialized_context_header );
5877 }
5878
5879 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005880 * Session (length + data)
5881 */
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005882 ret = ssl_session_save( ssl->session, 1, NULL, 0, &session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005883 if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
5884 return( ret );
5885
5886 used += 4 + session_len;
5887 if( used <= buf_len )
5888 {
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01005889 MBEDTLS_PUT_UINT32_BE( session_len, p, 0 );
5890 p += 4;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005891
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005892 ret = ssl_session_save( ssl->session, 1,
5893 p, session_len, &session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005894 if( ret != 0 )
5895 return( ret );
5896
5897 p += session_len;
5898 }
5899
5900 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005901 * Transform
5902 */
5903 used += sizeof( ssl->transform->randbytes );
5904 if( used <= buf_len )
5905 {
5906 memcpy( p, ssl->transform->randbytes,
5907 sizeof( ssl->transform->randbytes ) );
5908 p += sizeof( ssl->transform->randbytes );
5909 }
5910
5911#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5912 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5913 if( used <= buf_len )
5914 {
5915 *p++ = ssl->transform->in_cid_len;
5916 memcpy( p, ssl->transform->in_cid, ssl->transform->in_cid_len );
5917 p += ssl->transform->in_cid_len;
5918
5919 *p++ = ssl->transform->out_cid_len;
5920 memcpy( p, ssl->transform->out_cid, ssl->transform->out_cid_len );
5921 p += ssl->transform->out_cid_len;
5922 }
5923#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5924
5925 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005926 * Saved fields from top-level ssl_context structure
5927 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005928 used += 4;
5929 if( used <= buf_len )
5930 {
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01005931 MBEDTLS_PUT_UINT32_BE( ssl->badmac_seen, p, 0 );
5932 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005933 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005934
5935#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5936 used += 16;
5937 if( used <= buf_len )
5938 {
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01005939 MBEDTLS_PUT_UINT64_BE( ssl->in_window_top, p, 0 );
5940 p += 8;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005941
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01005942 MBEDTLS_PUT_UINT64_BE( ssl->in_window, p, 0 );
5943 p += 8;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005944 }
5945#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5946
5947#if defined(MBEDTLS_SSL_PROTO_DTLS)
5948 used += 1;
5949 if( used <= buf_len )
5950 {
5951 *p++ = ssl->disable_datagram_packing;
5952 }
5953#endif /* MBEDTLS_SSL_PROTO_DTLS */
5954
Jerry Yuae0b2e22021-10-08 15:21:19 +08005955 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005956 if( used <= buf_len )
5957 {
Jerry Yuae0b2e22021-10-08 15:21:19 +08005958 memcpy( p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
5959 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005960 }
5961
5962#if defined(MBEDTLS_SSL_PROTO_DTLS)
5963 used += 2;
5964 if( used <= buf_len )
5965 {
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01005966 MBEDTLS_PUT_UINT16_BE( ssl->mtu, p, 0 );
5967 p += 2;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005968 }
5969#endif /* MBEDTLS_SSL_PROTO_DTLS */
5970
5971#if defined(MBEDTLS_SSL_ALPN)
5972 {
5973 const uint8_t alpn_len = ssl->alpn_chosen
Manuel Pégourié-Gonnardf041f4e2019-07-24 00:58:27 +02005974 ? (uint8_t) strlen( ssl->alpn_chosen )
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005975 : 0;
5976
5977 used += 1 + alpn_len;
5978 if( used <= buf_len )
5979 {
5980 *p++ = alpn_len;
5981
5982 if( ssl->alpn_chosen != NULL )
5983 {
5984 memcpy( p, ssl->alpn_chosen, alpn_len );
5985 p += alpn_len;
5986 }
5987 }
5988 }
5989#endif /* MBEDTLS_SSL_ALPN */
5990
5991 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005992 * Done
5993 */
5994 *olen = used;
5995
5996 if( used > buf_len )
5997 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005998
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005999 MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
6000
Hanno Becker43aefe22020-02-05 10:44:56 +00006001 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02006002}
6003
6004/*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006005 * Helper to get TLS 1.2 PRF from ciphersuite
6006 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
6007 */
6008typedef int (*tls_prf_fn)( const unsigned char *secret, size_t slen,
6009 const char *label,
6010 const unsigned char *random, size_t rlen,
6011 unsigned char *dstbuf, size_t dlen );
6012static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
6013{
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02006014#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006015 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
6016 mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
6017
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02006018 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
6019 return( tls_prf_sha384 );
Jarno Lamsab7b486c2019-08-21 15:30:44 +03006020#else
6021 (void) ciphersuite_id;
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02006022#endif
6023 return( tls_prf_sha256 );
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006024}
6025
6026/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02006027 * Deserialize context, see mbedtls_ssl_context_save() for format.
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006028 *
6029 * This internal version is wrapped by a public function that cleans up in
6030 * case of error.
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02006031 */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006032static int ssl_context_load( mbedtls_ssl_context *ssl,
6033 const unsigned char *buf,
6034 size_t len )
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02006035{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02006036 const unsigned char *p = buf;
6037 const unsigned char * const end = buf + len;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006038 size_t session_len;
Janos Follath865b3eb2019-12-16 11:46:15 +00006039 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02006040
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02006041 /*
6042 * The context should have been freshly setup or reset.
6043 * Give the user an error in case of obvious misuse.
Manuel Pégourié-Gonnard4ca930f2019-07-26 16:31:53 +02006044 * (Checking session is useful because it won't be NULL if we're
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02006045 * renegotiating, or if the user mistakenly loaded a session first.)
6046 */
6047 if( ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
6048 ssl->session != NULL )
6049 {
6050 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6051 }
6052
6053 /*
6054 * We can't check that the config matches the initial one, but we can at
6055 * least check it matches the requirements for serializing.
