blob: 2a759832bfff05b18bee3ead9fcbcd1b0a6dfa1a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002 * TLS shared functions
Paul Bakker5121ce52009-01-03 21:22:43 +00003 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +00005 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +00006 */
7/*
Paul Bakker5121ce52009-01-03 21:22:43 +00008 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
Harry Ramsey0f6bc412024-10-04 10:36:54 +010012#include "ssl_misc.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000013
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020014#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000015
SimonBd5800b72016-04-26 07:43:27 +010016#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +010017
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000018#include "mbedtls/ssl.h"
Ronald Cron9f0fba32022-02-10 16:45:15 +010019#include "ssl_client.h"
Ronald Cron27c85e72022-03-08 11:37:55 +010020#include "ssl_debug_helpers.h"
Andrzej Kurek25f27152022-08-17 16:09:31 -040021
Valerio Settib4f50762024-01-17 10:24:52 +010022#include "debug_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +000023#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050024#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +010025#include "mbedtls/version.h"
Gabor Mezei765862c2021-10-19 12:22:25 +020026#include "mbedtls/constant_time.h"
Paul Bakker0be444a2013-08-27 21:55:01 +020027
Rich Evans00ab4702015-02-06 13:43:58 +000028#include <string.h>
29
Valerio Setti384fbde2024-01-02 13:26:40 +010030#include "mbedtls/psa_util.h"
Manuel Pégourié-Gonnard02b10d82023-03-28 12:33:20 +020031#include "md_psa.h"
Manuel Pégourié-Gonnard2be8c632023-06-07 13:07:21 +020032#include "psa_util_internal.h"
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050033#include "psa/crypto.h"
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050034
Janos Follath23bdca02016-10-07 14:47:14 +010035#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000036#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020037#endif
38
Andrzej Kurek00644842023-05-30 05:45:00 -040039/* Define local translating functions to save code size by not using too many
40 * arguments in each translating place. */
41static int local_err_translation(psa_status_t status)
42{
43 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -040044 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -040045 psa_generic_status_to_mbedtls);
46}
47#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -050048
Ronald Cronad8c17b2022-06-10 17:18:09 +020049#if defined(MBEDTLS_TEST_HOOKS)
50static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
51
52void mbedtls_ssl_set_chk_buf_ptr_fail_args(
Gilles Peskine449bd832023-01-11 14:50:10 +010053 const uint8_t *cur, const uint8_t *end, size_t need)
Ronald Cronad8c17b2022-06-10 17:18:09 +020054{
55 chk_buf_ptr_fail_args.cur = cur;
56 chk_buf_ptr_fail_args.end = end;
57 chk_buf_ptr_fail_args.need = need;
58}
59
Gilles Peskine449bd832023-01-11 14:50:10 +010060void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
Ronald Cronad8c17b2022-06-10 17:18:09 +020061{
Gilles Peskine449bd832023-01-11 14:50:10 +010062 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
Ronald Cronad8c17b2022-06-10 17:18:09 +020063}
64
Gilles Peskine449bd832023-01-11 14:50:10 +010065int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
Ronald Cronad8c17b2022-06-10 17:18:09 +020066{
Gilles Peskine449bd832023-01-11 14:50:10 +010067 return (chk_buf_ptr_fail_args.cur != args->cur) ||
68 (chk_buf_ptr_fail_args.end != args->end) ||
69 (chk_buf_ptr_fail_args.need != args->need);
Ronald Cronad8c17b2022-06-10 17:18:09 +020070}
71#endif /* MBEDTLS_TEST_HOOKS */
72
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020073#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +010074
Hanno Beckera0e20d02019-05-15 14:03:01 +010075#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf8542cf2019-04-09 15:22:03 +010076/* Top-level Connection ID API */
77
Gilles Peskine449bd832023-01-11 14:50:10 +010078int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
79 size_t len,
80 int ignore_other_cid)
Hanno Beckerad4a1372019-05-03 13:06:44 +010081{
Gilles Peskine449bd832023-01-11 14:50:10 +010082 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
83 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
84 }
Hanno Beckerad4a1372019-05-03 13:06:44 +010085
Gilles Peskine449bd832023-01-11 14:50:10 +010086 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
87 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
88 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Becker611ac772019-05-14 11:45:26 +010089 }
90
91 conf->ignore_unexpected_cid = ignore_other_cid;
Hanno Beckerad4a1372019-05-03 13:06:44 +010092 conf->cid_len = len;
Gilles Peskine449bd832023-01-11 14:50:10 +010093 return 0;
Hanno Beckerad4a1372019-05-03 13:06:44 +010094}
95
Gilles Peskine449bd832023-01-11 14:50:10 +010096int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
97 int enable,
98 unsigned char const *own_cid,
99 size_t own_cid_len)
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100100{
Gilles Peskine449bd832023-01-11 14:50:10 +0100101 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
102 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
103 }
Hanno Becker76a79ab2019-05-03 14:38:32 +0100104
Hanno Beckerca092242019-04-25 16:01:49 +0100105 ssl->negotiate_cid = enable;
Gilles Peskine449bd832023-01-11 14:50:10 +0100106 if (enable == MBEDTLS_SSL_CID_DISABLED) {
107 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
108 return 0;
Hanno Beckerca092242019-04-25 16:01:49 +0100109 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100110 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
111 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
Hanno Beckerca092242019-04-25 16:01:49 +0100112
Gilles Peskine449bd832023-01-11 14:50:10 +0100113 if (own_cid_len != ssl->conf->cid_len) {
114 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
115 (unsigned) own_cid_len,
116 (unsigned) ssl->conf->cid_len));
117 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckerca092242019-04-25 16:01:49 +0100118 }
119
Gilles Peskine449bd832023-01-11 14:50:10 +0100120 memcpy(ssl->own_cid, own_cid, own_cid_len);
Hanno Beckerb7ee0cf2019-04-30 14:07:31 +0100121 /* Truncation is not an issue here because
122 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
123 ssl->own_cid_len = (uint8_t) own_cid_len;
Hanno Beckerca092242019-04-25 16:01:49 +0100124
Gilles Peskine449bd832023-01-11 14:50:10 +0100125 return 0;
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100126}
127
Gilles Peskine449bd832023-01-11 14:50:10 +0100128int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
129 int *enabled,
Sam Berry3504c882024-06-11 14:34:17 +0100130 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
Gilles Peskine449bd832023-01-11 14:50:10 +0100131 size_t *own_cid_len)
Paul Elliott0113cf12022-03-11 20:26:47 +0000132{
133 *enabled = MBEDTLS_SSL_CID_DISABLED;
134
Gilles Peskine449bd832023-01-11 14:50:10 +0100135 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
136 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
137 }
Paul Elliott0113cf12022-03-11 20:26:47 +0000138
139 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
140 * zero as this is indistinguishable from not requesting to use
141 * the CID extension. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100142 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
143 return 0;
144 }
Paul Elliott0113cf12022-03-11 20:26:47 +0000145
Gilles Peskine449bd832023-01-11 14:50:10 +0100146 if (own_cid_len != NULL) {
Paul Elliott0113cf12022-03-11 20:26:47 +0000147 *own_cid_len = ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100148 if (own_cid != NULL) {
149 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
150 }
Paul Elliott0113cf12022-03-11 20:26:47 +0000151 }
152
153 *enabled = MBEDTLS_SSL_CID_ENABLED;
154
Gilles Peskine449bd832023-01-11 14:50:10 +0100155 return 0;
Paul Elliott0113cf12022-03-11 20:26:47 +0000156}
157
Gilles Peskine449bd832023-01-11 14:50:10 +0100158int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
159 int *enabled,
160 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
161 size_t *peer_cid_len)
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100162{
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100163 *enabled = MBEDTLS_SSL_CID_DISABLED;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100164
Gilles Peskine449bd832023-01-11 14:50:10 +0100165 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
166 mbedtls_ssl_is_handshake_over(ssl) == 0) {
167 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Becker76a79ab2019-05-03 14:38:32 +0100168 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100169
Hanno Beckerc5f24222019-05-03 12:54:52 +0100170 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
171 * were used, but client and server requested the empty CID.
172 * This is indistinguishable from not using the CID extension
173 * in the first place. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100174 if (ssl->transform_in->in_cid_len == 0 &&
175 ssl->transform_in->out_cid_len == 0) {
176 return 0;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100177 }
178
Gilles Peskine449bd832023-01-11 14:50:10 +0100179 if (peer_cid_len != NULL) {
Hanno Becker615ef172019-05-22 16:50:35 +0100180 *peer_cid_len = ssl->transform_in->out_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100181 if (peer_cid != NULL) {
182 memcpy(peer_cid, ssl->transform_in->out_cid,
183 ssl->transform_in->out_cid_len);
Hanno Becker615ef172019-05-22 16:50:35 +0100184 }
185 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100186
187 *enabled = MBEDTLS_SSL_CID_ENABLED;
188
Gilles Peskine449bd832023-01-11 14:50:10 +0100189 return 0;
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100190}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100191#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100192
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200193#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200195#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200196/*
197 * Convert max_fragment_length codes to length.
198 * RFC 6066 says:
199 * enum{
200 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
201 * } MaxFragmentLength;
202 * and we add 0 -> extension unused
203 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100204static unsigned int ssl_mfl_code_to_length(int mfl)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200205{
Gilles Peskine449bd832023-01-11 14:50:10 +0100206 switch (mfl) {
207 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
208 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
209 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
210 return 512;
211 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
212 return 1024;
213 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
214 return 2048;
215 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
216 return 4096;
217 default:
218 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
Angus Grattond8213d02016-05-25 20:56:48 +1000219 }
220}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200221#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200222
Gilles Peskine449bd832023-01-11 14:50:10 +0100223int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
224 const mbedtls_ssl_session *src)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200225{
Gilles Peskine449bd832023-01-11 14:50:10 +0100226 mbedtls_ssl_session_free(dst);
227 memcpy(dst, src, sizeof(mbedtls_ssl_session));
吴敬辉0b716112021-11-29 10:46:35 +0800228#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
229 dst->ticket = NULL;
Xiaokang Qian87306442022-10-12 09:47:38 +0000230#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
231 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000232 dst->hostname = NULL;
吴敬辉0b716112021-11-29 10:46:35 +0800233#endif
Xiaokang Qian87306442022-10-12 09:47:38 +0000234#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
吴敬辉0b716112021-11-29 10:46:35 +0800235
Waleed Elmelegy4dfb0e72024-03-14 01:48:40 +0000236#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
237 defined(MBEDTLS_SSL_EARLY_DATA)
238 dst->ticket_alpn = NULL;
239#endif
240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200241#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000242
243#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100244 if (src->peer_cert != NULL) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000245 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200246
Gilles Peskine449bd832023-01-11 14:50:10 +0100247 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
248 if (dst->peer_cert == NULL) {
249 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
250 }
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200251
Gilles Peskine449bd832023-01-11 14:50:10 +0100252 mbedtls_x509_crt_init(dst->peer_cert);
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200253
Gilles Peskine449bd832023-01-11 14:50:10 +0100254 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
255 src->peer_cert->raw.len)) != 0) {
256 mbedtls_free(dst->peer_cert);
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200257 dst->peer_cert = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100258 return ret;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200259 }
260 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000261#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100262 if (src->peer_cert_digest != NULL) {
Hanno Becker9198ad12019-02-05 17:00:50 +0000263 dst->peer_cert_digest =
Gilles Peskine449bd832023-01-11 14:50:10 +0100264 mbedtls_calloc(1, src->peer_cert_digest_len);
265 if (dst->peer_cert_digest == NULL) {
266 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
267 }
Hanno Becker9198ad12019-02-05 17:00:50 +0000268
Gilles Peskine449bd832023-01-11 14:50:10 +0100269 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
270 src->peer_cert_digest_len);
Hanno Becker9198ad12019-02-05 17:00:50 +0000271 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000272 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000273 }
274#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200276#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200277
Waleed Elmelegy4dfb0e72024-03-14 01:48:40 +0000278#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
279 defined(MBEDTLS_SSL_EARLY_DATA)
280 {
281 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
282 if (ret != 0) {
283 return ret;
284 }
285 }
286#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
287
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200288#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100289 if (src->ticket != NULL) {
290 dst->ticket = mbedtls_calloc(1, src->ticket_len);
291 if (dst->ticket == NULL) {
292 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
293 }
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200294
Gilles Peskine449bd832023-01-11 14:50:10 +0100295 memcpy(dst->ticket, src->ticket, src->ticket_len);
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200296 }
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000297
298#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
299 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100300 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000301 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100302 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
303 if (ret != 0) {
304 return ret;
305 }
Xiaokang Qian126bf8e2022-10-13 02:22:40 +0000306 }
307#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
308 MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200309#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200310
Gilles Peskine449bd832023-01-11 14:50:10 +0100311 return 0;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200312}
313
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500314#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200315MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100316static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500317{
Gilles Peskine449bd832023-01-11 14:50:10 +0100318 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
319 if (resized_buffer == NULL) {
Yanray Wang365ee3e2023-11-22 10:28:28 +0800320 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100321 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500322
323 /* We want to copy len_new bytes when downsizing the buffer, and
324 * len_old bytes when upsizing, so we choose the smaller of two sizes,
325 * to fit one buffer into another. Size checks, ensuring that no data is
326 * lost, are done outside of this function. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100327 memcpy(resized_buffer, *buffer,
328 (len_new < *len_old) ? len_new : *len_old);
Tom Cosgroveca8c61b2023-07-17 15:17:40 +0100329 mbedtls_zeroize_and_free(*buffer, *len_old);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500330
331 *buffer = resized_buffer;
332 *len_old = len_new;
333
334 return 0;
335}
Andrzej Kurek4a063792020-10-21 15:08:44 +0200336
Gilles Peskine449bd832023-01-11 14:50:10 +0100337static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
338 size_t in_buf_new_len,
339 size_t out_buf_new_len)
Andrzej Kurek4a063792020-10-21 15:08:44 +0200340{
341 int modified = 0;
Deomid rojer Ryabkovac2cf1f2024-03-10 02:11:03 +0000342 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
Andrzej Kurek4a063792020-10-21 15:08:44 +0200343 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100344 if (ssl->in_buf != NULL) {
Andrzej Kurek4a063792020-10-21 15:08:44 +0200345 written_in = ssl->in_msg - ssl->in_buf;
346 iv_offset_in = ssl->in_iv - ssl->in_buf;
347 len_offset_in = ssl->in_len - ssl->in_buf;
Deomid rojer Ryabkovac2cf1f2024-03-10 02:11:03 +0000348 hdr_in = ssl->in_hdr - ssl->in_buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100349 if (downsizing ?
Andrzej Kurek4a063792020-10-21 15:08:44 +0200350 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
Gilles Peskine449bd832023-01-11 14:50:10 +0100351 ssl->in_buf_len < in_buf_new_len) {
352 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
353 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
354 } else {
355 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
356 in_buf_new_len));
Andrzej Kurek4a063792020-10-21 15:08:44 +0200357 modified = 1;
358 }
359 }
360 }
361
Gilles Peskine449bd832023-01-11 14:50:10 +0100362 if (ssl->out_buf != NULL) {
Andrzej Kurek4a063792020-10-21 15:08:44 +0200363 written_out = ssl->out_msg - ssl->out_buf;
364 iv_offset_out = ssl->out_iv - ssl->out_buf;
365 len_offset_out = ssl->out_len - ssl->out_buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100366 if (downsizing ?
Andrzej Kurek4a063792020-10-21 15:08:44 +0200367 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
Gilles Peskine449bd832023-01-11 14:50:10 +0100368 ssl->out_buf_len < out_buf_new_len) {
369 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
370 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
371 } else {
372 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
373 out_buf_new_len));
Andrzej Kurek4a063792020-10-21 15:08:44 +0200374 modified = 1;
375 }
376 }
377 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100378 if (modified) {
Andrzej Kurek4a063792020-10-21 15:08:44 +0200379 /* Update pointers here to avoid doing it twice. */
Deomid rojer Ryabkovac2cf1f2024-03-10 02:11:03 +0000380 ssl->in_hdr = ssl->in_buf + hdr_in;
381 mbedtls_ssl_update_in_pointers(ssl);
382 mbedtls_ssl_reset_out_pointers(ssl);
383
Andrzej Kurek4a063792020-10-21 15:08:44 +0200384 /* Fields below might not be properly updated with record
385 * splitting or with CID, so they are manually updated here. */
386 ssl->out_msg = ssl->out_buf + written_out;
387 ssl->out_len = ssl->out_buf + len_offset_out;
388 ssl->out_iv = ssl->out_buf + iv_offset_out;
389
390 ssl->in_msg = ssl->in_buf + written_in;
391 ssl->in_len = ssl->in_buf + len_offset_in;
392 ssl->in_iv = ssl->in_buf + iv_offset_in;
393 }
394}
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500395#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
396
Jerry Yudb8c48a2022-01-27 14:54:54 +0800397#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yued14c932022-02-17 13:40:45 +0800398
399#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100400typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
401 const char *label,
402 const unsigned char *random, size_t rlen,
403 unsigned char *dstbuf, size_t dlen);
Jerry Yued14c932022-02-17 13:40:45 +0800404
Gilles Peskine449bd832023-01-11 14:50:10 +0100405static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
Jerry Yued14c932022-02-17 13:40:45 +0800406
407#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
408
409/* Type for the TLS PRF */
410typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
411 const unsigned char *, size_t,
412 unsigned char *, size_t);
413
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200414MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100415static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
416 int ciphersuite,
417 const unsigned char master[48],
Neil Armstrongf2c82f02022-04-05 11:16:53 +0200418#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100419 int encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +0200420#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +0100421 ssl_tls_prf_t tls_prf,
422 const unsigned char randbytes[64],
423 mbedtls_ssl_protocol_version tls_version,
424 unsigned endpoint,
425 const mbedtls_ssl_context *ssl);
Jerry Yued14c932022-02-17 13:40:45 +0800426
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100427#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200428MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100429static int tls_prf_sha256(const unsigned char *secret, size_t slen,
Ron Eldor51d3ab52019-05-12 14:54:30 +0300430 const char *label,
431 const unsigned char *random, size_t rlen,
Gilles Peskine449bd832023-01-11 14:50:10 +0100432 unsigned char *dstbuf, size_t dlen);
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100433static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
434static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
Gilles Peskine449bd832023-01-11 14:50:10 +0100435
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100436#endif /* PSA_WANT_ALG_SHA_256*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100437
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100438#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +0100439MBEDTLS_CHECK_RETURN_CRITICAL
440static int tls_prf_sha384(const unsigned char *secret, size_t slen,
441 const char *label,
442 const unsigned char *random, size_t rlen,
443 unsigned char *dstbuf, size_t dlen);
444
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100445static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
446static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100447#endif /* PSA_WANT_ALG_SHA_384*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100448
Gilles Peskine449bd832023-01-11 14:50:10 +0100449MBEDTLS_CHECK_RETURN_CRITICAL
450static int ssl_tls12_session_load(mbedtls_ssl_session *session,
451 const unsigned char *buf,
452 size_t len);
453#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
454
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100455static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
Gilles Peskine449bd832023-01-11 14:50:10 +0100456
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100457#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100458static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100459#endif /* PSA_WANT_ALG_SHA_256*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100460
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100461#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100462static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100463#endif /* PSA_WANT_ALG_SHA_384*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100464
465int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
466 const unsigned char *secret, size_t slen,
467 const char *label,
468 const unsigned char *random, size_t rlen,
469 unsigned char *dstbuf, size_t dlen)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300470{
471 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
472
Gilles Peskine449bd832023-01-11 14:50:10 +0100473 switch (prf) {
Ron Eldord2f25f72019-05-15 14:54:22 +0300474#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100475#if defined(PSA_WANT_ALG_SHA_384)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300476 case MBEDTLS_SSL_TLS_PRF_SHA384:
477 tls_prf = tls_prf_sha384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100478 break;
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100479#endif /* PSA_WANT_ALG_SHA_384*/
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100480#if defined(PSA_WANT_ALG_SHA_256)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300481 case MBEDTLS_SSL_TLS_PRF_SHA256:
482 tls_prf = tls_prf_sha256;
Gilles Peskine449bd832023-01-11 14:50:10 +0100483 break;
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100484#endif /* PSA_WANT_ALG_SHA_256*/
Ron Eldord2f25f72019-05-15 14:54:22 +0300485#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100486 default:
487 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Ron Eldor51d3ab52019-05-12 14:54:30 +0300488 }
489
Gilles Peskine449bd832023-01-11 14:50:10 +0100490 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
Ron Eldor51d3ab52019-05-12 14:54:30 +0300491}
492
Jerry Yuc73c6182022-02-08 20:29:25 +0800493#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100494static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
Jerry Yuc73c6182022-02-08 20:29:25 +0800495{
496#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100497 if (session->peer_cert != NULL) {
498 mbedtls_x509_crt_free(session->peer_cert);
499 mbedtls_free(session->peer_cert);
Jerry Yuc73c6182022-02-08 20:29:25 +0800500 session->peer_cert = NULL;
501 }
502#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100503 if (session->peer_cert_digest != NULL) {
Jerry Yuc73c6182022-02-08 20:29:25 +0800504 /* Zeroization is not necessary. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100505 mbedtls_free(session->peer_cert_digest);
Jerry Yuc73c6182022-02-08 20:29:25 +0800506 session->peer_cert_digest = NULL;
507 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
508 session->peer_cert_digest_len = 0;
509 }
510#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
511}
512#endif /* MBEDTLS_X509_CRT_PARSE_C */
513
Gilles Peskine449bd832023-01-11 14:50:10 +0100514uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
Jerry Yu7a485c12022-10-31 13:08:18 +0800515{
Gilles Peskine449bd832023-01-11 14:50:10 +0100516 switch (extension_type) {
Jerry Yu7a485c12022-10-31 13:08:18 +0800517 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100518 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
Jerry Yu7a485c12022-10-31 13:08:18 +0800519
520 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100521 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
Jerry Yu7a485c12022-10-31 13:08:18 +0800522
523 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100524 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
Jerry Yu7a485c12022-10-31 13:08:18 +0800525
526 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100527 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800528
529 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100530 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
Jerry Yu7a485c12022-10-31 13:08:18 +0800531
532 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100533 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
Jerry Yu7a485c12022-10-31 13:08:18 +0800534
535 case MBEDTLS_TLS_EXT_HEARTBEAT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100536 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
Jerry Yu7a485c12022-10-31 13:08:18 +0800537
538 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100539 return MBEDTLS_SSL_EXT_ID_ALPN;
Jerry Yu7a485c12022-10-31 13:08:18 +0800540
541 case MBEDTLS_TLS_EXT_SCT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100542 return MBEDTLS_SSL_EXT_ID_SCT;
Jerry Yu7a485c12022-10-31 13:08:18 +0800543
544 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100545 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800546
547 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100548 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800549
550 case MBEDTLS_TLS_EXT_PADDING:
Gilles Peskine449bd832023-01-11 14:50:10 +0100551 return MBEDTLS_SSL_EXT_ID_PADDING;
Jerry Yu7a485c12022-10-31 13:08:18 +0800552
553 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100554 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
Jerry Yu7a485c12022-10-31 13:08:18 +0800555
556 case MBEDTLS_TLS_EXT_EARLY_DATA:
Gilles Peskine449bd832023-01-11 14:50:10 +0100557 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
Jerry Yu7a485c12022-10-31 13:08:18 +0800558
559 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100560 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800561
562 case MBEDTLS_TLS_EXT_COOKIE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100563 return MBEDTLS_SSL_EXT_ID_COOKIE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800564
565 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
Gilles Peskine449bd832023-01-11 14:50:10 +0100566 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
Jerry Yu7a485c12022-10-31 13:08:18 +0800567
568 case MBEDTLS_TLS_EXT_CERT_AUTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100569 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
Jerry Yu7a485c12022-10-31 13:08:18 +0800570
571 case MBEDTLS_TLS_EXT_OID_FILTERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100572 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800573
574 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100575 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
Jerry Yu7a485c12022-10-31 13:08:18 +0800576
577 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100578 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
Jerry Yu7a485c12022-10-31 13:08:18 +0800579
580 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100581 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
Jerry Yu7a485c12022-10-31 13:08:18 +0800582
583 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100584 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
Jerry Yu7a485c12022-10-31 13:08:18 +0800585
586 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100587 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
Jerry Yu7a485c12022-10-31 13:08:18 +0800588
589 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100590 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
Jerry Yu7a485c12022-10-31 13:08:18 +0800591
592 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100593 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
Jerry Yu7a485c12022-10-31 13:08:18 +0800594
Jan Bruckner151f6422023-02-10 12:45:19 +0100595 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
596 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
597
Jerry Yu7a485c12022-10-31 13:08:18 +0800598 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100599 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
Jerry Yu7a485c12022-10-31 13:08:18 +0800600
601 }
602
Gilles Peskine449bd832023-01-11 14:50:10 +0100603 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
Jerry Yu7a485c12022-10-31 13:08:18 +0800604}
605
Gilles Peskine449bd832023-01-11 14:50:10 +0100606uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
Jerry Yu7a485c12022-10-31 13:08:18 +0800607{
Gilles Peskine449bd832023-01-11 14:50:10 +0100608 return 1 << mbedtls_ssl_get_extension_id(extension_type);
Jerry Yu7a485c12022-10-31 13:08:18 +0800609}
610
Jerry Yud25cab02022-10-31 12:48:30 +0800611#if defined(MBEDTLS_DEBUG_C)
612static const char *extension_name_table[] = {
Jerry Yuea52ed92022-11-08 21:01:17 +0800613 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
Jerry Yud25cab02022-10-31 12:48:30 +0800614 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
615 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
616 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
617 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
618 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
619 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
620 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
621 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
622 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
623 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
624 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
625 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
626 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
627 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
628 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
629 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
630 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
631 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
632 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
633 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
634 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
635 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
636 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
637 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
638 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
639 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
Jan Bruckner151f6422023-02-10 12:45:19 +0100640 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
641 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
Jerry Yud25cab02022-10-31 12:48:30 +0800642};
643
Chien Wong4e9683e2023-12-28 17:07:43 +0800644static const unsigned int extension_type_table[] = {
Jerry Yud25cab02022-10-31 12:48:30 +0800645 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
646 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
647 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
648 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
649 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
650 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
651 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
652 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
653 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
654 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
655 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
656 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
657 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
658 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
659 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
660 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
661 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
662 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