6056 */
6057 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
6058 ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
6059 ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
6060 ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
6061 ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
6062#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02006063 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02006064#endif
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02006065 0 )
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02006066 {
6067 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6068 }
6069
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006070 MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
6071
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02006072 /*
6073 * Check version identifier
6074 */
6075 if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
6076 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6077
6078 if( memcmp( p, ssl_serialized_context_header,
6079 sizeof( ssl_serialized_context_header ) ) != 0 )
6080 {
6081 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
6082 }
6083 p += sizeof( ssl_serialized_context_header );
6084
6085 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006086 * Session
6087 */
6088 if( (size_t)( end - p ) < 4 )
6089 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6090
6091 session_len = ( (size_t) p[0] << 24 ) |
6092 ( (size_t) p[1] << 16 ) |
6093 ( (size_t) p[2] << 8 ) |
6094 ( (size_t) p[3] );
6095 p += 4;
6096
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02006097 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00006098 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02006099 ssl->session = ssl->session_negotiate;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006100 ssl->session_in = ssl->session;
6101 ssl->session_out = ssl->session;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02006102 ssl->session_negotiate = NULL;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006103
6104 if( (size_t)( end - p ) < session_len )
6105 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6106
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02006107 ret = ssl_session_load( ssl->session, 1, p, session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006108 if( ret != 0 )
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02006109 {
6110 mbedtls_ssl_session_free( ssl->session );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006111 return( ret );
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02006112 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006113
6114 p += session_len;
6115
6116 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006117 * Transform
6118 */
6119
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02006120 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00006121 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02006122 ssl->transform = ssl->transform_negotiate;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006123 ssl->transform_in = ssl->transform;
6124 ssl->transform_out = ssl->transform;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02006125 ssl->transform_negotiate = NULL;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006126
6127 /* Read random bytes and populate structure */
6128 if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
6129 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6130
Hanno Beckerbd257552021-03-22 06:59:27 +00006131 ret = ssl_tls12_populate_transform( ssl->transform,
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006132 ssl->session->ciphersuite,
6133 ssl->session->master,
Hanno Beckerbd257552021-03-22 06:59:27 +00006134#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
6135 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006136 ssl->session->encrypt_then_mac,
Hanno Beckerbd257552021-03-22 06:59:27 +00006137#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
6138 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006139 ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
6140 p, /* currently pointing to randbytes */
6141 MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
6142 ssl->conf->endpoint,
6143 ssl );
6144 if( ret != 0 )
6145 return( ret );
6146
6147 p += sizeof( ssl->transform->randbytes );
6148
6149#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
6150 /* Read connection IDs and store them */
6151 if( (size_t)( end - p ) < 1 )
6152 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6153
6154 ssl->transform->in_cid_len = *p++;
6155
Manuel Pégourié-Gonnard5ea13b82019-07-23 15:02:54 +02006156 if( (size_t)( end - p ) < ssl->transform->in_cid_len + 1u )
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02006157 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6158
6159 memcpy( ssl->transform->in_cid, p, ssl->transform->in_cid_len );
6160 p += ssl->transform->in_cid_len;
6161
6162 ssl->transform->out_cid_len = *p++;
6163
6164 if( (size_t)( end - p ) < ssl->transform->out_cid_len )
6165 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6166
6167 memcpy( ssl->transform->out_cid, p, ssl->transform->out_cid_len );
6168 p += ssl->transform->out_cid_len;
6169#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
6170
6171 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02006172 * Saved fields from top-level ssl_context structure
6173 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02006174 if( (size_t)( end - p ) < 4 )
6175 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6176
6177 ssl->badmac_seen = ( (uint32_t) p[0] << 24 ) |
6178 ( (uint32_t) p[1] << 16 ) |
6179 ( (uint32_t) p[2] << 8 ) |
6180 ( (uint32_t) p[3] );
6181 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02006182
6183#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6184 if( (size_t)( end - p ) < 16 )
6185 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6186
6187 ssl->in_window_top = ( (uint64_t) p[0] << 56 ) |
6188 ( (uint64_t) p[1] << 48 ) |
6189 ( (uint64_t) p[2] << 40 ) |
6190 ( (uint64_t) p[3] << 32 ) |
6191 ( (uint64_t) p[4] << 24 ) |
6192 ( (uint64_t) p[5] << 16 ) |
6193 ( (uint64_t) p[6] << 8 ) |
6194 ( (uint64_t) p[7] );
6195 p += 8;
6196
6197 ssl->in_window = ( (uint64_t) p[0] << 56 ) |
6198 ( (uint64_t) p[1] << 48 ) |
6199 ( (uint64_t) p[2] << 40 ) |
6200 ( (uint64_t) p[3] << 32 ) |
6201 ( (uint64_t) p[4] << 24 ) |
6202 ( (uint64_t) p[5] << 16 ) |
6203 ( (uint64_t) p[6] << 8 ) |
6204 ( (uint64_t) p[7] );
6205 p += 8;
6206#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
6207
6208#if defined(MBEDTLS_SSL_PROTO_DTLS)
6209 if( (size_t)( end - p ) < 1 )
6210 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6211
6212 ssl->disable_datagram_packing = *p++;
6213#endif /* MBEDTLS_SSL_PROTO_DTLS */
6214
Jerry Yud9a94fe2021-09-28 18:58:59 +08006215 if( (size_t)( end - p ) < sizeof( ssl->cur_out_ctr ) )
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02006216 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jerry Yud9a94fe2021-09-28 18:58:59 +08006217 memcpy( ssl->cur_out_ctr, p, sizeof( ssl->cur_out_ctr ) );
6218 p += sizeof( ssl->cur_out_ctr );
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02006219
6220#if defined(MBEDTLS_SSL_PROTO_DTLS)
6221 if( (size_t)( end - p ) < 2 )
6222 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6223
6224 ssl->mtu = ( p[0] << 8 ) | p[1];
6225 p += 2;
6226#endif /* MBEDTLS_SSL_PROTO_DTLS */
6227
6228#if defined(MBEDTLS_SSL_ALPN)
6229 {
6230 uint8_t alpn_len;
6231 const char **cur;
6232
6233 if( (size_t)( end - p ) < 1 )
6234 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6235
6236 alpn_len = *p++;
6237
6238 if( alpn_len != 0 && ssl->conf->alpn_list != NULL )
6239 {
6240 /* alpn_chosen should point to an item in the configured list */
6241 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
6242 {
6243 if( strlen( *cur ) == alpn_len &&
6244 memcmp( p, cur, alpn_len ) == 0 )
6245 {
6246 ssl->alpn_chosen = *cur;
6247 break;
6248 }
6249 }
6250 }
6251
6252 /* can only happen on conf mismatch */
6253 if( alpn_len != 0 && ssl->alpn_chosen == NULL )
6254 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6255
6256 p += alpn_len;
6257 }
6258#endif /* MBEDTLS_SSL_ALPN */
6259
6260 /*
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006261 * Forced fields from top-level ssl_context structure
6262 *
6263 * Most of them already set to the correct value by mbedtls_ssl_init() and
6264 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
6265 */
6266 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
6267
6268 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6269 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
6270
Hanno Becker361b10d2019-08-30 10:42:49 +01006271 /* Adjust pointers for header fields of outgoing records to
6272 * the given transform, accounting for explicit IV and CID. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00006273 mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
Hanno Becker361b10d2019-08-30 10:42:49 +01006274
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006275#if defined(MBEDTLS_SSL_PROTO_DTLS)
6276 ssl->in_epoch = 1;
6277#endif
6278
6279 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
6280 * which we don't want - otherwise we'd end up freeing the wrong transform
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00006281 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
6282 * inappropriately. */
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006283 if( ssl->handshake != NULL )
6284 {
6285 mbedtls_ssl_handshake_free( ssl );
6286 mbedtls_free( ssl->handshake );
6287 ssl->handshake = NULL;
6288 }
6289
6290 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02006291 * Done - should have consumed entire buffer
6292 */
6293 if( p != end )
6294 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02006295
6296 return( 0 );
6297}
6298
6299/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02006300 * Deserialize context: public wrapper for error cleaning
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006301 */
6302int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
6303 const unsigned char *buf,
6304 size_t len )
6305{
6306 int ret = ssl_context_load( context, buf, len );
6307
6308 if( ret != 0 )
6309 mbedtls_ssl_free( context );
6310
6311 return( ret );
6312}
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02006313#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006314
6315/*
Paul Bakker5121ce52009-01-03 21:22:43 +00006316 * Free an SSL context
6317 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006318void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00006319{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02006320 if( ssl == NULL )
6321 return;
6322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006324
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01006325 if( ssl->out_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006326 {
sander-visserb8aa2072020-05-06 22:05:13 +02006327#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6328 size_t out_buf_len = ssl->out_buf_len;
6329#else
6330 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
6331#endif
6332
Darryl Greenb33cc762019-11-28 14:29:44 +00006333 mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006334 mbedtls_free( ssl->out_buf );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05006335 ssl->out_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00006336 }
6337
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01006338 if( ssl->in_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006339 {
sander-visserb8aa2072020-05-06 22:05:13 +02006340#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6341 size_t in_buf_len = ssl->in_buf_len;
6342#else
6343 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
6344#endif
6345
Darryl Greenb33cc762019-11-28 14:29:44 +00006346 mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006347 mbedtls_free( ssl->in_buf );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05006348 ssl->in_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00006349 }
6350
Paul Bakker48916f92012-09-16 19:57:18 +00006351 if( ssl->transform )
6352 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006353 mbedtls_ssl_transform_free( ssl->transform );
6354 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00006355 }
6356
6357 if( ssl->handshake )
6358 {
Gilles Peskine9b562d52018-04-25 20:32:43 +02006359 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006360 mbedtls_ssl_transform_free( ssl->transform_negotiate );
6361 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00006362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006363 mbedtls_free( ssl->handshake );
6364 mbedtls_free( ssl->transform_negotiate );
6365 mbedtls_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00006366 }
6367
Ronald Cron6f135e12021-12-08 16:57:54 +01006368#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Becker3aa186f2021-08-10 09:24:19 +01006369 mbedtls_ssl_transform_free( ssl->transform_application );
6370 mbedtls_free( ssl->transform_application );
Ronald Cron6f135e12021-12-08 16:57:54 +01006371#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker3aa186f2021-08-10 09:24:19 +01006372
Paul Bakkerc0463502013-02-14 11:19:38 +01006373 if( ssl->session )
6374 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006375 mbedtls_ssl_session_free( ssl->session );
6376 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01006377 }
6378
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +02006379#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker66d5d072014-06-17 16:39:18 +02006380 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006381 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006382 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006383 mbedtls_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00006384 }
Paul Bakker0be444a2013-08-27 21:55:01 +02006385#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00006386
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02006387#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006388 mbedtls_free( ssl->cli_id );
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02006389#endif
6390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006391 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00006392
Paul Bakker86f04f42013-02-14 11:20:09 +01006393 /* Actually clear after last debug message */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006394 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006395}
6396
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006397/*
6398 * Initialze mbedtls_ssl_config
6399 */
6400void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
6401{
6402 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
6403}
6404
Gilles Peskineeccd8882020-03-10 12:19:08 +01006405#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08006406#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006407/* The selection should be the same as mbedtls_x509_crt_profile_default in
Gilles Peskinea28f0f52021-06-02 15:29:38 +02006408 * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
6409 * for no fundamental reason.
Gilles Peskineae270bf2021-06-02 00:05:29 +02006410 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
6411 * about this list. */
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006412static int ssl_preset_default_hashes[] = {
6413#if defined(MBEDTLS_SHA512_C)
6414 MBEDTLS_MD_SHA512,
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006415#endif
6416#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006417 MBEDTLS_MD_SHA384,
6418#endif
6419#if defined(MBEDTLS_SHA256_C)
6420 MBEDTLS_MD_SHA256,
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006421#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006422 MBEDTLS_MD_NONE
6423};
Jerry Yuf017ee42022-01-12 15:49:48 +08006424#endif /* !MBEDTLS_DEPRECATED_REMOVED */
6425#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006426
Gilles Peskineae270bf2021-06-02 00:05:29 +02006427/* The selection should be the same as mbedtls_x509_crt_profile_default in
6428 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
Gilles Peskineb1940a72021-06-02 15:18:12 +02006429 * curves with a lower resource usage come first.
Gilles Peskineae270bf2021-06-02 00:05:29 +02006430 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
Gilles Peskineb1940a72021-06-02 15:18:12 +02006431 * about this list.
6432 */
Brett Warrene0edc842021-08-17 09:53:13 +01006433static uint16_t ssl_preset_default_groups[] = {
Gilles Peskineae270bf2021-06-02 00:05:29 +02006434#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006435 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
Gilles Peskineae270bf2021-06-02 00:05:29 +02006436#endif
6437#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006438 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
Gilles Peskineae270bf2021-06-02 00:05:29 +02006439#endif
Gilles Peskineb1940a72021-06-02 15:18:12 +02006440#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006441 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02006442#endif
6443#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006444 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
Gilles Peskineb1940a72021-06-02 15:18:12 +02006445#endif
6446#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006447 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02006448#endif
Gilles Peskineae270bf2021-06-02 00:05:29 +02006449#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006450 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
Gilles Peskineae270bf2021-06-02 00:05:29 +02006451#endif
Gilles Peskineb1940a72021-06-02 15:18:12 +02006452#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006453 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02006454#endif
6455#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006456 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02006457#endif
Brett Warrene0edc842021-08-17 09:53:13 +01006458 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
Gilles Peskineae270bf2021-06-02 00:05:29 +02006459};
Gilles Peskineae270bf2021-06-02 00:05:29 +02006460
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006461static int ssl_preset_suiteb_ciphersuites[] = {
6462 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6463 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
6464 0
6465};
6466
Gilles Peskineeccd8882020-03-10 12:19:08 +01006467#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08006468#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006469static int ssl_preset_suiteb_hashes[] = {
Jerry Yuf017ee42022-01-12 15:49:48 +08006470#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006471 MBEDTLS_MD_SHA384,
Jerry Yuf017ee42022-01-12 15:49:48 +08006472#endif
6473#if defined(MBEDTLS_SHA256_C)
6474 MBEDTLS_MD_SHA256,
6475#endif
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006476 MBEDTLS_MD_NONE
6477};
Jerry Yuf017ee42022-01-12 15:49:48 +08006478#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006479
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006480static uint16_t ssl_preset_default_sig_algs[] = {
Jerry Yu6106fdc2022-01-12 16:36:14 +08006481#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
6482
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006483 /* ECDSA algorithms */
6484#if defined(MBEDTLS_ECDSA_C)
6485#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +00006486 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006487#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Ronald Crondb6adc52021-12-10 14:25:35 +01006488#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +00006489 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
Ronald Crondb6adc52021-12-10 14:25:35 +01006490#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006491#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +00006492 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006493#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
6494#endif /* MBEDTLS_ECDSA_C */
XiaokangQian82d34cc2021-11-03 08:51:56 +00006495