663 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
664 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
665 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
666 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
667 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
668 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
669 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
670 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
671 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
Jan Bruckner151f6422023-02-10 12:45:19 +0100672 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
673 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
Jerry Yud25cab02022-10-31 12:48:30 +0800674};
675
Gilles Peskine449bd832023-01-11 14:50:10 +0100676const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
Jerry Yud25cab02022-10-31 12:48:30 +0800677{
Gilles Peskine449bd832023-01-11 14:50:10 +0100678 return extension_name_table[
679 mbedtls_ssl_get_extension_id(extension_type)];
Jerry Yud25cab02022-10-31 12:48:30 +0800680}
681
Gilles Peskine449bd832023-01-11 14:50:10 +0100682static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
Jerry Yud25cab02022-10-31 12:48:30 +0800683{
Gilles Peskine449bd832023-01-11 14:50:10 +0100684 switch (hs_msg_type) {
Jerry Yud25cab02022-10-31 12:48:30 +0800685 case MBEDTLS_SSL_HS_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100686 return "ClientHello";
Jerry Yud25cab02022-10-31 12:48:30 +0800687 case MBEDTLS_SSL_HS_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100688 return "ServerHello";
Jerry Yud25cab02022-10-31 12:48:30 +0800689 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100690 return "HelloRetryRequest";
Jerry Yud25cab02022-10-31 12:48:30 +0800691 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100692 return "NewSessionTicket";
Jerry Yud25cab02022-10-31 12:48:30 +0800693 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100694 return "EncryptedExtensions";
Jerry Yud25cab02022-10-31 12:48:30 +0800695 case MBEDTLS_SSL_HS_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100696 return "Certificate";
Jerry Yud25cab02022-10-31 12:48:30 +0800697 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100698 return "CertificateRequest";
Jerry Yud25cab02022-10-31 12:48:30 +0800699 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100700 return "Unknown";
Jerry Yud25cab02022-10-31 12:48:30 +0800701}
702
Gilles Peskine449bd832023-01-11 14:50:10 +0100703void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
704 int level, const char *file, int line,
705 int hs_msg_type, unsigned int extension_type,
706 const char *extra_msg0, const char *extra_msg1)
Jerry Yud25cab02022-10-31 12:48:30 +0800707{
708 const char *extra_msg;
Gilles Peskine449bd832023-01-11 14:50:10 +0100709 if (extra_msg0 && extra_msg1) {
Jerry Yud25cab02022-10-31 12:48:30 +0800710 mbedtls_debug_print_msg(
711 ssl, level, file, line,
712 "%s: %s(%u) extension %s %s.",
Gilles Peskine449bd832023-01-11 14:50:10 +0100713 ssl_tls13_get_hs_msg_name(hs_msg_type),
714 mbedtls_ssl_get_extension_name(extension_type),
Jerry Yud25cab02022-10-31 12:48:30 +0800715 extension_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100716 extra_msg0, extra_msg1);
Jerry Yud25cab02022-10-31 12:48:30 +0800717 return;
718 }
719
720 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100721 if (extra_msg) {
Jerry Yud25cab02022-10-31 12:48:30 +0800722 mbedtls_debug_print_msg(
723 ssl, level, file, line,
Gilles Peskine449bd832023-01-11 14:50:10 +0100724 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
725 mbedtls_ssl_get_extension_name(extension_type), extension_type,
726 extra_msg);
Jerry Yud25cab02022-10-31 12:48:30 +0800727 return;
728 }
729
730 mbedtls_debug_print_msg(
731 ssl, level, file, line,
Gilles Peskine449bd832023-01-11 14:50:10 +0100732 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
733 mbedtls_ssl_get_extension_name(extension_type), extension_type);
Jerry Yud25cab02022-10-31 12:48:30 +0800734}
735
Gilles Peskine449bd832023-01-11 14:50:10 +0100736void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
737 int level, const char *file, int line,
738 int hs_msg_type, uint32_t extensions_mask,
739 const char *extra)
Jerry Yud25cab02022-10-31 12:48:30 +0800740{
741
Gilles Peskine449bd832023-01-11 14:50:10 +0100742 for (unsigned i = 0;
743 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
744 i++) {
Jerry Yu79aa7212022-11-08 21:30:21 +0800745 mbedtls_ssl_print_extension(
Jerry Yuea52ed92022-11-08 21:01:17 +0800746 ssl, level, file, line, hs_msg_type, extension_type_table[i],
Gilles Peskine449bd832023-01-11 14:50:10 +0100747 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
Jerry Yud25cab02022-10-31 12:48:30 +0800748 }
749}
750
Pengyu Lvee455c02023-01-12 14:37:24 +0800751#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Pengyu Lvee455c02023-01-12 14:37:24 +0800752static const char *ticket_flag_name_table[] =
753{
754 [0] = "ALLOW_PSK_RESUMPTION",
755 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
756 [3] = "ALLOW_EARLY_DATA",
757};
758
Pengyu Lv4938a562023-01-16 11:28:49 +0800759void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
760 int level, const char *file, int line,
761 unsigned int flags)
Pengyu Lvee455c02023-01-12 14:37:24 +0800762{
763 size_t i;
764
765 mbedtls_debug_print_msg(ssl, level, file, line,
Pengyu Lv4938a562023-01-16 11:28:49 +0800766 "print ticket_flags (0x%02x)", flags);
767
768 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
Pengyu Lvee455c02023-01-12 14:37:24 +0800769
770 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
Pengyu Lv4938a562023-01-16 11:28:49 +0800771 if ((flags & (1 << i))) {
Pengyu Lvee455c02023-01-12 14:37:24 +0800772 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
773 ticket_flag_name_table[i]);
774 }
775 }
776}
777#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
778
Jerry Yud25cab02022-10-31 12:48:30 +0800779#endif /* MBEDTLS_DEBUG_C */
780
Gilles Peskine449bd832023-01-11 14:50:10 +0100781void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
782 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Jerry Yuc73c6182022-02-08 20:29:25 +0800783{
784 ((void) ciphersuite_info);
785
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100786#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +0100787 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Jerry Yuc73c6182022-02-08 20:29:25 +0800788 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100789 } else
Jerry Yuc73c6182022-02-08 20:29:25 +0800790#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100791#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +0100792 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
Jerry Yuc73c6182022-02-08 20:29:25 +0800793 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Gilles Peskine449bd832023-01-11 14:50:10 +0100794 } else
Jerry Yuc73c6182022-02-08 20:29:25 +0800795#endif
796 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100797 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Jerry Yuc73c6182022-02-08 20:29:25 +0800798 return;
799 }
800}
801
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100802int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100803 unsigned hs_type,
804 size_t total_hs_len)
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100805{
806 unsigned char hs_hdr[4];
807
808 /* Build HS header for checksum update. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100809 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
810 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
811 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
812 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100813
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100814 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100815}
816
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100817int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100818 unsigned hs_type,
819 unsigned char const *msg,
820 size_t msg_len)
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100821{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100822 int ret;
823 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100824 if (ret != 0) {
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100825 return ret;
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100826 }
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100827 return ssl->handshake->update_checksum(ssl, msg, msg_len);
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100828}
829
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100830int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
Jerry Yuc73c6182022-02-08 20:29:25 +0800831{
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100832#if defined(PSA_WANT_ALG_SHA_256) || \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100833 defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100834 psa_status_t status;
Manuel Pégourié-Gonnard626aaed2023-02-06 22:03:06 +0100835#else /* SHA-256 or SHA-384 */
Jerry Yuc73c6182022-02-08 20:29:25 +0800836 ((void) ssl);
Manuel Pégourié-Gonnard626aaed2023-02-06 22:03:06 +0100837#endif /* SHA-256 or SHA-384 */
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100838#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100839 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
840 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200841 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100842 }
843 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
844 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200845 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100846 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800847#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100848#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100849 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
850 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200851 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100852 }
853 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
854 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200855 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnardb72ff492023-02-06 09:54:49 +0100856 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800857#endif
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100858 return 0;
Jerry Yuc73c6182022-02-08 20:29:25 +0800859}
860
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100861static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100862 const unsigned char *buf, size_t len)
Jerry Yuc73c6182022-02-08 20:29:25 +0800863{
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100864#if defined(PSA_WANT_ALG_SHA_256) || \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100865 defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100866 psa_status_t status;
Manuel Pégourié-Gonnard626aaed2023-02-06 22:03:06 +0100867#else /* SHA-256 or SHA-384 */
868 ((void) ssl);
869 (void) buf;
870 (void) len;
871#endif /* SHA-256 or SHA-384 */
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100872#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100873 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
874 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200875 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100876 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800877#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100878#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100879 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
880 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200881 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnarddf949012023-02-06 10:00:52 +0100882 }
Jerry Yuc73c6182022-02-08 20:29:25 +0800883#endif
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100884 return 0;
Jerry Yuc73c6182022-02-08 20:29:25 +0800885}
886
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100887#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100888static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100889 const unsigned char *buf, size_t len)
Jerry Yuc73c6182022-02-08 20:29:25 +0800890{
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200891 return mbedtls_md_error_from_psa(psa_hash_update(
892 &ssl->handshake->fin_sha256_psa, buf, len));
Jerry Yuc73c6182022-02-08 20:29:25 +0800893}
894#endif
895
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100896#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +0100897static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard43cc1272023-02-06 11:48:19 +0100898 const unsigned char *buf, size_t len)
Jerry Yuc73c6182022-02-08 20:29:25 +0800899{
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +0200900 return mbedtls_md_error_from_psa(psa_hash_update(
901 &ssl->handshake->fin_sha384_psa, buf, len));
Jerry Yuc73c6182022-02-08 20:29:25 +0800902}
903#endif
904
Gilles Peskine449bd832023-01-11 14:50:10 +0100905static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200906{
Gilles Peskine449bd832023-01-11 14:50:10 +0100907 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200908
Elena Uziunaite0916cd72024-05-23 17:01:07 +0100909#if defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500910 handshake->fin_sha256_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500911#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +0100912#if defined(PSA_WANT_ALG_SHA_384)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500913 handshake->fin_sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500914#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200915
916 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +0100917
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200918#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200919 handshake->psa_pake_ctx = psa_pake_operation_init();
920 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200921#if defined(MBEDTLS_SSL_CLI_C)
922 handshake->ecjpake_cache = NULL;
923 handshake->ecjpake_cache_len = 0;
924#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200925#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200926
Gilles Peskineeccd8882020-03-10 12:19:08 +0100927#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100928 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200929#endif
930
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200931#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
932 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
933#endif
Hanno Becker75173122019-02-06 16:18:31 +0000934
935#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
936 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100937 mbedtls_pk_init(&handshake->peer_pubkey);
Hanno Becker75173122019-02-06 16:18:31 +0000938#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200939}
940
Gilles Peskine449bd832023-01-11 14:50:10 +0100941void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200942{
Gilles Peskine449bd832023-01-11 14:50:10 +0100943 memset(transform, 0, sizeof(mbedtls_ssl_transform));
Paul Bakker84bbeb52014-07-01 14:53:22 +0200944
Przemyslaw Stekiel8f80fb92022-01-11 08:28:13 +0100945 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
946 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
Przemyslaw Stekiel8f80fb92022-01-11 08:28:13 +0100947
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000948#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Neil Armstrong39b8e7d2022-02-23 09:24:45 +0100949 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
950 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongcf8841a2022-02-24 11:17:45 +0100951#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200952}
953
Gilles Peskine449bd832023-01-11 14:50:10 +0100954void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200955{
Gilles Peskine449bd832023-01-11 14:50:10 +0100956 memset(session, 0, sizeof(mbedtls_ssl_session));
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200957}
958
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200959MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100960static int ssl_handshake_init(mbedtls_ssl_context *ssl)
Paul Bakker48916f92012-09-16 19:57:18 +0000961{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100962 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
963
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200964 /* Clear old handshake information if present */
Jerry Yu2e199812022-12-01 18:57:19 +0800965#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +0100966 if (ssl->transform_negotiate) {
967 mbedtls_ssl_transform_free(ssl->transform_negotiate);
968 }
Jerry Yu2e199812022-12-01 18:57:19 +0800969#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100970 if (ssl->session_negotiate) {
971 mbedtls_ssl_session_free(ssl->session_negotiate);
972 }
973 if (ssl->handshake) {
974 mbedtls_ssl_handshake_free(ssl);
975 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200976
Jerry Yu2e199812022-12-01 18:57:19 +0800977#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200978 /*
979 * Either the pointers are now NULL or cleared properly and can be freed.
980 * Now allocate missing structures.
981 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100982 if (ssl->transform_negotiate == NULL) {
983 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200984 }
Jerry Yu2e199812022-12-01 18:57:19 +0800985#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker48916f92012-09-16 19:57:18 +0000986
Gilles Peskine449bd832023-01-11 14:50:10 +0100987 if (ssl->session_negotiate == NULL) {
988 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200989 }
Paul Bakker48916f92012-09-16 19:57:18 +0000990
Gilles Peskine449bd832023-01-11 14:50:10 +0100991 if (ssl->handshake == NULL) {
992 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200993 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500994#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
995 /* If the buffers are too small - reallocate */
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400996
Gilles Peskine449bd832023-01-11 14:50:10 +0100997 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
998 MBEDTLS_SSL_OUT_BUFFER_LEN);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500999#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001000
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001001 /* All pointers should exist and can be directly freed without issue */
Gilles Peskine449bd832023-01-11 14:50:10 +01001002 if (ssl->handshake == NULL ||
Jerry Yu2e199812022-12-01 18:57:19 +08001003#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker48916f92012-09-16 19:57:18 +00001004 ssl->transform_negotiate == NULL ||
Jerry Yu2e199812022-12-01 18:57:19 +08001005#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001006 ssl->session_negotiate == NULL) {
1007 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001008
Gilles Peskine449bd832023-01-11 14:50:10 +01001009 mbedtls_free(ssl->handshake);
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001010 ssl->handshake = NULL;
Jerry Yu2e199812022-12-01 18:57:19 +08001011
1012#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001013 mbedtls_free(ssl->transform_negotiate);
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001014 ssl->transform_negotiate = NULL;
Jerry Yu2e199812022-12-01 18:57:19 +08001015#endif
1016
Gilles Peskine449bd832023-01-11 14:50:10 +01001017 mbedtls_free(ssl->session_negotiate);
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001018 ssl->session_negotiate = NULL;
1019
Gilles Peskine449bd832023-01-11 14:50:10 +01001020 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Paul Bakker48916f92012-09-16 19:57:18 +00001021 }
1022
Jerry Yu4caf3ca2023-11-15 16:13:47 +08001023#if defined(MBEDTLS_SSL_EARLY_DATA)
1024#if defined(MBEDTLS_SSL_CLI_C)
Ronald Cron05d7cfb2024-03-03 15:39:30 +01001025 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
Ronald Cron5d0ae902024-01-05 14:20:35 +01001026#endif
Jerry Yu4caf3ca2023-11-15 16:13:47 +08001027#if defined(MBEDTLS_SSL_SRV_C)
1028 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1029#endif
Ronald Cron19bfe0a2024-02-26 16:43:01 +01001030 ssl->total_early_data_size = 0;
Jerry Yu4caf3ca2023-11-15 16:13:47 +08001031#endif /* MBEDTLS_SSL_EARLY_DATA */
Ronald Cron5d0ae902024-01-05 14:20:35 +01001032
Paul Bakkeraccaffe2014-06-26 13:37:14 +02001033 /* Initialize structures */
Gilles Peskine449bd832023-01-11 14:50:10 +01001034 mbedtls_ssl_session_init(ssl->session_negotiate);
1035 ssl_handshake_params_init(ssl->handshake);
Paul Bakker968afaa2014-07-09 11:09:24 +02001036
Jerry Yu2e199812022-12-01 18:57:19 +08001037#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001038 mbedtls_ssl_transform_init(ssl->transform_negotiate);
Jerry Yu2e199812022-12-01 18:57:19 +08001039#endif
1040
Manuel Pégourié-Gonnard537f2312023-02-05 10:17:45 +01001041 /* Setup handshake checksums */
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01001042 ret = mbedtls_ssl_reset_checksum(ssl);
1043 if (ret != 0) {
1044 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1045 return ret;
1046 }
Manuel Pégourié-Gonnard537f2312023-02-05 10:17:45 +01001047
Jerry Yud0766ec2022-09-22 10:46:57 +08001048#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1049 defined(MBEDTLS_SSL_SRV_C) && \
1050 defined(MBEDTLS_SSL_SESSION_TICKETS)
1051 ssl->handshake->new_session_tickets_count =
Gilles Peskine449bd832023-01-11 14:50:10 +01001052 ssl->conf->new_session_tickets_count;
Jerry Yud0766ec2022-09-22 10:46:57 +08001053#endif
1054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001055#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01001056 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001057 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02001058
Gilles Peskine449bd832023-01-11 14:50:10 +01001059 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001060 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Gilles Peskine449bd832023-01-11 14:50:10 +01001061 } else {
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001062 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Gilles Peskine449bd832023-01-11 14:50:10 +01001063 }
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001064
Gilles Peskine449bd832023-01-11 14:50:10 +01001065 mbedtls_ssl_set_timer(ssl, 0);
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02001066 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02001067#endif
1068
Ronald Crone68ab4f2022-10-05 12:46:29 +02001069#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08001070#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Jerry Yua69269a2022-01-17 21:06:01 +08001071#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yu713013f2022-01-17 18:16:35 +08001072 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1073 signature algorithms IANA identifiers. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001074 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1075 ssl->conf->sig_hashes != NULL) {
Jerry Yuf017ee42022-01-12 15:49:48 +08001076 const int *md;
1077 const int *sig_hashes = ssl->conf->sig_hashes;
Jerry Yub476a442022-01-21 18:14:45 +08001078 size_t sig_algs_len = 0;
Jerry Yuf017ee42022-01-12 15:49:48 +08001079 uint16_t *p;
1080
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +00001081 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1082 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1083 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
Jerry Yua68dca22022-01-20 16:28:27 +08001084
Gilles Peskine449bd832023-01-11 14:50:10 +01001085 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1086 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
Jerry Yuf017ee42022-01-12 15:49:48 +08001087 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01001088 }
Valerio Settie9646ec2023-08-02 20:02:28 +02001089#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01001090 sig_algs_len += sizeof(uint16_t);
Jerry Yub476a442022-01-21 18:14:45 +08001091#endif
Jerry Yua68dca22022-01-20 16:28:27 +08001092
Jerry Yub476a442022-01-21 18:14:45 +08001093#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001094 sig_algs_len += sizeof(uint16_t);
Jerry Yub476a442022-01-21 18:14:45 +08001095#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001096 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1097 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1098 }
Jerry Yuf017ee42022-01-12 15:49:48 +08001099 }
1100
Gilles Peskine449bd832023-01-11 14:50:10 +01001101 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1102 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1103 }
Jerry Yuf017ee42022-01-12 15:49:48 +08001104
Gilles Peskine449bd832023-01-11 14:50:10 +01001105 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1106 sizeof(uint16_t));
1107 if (ssl->handshake->sig_algs == NULL) {
1108 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1109 }
Jerry Yuf017ee42022-01-12 15:49:48 +08001110
Gilles Peskine449bd832023-01-11 14:50:10 +01001111 p = (uint16_t *) ssl->handshake->sig_algs;
1112 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1113 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1114 if (hash == MBEDTLS_SSL_HASH_NONE) {
Jerry Yuf017ee42022-01-12 15:49:48 +08001115 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01001116 }
Valerio Settie9646ec2023-08-02 20:02:28 +02001117#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01001118 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
Jerry Yuf017ee42022-01-12 15:49:48 +08001119 p++;
Jerry Yu6106fdc2022-01-12 16:36:14 +08001120#endif
1121#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001122 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
Jerry Yuf017ee42022-01-12 15:49:48 +08001123 p++;
Jerry Yu6106fdc2022-01-12 16:36:14 +08001124#endif
Jerry Yuf017ee42022-01-12 15:49:48 +08001125 }
Gabor Mezei15b95a62022-05-09 16:37:58 +02001126 *p = MBEDTLS_TLS_SIG_NONE;
Jerry Yuf017ee42022-01-12 15:49:48 +08001127 ssl->handshake->sig_algs_heap_allocated = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01001128 } else
Jerry Yua69269a2022-01-17 21:06:01 +08001129#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Jerry Yuf017ee42022-01-12 15:49:48 +08001130 {
Jerry Yuf017ee42022-01-12 15:49:48 +08001131 ssl->handshake->sig_algs_heap_allocated = 0;
1132 }
Jerry Yucc539102022-06-27 16:27:35 +08001133#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Ronald Crone68ab4f2022-10-05 12:46:29 +02001134#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +01001135 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +00001136}
1137
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001138#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001139/* Dummy cookie callbacks for defaults */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001140MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001141static int ssl_cookie_write_dummy(void *ctx,
1142 unsigned char **p, unsigned char *end,
1143 const unsigned char *cli_id, size_t cli_id_len)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001144{
1145 ((void) ctx);
1146 ((void) p);
1147 ((void) end);
1148 ((void) cli_id);
1149 ((void) cli_id_len);
1150
Gilles Peskine449bd832023-01-11 14:50:10 +01001151 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001152}
1153
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001154MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001155static int ssl_cookie_check_dummy(void *ctx,
1156 const unsigned char *cookie, size_t cookie_len,
1157 const unsigned char *cli_id, size_t cli_id_len)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001158{
1159 ((void) ctx);
1160 ((void) cookie);
1161 ((void) cookie_len);
1162 ((void) cli_id);
1163 ((void) cli_id_len);
1164
Gilles Peskine449bd832023-01-11 14:50:10 +01001165 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001166}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001167#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02001168
Paul Bakker5121ce52009-01-03 21:22:43 +00001169/*
1170 * Initialize an SSL context
1171 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001172void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02001173{
Gilles Peskine449bd832023-01-11 14:50:10 +01001174 memset(ssl, 0, sizeof(mbedtls_ssl_context));
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02001175}
1176
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001177MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001178static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
Jerry Yu60835a82021-08-04 10:13:52 +08001179{
Ronald Cron086ee0b2022-03-15 15:18:51 +01001180 const mbedtls_ssl_config *conf = ssl->conf;
1181
Ronald Cron6f135e12021-12-08 16:57:54 +01001182#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001183 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1184 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1185 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1186 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQianed582dd2022-04-13 08:21:05 +00001187 }
1188
Gilles Peskine449bd832023-01-11 14:50:10 +01001189 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1190 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001191 }
1192#endif
1193
1194#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001195 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1196 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1197 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001198 }
1199#endif
1200
Ronald Cron6f135e12021-12-08 16:57:54 +01001201#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001202 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1203 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1204 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1205 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQianed582dd2022-04-13 08:21:05 +00001206 }
1207
Gilles Peskine449bd832023-01-11 14:50:10 +01001208 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1209 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001210 }
1211#endif
1212
Gilles Peskine449bd832023-01-11 14:50:10 +01001213 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1214 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Jerry Yu60835a82021-08-04 10:13:52 +08001215}
1216
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001217MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu60835a82021-08-04 10:13:52 +08001218static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1219{
1220 int ret;
Gilles Peskine449bd832023-01-11 14:50:10 +01001221 ret = ssl_conf_version_check(ssl);
1222 if (ret != 0) {
1223 return ret;
1224 }
Jerry Yu60835a82021-08-04 10:13:52 +08001225
1226 /* Space for further checks */
1227
Gilles Peskine449bd832023-01-11 14:50:10 +01001228 return 0;
Jerry Yu60835a82021-08-04 10:13:52 +08001229}
1230
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02001231/*
1232 * Setup an SSL context
1233 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +01001234
Gilles Peskine449bd832023-01-11 14:50:10 +01001235int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1236 const mbedtls_ssl_config *conf)
Paul Bakker5121ce52009-01-03 21:22:43 +00001237{
Janos Follath865b3eb2019-12-16 11:46:15 +00001238 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00001239 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1240 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00001241
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02001242 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +00001243
Gilles Peskine449bd832023-01-11 14:50:10 +01001244 if ((ret = ssl_conf_check(ssl)) != 0) {
1245 return ret;
1246 }
Ben Taylor602b2962025-03-07 15:52:50 +00001247
Ronald Cron8a12aee2023-03-08 15:30:43 +01001248 ssl->tls_version = ssl->conf->max_tls_version;
Jerry Yu60835a82021-08-04 10:13:52 +08001249
Paul Bakker62f2dee2012-09-28 07:31:51 +00001250 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01001251 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +00001252 */
k-stachowiakc9a5f022018-07-24 13:53:31 +02001253
1254 /* Set to NULL in case of an error condition */
1255 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +02001256
Darryl Greenb33cc762019-11-28 14:29:44 +00001257#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1258 ssl->in_buf_len = in_buf_len;
1259#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001260 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1261 if (ssl->in_buf == NULL) {
1262 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
k-stachowiak9f7798e2018-07-31 16:52:32 +02001263 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02001264 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +10001265 }
1266
Darryl Greenb33cc762019-11-28 14:29:44 +00001267#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1268 ssl->out_buf_len = out_buf_len;
1269#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001270 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1271 if (ssl->out_buf == NULL) {
1272 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
k-stachowiak9f7798e2018-07-31 16:52:32 +02001273 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02001274 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00001275 }
1276
Deomid rojer Ryabkov3dfe75e2025-01-26 10:43:42 +02001277 mbedtls_ssl_reset_in_pointers(ssl);
1278 mbedtls_ssl_reset_out_pointers(ssl);
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02001279
Johan Pascalb62bb512015-12-03 21:56:45 +01001280#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +01001281 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
Johan Pascalb62bb512015-12-03 21:56:45 +01001282#endif
1283
Gilles Peskine449bd832023-01-11 14:50:10 +01001284 if ((ret = ssl_handshake_init(ssl)) != 0) {
k-stachowiaka47911c2018-07-04 17:41:58 +02001285 goto error;
Gilles Peskine449bd832023-01-11 14:50:10 +01001286 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001287
Gilles Peskine449bd832023-01-11 14:50:10 +01001288 return 0;
k-stachowiaka47911c2018-07-04 17:41:58 +02001289
1290error:
Gilles Peskine449bd832023-01-11 14:50:10 +01001291 mbedtls_free(ssl->in_buf);
1292 mbedtls_free(ssl->out_buf);
k-stachowiaka47911c2018-07-04 17:41:58 +02001293
1294 ssl->conf = NULL;
1295
Darryl Greenb33cc762019-11-28 14:29:44 +00001296#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1297 ssl->in_buf_len = 0;
1298 ssl->out_buf_len = 0;
1299#endif
k-stachowiaka47911c2018-07-04 17:41:58 +02001300 ssl->in_buf = NULL;
1301 ssl->out_buf = NULL;
1302
1303 ssl->in_hdr = NULL;
1304 ssl->in_ctr = NULL;
1305 ssl->in_len = NULL;
1306 ssl->in_iv = NULL;
1307 ssl->in_msg = NULL;
1308
1309 ssl->out_hdr = NULL;
1310 ssl->out_ctr = NULL;
1311 ssl->out_len = NULL;
1312 ssl->out_iv = NULL;
1313 ssl->out_msg = NULL;
1314
Gilles Peskine449bd832023-01-11 14:50:10 +01001315 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00001316}
1317
1318/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00001319 * Reset an initialized and used SSL context for re-use while retaining
1320 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001321 *
1322 * If partial is non-zero, keep data in the input buffer and client ID.
1323 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +00001324 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001325void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1326 int partial)
Paul Bakker7eb013f2011-10-06 12:37:39 +00001327{
Darryl Greenb33cc762019-11-28 14:29:44 +00001328#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1329 size_t in_buf_len = ssl->in_buf_len;
1330 size_t out_buf_len = ssl->out_buf_len;
1331#else
1332 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1333 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1334#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001335
Hanno Beckerb0302c42021-08-03 09:39:42 +01001336#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1337 partial = 0;
Hanno Becker7e772132018-08-10 12:38:21 +01001338#endif
1339
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001340 /* Cancel any possibly running timer */
Gilles Peskine449bd832023-01-11 14:50:10 +01001341 mbedtls_ssl_set_timer(ssl, 0);
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001342
Deomid rojer Ryabkov3dfe75e2025-01-26 10:43:42 +02001343 mbedtls_ssl_reset_in_pointers(ssl);
1344 mbedtls_ssl_reset_out_pointers(ssl);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001345
1346 /* Reset incoming message parsing */
1347 ssl->in_offt = NULL;
1348 ssl->nb_zero = 0;
1349 ssl->in_msgtype = 0;
1350 ssl->in_msglen = 0;
1351 ssl->in_hslen = 0;
Deomid rojer Ryabkovdd14c0a2025-02-13 13:41:51 +03001352 ssl->in_hsfraglen = 0;
Hanno Beckerb0302c42021-08-03 09:39:42 +01001353 ssl->keep_current_message = 0;
1354 ssl->transform_in = NULL;
1355
1356#if defined(MBEDTLS_SSL_PROTO_DTLS)
1357 ssl->next_record_offset = 0;
1358 ssl->in_epoch = 0;
1359#endif
1360
1361 /* Keep current datagram if partial == 1 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001362 if (partial == 0) {
Hanno Beckerb0302c42021-08-03 09:39:42 +01001363 ssl->in_left = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001364 memset(ssl->in_buf, 0, in_buf_len);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001365 }
1366
Ronald Cronad8c17b2022-06-10 17:18:09 +02001367 ssl->send_alert = 0;
1368
Hanno Beckerb0302c42021-08-03 09:39:42 +01001369 /* Reset outgoing message writing */
1370 ssl->out_msgtype = 0;
1371 ssl->out_msglen = 0;
1372 ssl->out_left = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001373 memset(ssl->out_buf, 0, out_buf_len);
1374 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
Hanno Beckerb0302c42021-08-03 09:39:42 +01001375 ssl->transform_out = NULL;
1376
1377#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +01001378 mbedtls_ssl_dtls_replay_reset(ssl);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001379#endif
1380
XiaokangQian2b01dc32022-01-21 02:53:13 +00001381#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01001382 if (ssl->transform) {
1383 mbedtls_ssl_transform_free(ssl->transform);
1384 mbedtls_free(ssl->transform);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001385 ssl->transform = NULL;
1386 }
XiaokangQian2b01dc32022-01-21 02:53:13 +00001387#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1388
XiaokangQian2b01dc32022-01-21 02:53:13 +00001389#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001390 mbedtls_ssl_transform_free(ssl->transform_application);
1391 mbedtls_free(ssl->transform_application);
XiaokangQian2b01dc32022-01-21 02:53:13 +00001392 ssl->transform_application = NULL;
1393
Gilles Peskine449bd832023-01-11 14:50:10 +01001394 if (ssl->handshake != NULL) {
Jerry Yu3d9b5902022-11-04 14:07:25 +08001395#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +01001396 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1397 mbedtls_free(ssl->handshake->transform_earlydata);
XiaokangQian2b01dc32022-01-21 02:53:13 +00001398 ssl->handshake->transform_earlydata = NULL;
Jerry Yu3d9b5902022-11-04 14:07:25 +08001399#endif
XiaokangQian2b01dc32022-01-21 02:53:13 +00001400
Gilles Peskine449bd832023-01-11 14:50:10 +01001401 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1402 mbedtls_free(ssl->handshake->transform_handshake);
XiaokangQian2b01dc32022-01-21 02:53:13 +00001403 ssl->handshake->transform_handshake = NULL;
1404 }
1405
XiaokangQian2b01dc32022-01-21 02:53:13 +00001406#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Beckerb0302c42021-08-03 09:39:42 +01001407}
1408
Gilles Peskine449bd832023-01-11 14:50:10 +01001409int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
Hanno Beckerb0302c42021-08-03 09:39:42 +01001410{
1411 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1412
1413 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
Ronald Cron195c0bc2024-02-08 08:51:20 +01001414 ssl->tls_version = ssl->conf->max_tls_version;
Hanno Beckerb0302c42021-08-03 09:39:42 +01001415
Gilles Peskine449bd832023-01-11 14:50:10 +01001416 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
Hanno Beckerb0302c42021-08-03 09:39:42 +01001417
1418 /* Reset renegotiation state */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001419#if defined(MBEDTLS_SSL_RENEGOTIATION)
1420 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001421 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00001422
1423 ssl->verify_data_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001424 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1425 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001426#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001427 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00001428
Hanno Beckerb0302c42021-08-03 09:39:42 +01001429 ssl->session_in = NULL;
Hanno Becker78640902018-08-13 16:35:15 +01001430 ssl->session_out = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01001431 if (ssl->session) {
1432 mbedtls_ssl_session_free(ssl->session);
1433 mbedtls_free(ssl->session);
Paul Bakkerc0463502013-02-14 11:19:38 +01001434 ssl->session = NULL;
1435 }
1436
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001437#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001438 ssl->alpn_chosen = NULL;
1439#endif
1440
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001441#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
David Horstmann3b2276a2022-10-06 14:49:08 +01001442 int free_cli_id = 1;
Hanno Becker4ccbf062018-08-10 11:20:38 +01001443#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Gilles Peskine449bd832023-01-11 14:50:10 +01001444 free_cli_id = (partial == 0);
Hanno Becker4ccbf062018-08-10 11:20:38 +01001445#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01001446 if (free_cli_id) {
1447 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001448 ssl->cli_id = NULL;
1449 ssl->cli_id_len = 0;
1450 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02001451#endif
1452
Gilles Peskine449bd832023-01-11 14:50:10 +01001453 if ((ret = ssl_handshake_init(ssl)) != 0) {
1454 return ret;
1455 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00001456
Gilles Peskine449bd832023-01-11 14:50:10 +01001457 return 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00001458}
1459
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02001460/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001461 * Reset an initialized and used SSL context for re-use while retaining
1462 * all application-set variables, function pointers and data.
1463 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001464int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001465{
Gilles Peskine449bd832023-01-11 14:50:10 +01001466 return mbedtls_ssl_session_reset_int(ssl, 0);
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02001467}
1468
1469/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001470 * SSL set accessors
1471 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001472void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
Paul Bakker5121ce52009-01-03 21:22:43 +00001473{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001474 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +00001475}
1476
Gilles Peskine449bd832023-01-11 14:50:10 +01001477void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001478{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001479 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001480}
1481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001482#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +01001483void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02001484{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001485 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02001486}
1487#endif
1488
Gilles Peskine449bd832023-01-11 14:50:10 +01001489void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001490{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001491 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001492}
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001494#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +01001495
Gilles Peskine449bd832023-01-11 14:50:10 +01001496void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1497 unsigned allow_packing)
Hanno Becker04da1892018-08-14 13:22:10 +01001498{
1499 ssl->disable_datagram_packing = !allow_packing;
1500}
1501
Gilles Peskine449bd832023-01-11 14:50:10 +01001502void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1503 uint32_t min, uint32_t max)
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02001504{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001505 conf->hs_timeout_min = min;
1506 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02001507}
1508#endif
1509
Gilles Peskine449bd832023-01-11 14:50:10 +01001510void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
Paul Bakker5121ce52009-01-03 21:22:43 +00001511{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001512 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +00001513}
1514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001515#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001516void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1517 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1518 void *p_vrfy)
Paul Bakkerb63b0af2011-01-13 17:54:59 +00001519{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001520 conf->f_vrfy = f_vrfy;
1521 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +00001522}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001523#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00001524
Gilles Peskine449bd832023-01-11 14:50:10 +01001525void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1526 void (*f_dbg)(void *, int, const char *, int, const char *),
1527 void *p_dbg)
Paul Bakker5121ce52009-01-03 21:22:43 +00001528{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001529 conf->f_dbg = f_dbg;
1530 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +00001531}
1532
Gilles Peskine449bd832023-01-11 14:50:10 +01001533void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1534 void *p_bio,
1535 mbedtls_ssl_send_t *f_send,
1536 mbedtls_ssl_recv_t *f_recv,
1537 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02001538{
1539 ssl->p_bio = p_bio;
1540 ssl->f_send = f_send;
1541 ssl->f_recv = f_recv;
1542 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01001543}
1544
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02001545#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01001546void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02001547{
1548 ssl->mtu = mtu;
1549}
1550#endif
1551
Gilles Peskine449bd832023-01-11 14:50:10 +01001552void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01001553{
1554 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02001555}
1556
Gilles Peskine449bd832023-01-11 14:50:10 +01001557void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1558 void *p_timer,
1559 mbedtls_ssl_set_timer_t *f_set_timer,
1560 mbedtls_ssl_get_timer_t *f_get_timer)
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02001561{
1562 ssl->p_timer = p_timer;
1563 ssl->f_set_timer = f_set_timer;
1564 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02001565
1566 /* Make sure we start with no timer running */
Gilles Peskine449bd832023-01-11 14:50:10 +01001567 mbedtls_ssl_set_timer(ssl, 0);
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02001568}
1569
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001570#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001571void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1572 void *p_cache,
1573 mbedtls_ssl_cache_get_t *f_get_cache,
1574 mbedtls_ssl_cache_set_t *f_set_cache)
Paul Bakker5121ce52009-01-03 21:22:43 +00001575{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01001576 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001577 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02001578 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00001579}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001580#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00001581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001582#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001583int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
Paul Bakker5121ce52009-01-03 21:22:43 +00001584{
Janos Follath865b3eb2019-12-16 11:46:15 +00001585 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001586
Gilles Peskine449bd832023-01-11 14:50:10 +01001587 if (ssl == NULL ||
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001588 session == NULL ||
1589 ssl->session_negotiate == NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +01001590 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1591 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001592 }
1593
Gilles Peskine449bd832023-01-11 14:50:10 +01001594 if (ssl->handshake->resume == 1) {
1595 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1596 }
Hanno Beckere810bbc2021-05-14 16:01:05 +01001597
Jerry Yu21092062022-10-10 21:21:31 +08001598#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001599 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Ronald Cron233fcaa2024-04-04 14:05:21 +02001600#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu21092062022-10-10 21:21:31 +08001601 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +01001602 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
Jerry Yu21092062022-10-10 21:21:31 +08001603
Gilles Peskine449bd832023-01-11 14:50:10 +01001604 if (mbedtls_ssl_validate_ciphersuite(
Jerry Yu21092062022-10-10 21:21:31 +08001605 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
Gilles Peskine449bd832023-01-11 14:50:10 +01001606 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1607 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1608 session->ciphersuite));
1609 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu21092062022-10-10 21:21:31 +08001610 }
Ronald Cron233fcaa2024-04-04 14:05:21 +02001611#else
1612 /*
1613 * If session tickets are not enabled, it is not possible to resume a
1614 * TLS 1.3 session, thus do not make any change to the SSL context in
1615 * the first place.
1616 */
1617 return 0;
1618#endif
Jerry Yu40afab62022-10-08 10:42:13 +08001619 }
Jerry Yu21092062022-10-10 21:21:31 +08001620#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu40afab62022-10-08 10:42:13 +08001621
Gilles Peskine449bd832023-01-11 14:50:10 +01001622 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1623 session)) != 0) {
1624 return ret;
1625 }
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001626
Paul Bakker0a597072012-09-25 21:55:46 +00001627 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02001628
Gilles Peskine449bd832023-01-11 14:50:10 +01001629 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001630}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001631#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00001632
Gilles Peskine449bd832023-01-11 14:50:10 +01001633void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1634 const int *ciphersuites)
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01001635{
Hanno Beckerd60b6c62021-04-29 12:04:11 +01001636 conf->ciphersuite_list = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00001637}
1638
Ronald Cron6f135e12021-12-08 16:57:54 +01001639#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01001640void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1641 const int kex_modes)
Hanno Becker71f1ed62021-07-24 06:01:47 +01001642{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001643 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
Hanno Becker71f1ed62021-07-24 06:01:47 +01001644}
Xiaokang Qian72de95d2022-10-25 02:54:33 +00001645
1646#if defined(MBEDTLS_SSL_EARLY_DATA)
Yanray Wangd5ed36f2023-11-07 11:40:43 +08001647void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1648 int early_data_enabled)
Xiaokang Qian72de95d2022-10-25 02:54:33 +00001649{
1650 conf->early_data_enabled = early_data_enabled;
1651}
Jerry Yucc4e0072022-11-22 17:22:22 +08001652
1653#if defined(MBEDTLS_SSL_SRV_C)
Yanray Wang07517612023-11-07 11:47:36 +08001654void mbedtls_ssl_conf_max_early_data_size(
Gilles Peskine449bd832023-01-11 14:50:10 +01001655 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
Jerry Yucc4e0072022-11-22 17:22:22 +08001656{
Jerry Yu39da9852022-12-06 16:58:36 +08001657 conf->max_early_data_size = max_early_data_size;
Jerry Yucc4e0072022-11-22 17:22:22 +08001658}
1659#endif /* MBEDTLS_SSL_SRV_C */
1660
Xiaokang Qian72de95d2022-10-25 02:54:33 +00001661#endif /* MBEDTLS_SSL_EARLY_DATA */
Ronald Cron6f135e12021-12-08 16:57:54 +01001662#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker71f1ed62021-07-24 06:01:47 +01001663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001664#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001665void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1666 const mbedtls_x509_crt_profile *profile)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02001667{
1668 conf->cert_profile = profile;
1669}
1670
Gilles Peskine449bd832023-01-11 14:50:10 +01001671static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
Glenn Strauss36872db2022-01-22 05:06:31 -05001672{
1673 mbedtls_ssl_key_cert *cur = key_cert, *next;
1674
Gilles Peskine449bd832023-01-11 14:50:10 +01001675 while (cur != NULL) {
Glenn Strauss36872db2022-01-22 05:06:31 -05001676 next = cur->next;
Gilles Peskine449bd832023-01-11 14:50:10 +01001677 mbedtls_free(cur);
Glenn Strauss36872db2022-01-22 05:06:31 -05001678 cur = next;
1679 }
1680}
1681
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001682/* Append a new keycert entry to a (possibly empty) list */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001683MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001684static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1685 mbedtls_x509_crt *cert,
1686 mbedtls_pk_context *key)
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001687{
niisato8ee24222018-06-25 19:05:48 +09001688 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001689
Gilles Peskine449bd832023-01-11 14:50:10 +01001690 if (cert == NULL) {
Glenn Strauss36872db2022-01-22 05:06:31 -05001691 /* Free list if cert is null */
Gilles Peskine449bd832023-01-11 14:50:10 +01001692 ssl_key_cert_free(*head);
Glenn Strauss36872db2022-01-22 05:06:31 -05001693 *head = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01001694 return 0;
Glenn Strauss36872db2022-01-22 05:06:31 -05001695 }
1696
Gilles Peskine449bd832023-01-11 14:50:10 +01001697 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1698 if (new_cert == NULL) {
1699 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1700 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001701
niisato8ee24222018-06-25 19:05:48 +09001702 new_cert->cert = cert;
1703 new_cert->key = key;
1704 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001705
Glenn Strauss36872db2022-01-22 05:06:31 -05001706 /* Update head if the list was null, else add to the end */
Gilles Peskine449bd832023-01-11 14:50:10 +01001707 if (*head == NULL) {
niisato8ee24222018-06-25 19:05:48 +09001708 *head = new_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +01001709 } else {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001710 mbedtls_ssl_key_cert *cur = *head;
Gilles Peskine449bd832023-01-11 14:50:10 +01001711 while (cur->next != NULL) {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001712 cur = cur->next;
Gilles Peskine449bd832023-01-11 14:50:10 +01001713 }
niisato8ee24222018-06-25 19:05:48 +09001714 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001715 }
1716
Gilles Peskine449bd832023-01-11 14:50:10 +01001717 return 0;
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001718}
1719
Gilles Peskine449bd832023-01-11 14:50:10 +01001720int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001721 mbedtls_x509_crt *own_cert,
Gilles Peskine449bd832023-01-11 14:50:10 +01001722 mbedtls_pk_context *pk_key)
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02001723{
Gilles Peskine449bd832023-01-11 14:50:10 +01001724 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02001725}
1726
Gilles Peskine449bd832023-01-11 14:50:10 +01001727void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01001728 mbedtls_x509_crt *ca_chain,
Gilles Peskine449bd832023-01-11 14:50:10 +01001729 mbedtls_x509_crl *ca_crl)
Paul Bakker5121ce52009-01-03 21:22:43 +00001730{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01001731 conf->ca_chain = ca_chain;
1732 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +00001733
1734#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1735 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1736 * cannot be used together. */
1737 conf->f_ca_cb = NULL;
1738 conf->p_ca_cb = NULL;
1739#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +00001740}
Hanno Becker5adaad92019-03-27 16:54:37 +00001741
1742#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
Gilles Peskine449bd832023-01-11 14:50:10 +01001743void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1744 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1745 void *p_ca_cb)
Hanno Becker5adaad92019-03-27 16:54:37 +00001746{
1747 conf->f_ca_cb = f_ca_cb;
1748 conf->p_ca_cb = p_ca_cb;
1749
1750 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1751 * cannot be used together. */
1752 conf->ca_chain = NULL;
1753 conf->ca_crl = NULL;
1754}
1755#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001756#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00001757
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001758#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01001759const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1760 size_t *name_len)
Glenn Strauss69894072022-01-24 12:58:00 -05001761{
1762 *name_len = ssl->handshake->sni_name_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001763 return ssl->handshake->sni_name;
Glenn Strauss69894072022-01-24 12:58:00 -05001764}
1765
Gilles Peskine449bd832023-01-11 14:50:10 +01001766int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1767 mbedtls_x509_crt *own_cert,
1768 mbedtls_pk_context *pk_key)
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001769{
Gilles Peskine449bd832023-01-11 14:50:10 +01001770 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1771 own_cert, pk_key);
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001772}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02001773
Gilles Peskine449bd832023-01-11 14:50:10 +01001774void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1775 mbedtls_x509_crt *ca_chain,
1776 mbedtls_x509_crl *ca_crl)
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02001777{
1778 ssl->handshake->sni_ca_chain = ca_chain;
1779 ssl->handshake->sni_ca_crl = ca_crl;
1780}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02001781
Glenn Strauss999ef702022-03-11 01:37:23 -05001782#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01001783void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1784 const mbedtls_x509_crt *crt)
Glenn Strauss999ef702022-03-11 01:37:23 -05001785{
1786 ssl->handshake->dn_hints = crt;
1787}
1788#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1789
Gilles Peskine449bd832023-01-11 14:50:10 +01001790void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1791 int authmode)
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02001792{
1793 ssl->handshake->sni_authmode = authmode;
1794}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02001795#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1796
Hanno Becker8927c832019-04-03 12:52:50 +01001797#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001798void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1799 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1800 void *p_vrfy)
Hanno Becker8927c832019-04-03 12:52:50 +01001801{
1802 ssl->f_vrfy = f_vrfy;
1803 ssl->p_vrfy = p_vrfy;
1804}
1805#endif
1806
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02001807#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02001808
Przemek Stekielfde11282023-03-13 16:06:09 +01001809static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1810static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1811
Valerio Setti016f6822022-12-09 14:17:50 +01001812static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
Gilles Peskine449bd832023-01-11 14:50:10 +01001813 mbedtls_ssl_context *ssl,
1814 mbedtls_svc_key_id_t pwd)
Valerio Setti016f6822022-12-09 14:17:50 +01001815{
1816 psa_status_t status;
Valerio Setti016f6822022-12-09 14:17:50 +01001817 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
Przemek Stekielfde11282023-03-13 16:06:09 +01001818 const uint8_t *user = NULL;
Przemek Stekiel4cd20312023-03-01 11:11:28 +01001819 size_t user_len = 0;
Przemek Stekielfde11282023-03-13 16:06:09 +01001820 const uint8_t *peer = NULL;
Przemek Stekiel4cd20312023-03-01 11:11:28 +01001821 size_t peer_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001822 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1823 psa_pake_cs_set_primitive(&cipher_suite,
1824 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1825 PSA_ECC_FAMILY_SECP_R1,
1826 256));
1827 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
Valerio Setti016f6822022-12-09 14:17:50 +01001828
Gilles Peskine449bd832023-01-11 14:50:10 +01001829 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1830 if (status != PSA_SUCCESS) {
Valerio Setti016f6822022-12-09 14:17:50 +01001831 return status;
Gilles Peskine449bd832023-01-11 14:50:10 +01001832 }
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02001833
Gilles Peskine449bd832023-01-11 14:50:10 +01001834 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Przemek Stekielfde11282023-03-13 16:06:09 +01001835 user = jpake_server_id;
1836 user_len = sizeof(jpake_server_id);
1837 peer = jpake_client_id;
1838 peer_len = sizeof(jpake_client_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001839 } else {
Przemek Stekielfde11282023-03-13 16:06:09 +01001840 user = jpake_client_id;
1841 user_len = sizeof(jpake_client_id);
1842 peer = jpake_server_id;
1843 peer_len = sizeof(jpake_server_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001844 }
Neil Armstrongca7d5062022-05-31 14:43:23 +02001845
Przemek Stekiel4cd20312023-03-01 11:11:28 +01001846 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1847 if (status != PSA_SUCCESS) {
1848 return status;
1849 }
1850
1851 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
Gilles Peskine449bd832023-01-11 14:50:10 +01001852 if (status != PSA_SUCCESS) {
Valerio Setti016f6822022-12-09 14:17:50 +01001853 return status;
Gilles Peskine449bd832023-01-11 14:50:10 +01001854 }
Valerio Setti016f6822022-12-09 14:17:50 +01001855
Gilles Peskine449bd832023-01-11 14:50:10 +01001856 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
1857 if (status != PSA_SUCCESS) {
Valerio Setti016f6822022-12-09 14:17:50 +01001858 return status;
Gilles Peskine449bd832023-01-11 14:50:10 +01001859 }
Valerio Setti016f6822022-12-09 14:17:50 +01001860
1861 ssl->handshake->psa_pake_ctx_is_ok = 1;
1862
Gilles Peskine449bd832023-01-11 14:50:10 +01001863 return PSA_SUCCESS;
Valerio Setti016f6822022-12-09 14:17:50 +01001864}
1865
Gilles Peskine449bd832023-01-11 14:50:10 +01001866int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
1867 const unsigned char *pw,
1868 size_t pw_len)
Valerio Setti016f6822022-12-09 14:17:50 +01001869{
1870 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1871 psa_status_t status;
1872
Gilles Peskine449bd832023-01-11 14:50:10 +01001873 if (ssl->handshake == NULL || ssl->conf == NULL) {
1874 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Neil Armstrongca7d5062022-05-31 14:43:23 +02001875 }
1876
Gilles Peskine449bd832023-01-11 14:50:10 +01001877 /* Empty password is not valid */
1878 if ((pw == NULL) || (pw_len == 0)) {
1879 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1880 }
1881
1882 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
1883 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
1884 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
1885
1886 status = psa_import_key(&attributes, pw, pw_len,
1887 &ssl->handshake->psa_pake_password);
1888 if (status != PSA_SUCCESS) {
1889 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1890 }
1891
1892 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
1893 ssl->handshake->psa_pake_password);
1894 if (status != PSA_SUCCESS) {
1895 psa_destroy_key(ssl->handshake->psa_pake_password);
1896 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1897 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1898 }
1899
1900 return 0;
Valerio Setti02c25b52022-11-15 14:08:42 +01001901}
Valerio Settia9a97dc2022-11-28 18:26:16 +01001902
Gilles Peskine449bd832023-01-11 14:50:10 +01001903int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
1904 mbedtls_svc_key_id_t pwd)
Valerio Settia9a97dc2022-11-28 18:26:16 +01001905{
Valerio Settia9a97dc2022-11-28 18:26:16 +01001906 psa_status_t status;
1907
Gilles Peskine449bd832023-01-11 14:50:10 +01001908 if (ssl->handshake == NULL || ssl->conf == NULL) {
1909 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Neil Armstrongca7d5062022-05-31 14:43:23 +02001910 }
1911
Gilles Peskine449bd832023-01-11 14:50:10 +01001912 if (mbedtls_svc_key_id_is_null(pwd)) {
1913 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1914 }
1915
1916 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
1917 if (status != PSA_SUCCESS) {
1918 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1919 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1920 }
1921
1922 return 0;
Valerio Setti02c25b52022-11-15 14:08:42 +01001923}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02001924#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02001925
Ronald Cron73fe8df2022-10-05 14:31:43 +02001926#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01001927int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001928{
Gilles Peskine449bd832023-01-11 14:50:10 +01001929 if (conf->psk_identity == NULL ||
1930 conf->psk_identity_len == 0) {
1931 return 0;
Ronald Crond29e13e2022-10-19 10:33:48 +02001932 }
1933
Gilles Peskine449bd832023-01-11 14:50:10 +01001934 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
1935 return 1;
1936 }
Ronald Crond29e13e2022-10-19 10:33:48 +02001937
Gilles Peskine449bd832023-01-11 14:50:10 +01001938 if (conf->psk != NULL && conf->psk_len != 0) {
1939 return 1;
1940 }
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001941
Gilles Peskine449bd832023-01-11 14:50:10 +01001942 return 0;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01001943}
1944
Gilles Peskine449bd832023-01-11 14:50:10 +01001945static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001946{
1947 /* Remove reference to existing PSK, if any. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001948 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001949 /* The maintenance of the PSK key slot is the
1950 * user's responsibility. */
Ronald Croncf56a0a2020-08-04 09:51:30 +02001951 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001952 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001953 if (conf->psk != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01001954 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001955 conf->psk = NULL;
1956 conf->psk_len = 0;
1957 }
1958
1959 /* Remove reference to PSK identity, if any. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001960 if (conf->psk_identity != NULL) {
1961 mbedtls_free(conf->psk_identity);
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01001962 conf->psk_identity = NULL;
1963 conf->psk_identity_len = 0;
1964 }
1965}
1966
Hanno Becker7390c712018-11-15 13:33:04 +00001967/* This function assumes that PSK identity in the SSL config is unset.