6496 /* RSA algorithms */
6497#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Bai95395012021-11-25 08:51:30 +00006498 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
XiaokangQian82d34cc2021-11-03 08:51:56 +00006499#endif
Xiaofei Bai6dc90da2021-11-26 08:11:40 +00006500 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
Jerry Yu6106fdc2022-01-12 16:36:14 +08006501#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian82d34cc2021-11-03 08:51:56 +00006502
Xiaofei Bai95395012021-11-25 08:51:30 +00006503 MBEDTLS_TLS1_3_SIG_NONE
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006504};
6505
6506static uint16_t ssl_preset_suiteb_sig_algs[] = {
Jerry Yu6106fdc2022-01-12 16:36:14 +08006507
6508#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006509 /* ECDSA algorithms */
6510#if defined(MBEDTLS_ECDSA_C)
6511#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +00006512 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006513#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Ronald Crondb6adc52021-12-10 14:25:35 +01006514#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +00006515 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
Ronald Crondb6adc52021-12-10 14:25:35 +01006516#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006517#endif /* MBEDTLS_ECDSA_C */
XiaokangQian4b82ca12021-11-18 08:27:17 +00006518
6519 /* RSA algorithms */
6520#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Bai95395012021-11-25 08:51:30 +00006521 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
XiaokangQian4b82ca12021-11-18 08:27:17 +00006522#endif
Xiaofei Bai6dc90da2021-11-26 08:11:40 +00006523 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
Jerry Yu6106fdc2022-01-12 16:36:14 +08006524#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian4b82ca12021-11-18 08:27:17 +00006525
Xiaofei Bai95395012021-11-25 08:51:30 +00006526 MBEDTLS_TLS1_3_SIG_NONE
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01006527};
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006528#endif
6529
Brett Warrene0edc842021-08-17 09:53:13 +01006530static uint16_t ssl_preset_suiteb_groups[] = {
Jaeden Amerod4311042019-06-03 08:27:16 +01006531#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006532 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01006533#endif
6534#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Brett Warrene0edc842021-08-17 09:53:13 +01006535 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01006536#endif
Brett Warrene0edc842021-08-17 09:53:13 +01006537 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006538};
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006539
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006540/*
Tillmann Karras588ad502015-09-25 04:27:22 +02006541 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006542 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02006543int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006544 int endpoint, int transport, int preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006545{
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006546#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Janos Follath865b3eb2019-12-16 11:46:15 +00006547 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006548#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006549
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +02006550 /* Use the functions here so that they are covered in tests,
6551 * but otherwise access member directly for efficiency */
6552 mbedtls_ssl_conf_endpoint( conf, endpoint );
6553 mbedtls_ssl_conf_transport( conf, transport );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006554
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006555 /*
6556 * Things that are common to all presets
6557 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02006558#if defined(MBEDTLS_SSL_CLI_C)
6559 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
6560 {
6561 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
6562#if defined(MBEDTLS_SSL_SESSION_TICKETS)
6563 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
6564#endif
6565 }
6566#endif
6567
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006568#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6569 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
6570#endif
6571
6572#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6573 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
6574#endif
6575
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02006576#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006577 conf->f_cookie_write = ssl_cookie_write_dummy;
6578 conf->f_cookie_check = ssl_cookie_check_dummy;
6579#endif
6580
6581#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6582 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
6583#endif
6584
Janos Follath088ce432017-04-10 12:42:31 +01006585#if defined(MBEDTLS_SSL_SRV_C)
6586 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
TRodziewicz3946f792021-06-14 12:11:18 +02006587 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
Janos Follath088ce432017-04-10 12:42:31 +01006588#endif
6589
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006590#if defined(MBEDTLS_SSL_PROTO_DTLS)
6591 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
6592 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
6593#endif
6594
6595#if defined(MBEDTLS_SSL_RENEGOTIATION)
6596 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Andres AG2196c7f2016-12-15 17:01:16 +00006597 memset( conf->renego_period, 0x00, 2 );
6598 memset( conf->renego_period + 2, 0xFF, 6 );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006599#endif
6600
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006601#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckere2defad2021-07-24 05:59:17 +01006602 if( endpoint == MBEDTLS_SSL_IS_SERVER )
6603 {
6604 const unsigned char dhm_p[] =
6605 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
6606 const unsigned char dhm_g[] =
6607 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
Hanno Becker00d0a682017-10-04 13:14:29 +01006608
Hanno Beckere2defad2021-07-24 05:59:17 +01006609 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
6610 dhm_p, sizeof( dhm_p ),
6611 dhm_g, sizeof( dhm_g ) ) ) != 0 )
6612 {
6613 return( ret );
6614 }
6615 }
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02006616#endif
6617
Ronald Cron6f135e12021-12-08 16:57:54 +01006618#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Becker71f1ed62021-07-24 06:01:47 +01006619 /*
6620 * Allow all TLS 1.3 key exchange modes by default.
6621 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00006622 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
Ronald Cron6f135e12021-12-08 16:57:54 +01006623#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker71f1ed62021-07-24 06:01:47 +01006624
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006625 /*
6626 * Preset-specific defaults
6627 */
6628 switch( preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006629 {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006630 /*
6631 * NSA Suite B
6632 */
6633 case MBEDTLS_SSL_PRESET_SUITEB:
6634 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6635 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
6636 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6637 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6638
Hanno Beckerd60b6c62021-04-29 12:04:11 +01006639 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006640
6641#if defined(MBEDTLS_X509_CRT_PARSE_C)
6642 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006643#endif
6644
Gilles Peskineeccd8882020-03-10 12:19:08 +01006645#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08006646#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006647 conf->sig_hashes = ssl_preset_suiteb_hashes;
Jerry Yuf017ee42022-01-12 15:49:48 +08006648#endif /* !MBEDTLS_DEPRECATED_REMOVED */
6649 conf->sig_algs = ssl_preset_suiteb_sig_algs;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006650#endif
6651
Brett Warrene0edc842021-08-17 09:53:13 +01006652#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6653 conf->curve_list = NULL;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006654#endif
Brett Warrene0edc842021-08-17 09:53:13 +01006655 conf->group_list = ssl_preset_suiteb_groups;
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +02006656 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006657
6658 /*
6659 * Default
6660 */
6661 default:
Ron Eldor5e9f14d2017-05-28 10:46:38 +03006662 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
6663 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
6664 MBEDTLS_SSL_MIN_MAJOR_VERSION :
6665 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
6666 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
6667 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
6668 MBEDTLS_SSL_MIN_MINOR_VERSION :
6669 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006670 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6671 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6672
6673#if defined(MBEDTLS_SSL_PROTO_DTLS)
6674 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
TRodziewiczef73f012021-05-13 14:53:36 +02006675 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006676#endif
Hanno Beckerd60b6c62021-04-29 12:04:11 +01006677 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006678
6679#if defined(MBEDTLS_X509_CRT_PARSE_C)
6680 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6681#endif
6682
Gilles Peskineeccd8882020-03-10 12:19:08 +01006683#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08006684#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006685 conf->sig_hashes = ssl_preset_default_hashes;
Jerry Yuf017ee42022-01-12 15:49:48 +08006686#endif /* !MBEDTLS_DEPRECATED_REMOVED */
6687 conf->sig_algs = ssl_preset_default_sig_algs;
Hanno Beckerdeb68ce2021-08-10 16:04:05 +01006688#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006689