1968 * It checks that the provided identity is well-formed and attempts
1969 * to make a copy of it in the SSL config.
1970 * On failure, the PSK identity in the config remains unset. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001971MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01001972static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
1973 unsigned char const *psk_identity,
1974 size_t psk_identity_len)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001975{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02001976 /* Identity len will be encoded on two bytes */
Gilles Peskine449bd832023-01-11 14:50:10 +01001977 if (psk_identity == NULL ||
Ronald Cron2a87e9b2022-10-19 10:55:26 +02001978 psk_identity_len == 0 ||
Gilles Peskine449bd832023-01-11 14:50:10 +01001979 (psk_identity_len >> 16) != 0 ||
1980 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1981 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02001982 }
1983
Gilles Peskine449bd832023-01-11 14:50:10 +01001984 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
1985 if (conf->psk_identity == NULL) {
1986 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1987 }
Paul Bakker6db455e2013-09-18 17:29:31 +02001988
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01001989 conf->psk_identity_len = psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001990 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
Paul Bakker5ad403f2013-09-18 21:21:30 +02001991
Gilles Peskine449bd832023-01-11 14:50:10 +01001992 return 0;
Paul Bakker6db455e2013-09-18 17:29:31 +02001993}
1994
Gilles Peskine449bd832023-01-11 14:50:10 +01001995int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
1996 const unsigned char *psk, size_t psk_len,
1997 const unsigned char *psk_identity, size_t psk_identity_len)
Hanno Becker7390c712018-11-15 13:33:04 +00001998{
Janos Follath865b3eb2019-12-16 11:46:15 +00001999 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01002000
2001 /* We currently only support one PSK, raw or opaque. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002002 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2003 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2004 }
Hanno Becker7390c712018-11-15 13:33:04 +00002005
2006 /* Check and set raw PSK */
Gilles Peskine449bd832023-01-11 14:50:10 +01002007 if (psk == NULL) {
2008 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2009 }
2010 if (psk_len == 0) {
2011 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2012 }
2013 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2014 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2015 }
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01002016
Gilles Peskine449bd832023-01-11 14:50:10 +01002017 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2018 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2019 }
Hanno Becker7390c712018-11-15 13:33:04 +00002020 conf->psk_len = psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002021 memcpy(conf->psk, psk, conf->psk_len);
Hanno Becker7390c712018-11-15 13:33:04 +00002022
2023 /* Check and set PSK Identity */
Gilles Peskine449bd832023-01-11 14:50:10 +01002024 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2025 if (ret != 0) {
2026 ssl_conf_remove_psk(conf);
2027 }
Hanno Becker7390c712018-11-15 13:33:04 +00002028
Gilles Peskine449bd832023-01-11 14:50:10 +01002029 return ret;
Hanno Becker7390c712018-11-15 13:33:04 +00002030}
2031
Gilles Peskine449bd832023-01-11 14:50:10 +01002032static void ssl_remove_psk(mbedtls_ssl_context *ssl)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002033{
Gilles Peskine449bd832023-01-11 14:50:10 +01002034 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
Neil Armstrong501c9322022-05-03 09:35:09 +02002035 /* The maintenance of the external PSK key slot is the
2036 * user's responsibility. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002037 if (ssl->handshake->psk_opaque_is_internal) {
2038 psa_destroy_key(ssl->handshake->psk_opaque);
Neil Armstrong501c9322022-05-03 09:35:09 +02002039 ssl->handshake->psk_opaque_is_internal = 0;
2040 }
Ronald Croncf56a0a2020-08-04 09:51:30 +02002041 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002042 }
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002043}
2044
Gilles Peskine449bd832023-01-11 14:50:10 +01002045int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2046 const unsigned char *psk, size_t psk_len)
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01002047{
Neil Armstrong501c9322022-05-03 09:35:09 +02002048 psa_key_attributes_t key_attributes = psa_key_attributes_init();
Jerry Yu5d01c052022-08-17 10:18:10 +08002049 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu24b8c812022-08-20 19:06:56 +08002050 psa_algorithm_t alg = PSA_ALG_NONE;
Jerry Yu5d01c052022-08-17 10:18:10 +08002051 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong501c9322022-05-03 09:35:09 +02002052
Gilles Peskine449bd832023-01-11 14:50:10 +01002053 if (psk == NULL || ssl->handshake == NULL) {
2054 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2055 }
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01002056
Gilles Peskine449bd832023-01-11 14:50:10 +01002057 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2058 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2059 }
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01002060
Gilles Peskine449bd832023-01-11 14:50:10 +01002061 ssl_remove_psk(ssl);
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01002062
Jerry Yuccc68a42022-07-26 16:39:20 +08002063#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01002064 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2065 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2066 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2067 } else {
2068 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2069 }
2070 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
Jerry Yuccc68a42022-07-26 16:39:20 +08002071 }
2072#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Neil Armstrong501c9322022-05-03 09:35:09 +02002073
Jerry Yu568ec252022-07-22 21:27:34 +08002074#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01002075 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2076 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2077 psa_set_key_usage_flags(&key_attributes,
2078 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
Jerry Yuccc68a42022-07-26 16:39:20 +08002079 }
2080#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2081
Gilles Peskine449bd832023-01-11 14:50:10 +01002082 psa_set_key_algorithm(&key_attributes, alg);
2083 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
Neil Armstrong501c9322022-05-03 09:35:09 +02002084
Gilles Peskine449bd832023-01-11 14:50:10 +01002085 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2086 if (status != PSA_SUCCESS) {
2087 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2088 }
Neil Armstrong501c9322022-05-03 09:35:09 +02002089
2090 /* Allow calling psa_destroy_key() on psk remove */
2091 ssl->handshake->psk_opaque_is_internal = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01002092 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01002093}
2094
Gilles Peskine449bd832023-01-11 14:50:10 +01002095int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2096 mbedtls_svc_key_id_t psk,
2097 const unsigned char *psk_identity,
2098 size_t psk_identity_len)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002099{
Janos Follath865b3eb2019-12-16 11:46:15 +00002100 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01002101
2102 /* We currently only support one PSK, raw or opaque. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002103 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2104 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2105 }
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002106
Hanno Becker7390c712018-11-15 13:33:04 +00002107 /* Check and set opaque PSK */
Gilles Peskine449bd832023-01-11 14:50:10 +01002108 if (mbedtls_svc_key_id_is_null(psk)) {
2109 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2110 }
Ronald Croncf56a0a2020-08-04 09:51:30 +02002111 conf->psk_opaque = psk;
Hanno Becker7390c712018-11-15 13:33:04 +00002112
2113 /* Check and set PSK Identity */
Gilles Peskine449bd832023-01-11 14:50:10 +01002114 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2115 psk_identity_len);
2116 if (ret != 0) {
2117 ssl_conf_remove_psk(conf);
2118 }
Hanno Becker7390c712018-11-15 13:33:04 +00002119
Gilles Peskine449bd832023-01-11 14:50:10 +01002120 return ret;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002121}
2122
Gilles Peskine449bd832023-01-11 14:50:10 +01002123int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2124 mbedtls_svc_key_id_t psk)
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002125{
Gilles Peskine449bd832023-01-11 14:50:10 +01002126 if ((mbedtls_svc_key_id_is_null(psk)) ||
2127 (ssl->handshake == NULL)) {
2128 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2129 }
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002130
Gilles Peskine449bd832023-01-11 14:50:10 +01002131 ssl_remove_psk(ssl);
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002132 ssl->handshake->psk_opaque = psk;
Gilles Peskine449bd832023-01-11 14:50:10 +01002133 return 0;
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002134}
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002135
Jerry Yu8897c072022-08-12 13:56:53 +08002136#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002137void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2138 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2139 size_t),
2140 void *p_psk)
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002141{
2142 conf->f_psk = f_psk;
2143 conf->p_psk = p_psk;
2144}
Jerry Yu8897c072022-08-12 13:56:53 +08002145#endif /* MBEDTLS_SSL_SRV_C */
2146
Ronald Cron73fe8df2022-10-05 14:31:43 +02002147#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Przemyslaw Stekiel6928a512022-02-03 13:50:35 +01002148
Gilles Peskine301711e2022-04-26 16:57:05 +02002149static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
Gilles Peskine449bd832023-01-11 14:50:10 +01002150 psa_algorithm_t alg)
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002151{
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002152#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01002153 if (alg == PSA_ALG_CBC_NO_PADDING) {
2154 return MBEDTLS_SSL_MODE_CBC;
2155 }
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002156#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Gilles Peskine449bd832023-01-11 14:50:10 +01002157 if (PSA_ALG_IS_AEAD(alg)) {
2158 return MBEDTLS_SSL_MODE_AEAD;
2159 }
2160 return MBEDTLS_SSL_MODE_STREAM;
Gilles Peskine301711e2022-04-26 16:57:05 +02002161}
2162
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002163
Gilles Peskinee108d982022-04-26 16:50:40 +02002164static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2165 mbedtls_ssl_mode_t base_mode,
Gilles Peskine449bd832023-01-11 14:50:10 +01002166 int encrypt_then_mac)
Gilles Peskinee108d982022-04-26 16:50:40 +02002167{
2168#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01002169 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2170 base_mode == MBEDTLS_SSL_MODE_CBC) {
2171 return MBEDTLS_SSL_MODE_CBC_ETM;
Gilles Peskinee108d982022-04-26 16:50:40 +02002172 }
2173#else
2174 (void) encrypt_then_mac;
2175#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002176 return base_mode;
Gilles Peskinee108d982022-04-26 16:50:40 +02002177}
2178
Neil Armstrongab555e02022-04-04 11:07:59 +02002179mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
Gilles Peskine449bd832023-01-11 14:50:10 +01002180 const mbedtls_ssl_transform *transform)
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002181{
Gilles Peskinee108d982022-04-26 16:50:40 +02002182 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
Gilles Peskine449bd832023-01-11 14:50:10 +01002183 transform->psa_alg
Gilles Peskinee108d982022-04-26 16:50:40 +02002184 );
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002185
Gilles Peskinee108d982022-04-26 16:50:40 +02002186 int encrypt_then_mac = 0;
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002187#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskinee108d982022-04-26 16:50:40 +02002188 encrypt_then_mac = transform->encrypt_then_mac;
2189#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002190 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002191}
2192
Neil Armstrongab555e02022-04-04 11:07:59 +02002193mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002194#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01002195 int encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002196#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01002197 const mbedtls_ssl_ciphersuite_t *suite)
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002198{
Gilles Peskinee108d982022-04-26 16:50:40 +02002199 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2200
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002201 psa_status_t status;
2202 psa_algorithm_t alg;
2203 psa_key_type_t type;
2204 size_t size;
Dave Rodgman2eab4622023-10-05 13:30:37 +01002205 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2206 0, &alg, &type, &size);
Gilles Peskine449bd832023-01-11 14:50:10 +01002207 if (status == PSA_SUCCESS) {
2208 base_mode = mbedtls_ssl_get_base_mode(alg);
2209 }
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002210
Gilles Peskinee108d982022-04-26 16:50:40 +02002211#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2212 int encrypt_then_mac = 0;
2213#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002214 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002215}
2216
Jerry Yu251a12e2022-07-13 15:15:48 +08002217
Ronald Cron8b592d22024-11-12 18:08:25 +01002218const mbedtls_error_pair_t psa_to_ssl_errors[] =
2219{
2220 { PSA_SUCCESS, 0 },
2221 { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
2222 { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
2223 { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
2224 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
2225 { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
2226 { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
2227};
2228
Gilles Peskine449bd832023-01-11 14:50:10 +01002229psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2230 size_t taglen,
2231 psa_algorithm_t *alg,
2232 psa_key_type_t *key_type,
2233 size_t *key_size)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002234{
Elena Uziunaitec2561722024-07-05 11:37:33 +01002235#if !defined(PSA_WANT_ALG_CCM)
Yanray Wang19e4dc82023-11-16 18:02:05 +08002236 (void) taglen;
2237#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01002238 switch (mbedtls_cipher_type) {
Elena Uziunaite74342c72024-07-05 11:31:29 +01002239#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002240 case MBEDTLS_CIPHER_AES_128_CBC:
2241 *alg = PSA_ALG_CBC_NO_PADDING;
2242 *key_type = PSA_KEY_TYPE_AES;
2243 *key_size = 128;
2244 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002245#endif
Elena Uziunaitec2561722024-07-05 11:37:33 +01002246#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002247 case MBEDTLS_CIPHER_AES_128_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002248 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002249 *key_type = PSA_KEY_TYPE_AES;
2250 *key_size = 128;
2251 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002252#endif
Elena Uziunaite83a0d9d2024-07-05 11:41:22 +01002253#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002254 case MBEDTLS_CIPHER_AES_128_GCM:
2255 *alg = PSA_ALG_GCM;
2256 *key_type = PSA_KEY_TYPE_AES;
2257 *key_size = 128;
2258 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002259#endif
Elena Uziunaitec2561722024-07-05 11:37:33 +01002260#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002261 case MBEDTLS_CIPHER_AES_192_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002262 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002263 *key_type = PSA_KEY_TYPE_AES;
2264 *key_size = 192;
2265 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002266#endif
Elena Uziunaite83a0d9d2024-07-05 11:41:22 +01002267#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002268 case MBEDTLS_CIPHER_AES_192_GCM:
2269 *alg = PSA_ALG_GCM;
2270 *key_type = PSA_KEY_TYPE_AES;
2271 *key_size = 192;
2272 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002273#endif
Elena Uziunaite74342c72024-07-05 11:31:29 +01002274#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002275 case MBEDTLS_CIPHER_AES_256_CBC:
2276 *alg = PSA_ALG_CBC_NO_PADDING;
2277 *key_type = PSA_KEY_TYPE_AES;
2278 *key_size = 256;
2279 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002280#endif
Elena Uziunaitec2561722024-07-05 11:37:33 +01002281#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002282 case MBEDTLS_CIPHER_AES_256_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002283 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002284 *key_type = PSA_KEY_TYPE_AES;
2285 *key_size = 256;
2286 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002287#endif
Elena Uziunaite83a0d9d2024-07-05 11:41:22 +01002288#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002289 case MBEDTLS_CIPHER_AES_256_GCM:
2290 *alg = PSA_ALG_GCM;
2291 *key_type = PSA_KEY_TYPE_AES;
2292 *key_size = 256;
2293 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002294#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002295#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002296 case MBEDTLS_CIPHER_ARIA_128_CBC:
2297 *alg = PSA_ALG_CBC_NO_PADDING;
2298 *key_type = PSA_KEY_TYPE_ARIA;
2299 *key_size = 128;
2300 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002301#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002302#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002303 case MBEDTLS_CIPHER_ARIA_128_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002304 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002305 *key_type = PSA_KEY_TYPE_ARIA;
2306 *key_size = 128;
2307 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002308#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002309#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002310 case MBEDTLS_CIPHER_ARIA_128_GCM:
2311 *alg = PSA_ALG_GCM;
2312 *key_type = PSA_KEY_TYPE_ARIA;
2313 *key_size = 128;
2314 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002315#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002316#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002317 case MBEDTLS_CIPHER_ARIA_192_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002318 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002319 *key_type = PSA_KEY_TYPE_ARIA;
2320 *key_size = 192;
2321 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002322#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002323#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002324 case MBEDTLS_CIPHER_ARIA_192_GCM:
2325 *alg = PSA_ALG_GCM;
2326 *key_type = PSA_KEY_TYPE_ARIA;
2327 *key_size = 192;
2328 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002329#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002330#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002331 case MBEDTLS_CIPHER_ARIA_256_CBC:
2332 *alg = PSA_ALG_CBC_NO_PADDING;
2333 *key_type = PSA_KEY_TYPE_ARIA;
2334 *key_size = 256;
2335 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002336#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002337#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002338 case MBEDTLS_CIPHER_ARIA_256_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002339 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002340 *key_type = PSA_KEY_TYPE_ARIA;
2341 *key_size = 256;
2342 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002343#endif
Elena Uziunaite51c85a02024-07-05 11:20:17 +01002344#if defined(PSA_WANT_KEY_TYPE_ARIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002345 case MBEDTLS_CIPHER_ARIA_256_GCM:
2346 *alg = PSA_ALG_GCM;
2347 *key_type = PSA_KEY_TYPE_ARIA;
2348 *key_size = 256;
2349 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002350#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002351#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002352 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2353 *alg = PSA_ALG_CBC_NO_PADDING;
2354 *key_type = PSA_KEY_TYPE_CAMELLIA;
2355 *key_size = 128;
2356 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002357#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002358#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002359 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002360 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002361 *key_type = PSA_KEY_TYPE_CAMELLIA;
2362 *key_size = 128;
2363 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002364#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002365#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002366 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2367 *alg = PSA_ALG_GCM;
2368 *key_type = PSA_KEY_TYPE_CAMELLIA;
2369 *key_size = 128;
2370 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002371#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002372#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002373 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002374 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002375 *key_type = PSA_KEY_TYPE_CAMELLIA;
2376 *key_size = 192;
2377 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002378#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002379#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002380 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2381 *alg = PSA_ALG_GCM;
2382 *key_type = PSA_KEY_TYPE_CAMELLIA;
2383 *key_size = 192;
2384 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002385#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002386#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002387 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2388 *alg = PSA_ALG_CBC_NO_PADDING;
2389 *key_type = PSA_KEY_TYPE_CAMELLIA;
2390 *key_size = 256;
2391 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002392#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002393#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002394 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
Gilles Peskine449bd832023-01-11 14:50:10 +01002395 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002396 *key_type = PSA_KEY_TYPE_CAMELLIA;
2397 *key_size = 256;
2398 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002399#endif
Elena Uziunaiteda41b602024-07-05 11:27:21 +01002400#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002401 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2402 *alg = PSA_ALG_GCM;
2403 *key_type = PSA_KEY_TYPE_CAMELLIA;
2404 *key_size = 256;
2405 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002406#endif
Elena Uziunaite5c70c302024-07-05 11:44:44 +01002407#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002408 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2409 *alg = PSA_ALG_CHACHA20_POLY1305;
2410 *key_type = PSA_KEY_TYPE_CHACHA20;
2411 *key_size = 256;
2412 break;
Yanray Wang1a369d62023-11-16 15:17:31 +08002413#endif
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01002414 case MBEDTLS_CIPHER_NULL:
2415 *alg = MBEDTLS_SSL_NULL_CIPHER;
2416 *key_type = 0;
2417 *key_size = 0;
2418 break;
2419 default:
2420 return PSA_ERROR_NOT_SUPPORTED;
2421 }
2422
2423 return PSA_SUCCESS;
2424}
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01002425
Ronald Crone68ab4f2022-10-05 12:46:29 +02002426#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu7ddc38c2022-01-19 11:08:05 +08002427#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02002428/*
2429 * Set allowed/preferred hashes for handshake signatures
2430 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002431void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2432 const int *hashes)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02002433{
2434 conf->sig_hashes = hashes;
2435}
Jerry Yu7ddc38c2022-01-19 11:08:05 +08002436#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker1cd6e002021-08-10 13:27:10 +01002437
Jerry Yuf017ee42022-01-12 15:49:48 +08002438/* Configure allowed signature algorithms for handshake */
Gilles Peskine449bd832023-01-11 14:50:10 +01002439void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2440 const uint16_t *sig_algs)
Hanno Becker1cd6e002021-08-10 13:27:10 +01002441{
Jerry Yuf017ee42022-01-12 15:49:48 +08002442#if !defined(MBEDTLS_DEPRECATED_REMOVED)
2443 conf->sig_hashes = NULL;
2444#endif /* !MBEDTLS_DEPRECATED_REMOVED */
2445 conf->sig_algs = sig_algs;
Hanno Becker1cd6e002021-08-10 13:27:10 +01002446}
Ronald Crone68ab4f2022-10-05 12:46:29 +02002447#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02002448
Brett Warrene0edc842021-08-17 09:53:13 +01002449/*
2450 * Set the allowed groups
2451 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002452void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2453 const uint16_t *group_list)
Brett Warrene0edc842021-08-17 09:53:13 +01002454{
Brett Warrene0edc842021-08-17 09:53:13 +01002455 conf->group_list = group_list;
2456}
2457
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01002458#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002459int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
Paul Bakker5121ce52009-01-03 21:22:43 +00002460{
Hanno Becker947194e2017-04-07 13:25:49 +01002461 /* Initialize to suppress unnecessary compiler warning */
2462 size_t hostname_len = 0;
2463
2464 /* Check if new hostname is valid before
2465 * making any change to current one */
Gilles Peskine449bd832023-01-11 14:50:10 +01002466 if (hostname != NULL) {
2467 hostname_len = strlen(hostname);
Hanno Becker947194e2017-04-07 13:25:49 +01002468
Gilles Peskine449bd832023-01-11 14:50:10 +01002469 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2470 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2471 }
Hanno Becker947194e2017-04-07 13:25:49 +01002472 }
2473
2474 /* Now it's clear that we will overwrite the old hostname,
2475 * so we can free it safely */
2476
Gilles Peskine449bd832023-01-11 14:50:10 +01002477 if (ssl->hostname != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01002478 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
Hanno Becker947194e2017-04-07 13:25:49 +01002479 }
2480
2481 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +01002482
Gilles Peskine449bd832023-01-11 14:50:10 +01002483 if (hostname == NULL) {
Hanno Becker947194e2017-04-07 13:25:49 +01002484 ssl->hostname = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01002485 } else {
2486 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2487 if (ssl->hostname == NULL) {
2488 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2489 }
Paul Bakker75c1a6f2013-08-19 14:25:29 +02002490
Gilles Peskine449bd832023-01-11 14:50:10 +01002491 memcpy(ssl->hostname, hostname, hostname_len);
Paul Bakker75c1a6f2013-08-19 14:25:29 +02002492
Hanno Becker947194e2017-04-07 13:25:49 +01002493 ssl->hostname[hostname_len] = '\0';
2494 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002495
Gilles Peskine449bd832023-01-11 14:50:10 +01002496 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00002497}
Hanno Becker1a9a51c2017-04-07 13:02:16 +01002498#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00002499
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01002500#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01002501void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2502 int (*f_sni)(void *, mbedtls_ssl_context *,
2503 const unsigned char *, size_t),
2504 void *p_sni)
Paul Bakker5701cdc2012-09-27 21:49:42 +00002505{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002506 conf->f_sni = f_sni;
2507 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +00002508}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002509#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00002510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002511#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine449bd832023-01-11 14:50:10 +01002512int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002513{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002514 size_t cur_len, tot_len;
2515 const char **p;
2516
2517 /*
Brian J Murray1903fb32016-11-06 04:45:15 -08002518 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2519 * MUST NOT be truncated."