Brett Warrene0edc842021-08-17 09:53:13 +01006690#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6691 conf->curve_list = NULL;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006692#endif
Brett Warrene0edc842021-08-17 09:53:13 +01006693 conf->group_list = ssl_preset_default_groups;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006694
6695#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6696 conf->dhm_min_bitlen = 1024;
6697#endif
6698 }
6699
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006700 return( 0 );
6701}
6702
6703/*
6704 * Free mbedtls_ssl_config
6705 */
6706void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
6707{
6708#if defined(MBEDTLS_DHM_C)
6709 mbedtls_mpi_free( &conf->dhm_P );
6710 mbedtls_mpi_free( &conf->dhm_G );
6711#endif
6712
Gilles Peskineeccd8882020-03-10 12:19:08 +01006713#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006714 if( conf->psk != NULL )
6715 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006716 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006717 mbedtls_free( conf->psk );
Azim Khan27e8a122018-03-21 14:24:11 +00006718 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006719 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +09006720 }
6721
6722 if( conf->psk_identity != NULL )
6723 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006724 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
junyeonLEE316b1622017-12-20 16:29:30 +09006725 mbedtls_free( conf->psk_identity );
Azim Khan27e8a122018-03-21 14:24:11 +00006726 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006727 conf->psk_identity_len = 0;
6728 }
6729#endif
6730
6731#if defined(MBEDTLS_X509_CRT_PARSE_C)
6732 ssl_key_cert_free( conf->key_cert );
6733#endif
6734
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006735 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006736}
6737
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02006738#if defined(MBEDTLS_PK_C) && \
6739 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006740/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006741 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006742 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006743unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006744{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006745#if defined(MBEDTLS_RSA_C)
6746 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
6747 return( MBEDTLS_SSL_SIG_RSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006748#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006749#if defined(MBEDTLS_ECDSA_C)
6750 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
6751 return( MBEDTLS_SSL_SIG_ECDSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006752#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006753 return( MBEDTLS_SSL_SIG_ANON );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006754}
6755
Hanno Becker7e5437a2017-04-28 17:15:26 +01006756unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
6757{
6758 switch( type ) {
6759 case MBEDTLS_PK_RSA:
6760 return( MBEDTLS_SSL_SIG_RSA );
6761 case MBEDTLS_PK_ECDSA:
6762 case MBEDTLS_PK_ECKEY:
6763 return( MBEDTLS_SSL_SIG_ECDSA );
6764 default:
6765 return( MBEDTLS_SSL_SIG_ANON );
6766 }
6767}
6768
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006769mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006770{
6771 switch( sig )
6772 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006773#if defined(MBEDTLS_RSA_C)
6774 case MBEDTLS_SSL_SIG_RSA:
6775 return( MBEDTLS_PK_RSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006776#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006777#if defined(MBEDTLS_ECDSA_C)
6778 case MBEDTLS_SSL_SIG_ECDSA:
6779 return( MBEDTLS_PK_ECDSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006780#endif
6781 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006782 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006783 }
6784}
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02006785#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006786
Hanno Becker7e5437a2017-04-28 17:15:26 +01006787#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01006788 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01006789
6790/* Find an entry in a signature-hash set matching a given hash algorithm. */
6791mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
6792 mbedtls_pk_type_t sig_alg )
6793{
6794 switch( sig_alg )
6795 {
6796 case MBEDTLS_PK_RSA:
6797 return( set->rsa );
6798 case MBEDTLS_PK_ECDSA:
6799 return( set->ecdsa );
6800 default:
6801 return( MBEDTLS_MD_NONE );
6802 }
6803}
6804
6805/* Add a signature-hash-pair to a signature-hash set */
6806void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
6807 mbedtls_pk_type_t sig_alg,
6808 mbedtls_md_type_t md_alg )
6809{
6810 switch( sig_alg )
6811 {
6812 case MBEDTLS_PK_RSA:
6813 if( set->rsa == MBEDTLS_MD_NONE )
6814 set->rsa = md_alg;
6815 break;
6816
6817 case MBEDTLS_PK_ECDSA:
6818 if( set->ecdsa == MBEDTLS_MD_NONE )
6819 set->ecdsa = md_alg;
6820 break;
6821
6822 default:
6823 break;
6824 }
6825}
6826
6827/* Allow exactly one hash algorithm for each signature. */
6828void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
6829 mbedtls_md_type_t md_alg )
6830{
6831 set->rsa = md_alg;
6832 set->ecdsa = md_alg;
6833}
6834
6835#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
Gilles Peskineeccd8882020-03-10 12:19:08 +01006836 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +01006837
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02006838/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006839 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02006840 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006841mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006842{
6843 switch( hash )
6844 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006845#if defined(MBEDTLS_MD5_C)
6846 case MBEDTLS_SSL_HASH_MD5:
6847 return( MBEDTLS_MD_MD5 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006848#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006849#if defined(MBEDTLS_SHA1_C)
6850 case MBEDTLS_SSL_HASH_SHA1:
6851 return( MBEDTLS_MD_SHA1 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006852#endif
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006853#if defined(MBEDTLS_SHA224_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006854 case MBEDTLS_SSL_HASH_SHA224:
6855 return( MBEDTLS_MD_SHA224 );
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006856#endif
6857#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006858 case MBEDTLS_SSL_HASH_SHA256:
6859 return( MBEDTLS_MD_SHA256 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006860#endif
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006861#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006862 case MBEDTLS_SSL_HASH_SHA384:
6863 return( MBEDTLS_MD_SHA384 );
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006864#endif
6865#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006866 case MBEDTLS_SSL_HASH_SHA512:
6867 return( MBEDTLS_MD_SHA512 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006868#endif
6869 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006870 return( MBEDTLS_MD_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006871 }
6872}
6873
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006874/*
6875 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6876 */
6877unsigned char mbedtls_ssl_hash_from_md_alg( int md )
6878{
6879 switch( md )
6880 {
6881#if defined(MBEDTLS_MD5_C)
6882 case MBEDTLS_MD_MD5:
6883 return( MBEDTLS_SSL_HASH_MD5 );
6884#endif
6885#if defined(MBEDTLS_SHA1_C)
6886 case MBEDTLS_MD_SHA1:
6887 return( MBEDTLS_SSL_HASH_SHA1 );
6888#endif
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006889#if defined(MBEDTLS_SHA224_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006890 case MBEDTLS_MD_SHA224:
6891 return( MBEDTLS_SSL_HASH_SHA224 );
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006892#endif
6893#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006894 case MBEDTLS_MD_SHA256:
6895 return( MBEDTLS_SSL_HASH_SHA256 );
6896#endif
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006897#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006898 case MBEDTLS_MD_SHA384:
6899 return( MBEDTLS_SSL_HASH_SHA384 );
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006900#endif
6901#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006902 case MBEDTLS_MD_SHA512:
6903 return( MBEDTLS_SSL_HASH_SHA512 );
6904#endif
6905 default:
6906 return( MBEDTLS_SSL_HASH_NONE );
6907 }
6908}
6909
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006910#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006911/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006912 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006913 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006914 */
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006915int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006916{
Brett Warrene0edc842021-08-17 09:53:13 +01006917 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006918
Brett Warrene0edc842021-08-17 09:53:13 +01006919 if( group_list == NULL )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006920 return( -1 );
Brett Warrene0edc842021-08-17 09:53:13 +01006921 uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006922
Brett Warrene0edc842021-08-17 09:53:13 +01006923 for( ; *group_list != 0; group_list++ )
6924 {
6925 if( *group_list == tls_id )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006926 return( 0 );
Brett Warrene0edc842021-08-17 09:53:13 +01006927 }
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006928
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006929 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006930}
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006931#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006932
Gilles Peskineeccd8882020-03-10 12:19:08 +01006933#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006934/*
6935 * Check if a hash proposed by the peer is in our list.
6936 * Return 0 if we're willing to use it, -1 otherwise.
6937 */
6938int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
6939 mbedtls_md_type_t md )
6940{
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006941
Jerry Yu6106fdc2022-01-12 16:36:14 +08006942 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
Jerry Yu1abd1bc2021-12-21 21:27:48 +08006943 if( sig_alg == NULL )
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006944 return( -1 );
6945
Jerry Yu1abd1bc2021-12-21 21:27:48 +08006946 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
6947 {
6948 mbedtls_md_type_t hash = mbedtls_ssl_md_alg_from_hash(
6949 ( *sig_alg >> 8 ) & 0xff );
6950 if( hash == md )
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006951 return( 0 );
Jerry Yu1abd1bc2021-12-21 21:27:48 +08006952 }
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006953
6954 return( -1 );
6955}
Gilles Peskineeccd8882020-03-10 12:19:08 +01006956#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006958#if defined(MBEDTLS_X509_CRT_PARSE_C)
6959int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
6960 const mbedtls_ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006961 int cert_endpoint,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02006962 uint32_t *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006963{
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006964 int ret = 0;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006965 int usage = 0;
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006966 const char *ext_oid;
6967 size_t ext_len;
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006968
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006969 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006970 {
6971 /* Server part of the key exchange */
6972 switch( ciphersuite->key_exchange )
6973 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006974 case MBEDTLS_KEY_EXCHANGE_RSA:
6975 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006976 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006977 break;
6978
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006979 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
6980 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
6981 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
6982 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006983 break;
6984
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006985 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
6986 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006987 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006988 break;
6989
6990 /* Don't use default: we want warnings when adding new values */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006991 case MBEDTLS_KEY_EXCHANGE_NONE:
6992 case MBEDTLS_KEY_EXCHANGE_PSK:
6993 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
6994 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +02006995 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006996 usage = 0;
6997 }
6998 }
6999 else
7000 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007001 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
7002 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02007003 }
7004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007005 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01007006 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01007007 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01007008 ret = -1;
7009 }
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02007010
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007011 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02007012 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007013 ext_oid = MBEDTLS_OID_SERVER_AUTH;
7014 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02007015 }
7016 else
7017 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007018 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
7019 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02007020 }
7021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007022 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01007023 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01007024 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01007025 ret = -1;
7026 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02007027
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01007028 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02007029}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007030#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +02007031
Simon Butcher99000142016-10-13 17:21:01 +01007032int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
7033{
7034#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
7035 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Becker541af852021-05-14 16:49:01 +01007036 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01007037
7038 switch( md )
7039 {
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02007040#if defined(MBEDTLS_SHA384_C)
Simon Butcher99000142016-10-13 17:21:01 +01007041 case MBEDTLS_SSL_HASH_SHA384:
7042 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
7043 break;
7044#endif
7045#if defined(MBEDTLS_SHA256_C)
7046 case MBEDTLS_SSL_HASH_SHA256:
7047 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
7048 break;
7049#endif
7050 default:
Hanno Becker541af852021-05-14 16:49:01 +01007051 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01007052 }
7053
7054 return 0;
7055#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
7056 (void) ssl;
7057 (void) md;
7058
Hanno Becker541af852021-05-14 16:49:01 +01007059 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01007060#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
7061}
7062
TRodziewicz0f82ec62021-05-12 17:49:18 +02007063#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007064
7065#if defined(MBEDTLS_USE_PSA_CRYPTO)
7066int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
7067 unsigned char *hash, size_t *hashlen,
7068 unsigned char *data, size_t data_len,
7069 mbedtls_md_type_t md_alg )
7070{
Andrzej Kurek814feff2019-01-14 04:35:19 -05007071 psa_status_t status;
Jaeden Amero34973232019-02-20 10:32:28 +00007072 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007073 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
7074
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01007075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -05007076
7077 if( ( status = psa_hash_setup( &hash_operation,
7078 hash_alg ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007079 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05007080 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007081 goto exit;
7082 }
7083
Andrzej Kurek814feff2019-01-14 04:35:19 -05007084 if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
7085 64 ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007086 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05007087 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007088 goto exit;
7089 }
7090
Andrzej Kurek814feff2019-01-14 04:35:19 -05007091 if( ( status = psa_hash_update( &hash_operation,
7092 data, data_len ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007093 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05007094 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007095 goto exit;
7096 }
7097
Ronald Cron69a63422021-10-18 09:47:58 +02007098 if( ( status = psa_hash_finish( &hash_operation, hash, PSA_HASH_MAX_SIZE,
Andrzej Kurek814feff2019-01-14 04:35:19 -05007099 hashlen ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007100 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05007101 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007102 goto exit;
7103 }
7104
7105exit:
Andrzej Kurek814feff2019-01-14 04:35:19 -05007106 if( status != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007107 {
7108 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7109 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Andrzej Kurek814feff2019-01-14 04:35:19 -05007110 switch( status )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007111 {