2520 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002521 */
2522 tot_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002523 for (p = protos; *p != NULL; p++) {
2524 cur_len = strlen(*p);
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002525 tot_len += cur_len;
2526
Gilles Peskine449bd832023-01-11 14:50:10 +01002527 if ((cur_len == 0) ||
2528 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2529 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2530 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2531 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002532 }
2533
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002534 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002535
Gilles Peskine449bd832023-01-11 14:50:10 +01002536 return 0;
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002537}
2538
Gilles Peskine449bd832023-01-11 14:50:10 +01002539const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002540{
Gilles Peskine449bd832023-01-11 14:50:10 +01002541 return ssl->alpn_chosen;
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002542}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002543#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02002544
Johan Pascalb62bb512015-12-03 21:56:45 +01002545#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +01002546void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2547 int support_mki_value)
Ron Eldor591f1622018-01-22 12:30:04 +02002548{
2549 conf->dtls_srtp_mki_support = support_mki_value;
2550}
2551
Gilles Peskine449bd832023-01-11 14:50:10 +01002552int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2553 unsigned char *mki_value,
2554 uint16_t mki_len)
Ron Eldor591f1622018-01-22 12:30:04 +02002555{
Gilles Peskine449bd832023-01-11 14:50:10 +01002556 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2557 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Ron Eldora9788042018-12-05 11:04:31 +02002558 }
Ron Eldor591f1622018-01-22 12:30:04 +02002559
Gilles Peskine449bd832023-01-11 14:50:10 +01002560 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2561 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Ron Eldora9788042018-12-05 11:04:31 +02002562 }
Ron Eldor591f1622018-01-22 12:30:04 +02002563
Gilles Peskine449bd832023-01-11 14:50:10 +01002564 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +02002565 ssl->dtls_srtp_info.mki_len = mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002566 return 0;
Ron Eldor591f1622018-01-22 12:30:04 +02002567}
2568
Gilles Peskine449bd832023-01-11 14:50:10 +01002569int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2570 const mbedtls_ssl_srtp_profile *profiles)
Johan Pascalb62bb512015-12-03 21:56:45 +01002571{
Johan Pascal253d0262020-09-22 13:04:45 +02002572 const mbedtls_ssl_srtp_profile *p;
2573 size_t list_size = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01002574
Johan Pascal253d0262020-09-22 13:04:45 +02002575 /* check the profiles list: all entry must be valid,
2576 * its size cannot be more than the total number of supported profiles, currently 4 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002577 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2578 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2579 p++) {
2580 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02002581 list_size++;
Gilles Peskine449bd832023-01-11 14:50:10 +01002582 } else {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02002583 /* unsupported value, stop parsing and set the size to an error value */
2584 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
Johan Pascalb62bb512015-12-03 21:56:45 +01002585 }
2586 }
2587
Gilles Peskine449bd832023-01-11 14:50:10 +01002588 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2589 conf->dtls_srtp_profile_list = NULL;
2590 conf->dtls_srtp_profile_list_len = 0;
2591 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Johan Pascal253d0262020-09-22 13:04:45 +02002592 }
2593
Johan Pascal9bc97ca2020-09-21 23:44:45 +02002594 conf->dtls_srtp_profile_list = profiles;
Johan Pascal253d0262020-09-22 13:04:45 +02002595 conf->dtls_srtp_profile_list_len = list_size;
Johan Pascalb62bb512015-12-03 21:56:45 +01002596
Gilles Peskine449bd832023-01-11 14:50:10 +01002597 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01002598}
2599
Gilles Peskine449bd832023-01-11 14:50:10 +01002600void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2601 mbedtls_dtls_srtp_info *dtls_srtp_info)
Johan Pascalb62bb512015-12-03 21:56:45 +01002602{
Johan Pascal2258a4f2020-10-28 13:53:09 +01002603 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2604 /* do not copy the mki value if there is no chosen profile */
Gilles Peskine449bd832023-01-11 14:50:10 +01002605 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
Johan Pascal2258a4f2020-10-28 13:53:09 +01002606 dtls_srtp_info->mki_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002607 } else {
Johan Pascal2258a4f2020-10-28 13:53:09 +01002608 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002609 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2610 ssl->dtls_srtp_info.mki_len);
Johan Pascal2258a4f2020-10-28 13:53:09 +01002611 }
Johan Pascalb62bb512015-12-03 21:56:45 +01002612}
Johan Pascalb62bb512015-12-03 21:56:45 +01002613#endif /* MBEDTLS_SSL_DTLS_SRTP */
2614
Aditya Patwardhan3096f332022-07-26 14:31:46 +05302615#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskine449bd832023-01-11 14:50:10 +01002616void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
Paul Bakker490ecc82011-10-06 13:04:09 +00002617{
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01002618 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
Paul Bakker490ecc82011-10-06 13:04:09 +00002619}
2620
Gilles Peskine449bd832023-01-11 14:50:10 +01002621void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
Paul Bakker1d29fb52012-09-28 13:28:45 +00002622{
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01002623 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
Paul Bakker1d29fb52012-09-28 13:28:45 +00002624}
Aditya Patwardhan3096f332022-07-26 14:31:46 +05302625#endif /* MBEDTLS_DEPRECATED_REMOVED */
Paul Bakker1d29fb52012-09-28 13:28:45 +00002626
Janos Follath088ce432017-04-10 12:42:31 +01002627#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002628void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
2629 char cert_req_ca_list)
Janos Follath088ce432017-04-10 12:42:31 +01002630{
2631 conf->cert_req_ca_list = cert_req_ca_list;
2632}
2633#endif
2634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002635#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01002636void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002637{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002638 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002639}
2640#endif
2641
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002642#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +01002643void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002644{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002645 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002646}
2647#endif
2648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002649#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002650int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002651{
Gilles Peskine449bd832023-01-11 14:50:10 +01002652 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
2653 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
2654 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002655 }
2656
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +01002657 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002658
Gilles Peskine449bd832023-01-11 14:50:10 +01002659 return 0;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002660}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002661#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02002662
Gilles Peskine449bd832023-01-11 14:50:10 +01002663void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
Paul Bakker48916f92012-09-16 19:57:18 +00002664{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002665 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +00002666}
2667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002668#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01002669void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002670{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002671 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002672}
2673
Gilles Peskine449bd832023-01-11 14:50:10 +01002674void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02002675{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02002676 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02002677}
2678
Gilles Peskine449bd832023-01-11 14:50:10 +01002679void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
2680 const unsigned char period[8])
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01002681{
Gilles Peskine449bd832023-01-11 14:50:10 +01002682 memcpy(conf->renego_period, period, 8);
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01002683}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002684#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00002685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002686#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002687#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01002688void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02002689{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +01002690 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02002691}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002692#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +02002693
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002694#if defined(MBEDTLS_SSL_SRV_C)
Jerry Yu1ad7ace2022-08-09 13:28:39 +08002695
Jerry Yud0766ec2022-09-22 10:46:57 +08002696#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002697void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
2698 uint16_t num_tickets)
Jerry Yu1ad7ace2022-08-09 13:28:39 +08002699{
Jerry Yud0766ec2022-09-22 10:46:57 +08002700 conf->new_session_tickets_count = num_tickets;
Jerry Yu1ad7ace2022-08-09 13:28:39 +08002701}
2702#endif
2703
Gilles Peskine449bd832023-01-11 14:50:10 +01002704void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
2705 mbedtls_ssl_ticket_write_t *f_ticket_write,
2706 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
2707 void *p_ticket)
Paul Bakker606b4ba2013-08-14 16:52:14 +02002708{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02002709 conf->f_ticket_write = f_ticket_write;
2710 conf->f_ticket_parse = f_ticket_parse;
2711 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +02002712}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02002713#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002714#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02002715
Gilles Peskine449bd832023-01-11 14:50:10 +01002716void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
2717 mbedtls_ssl_export_keys_t *f_export_keys,
2718 void *p_export_keys)
Robert Cragie4feb7ae2015-10-02 13:33:37 +01002719{
Hanno Becker7e6c1782021-06-08 09:24:55 +01002720 ssl->f_export_keys = f_export_keys;
2721 ssl->p_export_keys = p_export_keys;
Ron Eldorf5cc10d2019-05-07 18:33:40 +03002722}
Robert Cragie4feb7ae2015-10-02 13:33:37 +01002723
Gilles Peskineb74a1c72018-04-24 13:09:22 +02002724#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002725void mbedtls_ssl_conf_async_private_cb(
2726 mbedtls_ssl_config *conf,
2727 mbedtls_ssl_async_sign_t *f_async_sign,
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002728 mbedtls_ssl_async_resume_t *f_async_resume,
2729 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskine449bd832023-01-11 14:50:10 +01002730 void *async_config_data)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002731{
2732 conf->f_async_sign_start = f_async_sign;
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002733 conf->f_async_resume = f_async_resume;
2734 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002735 conf->p_async_config_data = async_config_data;
2736}
2737
Gilles Peskine449bd832023-01-11 14:50:10 +01002738void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
Gilles Peskine8f97af72018-04-26 11:46:10 +02002739{
Gilles Peskine449bd832023-01-11 14:50:10 +01002740 return conf->p_async_config_data;
Gilles Peskine8f97af72018-04-26 11:46:10 +02002741}
2742
Gilles Peskine449bd832023-01-11 14:50:10 +01002743void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002744{
Gilles Peskine449bd832023-01-11 14:50:10 +01002745 if (ssl->handshake == NULL) {
2746 return NULL;
2747 } else {
2748 return ssl->handshake->user_async_ctx;
2749 }
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002750}
2751
Gilles Peskine449bd832023-01-11 14:50:10 +01002752void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
2753 void *ctx)
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002754{
Gilles Peskine449bd832023-01-11 14:50:10 +01002755 if (ssl->handshake != NULL) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02002756 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine449bd832023-01-11 14:50:10 +01002757 }
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002758}
Gilles Peskineb74a1c72018-04-24 13:09:22 +02002759#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +01002760
Paul Bakker5121ce52009-01-03 21:22:43 +00002761/*
2762 * SSL get accessors
2763 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002764uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +00002765{
Gilles Peskine449bd832023-01-11 14:50:10 +01002766 if (ssl->session != NULL) {
2767 return ssl->session->verify_result;
2768 }
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00002769
Gilles Peskine449bd832023-01-11 14:50:10 +01002770 if (ssl->session_negotiate != NULL) {
2771 return ssl->session_negotiate->verify_result;
2772 }
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00002773
Gilles Peskine449bd832023-01-11 14:50:10 +01002774 return 0xFFFFFFFF;
Paul Bakker5121ce52009-01-03 21:22:43 +00002775}
2776
Gilles Peskine449bd832023-01-11 14:50:10 +01002777int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
Glenn Strauss8f526902022-01-13 00:04:49 -05002778{
Gilles Peskine449bd832023-01-11 14:50:10 +01002779 if (ssl == NULL || ssl->session == NULL) {
2780 return 0;
2781 }
Glenn Strauss8f526902022-01-13 00:04:49 -05002782
Gilles Peskine449bd832023-01-11 14:50:10 +01002783 return ssl->session->ciphersuite;
Glenn Strauss8f526902022-01-13 00:04:49 -05002784}
2785
Gilles Peskine449bd832023-01-11 14:50:10 +01002786const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
Paul Bakker72f62662011-01-16 21:27:44 +00002787{
Gilles Peskine449bd832023-01-11 14:50:10 +01002788 if (ssl == NULL || ssl->session == NULL) {
2789 return NULL;
2790 }
Paul Bakker926c8e42013-03-06 10:23:34 +01002791
Gilles Peskine449bd832023-01-11 14:50:10 +01002792 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
Paul Bakker72f62662011-01-16 21:27:44 +00002793}
2794
Gilles Peskine449bd832023-01-11 14:50:10 +01002795const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
Paul Bakker43ca69c2011-01-15 17:35:19 +00002796{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002797#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002798 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2799 switch (ssl->tls_version) {
Glenn Strauss60bfe602022-03-14 19:04:24 -04002800 case MBEDTLS_SSL_VERSION_TLS1_2:
Gilles Peskine449bd832023-01-11 14:50:10 +01002801 return "DTLSv1.2";
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01002802 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01002803 return "unknown (DTLS)";
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01002804 }
2805 }
2806#endif
2807
Gilles Peskine449bd832023-01-11 14:50:10 +01002808 switch (ssl->tls_version) {
Glenn Strauss60bfe602022-03-14 19:04:24 -04002809 case MBEDTLS_SSL_VERSION_TLS1_2:
Gilles Peskine449bd832023-01-11 14:50:10 +01002810 return "TLSv1.2";
Glenn Strauss60bfe602022-03-14 19:04:24 -04002811 case MBEDTLS_SSL_VERSION_TLS1_3:
Gilles Peskine449bd832023-01-11 14:50:10 +01002812 return "TLSv1.3";
Paul Bakker43ca69c2011-01-15 17:35:19 +00002813 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01002814 return "unknown";
Paul Bakker43ca69c2011-01-15 17:35:19 +00002815 }
Paul Bakker43ca69c2011-01-15 17:35:19 +00002816}
2817
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +00002818#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2819
2820size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
2821{
2822 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
2823 size_t record_size_limit = max_len;
2824
2825 if (ssl->session != NULL &&
2826 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
2827 ssl->session->record_size_limit < max_len) {
2828 record_size_limit = ssl->session->record_size_limit;
2829 }
2830
2831 // TODO: this is currently untested
2832 /* During a handshake, use the value being negotiated */
2833 if (ssl->session_negotiate != NULL &&
2834 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
2835 ssl->session_negotiate->record_size_limit < max_len) {
2836 record_size_limit = ssl->session_negotiate->record_size_limit;
2837 }
2838
2839 return record_size_limit;
2840}
2841#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2842
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002843#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002844size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002845{
David Horstmann95d516f2021-05-04 18:36:56 +01002846 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002847 size_t read_mfl;
2848
Jerry Yuddda0502022-12-01 19:43:12 +08002849#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002850 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002851 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
2852 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
2853 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002854 }
Jerry Yuddda0502022-12-01 19:43:12 +08002855#endif
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002856
2857 /* Check if a smaller max length was negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002858 if (ssl->session_out != NULL) {
2859 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
2860 if (read_mfl < max_len) {
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002861 max_len = read_mfl;
2862 }
2863 }
2864
Jerry Yuddda0502022-12-01 19:43:12 +08002865 /* During a handshake, use the value being negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002866 if (ssl->session_negotiate != NULL) {
2867 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
2868 if (read_mfl < max_len) {
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002869 max_len = read_mfl;
2870 }
2871 }
2872
Gilles Peskine449bd832023-01-11 14:50:10 +01002873 return max_len;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04002874}
2875
Gilles Peskine449bd832023-01-11 14:50:10 +01002876size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002877{
2878 size_t max_len;
2879
2880 /*
2881 * Assume mfl_code is correct since it was checked when set
2882 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002883 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002884
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02002885 /* Check if a smaller max length was negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002886 if (ssl->session_out != NULL &&
2887 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
2888 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002889 }
2890
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02002891 /* During a handshake, use the value being negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +01002892 if (ssl->session_negotiate != NULL &&
2893 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
2894 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02002895 }
2896
Gilles Peskine449bd832023-01-11 14:50:10 +01002897 return max_len;
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02002898}
2899#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2900
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002901#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002902size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002903{
Andrzej Kurekef43ce62018-10-09 08:24:12 -04002904 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002905 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
2906 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
2907 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
2908 return 0;
2909 }
Andrzej Kurekef43ce62018-10-09 08:24:12 -04002910
Gilles Peskine449bd832023-01-11 14:50:10 +01002911 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
2912 return ssl->mtu;
2913 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002914
Gilles Peskine449bd832023-01-11 14:50:10 +01002915 if (ssl->mtu == 0) {
2916 return ssl->handshake->mtu;
2917 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002918
Gilles Peskine449bd832023-01-11 14:50:10 +01002919 return ssl->mtu < ssl->handshake->mtu ?
2920 ssl->mtu : ssl->handshake->mtu;
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002921}
2922#endif /* MBEDTLS_SSL_PROTO_DTLS */
2923
Gilles Peskine449bd832023-01-11 14:50:10 +01002924int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002925{
2926 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
2927
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02002928#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
Jan Brucknerf482dcc2023-03-15 09:09:06 +01002929 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02002930 !defined(MBEDTLS_SSL_PROTO_DTLS)
2931 (void) ssl;
2932#endif
2933
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002934#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01002935 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002936
Gilles Peskine449bd832023-01-11 14:50:10 +01002937 if (max_len > mfl) {
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002938 max_len = mfl;
Gilles Peskine449bd832023-01-11 14:50:10 +01002939 }
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002940#endif
2941
Jan Brucknerf482dcc2023-03-15 09:09:06 +01002942#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2943 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
2944
2945 if (max_len > record_size_limit) {
2946 max_len = record_size_limit;
2947 }
2948#endif
2949
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +00002950 if (ssl->transform_out != NULL &&
2951 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Waleed Elmelegyf5017902024-01-09 14:18:34 +00002952 /*
2953 * In TLS 1.3 case, when records are protected, `max_len` as computed
2954 * above is the maximum length of the TLSInnerPlaintext structure that
2955 * along the plaintext payload contains the inner content type (one byte)
2956 * and some zero padding. Given the algorithm used for padding
2957 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
2958 * the plaintext payload. Round down to a multiple of
2959 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
2960 * subtract 1.
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +00002961 */
2962 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
2963 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
2964 }
2965
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002966#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01002967 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
2968 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
2969 const int ret = mbedtls_ssl_get_record_expansion(ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002970 const size_t overhead = (size_t) ret;
2971
Gilles Peskine449bd832023-01-11 14:50:10 +01002972 if (ret < 0) {
2973 return ret;
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002974 }
2975
Gilles Peskine449bd832023-01-11 14:50:10 +01002976 if (mtu <= overhead) {
2977 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
2978 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2979 }
2980
2981 if (max_len > mtu - overhead) {
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002982 max_len = mtu - overhead;
Gilles Peskine449bd832023-01-11 14:50:10 +01002983 }
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002984 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02002985#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002986
Hanno Becker0defedb2018-08-10 12:35:02 +01002987#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
Waleed Elmelegy049cd302023-12-20 17:28:31 +00002988 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
2989 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
Hanno Becker0defedb2018-08-10 12:35:02 +01002990 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002991#endif
2992
Gilles Peskine449bd832023-01-11 14:50:10 +01002993 return (int) max_len;
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02002994}
2995
Gilles Peskine449bd832023-01-11 14:50:10 +01002996int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
Hanno Becker2d8e99b2021-04-21 06:19:50 +01002997{
2998 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
2999
3000#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3001 (void) ssl;
3002#endif
3003
3004#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +01003005 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
Hanno Becker2d8e99b2021-04-21 06:19:50 +01003006
Gilles Peskine449bd832023-01-11 14:50:10 +01003007 if (max_len > mfl) {
Hanno Becker2d8e99b2021-04-21 06:19:50 +01003008 max_len = mfl;
Gilles Peskine449bd832023-01-11 14:50:10 +01003009 }
Hanno Becker2d8e99b2021-04-21 06:19:50 +01003010#endif
3011
Gilles Peskine449bd832023-01-11 14:50:10 +01003012 return (int) max_len;
Hanno Becker2d8e99b2021-04-21 06:19:50 +01003013}
3014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003015#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01003016const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
Paul Bakkerb0550d92012-10-30 07:51:03 +00003017{
Gilles Peskine449bd832023-01-11 14:50:10 +01003018 if (ssl == NULL || ssl->session == NULL) {
3019 return NULL;
3020 }
Paul Bakkerb0550d92012-10-30 07:51:03 +00003021
Hanno Beckere6824572019-02-07 13:18:46 +00003022#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +01003023 return ssl->session->peer_cert;
Hanno Beckere6824572019-02-07 13:18:46 +00003024#else
Gilles Peskine449bd832023-01-11 14:50:10 +01003025 return NULL;
Hanno Beckere6824572019-02-07 13:18:46 +00003026#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +00003027}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003028#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00003029
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003030#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01003031int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3032 mbedtls_ssl_session *dst)
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02003033{
Hanno Beckere810bbc2021-05-14 16:01:05 +01003034 int ret;
3035
Gilles Peskine449bd832023-01-11 14:50:10 +01003036 if (ssl == NULL ||
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02003037 dst == NULL ||
3038 ssl->session == NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +01003039 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3040 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02003041 }
3042
Hanno Beckere810bbc2021-05-14 16:01:05 +01003043 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3044 * idempotent: Each session can only be exported once.
3045 *
3046 * (This is in preparation for TLS 1.3 support where we will
3047 * need the ability to export multiple sessions (aka tickets),
3048 * which will be achieved by calling mbedtls_ssl_get_session()
3049 * multiple times until it fails.)
3050 *
3051 * Check whether we have already exported the current session,
3052 * and fail if so.
3053 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003054 if (ssl->session->exported == 1) {
3055 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3056 }
Hanno Beckere810bbc2021-05-14 16:01:05 +01003057
Gilles Peskine449bd832023-01-11 14:50:10 +01003058 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3059 if (ret != 0) {
3060 return ret;
3061 }
Hanno Beckere810bbc2021-05-14 16:01:05 +01003062
3063 /* Remember that we've exported the session. */
3064 ssl->session->exported = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01003065 return 0;
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02003066}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003067#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02003068
David Horstmanncb01b362024-02-29 17:31:46 +00003069#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3070
3071/* Serialization of TLS 1.2 sessions
David Horstmanne59f9702024-02-29 16:08:57 +00003072 *
David Horstmanncb01b362024-02-29 17:31:46 +00003073 * For more detail, see the description of ssl_session_save().
David Horstmanne59f9702024-02-29 16:08:57 +00003074 */
3075static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3076 unsigned char *buf,
3077 size_t buf_len)
3078{
3079 unsigned char *p = buf;
3080 size_t used = 0;
3081
3082#if defined(MBEDTLS_HAVE_TIME)
3083 uint64_t start;
3084#endif
3085#if defined(MBEDTLS_X509_CRT_PARSE_C)
3086#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3087 size_t cert_len;
3088#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3089#endif /* MBEDTLS_X509_CRT_PARSE_C */
3090
3091 /*
3092 * Time
3093 */
3094#if defined(MBEDTLS_HAVE_TIME)
3095 used += 8;
3096
3097 if (used <= buf_len) {
3098 start = (uint64_t) session->start;
3099
3100 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3101 p += 8;
3102 }
3103#endif /* MBEDTLS_HAVE_TIME */
3104
3105 /*
3106 * Basic mandatory fields
3107 */
3108 used += 1 /* id_len */
3109 + sizeof(session->id)
3110 + sizeof(session->master)
3111 + 4; /* verify_result */
3112
3113 if (used <= buf_len) {
3114 *p++ = MBEDTLS_BYTE_0(session->id_len);
3115 memcpy(p, session->id, 32);
3116 p += 32;
3117
3118 memcpy(p, session->master, 48);
3119 p += 48;
3120
3121 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3122 p += 4;
3123 }
3124
3125 /*
3126 * Peer's end-entity certificate
3127 */
3128#if defined(MBEDTLS_X509_CRT_PARSE_C)
3129#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3130 if (session->peer_cert == NULL) {
3131 cert_len = 0;
3132 } else {
3133 cert_len = session->peer_cert->raw.len;
3134 }
3135
3136 used += 3 + cert_len;
3137
3138 if (used <= buf_len) {
3139 *p++ = MBEDTLS_BYTE_2(cert_len);
3140 *p++ = MBEDTLS_BYTE_1(cert_len);
3141 *p++ = MBEDTLS_BYTE_0(cert_len);
3142
3143 if (session->peer_cert != NULL) {
3144 memcpy(p, session->peer_cert->raw.p, cert_len);
3145 p += cert_len;
3146 }
3147 }
3148#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3149 if (session->peer_cert_digest != NULL) {
3150 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3151 if (used <= buf_len) {
3152 *p++ = (unsigned char) session->peer_cert_digest_type;
3153 *p++ = (unsigned char) session->peer_cert_digest_len;
3154 memcpy(p, session->peer_cert_digest,
3155 session->peer_cert_digest_len);
3156 p += session->peer_cert_digest_len;
3157 }
3158 } else {
3159 used += 2;
3160 if (used <= buf_len) {
3161 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3162 *p++ = 0;
3163 }
3164 }
3165#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3166#endif /* MBEDTLS_X509_CRT_PARSE_C */
3167
3168 /*
3169 * Session ticket if any, plus associated data
3170 */
3171#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3172#if defined(MBEDTLS_SSL_CLI_C)
3173 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3174 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3175
3176 if (used <= buf_len) {
3177 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3178 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3179 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3180
3181 if (session->ticket != NULL) {
3182 memcpy(p, session->ticket, session->ticket_len);
3183 p += session->ticket_len;
3184 }
3185
3186 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3187 p += 4;
3188 }
3189 }
3190#endif /* MBEDTLS_SSL_CLI_C */
3191#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3192 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3193 used += 8;
3194
3195 if (used <= buf_len) {
3196 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3197 p += 8;
3198 }
3199 }
3200#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3201#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3202
3203 /*
3204 * Misc extension-related info
3205 */
3206#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3207 used += 1;
3208
3209 if (used <= buf_len) {
3210 *p++ = session->mfl_code;
3211 }
3212#endif
3213
3214#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3215 used += 1;
3216
3217 if (used <= buf_len) {
3218 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3219 }
3220#endif
3221
3222 return used;
3223}
3224
3225MBEDTLS_CHECK_RETURN_CRITICAL
3226static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3227 const unsigned char *buf,
3228 size_t len)
3229{
3230#if defined(MBEDTLS_HAVE_TIME)
3231 uint64_t start;
3232#endif
3233#if defined(MBEDTLS_X509_CRT_PARSE_C)
3234#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3235 size_t cert_len;
3236#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3237#endif /* MBEDTLS_X509_CRT_PARSE_C */
3238
3239 const unsigned char *p = buf;
3240 const unsigned char * const end = buf + len;
3241
3242 /*
3243 * Time
3244 */
3245#if defined(MBEDTLS_HAVE_TIME)
3246 if (8 > (size_t) (end - p)) {
3247 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3248 }
3249
3250 start = MBEDTLS_GET_UINT64_BE(p, 0);
3251 p += 8;
3252
3253 session->start = (time_t) start;
3254#endif /* MBEDTLS_HAVE_TIME */
3255
3256 /*
3257 * Basic mandatory fields
3258 */
3259 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3260 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3261 }
3262
3263 session->id_len = *p++;
3264 memcpy(session->id, p, 32);
3265 p += 32;
3266
3267 memcpy(session->master, p, 48);
3268 p += 48;
3269
3270 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3271 p += 4;
3272
3273 /* Immediately clear invalid pointer values that have been read, in case
3274 * we exit early before we replaced them with valid ones. */
3275#if defined(MBEDTLS_X509_CRT_PARSE_C)
3276#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3277 session->peer_cert = NULL;
3278#else
3279 session->peer_cert_digest = NULL;
3280#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3281#endif /* MBEDTLS_X509_CRT_PARSE_C */
3282#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3283 session->ticket = NULL;
3284#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3285
3286 /*
3287 * Peer certificate
3288 */
3289#if defined(MBEDTLS_X509_CRT_PARSE_C)
3290#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3291 /* Deserialize CRT from the end of the ticket. */
3292 if (3 > (size_t) (end - p)) {
3293 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3294 }
3295
3296 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3297 p += 3;
3298
3299 if (cert_len != 0) {
3300 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3301
3302 if (cert_len > (size_t) (end - p)) {
3303 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3304 }
3305
3306 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3307
3308 if (session->peer_cert == NULL) {
3309 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3310 }
3311
3312 mbedtls_x509_crt_init(session->peer_cert);
3313
3314 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3315 p, cert_len)) != 0) {
3316 mbedtls_x509_crt_free(session->peer_cert);
3317 mbedtls_free(session->peer_cert);
3318 session->peer_cert = NULL;
3319 return ret;
3320 }
3321
3322 p += cert_len;
3323 }
3324#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3325 /* Deserialize CRT digest from the end of the ticket. */
3326 if (2 > (size_t) (end - p)) {
3327 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3328 }
3329
3330 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3331 session->peer_cert_digest_len = (size_t) *p++;
3332
3333 if (session->peer_cert_digest_len != 0) {
3334 const mbedtls_md_info_t *md_info =
3335 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3336 if (md_info == NULL) {
3337 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3338 }
3339 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3340 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3341 }
3342
3343 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3344 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3345 }
3346
3347 session->peer_cert_digest =
3348 mbedtls_calloc(1, session->peer_cert_digest_len);
3349 if (session->peer_cert_digest == NULL) {
3350 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3351 }
3352
3353 memcpy(session->peer_cert_digest, p,
3354 session->peer_cert_digest_len);
3355 p += session->peer_cert_digest_len;
3356 }
3357#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3358#endif /* MBEDTLS_X509_CRT_PARSE_C */
3359
3360 /*
3361 * Session ticket and associated data
3362 */
3363#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3364#if defined(MBEDTLS_SSL_CLI_C)
3365 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3366 if (3 > (size_t) (end - p)) {
3367 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3368 }
3369
3370 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3371 p += 3;
3372
3373 if (session->ticket_len != 0) {
3374 if (session->ticket_len > (size_t) (end - p)) {
3375 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3376 }
3377
3378 session->ticket = mbedtls_calloc(1, session->ticket_len);
3379 if (session->ticket == NULL) {
3380 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3381 }
3382
3383 memcpy(session->ticket, p, session->ticket_len);
3384 p += session->ticket_len;
3385 }
3386
3387 if (4 > (size_t) (end - p)) {
3388 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3389 }
3390
3391 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3392 p += 4;
3393 }
3394#endif /* MBEDTLS_SSL_CLI_C */
3395#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3396 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3397 if (8 > (size_t) (end - p)) {
3398 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3399 }
3400 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3401 p += 8;
3402 }
3403#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3404#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3405
3406 /*
3407 * Misc extension-related info
3408 */
3409#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3410 if (1 > (size_t) (end - p)) {
3411 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3412 }
3413
3414 session->mfl_code = *p++;
3415#endif
3416
3417#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3418 if (1 > (size_t) (end - p)) {
3419 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3420 }
3421
3422 session->encrypt_then_mac = *p++;
3423#endif
3424
3425 /* Done, should have consumed entire buffer */
3426 if (p != end) {
3427 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3428 }
3429
3430 return 0;
3431}
3432
3433#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3434
3435#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3436/* Serialization of TLS 1.3 sessions:
3437 *
David Horstmanncb01b362024-02-29 17:31:46 +00003438 * For more detail, see the description of ssl_session_save().
David Horstmanne59f9702024-02-29 16:08:57 +00003439 */
3440#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3441MBEDTLS_CHECK_RETURN_CRITICAL
3442static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3443 unsigned char *buf,
3444 size_t buf_len,
3445 size_t *olen)
3446{
3447 unsigned char *p = buf;
3448#if defined(MBEDTLS_SSL_CLI_C) && \
3449 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3450 size_t hostname_len = (session->hostname == NULL) ?
3451 0 : strlen(session->hostname) + 1;
3452#endif
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003453
3454#if defined(MBEDTLS_SSL_SRV_C) && \
3455 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003456 const size_t alpn_len = (session->ticket_alpn == NULL) ?
Waleed Elmelegyb28ab0a2024-03-13 16:48:28 +00003457 0 : strlen(session->ticket_alpn) + 1;
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003458#endif
David Horstmanne59f9702024-02-29 16:08:57 +00003459 size_t needed = 4 /* ticket_age_add */
3460 + 1 /* ticket_flags */
3461 + 1; /* resumption_key length */
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003462
David Horstmanne59f9702024-02-29 16:08:57 +00003463 *olen = 0;
3464
3465 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3466 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3467 }
3468 needed += session->resumption_key_len; /* resumption_key */
3469
3470#if defined(MBEDTLS_SSL_EARLY_DATA)
3471 needed += 4; /* max_early_data_size */
3472#endif
3473#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3474 needed += 2; /* record_size_limit */
3475#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3476
3477#if defined(MBEDTLS_HAVE_TIME)
3478 needed += 8; /* ticket_creation_time or ticket_reception_time */
3479#endif
3480
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003481#if defined(MBEDTLS_SSL_SRV_C)
3482 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3483#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003484 needed += 2 /* alpn_len */
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003485 + alpn_len; /* alpn */
3486#endif
3487 }
3488#endif /* MBEDTLS_SSL_SRV_C */
3489
David Horstmanne59f9702024-02-29 16:08:57 +00003490#if defined(MBEDTLS_SSL_CLI_C)
3491 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3492#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3493 needed += 2 /* hostname_len */
3494 + hostname_len; /* hostname */
3495#endif
3496
3497 needed += 4 /* ticket_lifetime */
3498 + 2; /* ticket_len */
3499
3500 /* Check size_t overflow */
3501 if (session->ticket_len > SIZE_MAX - needed) {
3502 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3503 }
3504
3505 needed += session->ticket_len; /* ticket */
3506 }
3507#endif /* MBEDTLS_SSL_CLI_C */
3508
3509 *olen = needed;
3510 if (needed > buf_len) {
3511 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3512 }
3513
3514 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3515 p[4] = session->ticket_flags;
3516
3517 /* save resumption_key */
3518 p[5] = session->resumption_key_len;
3519 p += 6;
3520 memcpy(p, session->resumption_key, session->resumption_key_len);
3521 p += session->resumption_key_len;
3522
3523#if defined(MBEDTLS_SSL_EARLY_DATA)
3524 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3525 p += 4;
3526#endif
3527#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3528 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3529 p += 2;
3530#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3531
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003532#if defined(MBEDTLS_SSL_SRV_C)
David Horstmanne59f9702024-02-29 16:08:57 +00003533 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003534#if defined(MBEDTLS_HAVE_TIME)
David Horstmanne59f9702024-02-29 16:08:57 +00003535 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3536 p += 8;
David Horstmanne59f9702024-02-29 16:08:57 +00003537#endif /* MBEDTLS_HAVE_TIME */
3538
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003539#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003540 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3541 p += 2;
3542
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003543 if (alpn_len > 0) {
3544 /* save chosen alpn */
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00003545 memcpy(p, session->ticket_alpn, alpn_len);
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003546 p += alpn_len;
3547 }
3548#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3549 }
3550#endif /* MBEDTLS_SSL_SRV_C */
3551
David Horstmanne59f9702024-02-29 16:08:57 +00003552#if defined(MBEDTLS_SSL_CLI_C)
3553 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3554#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3555 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3556 p += 2;
3557 if (hostname_len > 0) {
3558 /* save host name */
3559 memcpy(p, session->hostname, hostname_len);
3560 p += hostname_len;
3561 }
3562#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3563
3564#if defined(MBEDTLS_HAVE_TIME)
3565 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3566 p += 8;
3567#endif
3568 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3569 p += 4;
3570
3571 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3572 p += 2;
3573
3574 if (session->ticket != NULL && session->ticket_len > 0) {
3575 memcpy(p, session->ticket, session->ticket_len);
3576 p += session->ticket_len;
3577 }
3578 }
3579#endif /* MBEDTLS_SSL_CLI_C */
3580 return 0;
3581}
3582
3583MBEDTLS_CHECK_RETURN_CRITICAL
3584static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3585 const unsigned char *buf,
3586 size_t len)
3587{
3588 const unsigned char *p = buf;
3589 const unsigned char *end = buf + len;
3590
3591 if (end - p < 6) {
3592 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3593 }
3594 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3595 session->ticket_flags = p[4];
3596
3597 /* load resumption_key */
3598 session->resumption_key_len = p[5];
3599 p += 6;
3600
3601 if (end - p < session->resumption_key_len) {
3602 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3603 }
3604
3605 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3606 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3607 }
3608 memcpy(session->resumption_key, p, session->resumption_key_len);
3609 p += session->resumption_key_len;
3610
3611#if defined(MBEDTLS_SSL_EARLY_DATA)
3612 if (end - p < 4) {
3613 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3614 }
3615 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3616 p += 4;
3617#endif
3618#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3619 if (end - p < 2) {
3620 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3621 }
3622 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
3623 p += 2;
3624#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3625
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003626#if defined(MBEDTLS_SSL_SRV_C)
David Horstmanne59f9702024-02-29 16:08:57 +00003627 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003628#if defined(MBEDTLS_HAVE_TIME)
David Horstmanne59f9702024-02-29 16:08:57 +00003629 if (end - p < 8) {
3630 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3631 }
3632 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3633 p += 8;
David Horstmanne59f9702024-02-29 16:08:57 +00003634#endif /* MBEDTLS_HAVE_TIME */
3635
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003636#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003637 size_t alpn_len;
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003638
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003639 if (end - p < 2) {
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003640 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3641 }
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00003642
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003643 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
3644 p += 2;
3645
3646 if (end - p < (long int) alpn_len) {
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003647 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3648 }
3649
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003650 if (alpn_len > 0) {
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003651 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
3652 if (ret != 0) {
3653 return ret;
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003654 }
Waleed Elmelegy2824a202024-02-23 17:51:47 +00003655 p += alpn_len;
3656 }
3657#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3658 }
3659#endif /* MBEDTLS_SSL_SRV_C */
3660
David Horstmanne59f9702024-02-29 16:08:57 +00003661#if defined(MBEDTLS_SSL_CLI_C)
3662 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3663#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3664 size_t hostname_len;
3665 /* load host name */
3666 if (end - p < 2) {
3667 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3668 }
3669 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
3670 p += 2;
3671
3672 if (end - p < (long int) hostname_len) {
3673 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3674 }
3675 if (hostname_len > 0) {
3676 session->hostname = mbedtls_calloc(1, hostname_len);
3677 if (session->hostname == NULL) {
3678 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3679 }
3680 memcpy(session->hostname, p, hostname_len);
3681 p += hostname_len;
3682 }
3683#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3684
3685#if defined(MBEDTLS_HAVE_TIME)
3686 if (end - p < 8) {
3687 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3688 }
3689 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
3690 p += 8;
3691#endif
3692 if (end - p < 4) {
3693 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3694 }
3695 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3696 p += 4;
3697
3698 if (end - p < 2) {
3699 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3700 }
3701 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
3702 p += 2;
3703
3704 if (end - p < (long int) session->ticket_len) {
3705 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3706 }
3707 if (session->ticket_len > 0) {
3708 session->ticket = mbedtls_calloc(1, session->ticket_len);
3709 if (session->ticket == NULL) {
3710 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3711 }
3712 memcpy(session->ticket, p, session->ticket_len);
3713 p += session->ticket_len;
3714 }
3715 }
3716#endif /* MBEDTLS_SSL_CLI_C */
3717
3718 return 0;
3719
3720}
3721#else /* MBEDTLS_SSL_SESSION_TICKETS */
3722MBEDTLS_CHECK_RETURN_CRITICAL
3723static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3724 unsigned char *buf,
3725 size_t buf_len,
3726 size_t *olen)
3727{
3728 ((void) session);
3729 ((void) buf);
3730 ((void) buf_len);
3731 *olen = 0;
3732 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3733}
3734
3735static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
Norbert Fabritiusd36913a2023-01-24 17:48:29 +01003736 const unsigned char *buf,
David Horstmanne59f9702024-02-29 16:08:57 +00003737 size_t buf_len)
3738{
3739 ((void) session);
3740 ((void) buf);
3741 ((void) buf_len);
3742 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3743}
3744#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
3745#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3746
Paul Bakker5121ce52009-01-03 21:22:43 +00003747/*
Hanno Beckera835da52019-05-16 12:39:07 +01003748 * Define ticket header determining Mbed TLS version
3749 * and structure of the ticket.
3750 */
3751
Hanno Becker94ef3b32019-05-16 12:50:45 +01003752/*
Hanno Becker50b59662019-05-28 14:30:45 +01003753 * Define bitflag determining compile-time settings influencing
3754 * structure of serialized SSL sessions.