7112 case PSA_ERROR_NOT_SUPPORTED:
7113 return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
Andrzej Kurek814feff2019-01-14 04:35:19 -05007114 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007115 case PSA_ERROR_BUFFER_TOO_SMALL:
7116 return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
7117 case PSA_ERROR_INSUFFICIENT_MEMORY:
7118 return( MBEDTLS_ERR_MD_ALLOC_FAILED );
7119 default:
TRodziewiczb579ccd2021-04-13 14:28:28 +02007120 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007121 }
7122 }
7123 return( 0 );
7124}
7125
7126#else
7127
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01007128int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02007129 unsigned char *hash, size_t *hashlen,
7130 unsigned char *data, size_t data_len,
7131 mbedtls_md_type_t md_alg )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01007132{
7133 int ret = 0;
7134 mbedtls_md_context_t ctx;
7135 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
Gilles Peskineca1d7422018-04-24 11:53:22 +02007136 *hashlen = mbedtls_md_get_size( md_info );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01007137
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01007138 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -05007139
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01007140 mbedtls_md_init( &ctx );
7141
7142 /*
7143 * digitally-signed struct {
7144 * opaque client_random[32];
7145 * opaque server_random[32];
7146 * ServerDHParams params;
7147 * };
7148 */
7149 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
7150 {
7151 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
7152 goto exit;
7153 }
7154 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
7155 {
7156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
7157 goto exit;
7158 }
7159 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
7160 {
7161 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
7162 goto exit;
7163 }
7164 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
7165 {
7166 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
7167 goto exit;
7168 }
Gilles Peskineca1d7422018-04-24 11:53:22 +02007169 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01007170 {
7171 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
7172 goto exit;
7173 }
7174
7175exit:
7176 mbedtls_md_free( &ctx );
7177
7178 if( ret != 0 )
7179 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7180 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
7181
7182 return( ret );
7183}
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05007184#endif /* MBEDTLS_USE_PSA_CRYPTO */
7185
TRodziewicz0f82ec62021-05-12 17:49:18 +02007186#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01007187
Jerry Yu148165c2021-09-24 23:20:59 +08007188#if defined(MBEDTLS_USE_PSA_CRYPTO)
7189int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
7190 const mbedtls_md_type_t md,
7191 unsigned char *dst,
7192 size_t dst_len,
7193 size_t *olen )
7194{
7195 ((void) ssl);
7196 ((void) md);
7197 ((void) dst);
7198 ((void) dst_len);
7199 *olen = 0;
7200 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
7201}
7202#else /* MBEDTLS_USE_PSA_CRYPTO */
7203
Jerry Yu24c0ec32021-09-09 14:21:07 +08007204#if defined(MBEDTLS_SHA384_C)
Jerry Yu000f9762021-09-14 11:12:51 +08007205static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl,
7206 unsigned char *dst,
7207 size_t dst_len,
7208 size_t *olen )
Jerry Yu24c0ec32021-09-09 14:21:07 +08007209{
Jerry Yu24c0ec32021-09-09 14:21:07 +08007210 int ret;
7211 mbedtls_sha512_context sha512;
7212
7213 if( dst_len < 48 )
7214 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7215
7216 mbedtls_sha512_init( &sha512 );
7217 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
7218
7219 if( ( ret = mbedtls_sha512_finish( &sha512, dst ) ) != 0 )
7220 {
7221 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha512_finish", ret );
7222 goto exit;
7223 }
7224
7225 *olen = 48;
7226
7227exit:
7228
7229 mbedtls_sha512_free( &sha512 );
7230 return( ret );
Jerry Yu24c0ec32021-09-09 14:21:07 +08007231}
7232#endif /* MBEDTLS_SHA384_C */
7233
7234#if defined(MBEDTLS_SHA256_C)
Jerry Yu000f9762021-09-14 11:12:51 +08007235static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl,
7236 unsigned char *dst,
7237 size_t dst_len,
7238 size_t *olen )
Jerry Yu24c0ec32021-09-09 14:21:07 +08007239{
Jerry Yu24c0ec32021-09-09 14:21:07 +08007240 int ret;
7241 mbedtls_sha256_context sha256;
7242
7243 if( dst_len < 32 )
7244 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7245
7246 mbedtls_sha256_init( &sha256 );
7247 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
7248
7249 if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 )
7250 {
7251 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret );
7252 goto exit;
7253 }
7254
7255 *olen = 32;
7256
7257exit:
7258
7259 mbedtls_sha256_free( &sha256 );
7260 return( ret );
Jerry Yu24c0ec32021-09-09 14:21:07 +08007261}
7262#endif /* MBEDTLS_SHA256_C */
7263
Jerry Yu000f9762021-09-14 11:12:51 +08007264int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
7265 const mbedtls_md_type_t md,
7266 unsigned char *dst,
7267 size_t dst_len,
7268 size_t *olen )
Jerry Yu24c0ec32021-09-09 14:21:07 +08007269{
Jerry Yuc1ddeef2021-10-08 15:14:45 +08007270 switch( md )
7271 {
7272
Jerry Yu24c0ec32021-09-09 14:21:07 +08007273#if defined(MBEDTLS_SHA384_C)
Jerry Yuc1ddeef2021-10-08 15:14:45 +08007274 case MBEDTLS_MD_SHA384:
Jerry Yu000f9762021-09-14 11:12:51 +08007275 return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) );
Jerry Yuc1ddeef2021-10-08 15:14:45 +08007276#endif /* MBEDTLS_SHA384_C */
7277
Jerry Yu24c0ec32021-09-09 14:21:07 +08007278#if defined(MBEDTLS_SHA256_C)
Jerry Yuc1ddeef2021-10-08 15:14:45 +08007279 case MBEDTLS_MD_SHA256:
Jerry Yu000f9762021-09-14 11:12:51 +08007280 return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) );
Jerry Yu24c0ec32021-09-09 14:21:07 +08007281#endif /* MBEDTLS_SHA256_C */
Jerry Yuc1ddeef2021-10-08 15:14:45 +08007282
7283 default:
7284 break;
7285 }
Jerry Yu24c0ec32021-09-09 14:21:07 +08007286 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7287}
Jerry Yu148165c2021-09-24 23:20:59 +08007288#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Jerry Yu24c0ec32021-09-09 14:21:07 +08007289
Jerry Yu1ea9d102021-12-21 13:41:49 +08007290#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
7291 defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
7292 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yuba073422021-12-20 22:22:15 +08007293/*
Jerry Yub925f212022-01-12 11:17:02 +08007294 * Function for writing a supported groups (TLS 1.3) or supported elliptic
7295 * curves (TLS 1.2) extension.
Jerry Yuba073422021-12-20 22:22:15 +08007296 *
Jerry Yub925f212022-01-12 11:17:02 +08007297 * The "extension_data" field of a supported groups extension contains a
7298 * "NamedGroupList" value (TLS 1.3 RFC8446):
Jerry Yuba073422021-12-20 22:22:15 +08007299 * enum {
7300 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
7301 * x25519(0x001D), x448(0x001E),
7302 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
7303 * ffdhe6144(0x0103), ffdhe8192(0x0104),
7304 * ffdhe_private_use(0x01FC..0x01FF),
7305 * ecdhe_private_use(0xFE00..0xFEFF),
7306 * (0xFFFF)
7307 * } NamedGroup;
7308 * struct {
7309 * NamedGroup named_group_list<2..2^16-1>;
7310 * } NamedGroupList;
Jerry Yub925f212022-01-12 11:17:02 +08007311 *
7312 * The "extension_data" field of a supported elliptic curves extension contains
7313 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
Jerry Yu63282b42022-01-11 15:43:53 +08007314 * enum {
7315 * deprecated(1..22),
7316 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
7317 * x25519(29), x448(30),
7318 * reserved (0xFE00..0xFEFF),
7319 * deprecated(0xFF01..0xFF02),
7320 * (0xFFFF)
7321 * } NamedCurve;
7322 * struct {
7323 * NamedCurve named_curve_list<2..2^16-1>
7324 * } NamedCurveList;
7325 *
Jerry Yub925f212022-01-12 11:17:02 +08007326 * The TLS 1.3 supported groups extension was defined to be a compatible
7327 * generalization of the TLS 1.2 supported elliptic curves extension. They both
7328 * share the same extension identifier.