Hanno Becker94ef3b32019-05-16 12:50:45 +01003755 */
3756
Hanno Becker50b59662019-05-28 14:30:45 +01003757#if defined(MBEDTLS_HAVE_TIME)
Hanno Becker3e088662019-05-29 11:10:18 +01003758#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
Hanno Becker50b59662019-05-28 14:30:45 +01003759#else
Hanno Becker3e088662019-05-29 11:10:18 +01003760#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003761#endif /* MBEDTLS_HAVE_TIME */
3762
3763#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker3e088662019-05-29 11:10:18 +01003764#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003765#else
Hanno Becker3e088662019-05-29 11:10:18 +01003766#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003767#endif /* MBEDTLS_X509_CRT_PARSE_C */
3768
David Horstmann5c5a32f2024-02-13 17:53:35 +00003769#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
David Horstmannf686f1d2024-03-01 11:20:32 +00003770#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
David Horstmann5c5a32f2024-02-13 17:53:35 +00003771#else
David Horstmannf686f1d2024-03-01 11:20:32 +00003772#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
David Horstmann5c5a32f2024-02-13 17:53:35 +00003773#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3774
Hanno Becker94ef3b32019-05-16 12:50:45 +01003775#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker3e088662019-05-29 11:10:18 +01003776#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003777#else
Hanno Becker3e088662019-05-29 11:10:18 +01003778#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003779#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
3780
3781#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker3e088662019-05-29 11:10:18 +01003782#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003783#else
Hanno Becker3e088662019-05-29 11:10:18 +01003784#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003785#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3786
Hanno Becker94ef3b32019-05-16 12:50:45 +01003787#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker3e088662019-05-29 11:10:18 +01003788#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01003789#else
Hanno Becker3e088662019-05-29 11:10:18 +01003790#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01003791#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
3792
Hanno Becker94ef3b32019-05-16 12:50:45 +01003793#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3794#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
3795#else
3796#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
3797#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3798
David Horstmann92b258b2024-02-13 17:23:34 +00003799#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3800#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
3801#else
3802#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
3803#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3804
3805#if defined(MBEDTLS_SSL_EARLY_DATA)
3806#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
3807#else
3808#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
3809#endif /* MBEDTLS_SSL_EARLY_DATA */
3810
3811#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3812#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
3813#else
3814#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
3815#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3816
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003817#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
3818 defined(MBEDTLS_SSL_EARLY_DATA)
Waleed Elmelegy11025632024-03-07 15:25:52 +00003819#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
3820#else
3821#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
3822#endif /* MBEDTLS_SSL_ALPN */
3823
Hanno Becker3e088662019-05-29 11:10:18 +01003824#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
3825#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
3826#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
3827#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
Hanno Becker37bdbe62021-08-01 05:38:58 +01003828#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
3829#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
David Horstmannf686f1d2024-03-01 11:20:32 +00003830#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
David Horstmann92b258b2024-02-13 17:23:34 +00003831#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
3832#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
3833#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
Waleed Elmelegy11025632024-03-07 15:25:52 +00003834#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
Hanno Becker3e088662019-05-29 11:10:18 +01003835
Hanno Becker50b59662019-05-28 14:30:45 +01003836#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
Gilles Peskine449bd832023-01-11 14:50:10 +01003837 ((uint16_t) ( \
3838 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
3839 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
3840 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
3841 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
3842 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
3843 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
David Horstmann5c5a32f2024-02-13 17:53:35 +00003844 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
David Horstmann71fa1a92024-03-01 12:32:18 +00003845 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
3846 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
David Horstmann92b258b2024-02-13 17:23:34 +00003847 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
3848 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
3849 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
3850 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
Waleed Elmelegy11025632024-03-07 15:25:52 +00003851 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
Waleed Elmelegy75e33fa2024-03-07 16:57:58 +00003852 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
Waleed Elmelegy11025632024-03-07 15:25:52 +00003853 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
Hanno Becker94ef3b32019-05-16 12:50:45 +01003854
Chien Wong4e9683e2023-12-28 17:07:43 +08003855static const unsigned char ssl_serialized_session_header[] = {
Hanno Becker94ef3b32019-05-16 12:50:45 +01003856 MBEDTLS_VERSION_MAJOR,
3857 MBEDTLS_VERSION_MINOR,
3858 MBEDTLS_VERSION_PATCH,
Gilles Peskine449bd832023-01-11 14:50:10 +01003859 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
3860 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
Hanno Beckerf8787072019-05-16 12:41:07 +01003861};
Hanno Beckera835da52019-05-16 12:39:07 +01003862
3863/*
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003864 * Serialize a session in the following format:
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02003865 * (in the presentation language of TLS, RFC 8446 section 3)
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003866 *
David Horstmanncb01b362024-02-29 17:31:46 +00003867 * TLS 1.2 session:
3868 *
3869 * struct {
3870 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3871 * opaque ticket<0..2^24-1>; // length 0 means no ticket
3872 * uint32 ticket_lifetime;
3873 * #endif
3874 * } ClientOnlyData;
3875 *
3876 * struct {
3877 * #if defined(MBEDTLS_HAVE_TIME)
3878 * uint64 start_time;
3879 * #endif
3880 * uint8 session_id_len; // at most 32
3881 * opaque session_id[32];
3882 * opaque master[48]; // fixed length in the standard
3883 * uint32 verify_result;
3884 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
3885 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
3886 * #else
David Horstmann76ba26a2024-03-01 12:03:35 +00003887 * uint8 peer_cert_digest_type;
David Horstmanncb01b362024-02-29 17:31:46 +00003888 * opaque peer_cert_digest<0..2^8-1>
3889 * #endif
3890 * select (endpoint) {
3891 * case client: ClientOnlyData;
3892 * case server: uint64 ticket_creation_time;
3893 * };
3894 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3895 * uint8 mfl_code; // up to 255 according to standard
3896 * #endif
3897 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3898 * uint8 encrypt_then_mac; // 0 or 1
3899 * #endif
3900 * } serialized_session_tls12;
3901 *
3902 *
3903 * TLS 1.3 Session:
3904 *
3905 * struct {
3906 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3907 * opaque hostname<0..2^16-1>;
3908 * #endif
3909 * #if defined(MBEDTLS_HAVE_TIME)
3910 * uint64 ticket_reception_time;
3911 * #endif
3912 * uint32 ticket_lifetime;
3913 * opaque ticket<1..2^16-1>;
3914 * } ClientOnlyData;
3915 *
3916 * struct {
3917 * uint32 ticket_age_add;
3918 * uint8 ticket_flags;
3919 * opaque resumption_key<0..255>;
3920 * #if defined(MBEDTLS_SSL_EARLY_DATA)
3921 * uint32 max_early_data_size;
3922 * #endif
3923 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3924 * uint16 record_size_limit;
3925 * #endif
3926 * select ( endpoint ) {
3927 * case client: ClientOnlyData;
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003928 * case server:
David Horstmanncb01b362024-02-29 17:31:46 +00003929 * #if defined(MBEDTLS_HAVE_TIME)
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00003930 * uint64 ticket_creation_time;
David Horstmanncb01b362024-02-29 17:31:46 +00003931 * #endif
Waleed Elmelegyfe9ae082024-03-07 15:47:31 +00003932 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegydaa4da72024-03-13 16:25:34 +00003933 * opaque ticket_alpn<0..256>;
David Horstmanncb01b362024-02-29 17:31:46 +00003934 * #endif
3935 * };
3936 * } serialized_session_tls13;
3937 *
3938 *
3939 * SSL session:
3940 *
3941 * struct {
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01003942 *
Hanno Beckerdce50972021-08-01 05:39:23 +01003943 * opaque mbedtls_version[3]; // library version: major, minor, patch
3944 * opaque session_format[2]; // library-version specific 16-bit field
3945 * // determining the format of the remaining
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003946 * // serialized data.
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01003947 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003948 * Note: When updating the format, remember to keep
3949 * these version+format bytes.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003950 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003951 * // In this version, `session_format` determines
3952 * // the setting of those compile-time
3953 * // configuration options which influence
3954 * // the structure of mbedtls_ssl_session.
3955 *
Glenn Straussda7851c2022-03-14 13:29:48 -04003956 * uint8_t minor_ver; // Protocol minor version. Possible values:
Jerry Yu0c2a7382022-12-06 13:27:25 +08003957 * // - TLS 1.2 (0x0303)
3958 * // - TLS 1.3 (0x0304)
David Horstmann531aca22024-02-29 18:14:28 +00003959 * uint8_t endpoint;
3960 * uint16_t ciphersuite;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003961 *
Glenn Straussda7851c2022-03-14 13:29:48 -04003962 * select (serialized_session.tls_version) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003963 *
Glenn Straussda7851c2022-03-14 13:29:48 -04003964 * case MBEDTLS_SSL_VERSION_TLS1_2:
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003965 * serialized_session_tls12 data;
Jerry Yu0c2a7382022-12-06 13:27:25 +08003966 * case MBEDTLS_SSL_VERSION_TLS1_3:
Jerry Yuddda0502022-12-01 19:43:12 +08003967 * serialized_session_tls13 data;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003968 *
3969 * };
3970 *
3971 * } serialized_session;
3972 *
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02003973 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003974
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02003975MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01003976static int ssl_session_save(const mbedtls_ssl_session *session,
3977 unsigned char omit_header,
3978 unsigned char *buf,
3979 size_t buf_len,
3980 size_t *olen)
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003981{
3982 unsigned char *p = buf;
3983 size_t used = 0;
Jerry Yu251a12e2022-07-13 15:15:48 +08003984 size_t remaining_len;
Jerry Yue36fdd62022-08-17 21:31:36 +08003985#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3986 size_t out_len;
3987 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3988#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01003989 if (session == NULL) {
3990 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3991 }
Jerry Yu438ddd82022-07-07 06:55:50 +00003992
Gilles Peskine449bd832023-01-11 14:50:10 +01003993 if (!omit_header) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003994 /*
3995 * Add Mbed TLS version identifier
3996 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003997 used += sizeof(ssl_serialized_session_header);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01003998
Gilles Peskine449bd832023-01-11 14:50:10 +01003999 if (used <= buf_len) {
4000 memcpy(p, ssl_serialized_session_header,
4001 sizeof(ssl_serialized_session_header));
4002 p += sizeof(ssl_serialized_session_header);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004003 }
4004 }
4005
4006 /*
Ronald Cron40a4ab02024-01-15 10:21:30 +01004007 * TLS version identifier, endpoint, ciphersuite
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004008 */
Ronald Cron40a4ab02024-01-15 10:21:30 +01004009 used += 1 /* TLS version */
4010 + 1 /* endpoint */
4011 + 2; /* ciphersuite */
Gilles Peskine449bd832023-01-11 14:50:10 +01004012 if (used <= buf_len) {
4013 *p++ = MBEDTLS_BYTE_0(session->tls_version);
Ronald Cron40a4ab02024-01-15 10:21:30 +01004014 *p++ = session->endpoint;
4015 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4016 p += 2;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004017 }
4018
4019 /* Forward to version-specific serialization routine. */
Jerry Yufca4d572022-07-21 10:37:48 +08004020 remaining_len = (buf_len >= used) ? buf_len - used : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004021 switch (session->tls_version) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004022#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004023 case MBEDTLS_SSL_VERSION_TLS1_2:
4024 used += ssl_tls12_session_save(session, p, remaining_len);
4025 break;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004026#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4027
Jerry Yu251a12e2022-07-13 15:15:48 +08004028#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004029 case MBEDTLS_SSL_VERSION_TLS1_3:
4030 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4031 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4032 return ret;
4033 }
4034 used += out_len;
4035 break;
Jerry Yu251a12e2022-07-13 15:15:48 +08004036#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4037
Gilles Peskine449bd832023-01-11 14:50:10 +01004038 default:
4039 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004040 }
4041
4042 *olen = used;
Gilles Peskine449bd832023-01-11 14:50:10 +01004043 if (used > buf_len) {
4044 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4045 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004046
Gilles Peskine449bd832023-01-11 14:50:10 +01004047 return 0;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004048}
4049
4050/*
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004051 * Public wrapper for ssl_session_save()
4052 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004053int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
4054 unsigned char *buf,
4055 size_t buf_len,
4056 size_t *olen)
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004057{
Gilles Peskine449bd832023-01-11 14:50:10 +01004058 return ssl_session_save(session, 0, buf, buf_len, olen);
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004059}
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004060
Jerry Yuf1b23ca2022-02-18 11:48:47 +08004061/*
4062 * Deserialize session, see mbedtls_ssl_session_save() for format.
4063 *
4064 * This internal version is wrapped by a public function that cleans up in
4065 * case of error, and has an extra option omit_header.
4066 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004067MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004068static int ssl_session_load(mbedtls_ssl_session *session,
4069 unsigned char omit_header,
4070 const unsigned char *buf,
4071 size_t len)
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004072{
4073 const unsigned char *p = buf;
4074 const unsigned char * const end = buf + len;
Jerry Yu438ddd82022-07-07 06:55:50 +00004075 size_t remaining_len;
4076
4077
Gilles Peskine449bd832023-01-11 14:50:10 +01004078 if (session == NULL) {
4079 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4080 }
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004081
Gilles Peskine449bd832023-01-11 14:50:10 +01004082 if (!omit_header) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004083 /*
4084 * Check Mbed TLS version identifier
4085 */
4086
Gilles Peskine449bd832023-01-11 14:50:10 +01004087 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4088 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004089 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004090
4091 if (memcmp(p, ssl_serialized_session_header,
4092 sizeof(ssl_serialized_session_header)) != 0) {
4093 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4094 }
4095 p += sizeof(ssl_serialized_session_header);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004096 }
4097
4098 /*
Ronald Cron40a4ab02024-01-15 10:21:30 +01004099 * TLS version identifier, endpoint, ciphersuite
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004100 */
Ronald Cron40a4ab02024-01-15 10:21:30 +01004101 if (4 > (size_t) (end - p)) {
Gilles Peskine449bd832023-01-11 14:50:10 +01004102 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4103 }
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01004104 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
Ronald Cron40a4ab02024-01-15 10:21:30 +01004105 session->endpoint = *p++;
4106 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4107 p += 2;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004108
4109 /* Dispatch according to TLS version. */
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +00004110 remaining_len = (size_t) (end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +01004111 switch (session->tls_version) {
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004112#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004113 case MBEDTLS_SSL_VERSION_TLS1_2:
4114 return ssl_tls12_session_load(session, p, remaining_len);
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004115#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4116
Jerry Yu438ddd82022-07-07 06:55:50 +00004117#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004118 case MBEDTLS_SSL_VERSION_TLS1_3:
4119 return ssl_tls13_session_load(session, p, remaining_len);
Jerry Yu438ddd82022-07-07 06:55:50 +00004120#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4121
Gilles Peskine449bd832023-01-11 14:50:10 +01004122 default:
4123 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004124 }
4125}
4126
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004127/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02004128 * Deserialize session: public wrapper for error cleaning
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004129 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004130int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4131 const unsigned char *buf,
4132 size_t len)
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004133{
Gilles Peskine449bd832023-01-11 14:50:10 +01004134 int ret = ssl_session_load(session, 0, buf, len);
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004135
Gilles Peskine449bd832023-01-11 14:50:10 +01004136 if (ret != 0) {
4137 mbedtls_ssl_session_free(session);
4138 }
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004139
Gilles Peskine449bd832023-01-11 14:50:10 +01004140 return ret;
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004141}
4142
4143/*
Paul Bakker1961b702013-01-25 14:49:24 +01004144 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00004145 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004146MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004147static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
Hanno Becker41934dd2021-08-07 19:13:43 +01004148{
4149 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4150
Ronald Cron66dbf912022-02-02 15:33:46 +01004151 /*
4152 * We may have not been able to send to the peer all the handshake data
Ronald Cron3f20b772022-03-08 16:00:02 +01004153 * that were written into the output buffer by the previous handshake step,
4154 * if the write to the network callback returned with the
Ronald Cron66dbf912022-02-02 15:33:46 +01004155 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4156 * We proceed to the next handshake step only when all data from the
4157 * previous one have been sent to the peer, thus we make sure that this is
4158 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4159 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4160 * we have to wait before to go ahead.
4161 * In the case of TLS 1.3, handshake step handlers do not send data to the
4162 * peer. Data are only sent here and through
4163 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
Andrzej Kurek5c65c572022-04-13 14:28:52 -04004164 * alert occurred.
Ronald Cron66dbf912022-02-02 15:33:46 +01004165 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004166 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4167 return ret;
4168 }
Hanno Becker41934dd2021-08-07 19:13:43 +01004169
4170#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004171 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4172 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4173 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4174 return ret;
4175 }
Hanno Becker41934dd2021-08-07 19:13:43 +01004176 }
4177#endif /* MBEDTLS_SSL_PROTO_DTLS */
4178
Gilles Peskine449bd832023-01-11 14:50:10 +01004179 return ret;
Hanno Becker41934dd2021-08-07 19:13:43 +01004180}
4181
Gilles Peskine449bd832023-01-11 14:50:10 +01004182int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +00004183{
Hanno Becker41934dd2021-08-07 19:13:43 +01004184 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +00004185
Gilles Peskine449bd832023-01-11 14:50:10 +01004186 if (ssl == NULL ||
Hanno Becker41934dd2021-08-07 19:13:43 +01004187 ssl->conf == NULL ||
4188 ssl->handshake == NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +01004189 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4190 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Becker41934dd2021-08-07 19:13:43 +01004191 }
4192
Gilles Peskine449bd832023-01-11 14:50:10 +01004193 ret = ssl_prepare_handshake_step(ssl);
4194 if (ret != 0) {
4195 return ret;
4196 }
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02004197
Gilles Peskine449bd832023-01-11 14:50:10 +01004198 ret = mbedtls_ssl_handle_pending_alert(ssl);
4199 if (ret != 0) {
Jerry Yue7047812021-09-13 19:26:39 +08004200 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01004201 }
Jerry Yue7047812021-09-13 19:26:39 +08004202
Tom Cosgrove2fdc7b32022-09-21 12:33:17 +01004203 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4204 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4205 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004207#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004208 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4209 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01004210 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
Jerry Yub9930e72021-08-06 17:11:51 +08004211
Gilles Peskine449bd832023-01-11 14:50:10 +01004212 switch (ssl->state) {
Ronald Cron9f0fba32022-02-10 16:45:15 +01004213 case MBEDTLS_SSL_HELLO_REQUEST:
4214 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Tom Cosgrove87d9c6c2022-09-22 09:27:56 +01004215 ret = 0;
Ronald Cron9f0fba32022-02-10 16:45:15 +01004216 break;
Jerry Yub9930e72021-08-06 17:11:51 +08004217
Ronald Cron9f0fba32022-02-10 16:45:15 +01004218 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +01004219 ret = mbedtls_ssl_write_client_hello(ssl);
Ronald Cron9f0fba32022-02-10 16:45:15 +01004220 break;
4221
4222 default:
4223#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004224 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4225 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4226 } else {
4227 ret = mbedtls_ssl_handshake_client_step(ssl);
4228 }
Ronald Cron9f0fba32022-02-10 16:45:15 +01004229#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004230 ret = mbedtls_ssl_handshake_client_step(ssl);
Ronald Cron9f0fba32022-02-10 16:45:15 +01004231#else
Gilles Peskine449bd832023-01-11 14:50:10 +01004232 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
Ronald Cron9f0fba32022-02-10 16:45:15 +01004233#endif
4234 }
Jerry Yub9930e72021-08-06 17:11:51 +08004235 }
Ronald Cron6291b232023-03-08 15:51:25 +01004236#endif /* MBEDTLS_SSL_CLI_C */
4237
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004238#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004239 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Ronald Cron6291b232023-03-08 15:51:25 +01004240#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4241 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Gilles Peskine449bd832023-01-11 14:50:10 +01004242 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
Ronald Cron6291b232023-03-08 15:51:25 +01004243 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +01004244 ret = mbedtls_ssl_handshake_server_step(ssl);
4245 }
Ronald Cron6291b232023-03-08 15:51:25 +01004246#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4247 ret = mbedtls_ssl_handshake_server_step(ssl);
4248#else
4249 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +00004250#endif
Ronald Cron6291b232023-03-08 15:51:25 +01004251 }
4252#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00004253
Gilles Peskine449bd832023-01-11 14:50:10 +01004254 if (ret != 0) {
Jerry Yubbd5a3f2021-09-18 20:50:22 +08004255 /* handshake_step return error. And it is same
4256 * with alert_reason.