Jerry Yu63282b42022-01-11 15:43:53 +08007329 *
Jerry Yub925f212022-01-12 11:17:02 +08007330 * DHE groups are not supported yet.
Jerry Yuba073422021-12-20 22:22:15 +08007331 */
Jerry Yuba073422021-12-20 22:22:15 +08007332int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
7333 unsigned char *buf,
Jerry Yu17532612021-12-20 22:32:09 +08007334 const unsigned char *end,
Jerry Yuba073422021-12-20 22:22:15 +08007335 size_t *out_len )
7336{
7337 unsigned char *p = buf ;
7338 unsigned char *named_group_list; /* Start of named_group_list */
7339 size_t named_group_list_len; /* Length of named_group_list */
7340 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
7341
7342 *out_len = 0;
Jerry Yuf46b0162022-01-11 16:28:00 +08007343
Jerry Yuba073422021-12-20 22:22:15 +08007344 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) );
7345
7346 /* Check if we have space for header and length fields:
7347 * - extension_type (2 bytes)
7348 * - extension_data_length (2 bytes)
7349 * - named_group_list_length (2 bytes)
7350 */
7351 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
7352 p += 6;
7353
7354 named_group_list = p;
7355
7356 if( group_list == NULL )
7357 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
7358
Jerry Yu1510cea2022-01-12 10:56:49 +08007359 for( ; *group_list != 0; group_list++ )
Jerry Yuba073422021-12-20 22:22:15 +08007360 {
Jerry Yu1510cea2022-01-12 10:56:49 +08007361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got supported group(%04x)", *group_list ) );
Jerry Yu63282b42022-01-11 15:43:53 +08007362
Jerry Yu1ea9d102021-12-21 13:41:49 +08007363#if defined(MBEDTLS_ECP_C)
Jerry Yu1510cea2022-01-12 10:56:49 +08007364 if( ( mbedtls_ssl_conf_is_tls13_enabled( ssl->conf ) &&
Jerry Yu3ad14ac2022-01-11 17:13:16 +08007365 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) ) ||
Jerry Yu1510cea2022-01-12 10:56:49 +08007366 ( mbedtls_ssl_conf_is_tls12_enabled( ssl->conf ) &&
Jerry Yu3ad14ac2022-01-11 17:13:16 +08007367 mbedtls_ssl_tls12_named_group_is_ecdhe( *group_list ) ) )
Jerry Yuba073422021-12-20 22:22:15 +08007368 {
Jerry Yu3ad14ac2022-01-11 17:13:16 +08007369 const mbedtls_ecp_curve_info *curve_info;
7370 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
Jerry Yub925f212022-01-12 11:17:02 +08007371 if( curve_info == NULL )
Jerry Yu3ad14ac2022-01-11 17:13:16 +08007372 continue;
Jerry Yub925f212022-01-12 11:17:02 +08007373 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
7374 MBEDTLS_PUT_UINT16_BE( *group_list, p, 0 );
7375 p += 2;
7376 MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup: %s ( %x )",
7377 curve_info->name, *group_list ) );
Jerry Yuba073422021-12-20 22:22:15 +08007378 }
Jerry Yu63282b42022-01-11 15:43:53 +08007379#endif /* MBEDTLS_ECP_C */
7380 /* Add DHE groups here */
Jerry Yuba073422021-12-20 22:22:15 +08007381
7382 }
7383
Jerry Yu1510cea2022-01-12 10:56:49 +08007384 /* Length of named_group_list */
Jerry Yuba073422021-12-20 22:22:15 +08007385 named_group_list_len = p - named_group_list;
7386 if( named_group_list_len == 0 )
7387 {
7388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No group available." ) );
7389 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7390 }
7391
7392 /* Write extension_type */
7393 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0 );
7394 /* Write extension_data_length */
7395 MBEDTLS_PUT_UINT16_BE( named_group_list_len + 2, buf, 2 );
7396 /* Write length of named_group_list */
7397 MBEDTLS_PUT_UINT16_BE( named_group_list_len, buf, 4 );
7398
Jerry Yu7f029d82022-01-11 11:08:53 +08007399 MBEDTLS_SSL_DEBUG_BUF( 3, "Supported groups extension",
7400 buf + 4, named_group_list_len + 2 );
Jerry Yuba073422021-12-20 22:22:15 +08007401
7402 *out_len = p - buf;
7403
7404#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
7405 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
7406#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
7407
7408 return( 0 );
7409}
7410
Jerry Yu1ea9d102021-12-21 13:41:49 +08007411#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED ||
7412 MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
7413 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Jerry Yuba073422021-12-20 22:22:15 +08007414
Jerry Yuf017ee42022-01-12 15:49:48 +08007415#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
7416/*
7417 * mbedtls_ssl_tls13_write_sig_alg_ext( )
7418 *
7419 * enum {
7420 * ....
7421 * ecdsa_secp256r1_sha256( 0x0403 ),
7422 * ecdsa_secp384r1_sha384( 0x0503 ),
7423 * ecdsa_secp521r1_sha512( 0x0603 ),
7424 * ....
7425 * } SignatureScheme;
7426 *
7427 * struct {
7428 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
7429 * } SignatureSchemeList;
7430 *
7431 * Only if we handle at least one key exchange that needs signatures.
7432 */
7433int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
7434 const unsigned char *end, size_t *out_len )
7435{
7436 unsigned char *p = buf;
7437 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
7438 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
7439
7440 *out_len = 0;
7441
7442 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
7443
7444 /* Check if we have space for header and length field:
7445 * - extension_type (2 bytes)
7446 * - extension_data_length (2 bytes)
7447 * - supported_signature_algorithms_length (2 bytes)
7448 */
7449 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
7450 p += 6;
7451
7452 /*
7453 * Write supported_signature_algorithms
7454 */
7455 supported_sig_alg = p;
Jerry Yu6106fdc2022-01-12 16:36:14 +08007456 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
7457 if( sig_alg == NULL )
7458 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
7459
7460 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
Jerry Yuf017ee42022-01-12 15:49:48 +08007461 {
7462 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
7463 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
7464 p += 2;
7465 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
7466 }
7467
7468 /* Length of supported_signature_algorithms */
7469 supported_sig_alg_len = p - supported_sig_alg;
7470 if( supported_sig_alg_len == 0 )
7471 {
7472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
7473 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7474 }
7475
7476 /* Write extension_type */
7477 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
7478 /* Write extension_data_length */
7479 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
7480 /* Write length of supported_signature_algorithms */
7481 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
7482
7483 /* Output the total length of signature algorithms extension. */
7484 *out_len = p - buf;
7485
7486#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
7487 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
7488#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
7489 return( 0 );
7490}
7491#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02007493#endif /* MBEDTLS_SSL_TLS_C */