4257 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004258 if (ssl->send_alert) {
4259 ret = mbedtls_ssl_handle_pending_alert(ssl);
Jerry Yue7047812021-09-13 19:26:39 +08004260 goto cleanup;
4261 }
4262 }
4263
4264cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +01004265 return ret;
Paul Bakker1961b702013-01-25 14:49:24 +01004266}
4267
4268/*
4269 * Perform the SSL handshake
4270 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004271int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
Paul Bakker1961b702013-01-25 14:49:24 +01004272{
4273 int ret = 0;
4274
Hanno Beckera817ea42020-10-20 15:20:23 +01004275 /* Sanity checks */
4276
Gilles Peskine449bd832023-01-11 14:50:10 +01004277 if (ssl == NULL || ssl->conf == NULL) {
4278 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4279 }
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02004280
Hanno Beckera817ea42020-10-20 15:20:23 +01004281#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004282 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4283 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4284 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4285 "mbedtls_ssl_set_timer_cb() for DTLS"));
4286 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Hanno Beckera817ea42020-10-20 15:20:23 +01004287 }
4288#endif /* MBEDTLS_SSL_PROTO_DTLS */
4289
Gilles Peskine449bd832023-01-11 14:50:10 +01004290 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
Paul Bakker1961b702013-01-25 14:49:24 +01004291
Hanno Beckera817ea42020-10-20 15:20:23 +01004292 /* Main handshake loop */
Gilles Peskine449bd832023-01-11 14:50:10 +01004293 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4294 ret = mbedtls_ssl_handshake_step(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +01004295
Gilles Peskine449bd832023-01-11 14:50:10 +01004296 if (ret != 0) {
Paul Bakker1961b702013-01-25 14:49:24 +01004297 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01004298 }
Paul Bakker1961b702013-01-25 14:49:24 +01004299 }
4300
Gilles Peskine449bd832023-01-11 14:50:10 +01004301 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
Paul Bakker5121ce52009-01-03 21:22:43 +00004302
Gilles Peskine449bd832023-01-11 14:50:10 +01004303 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00004304}
4305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004306#if defined(MBEDTLS_SSL_RENEGOTIATION)
4307#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004308/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004309 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00004310 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004311MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004312static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004313{
Janos Follath865b3eb2019-12-16 11:46:15 +00004314 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004315
Gilles Peskine449bd832023-01-11 14:50:10 +01004316 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004317
4318 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004319 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4320 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004321
Gilles Peskine449bd832023-01-11 14:50:10 +01004322 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4323 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4324 return ret;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004325 }
4326
Gilles Peskine449bd832023-01-11 14:50:10 +01004327 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004328
Gilles Peskine449bd832023-01-11 14:50:10 +01004329 return 0;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004330}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004331#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004332
4333/*
4334 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004335 * - any side: calling mbedtls_ssl_renegotiate(),
4336 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4337 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02004338 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004339 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004340 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004341 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004342int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
Paul Bakker48916f92012-09-16 19:57:18 +00004343{
Janos Follath865b3eb2019-12-16 11:46:15 +00004344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker48916f92012-09-16 19:57:18 +00004345
Gilles Peskine449bd832023-01-11 14:50:10 +01004346 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
Paul Bakker48916f92012-09-16 19:57:18 +00004347
Gilles Peskine449bd832023-01-11 14:50:10 +01004348 if ((ret = ssl_handshake_init(ssl)) != 0) {
4349 return ret;
4350 }
Paul Bakker48916f92012-09-16 19:57:18 +00004351
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02004352 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4353 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004354#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004355 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4356 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4357 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004358 ssl->handshake->out_msg_seq = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01004359 } else {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02004360 ssl->handshake->in_msg_seq = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01004361 }
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02004362 }
4363#endif
4364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004365 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
4366 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +00004367
Gilles Peskine449bd832023-01-11 14:50:10 +01004368 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4369 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4370 return ret;
Paul Bakker48916f92012-09-16 19:57:18 +00004371 }
4372
Gilles Peskine449bd832023-01-11 14:50:10 +01004373 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
Paul Bakker48916f92012-09-16 19:57:18 +00004374
Gilles Peskine449bd832023-01-11 14:50:10 +01004375 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +00004376}
4377
4378/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004379 * Renegotiate current connection on client,
4380 * or request renegotiation on server
4381 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004382int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004383{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004384 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004385
Gilles Peskine449bd832023-01-11 14:50:10 +01004386 if (ssl == NULL || ssl->conf == NULL) {
4387 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4388 }
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02004389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004390#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004391 /* On server, just send the request */
Gilles Peskine449bd832023-01-11 14:50:10 +01004392 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4393 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4394 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4395 }
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004397 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02004398
4399 /* Did we already try/start sending HelloRequest? */
Gilles Peskine449bd832023-01-11 14:50:10 +01004400 if (ssl->out_left != 0) {
4401 return mbedtls_ssl_flush_output(ssl);
4402 }
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02004403
Gilles Peskine449bd832023-01-11 14:50:10 +01004404 return ssl_write_hello_request(ssl);
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004405 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004406#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004408#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004409 /*
4410 * On client, either start the renegotiation process or,
4411 * if already in progress, continue the handshake
4412 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004413 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4414 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4415 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004416 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004417
4418 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4419 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4420 return ret;
4421 }
4422 } else {
4423 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4424 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4425 return ret;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004426 }
4427 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004428#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004429
Gilles Peskine449bd832023-01-11 14:50:10 +01004430 return ret;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004431}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004432#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004433
Gilles Peskine449bd832023-01-11 14:50:10 +01004434void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
Paul Bakker48916f92012-09-16 19:57:18 +00004435{
Gilles Peskine9b562d52018-04-25 20:32:43 +02004436 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4437
Gilles Peskine449bd832023-01-11 14:50:10 +01004438 if (handshake == NULL) {
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004439 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01004440 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004441
Elena Uziunaite8dde3b32024-07-05 12:10:21 +01004442#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
Brett Warrene0edc842021-08-17 09:53:13 +01004443#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004444 if (ssl->handshake->group_list_heap_allocated) {
4445 mbedtls_free((void *) handshake->group_list);
4446 }
Brett Warrene0edc842021-08-17 09:53:13 +01004447 handshake->group_list = NULL;
4448#endif /* MBEDTLS_DEPRECATED_REMOVED */
Elena Uziunaite8dde3b32024-07-05 12:10:21 +01004449#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
Brett Warrene0edc842021-08-17 09:53:13 +01004450
Ronald Crone68ab4f2022-10-05 12:46:29 +02004451#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yuf017ee42022-01-12 15:49:48 +08004452#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004453 if (ssl->handshake->sig_algs_heap_allocated) {
4454 mbedtls_free((void *) handshake->sig_algs);
4455 }
Jerry Yuf017ee42022-01-12 15:49:48 +08004456 handshake->sig_algs = NULL;
4457#endif /* MBEDTLS_DEPRECATED_REMOVED */
Xiaofei Baic234ecf2022-02-08 09:59:23 +00004458#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004459 if (ssl->handshake->certificate_request_context) {
4460 mbedtls_free((void *) handshake->certificate_request_context);
Xiaofei Baic234ecf2022-02-08 09:59:23 +00004461 }
4462#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Ronald Crone68ab4f2022-10-05 12:46:29 +02004463#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yuf017ee42022-01-12 15:49:48 +08004464
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004465#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Ben Taylor6ff2da12025-03-17 09:26:20 +00004466 if (ssl->conf != NULL) {
Ben Taylor1cd1e012025-03-18 11:50:39 +00004467 if (ssl->conf->f_async_cancel != NULL) {
4468 if (handshake->async_in_progress != 0) {
4469 ssl->conf->f_async_cancel(ssl);
4470 handshake->async_in_progress = 0;
4471 }
4472 }
4473 }
Ben Taylor6ff2da12025-03-17 09:26:20 +00004474
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004475#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4476
Elena Uziunaite0916cd72024-05-23 17:01:07 +01004477#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +01004478 psa_hash_abort(&handshake->fin_sha256_psa);
Andrzej Kurekeb342242019-01-29 09:14:33 -05004479#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01004480#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01004481 psa_hash_abort(&handshake->fin_sha384_psa);
Andrzej Kurekeb342242019-01-29 09:14:33 -05004482#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02004483
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02004484#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004485 psa_pake_abort(&handshake->psa_pake_ctx);
Valerio Settieb3f7882022-12-08 18:42:58 +01004486 /*
4487 * Opaque keys are not stored in the handshake's data and it's the user
4488 * responsibility to destroy them. Clear ones, instead, are created by
4489 * the TLS library and should be destroyed at the same level
4490 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004491 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4492 psa_destroy_key(handshake->psa_pake_password);
Valerio Settieb3f7882022-12-08 18:42:58 +01004493 }
Neil Armstrongca7d5062022-05-31 14:43:23 +02004494 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02004495#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004496 mbedtls_free(handshake->ecjpake_cache);
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02004497 handshake->ecjpake_cache = NULL;
4498 handshake->ecjpake_cache_len = 0;
4499#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02004500#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02004501
Valerio Setti7aeec542023-07-05 18:57:21 +02004502#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +02004503 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
Janos Follath4ae5c292016-02-10 11:27:43 +00004504 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +02004505 /* explicit void pointer cast for buggy MS compiler */
Gilles Peskine449bd832023-01-11 14:50:10 +01004506 mbedtls_free((void *) handshake->curves_tls_id);
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02004507#endif
4508
Ronald Cron73fe8df2022-10-05 14:31:43 +02004509#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004510 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
Neil Armstrong501c9322022-05-03 09:35:09 +02004511 /* The maintenance of the external PSK key slot is the
4512 * user's responsibility. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004513 if (ssl->handshake->psk_opaque_is_internal) {
4514 psa_destroy_key(ssl->handshake->psk_opaque);
Neil Armstrong501c9322022-05-03 09:35:09 +02004515 ssl->handshake->psk_opaque_is_internal = 0;
4516 }
4517 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4518 }
Ronald Cron73fe8df2022-10-05 14:31:43 +02004519#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01004520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004521#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4522 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02004523 /*
4524 * Free only the linked list wrapper, not the keys themselves
4525 * since the belong to the SNI callback
4526 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004527 ssl_key_cert_free(handshake->sni_key_cert);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004528#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02004529
Gilles Peskineeccd8882020-03-10 12:19:08 +01004530#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01004531 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4532 if (handshake->ecrs_peer_cert != NULL) {
4533 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4534 mbedtls_free(handshake->ecrs_peer_cert);
Hanno Becker3dad3112019-02-05 17:19:52 +00004535 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02004536#endif
4537
Hanno Becker75173122019-02-06 16:18:31 +00004538#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4539 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +01004540 mbedtls_pk_free(&handshake->peer_pubkey);
Hanno Becker75173122019-02-06 16:18:31 +00004541#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4542
XiaokangQian9b93c0d2022-02-09 06:02:25 +00004543#if defined(MBEDTLS_SSL_CLI_C) && \
Gilles Peskine449bd832023-01-11 14:50:10 +01004544 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4545 mbedtls_free(handshake->cookie);
XiaokangQian9b93c0d2022-02-09 06:02:25 +00004546#endif /* MBEDTLS_SSL_CLI_C &&
4547 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
XiaokangQian8499b6c2022-01-27 09:00:11 +00004548
4549#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01004550 mbedtls_ssl_flight_free(handshake->flight);
4551 mbedtls_ssl_buffering_free(ssl);
XiaokangQian8499b6c2022-01-27 09:00:11 +00004552#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02004553
Valerio Settiea59c432023-07-25 11:14:03 +02004554#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +02004555 if (handshake->xxdh_psa_privkey_is_external == 0) {
4556 psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +01004557 }
Valerio Settiea59c432023-07-25 11:14:03 +02004558#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
Hanno Becker4a63ed42019-01-08 11:39:35 +00004559
Ronald Cron6f135e12021-12-08 16:57:54 +01004560#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01004561 mbedtls_ssl_transform_free(handshake->transform_handshake);
4562 mbedtls_free(handshake->transform_handshake);
Jerry Yu3d9b5902022-11-04 14:07:25 +08004563#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +01004564 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4565 mbedtls_free(handshake->transform_earlydata);
Jerry Yu3d9b5902022-11-04 14:07:25 +08004566#endif
Ronald Cron6f135e12021-12-08 16:57:54 +01004567#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yuba9c7272021-10-30 11:54:10 +08004568
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05004569
4570#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4571 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4572 * processes datagrams and the fact that a datagram is allowed to have
4573 * several records in it, it is possible that the I/O buffers are not
4574 * empty at this stage */
Gilles Peskine449bd832023-01-11 14:50:10 +01004575 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4576 mbedtls_ssl_get_output_buflen(ssl));
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05004577#endif
Hanno Becker3aa186f2021-08-10 09:24:19 +01004578
Jerry Yuba9c7272021-10-30 11:54:10 +08004579 /* mbedtls_platform_zeroize MUST be last one in this function */
Gilles Peskine449bd832023-01-11 14:50:10 +01004580 mbedtls_platform_zeroize(handshake,
4581 sizeof(mbedtls_ssl_handshake_params));
Paul Bakker48916f92012-09-16 19:57:18 +00004582}
4583
Gilles Peskine449bd832023-01-11 14:50:10 +01004584void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
Paul Bakker48916f92012-09-16 19:57:18 +00004585{
Gilles Peskine449bd832023-01-11 14:50:10 +01004586 if (session == NULL) {
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004587 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01004588 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004590#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01004591 ssl_clear_peer_cert(session);
Paul Bakkered27a042013-04-18 22:46:23 +02004592#endif
Paul Bakker0a597072012-09-25 21:55:46 +00004593
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004594#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Xiaokang Qianbc663a02022-10-09 11:14:39 +00004595#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4596 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01004597 mbedtls_free(session->hostname);
Xiaokang Qian281fd1b2022-09-20 11:35:41 +00004598#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01004599 mbedtls_free(session->ticket);
Paul Bakkera503a632013-08-14 13:48:06 +02004600#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02004601
Waleed Elmelegy2824a202024-02-23 17:51:47 +00004602#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
4603 defined(MBEDTLS_SSL_SRV_C)
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00004604 mbedtls_free(session->ticket_alpn);
Paul Bakker5121ce52009-01-03 21:22:43 +00004605#endif
4606
Gilles Peskine449bd832023-01-11 14:50:10 +01004607 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
Paul Bakker5121ce52009-01-03 21:22:43 +00004608}
4609
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02004610#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004611
4612#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4613#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4614#else
4615#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4616#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4617
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004618#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004619
4620#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4621#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4622#else
4623#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4624#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4625
4626#if defined(MBEDTLS_SSL_ALPN)
4627#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4628#else
4629#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4630#endif /* MBEDTLS_SSL_ALPN */
4631
4632#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4633#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4634#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4635#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4636
4637#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
Gilles Peskine449bd832023-01-11 14:50:10 +01004638 ((uint32_t) ( \
4639 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4640 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4641 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4642 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4643 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4644 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4645 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4646 0u))
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004647
Chien Wong4e9683e2023-12-28 17:07:43 +08004648static const unsigned char ssl_serialized_context_header[] = {
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004649 MBEDTLS_VERSION_MAJOR,
4650 MBEDTLS_VERSION_MINOR,
4651 MBEDTLS_VERSION_PATCH,
Gilles Peskine449bd832023-01-11 14:50:10 +01004652 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4653 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4654 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4655 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4656 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004657};
4658
Paul Bakker5121ce52009-01-03 21:22:43 +00004659/*
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004660 * Serialize a full SSL context
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02004661 *
4662 * The format of the serialized data is:
4663 * (in the presentation language of TLS, RFC 8446 section 3)
4664 *
4665 * // header
4666 * opaque mbedtls_version[3]; // major, minor, patch
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004667 * opaque context_format[5]; // version-specific field determining
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02004668 * // the format of the remaining
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004669 * // serialized data.
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02004670 * Note: When updating the format, remember to keep these
4671 * version+format bytes. (We may make their size part of the API.)
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02004672 *
4673 * // session sub-structure
4674 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
4675 * // transform sub-structure
4676 * uint8 random[64]; // ServerHello.random+ClientHello.random
4677 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
4678 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
4679 * // fields from ssl_context
4680 * uint32 badmac_seen; // DTLS: number of records with failing MAC
4681 * uint64 in_window_top; // DTLS: last validated record seq_num
4682 * uint64 in_window; // DTLS: bitmask for replay protection
4683 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
4684 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
4685 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
4686 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
4687 *
4688 * Note that many fields of the ssl_context or sub-structures are not
4689 * serialized, as they fall in one of the following categories:
4690 *
4691 * 1. forced value (eg in_left must be 0)
4692 * 2. pointer to dynamically-allocated memory (eg session, transform)
4693 * 3. value can be re-derived from other data (eg session keys from MS)
4694 * 4. value was temporary (eg content of input buffer)
4695 * 5. value will be provided by the user again (eg I/O callbacks and context)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004696 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004697int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
4698 unsigned char *buf,
4699 size_t buf_len,
4700 size_t *olen)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004701{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004702 unsigned char *p = buf;
4703 size_t used = 0;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004704 size_t session_len;
4705 int ret = 0;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004706
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02004707 /*
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004708 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
4709 * this function's documentation.
4710 *
4711 * These are due to assumptions/limitations in the implementation. Some of
4712 * them are likely to stay (no handshake in progress) some might go away
4713 * (only DTLS) but are currently used to simplify the implementation.
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02004714 */
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004715 /* The initial handshake must be over */
Gilles Peskine449bd832023-01-11 14:50:10 +01004716 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4717 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
4718 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004719 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004720 if (ssl->handshake != NULL) {
4721 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
4722 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004723 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004724 /* Double-check that sub-structures are indeed ready */
Gilles Peskine449bd832023-01-11 14:50:10 +01004725 if (ssl->transform == NULL || ssl->session == NULL) {
4726 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
4727 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004728 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004729 /* There must be no pending incoming or outgoing data */
Gilles Peskine449bd832023-01-11 14:50:10 +01004730 if (mbedtls_ssl_check_pending(ssl) != 0) {
4731 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
4732 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004733 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004734 if (ssl->out_left != 0) {
4735 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
4736 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004737 }
Dave Rodgman556e8a32022-12-06 16:31:25 +00004738 /* Protocol must be DTLS, not TLS */
Gilles Peskine449bd832023-01-11 14:50:10 +01004739 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
4740 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
4741 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004742 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004743 /* Version must be 1.2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004744 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
4745 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
4746 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004747 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004748 /* We must be using an AEAD ciphersuite */
Gilles Peskine449bd832023-01-11 14:50:10 +01004749 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
4750 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
4751 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004752 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004753 /* Renegotiation must not be enabled */
4754#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01004755 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
4756 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
4757 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03004758 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02004759#endif
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004760
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004761 /*
4762 * Version and format identifier
4763 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004764 used += sizeof(ssl_serialized_context_header);
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004765
Gilles Peskine449bd832023-01-11 14:50:10 +01004766 if (used <= buf_len) {
4767 memcpy(p, ssl_serialized_context_header,
4768 sizeof(ssl_serialized_context_header));
4769 p += sizeof(ssl_serialized_context_header);
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004770 }
4771
4772 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004773 * Session (length + data)
4774 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004775 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
4776 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4777 return ret;
4778 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004779
4780 used += 4 + session_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004781 if (used <= buf_len) {
4782 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004783 p += 4;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004784
Gilles Peskine449bd832023-01-11 14:50:10 +01004785 ret = ssl_session_save(ssl->session, 1,
4786 p, session_len, &session_len);
4787 if (ret != 0) {
4788 return ret;
4789 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004790
4791 p += session_len;
4792 }
4793
4794 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004795 * Transform
4796 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004797 used += sizeof(ssl->transform->randbytes);
4798 if (used <= buf_len) {
4799 memcpy(p, ssl->transform->randbytes,
4800 sizeof(ssl->transform->randbytes));
4801 p += sizeof(ssl->transform->randbytes);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004802 }
4803
4804#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Dave Rodgmanc37ad442023-11-03 23:36:06 +00004805 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004806 if (used <= buf_len) {
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004807 *p++ = ssl->transform->in_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004808 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004809 p += ssl->transform->in_cid_len;
4810
4811 *p++ = ssl->transform->out_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004812 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004813 p += ssl->transform->out_cid_len;
4814 }
4815#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4816
4817 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004818 * Saved fields from top-level ssl_context structure
4819 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004820 used += 4;
Gilles Peskine449bd832023-01-11 14:50:10 +01004821 if (used <= buf_len) {
4822 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004823 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004824 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004825
4826#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4827 used += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +01004828 if (used <= buf_len) {
4829 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004830 p += 8;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004831
Gilles Peskine449bd832023-01-11 14:50:10 +01004832 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004833 p += 8;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004834 }
4835#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4836
4837#if defined(MBEDTLS_SSL_PROTO_DTLS)
4838 used += 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01004839 if (used <= buf_len) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004840 *p++ = ssl->disable_datagram_packing;
4841 }
4842#endif /* MBEDTLS_SSL_PROTO_DTLS */
4843
Jerry Yuae0b2e22021-10-08 15:21:19 +08004844 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +01004845 if (used <= buf_len) {
4846 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
Jerry Yuae0b2e22021-10-08 15:21:19 +08004847 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004848 }
4849
4850#if defined(MBEDTLS_SSL_PROTO_DTLS)
4851 used += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01004852 if (used <= buf_len) {
4853 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +01004854 p += 2;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004855 }
4856#endif /* MBEDTLS_SSL_PROTO_DTLS */
4857
4858#if defined(MBEDTLS_SSL_ALPN)
4859 {
4860 const uint8_t alpn_len = ssl->alpn_chosen
Gilles Peskine449bd832023-01-11 14:50:10 +01004861 ? (uint8_t) strlen(ssl->alpn_chosen)
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004862 : 0;
4863
4864 used += 1 + alpn_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01004865 if (used <= buf_len) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004866 *p++ = alpn_len;
4867
Gilles Peskine449bd832023-01-11 14:50:10 +01004868 if (ssl->alpn_chosen != NULL) {
4869 memcpy(p, ssl->alpn_chosen, alpn_len);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02004870 p += alpn_len;
4871 }
4872 }
4873 }
4874#endif /* MBEDTLS_SSL_ALPN */
4875
4876 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004877 * Done
4878 */
4879 *olen = used;
4880
Gilles Peskine449bd832023-01-11 14:50:10 +01004881 if (used > buf_len) {
4882 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4883 }
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004884
Gilles Peskine449bd832023-01-11 14:50:10 +01004885 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004886
Gilles Peskine449bd832023-01-11 14:50:10 +01004887 return mbedtls_ssl_session_reset_int(ssl, 0);
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004888}
4889
4890/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02004891 * Deserialize context, see mbedtls_ssl_context_save() for format.
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004892 *
4893 * This internal version is wrapped by a public function that cleans up in
4894 * case of error.
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004895 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02004896MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01004897static int ssl_context_load(mbedtls_ssl_context *ssl,
4898 const unsigned char *buf,
4899 size_t len)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02004900{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004901 const unsigned char *p = buf;
4902 const unsigned char * const end = buf + len;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004903 size_t session_len;
Janos Follath865b3eb2019-12-16 11:46:15 +00004904 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004905#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek894edde2022-09-29 06:31:14 -04004906 tls_prf_fn prf_func = NULL;
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004907#endif
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004908
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004909 /*
4910 * The context should have been freshly setup or reset.
4911 * Give the user an error in case of obvious misuse.
Manuel Pégourié-Gonnard4ca930f2019-07-26 16:31:53 +02004912 * (Checking session is useful because it won't be NULL if we're
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004913 * renegotiating, or if the user mistakenly loaded a session first.)
4914 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004915 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
4916 ssl->session != NULL) {
4917 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004918 }
4919
4920 /*
4921 * We can't check that the config matches the initial one, but we can at
4922 * least check it matches the requirements for serializing.
4923 */
Dave Rodgmane99b24d2023-09-14 15:45:03 +01004924 if (
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004925#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02004926 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004927#endif
Dave Rodgmane99b24d2023-09-14 15:45:03 +01004928 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
4929 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
4930 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
4931 ) {
Gilles Peskine449bd832023-01-11 14:50:10 +01004932 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02004933 }
4934
Gilles Peskine449bd832023-01-11 14:50:10 +01004935 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004936
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004937 /*
4938 * Check version identifier
4939 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004940 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
4941 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004942 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004943
4944 if (memcmp(p, ssl_serialized_context_header,
4945 sizeof(ssl_serialized_context_header)) != 0) {
4946 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4947 }
4948 p += sizeof(ssl_serialized_context_header);
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02004949
4950 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004951 * Session
4952 */
Gilles Peskine449bd832023-01-11 14:50:10 +01004953 if ((size_t) (end - p) < 4) {
4954 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4955 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004956
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01004957 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004958 p += 4;
4959
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004960 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00004961 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004962 ssl->session = ssl->session_negotiate;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004963 ssl->session_in = ssl->session;
4964 ssl->session_out = ssl->session;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004965 ssl->session_negotiate = NULL;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004966
Gilles Peskine449bd832023-01-11 14:50:10 +01004967 if ((size_t) (end - p) < session_len) {
4968 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4969 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004970
Gilles Peskine449bd832023-01-11 14:50:10 +01004971 ret = ssl_session_load(ssl->session, 1, p, session_len);
4972 if (ret != 0) {
4973 mbedtls_ssl_session_free(ssl->session);
4974 return ret;
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004975 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02004976
4977 p += session_len;
4978
4979 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004980 * Transform
4981 */
4982
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004983 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00004984 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Jerry Yu2e199812022-12-01 18:57:19 +08004985#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004986 ssl->transform = ssl->transform_negotiate;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004987 ssl->transform_in = ssl->transform;
4988 ssl->transform_out = ssl->transform;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02004989 ssl->transform_negotiate = NULL;
Jerry Yu2e199812022-12-01 18:57:19 +08004990#endif
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004991
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04004992#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01004993 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
4994 if (prf_func == NULL) {
4995 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4996 }
Andrzej Kurek894edde2022-09-29 06:31:14 -04004997
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02004998 /* Read random bytes and populate structure */
Gilles Peskine449bd832023-01-11 14:50:10 +01004999 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5000 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5001 }
Andrzej Kurek2d59dbc2022-10-13 08:34:38 -04005002
Gilles Peskine449bd832023-01-11 14:50:10 +01005003 ret = ssl_tls12_populate_transform(ssl->transform,
5004 ssl->session->ciphersuite,
5005 ssl->session->master,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02005006#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01005007 ssl->session->encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02005008#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01005009 prf_func,
5010 p, /* currently pointing to randbytes */
5011 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5012 ssl->conf->endpoint,
5013 ssl);
5014 if (ret != 0) {
5015 return ret;
5016 }
Jerry Yu840fbb22022-02-17 14:59:29 +08005017#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005018 p += sizeof(ssl->transform->randbytes);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005019
5020#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5021 /* Read connection IDs and store them */
Gilles Peskine449bd832023-01-11 14:50:10 +01005022 if ((size_t) (end - p) < 1) {
5023 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5024 }
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005025
5026 ssl->transform->in_cid_len = *p++;
5027
Gilles Peskine449bd832023-01-11 14:50:10 +01005028 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5029 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5030 }
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005031
Gilles Peskine449bd832023-01-11 14:50:10 +01005032 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005033 p += ssl->transform->in_cid_len;
5034
5035 ssl->transform->out_cid_len = *p++;
5036
Gilles Peskine449bd832023-01-11 14:50:10 +01005037 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5038 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5039 }
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005040
Gilles Peskine449bd832023-01-11 14:50:10 +01005041 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005042 p += ssl->transform->out_cid_len;
5043#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5044
5045 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005046 * Saved fields from top-level ssl_context structure
5047 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005048 if ((size_t) (end - p) < 4) {
5049 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5050 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005051
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01005052 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005053 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005054
5055#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +01005056 if ((size_t) (end - p) < 16) {
5057 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5058 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005059
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01005060 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005061 p += 8;
5062
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +01005063 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005064 p += 8;
5065#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5066
5067#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01005068 if ((size_t) (end - p) < 1) {
5069 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5070 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005071
5072 ssl->disable_datagram_packing = *p++;
5073#endif /* MBEDTLS_SSL_PROTO_DTLS */
5074
Gilles Peskine449bd832023-01-11 14:50:10 +01005075 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5076 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5077 }
5078 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5079 p += sizeof(ssl->cur_out_ctr);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005080
5081#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01005082 if ((size_t) (end - p) < 2) {
5083 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5084 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005085
Dave Rodgmana3d0f612023-11-03 23:34:02 +00005086 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005087 p += 2;
5088#endif /* MBEDTLS_SSL_PROTO_DTLS */
5089
5090#if defined(MBEDTLS_SSL_ALPN)
5091 {
5092 uint8_t alpn_len;
5093 const char **cur;
5094
Gilles Peskine449bd832023-01-11 14:50:10 +01005095 if ((size_t) (end - p) < 1) {
5096 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5097 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005098
5099 alpn_len = *p++;
5100
Gilles Peskine449bd832023-01-11 14:50:10 +01005101 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005102 /* alpn_chosen should point to an item in the configured list */
Gilles Peskine449bd832023-01-11 14:50:10 +01005103 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5104 if (strlen(*cur) == alpn_len &&
Waleed Elmelegy131b2ff2024-03-14 01:39:39 +00005105 memcmp(p, *cur, alpn_len) == 0) {
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005106 ssl->alpn_chosen = *cur;
5107 break;
5108 }
5109 }
5110 }
5111
5112 /* can only happen on conf mismatch */
Gilles Peskine449bd832023-01-11 14:50:10 +01005113 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5114 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5115 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005116
5117 p += alpn_len;
5118 }
5119#endif /* MBEDTLS_SSL_ALPN */
5120
5121 /*
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005122 * Forced fields from top-level ssl_context structure
5123 *
5124 * Most of them already set to the correct value by mbedtls_ssl_init() and
5125 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5126 */
5127 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
Glenn Strauss60bfe602022-03-14 19:04:24 -04005128 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005129
Hanno Becker361b10d2019-08-30 10:42:49 +01005130 /* Adjust pointers for header fields of outgoing records to
5131 * the given transform, accounting for explicit IV and CID. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005132 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
Hanno Becker361b10d2019-08-30 10:42:49 +01005133
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005134#if defined(MBEDTLS_SSL_PROTO_DTLS)
5135 ssl->in_epoch = 1;
5136#endif
5137
5138 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5139 * which we don't want - otherwise we'd end up freeing the wrong transform
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00005140 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5141 * inappropriately. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005142 if (ssl->handshake != NULL) {
5143 mbedtls_ssl_handshake_free(ssl);
5144 mbedtls_free(ssl->handshake);
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02005145 ssl->handshake = NULL;
5146 }
5147
5148 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005149 * Done - should have consumed entire buffer
5150 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005151 if (p != end) {
5152 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5153 }
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005154
Gilles Peskine449bd832023-01-11 14:50:10 +01005155 return 0;
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005156}
5157
5158/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005159 * Deserialize context: public wrapper for error cleaning
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005160 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005161int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5162 const unsigned char *buf,
5163 size_t len)
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005164{
Gilles Peskine449bd832023-01-11 14:50:10 +01005165 int ret = ssl_context_load(context, buf, len);
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005166
Gilles Peskine449bd832023-01-11 14:50:10 +01005167 if (ret != 0) {
5168 mbedtls_ssl_free(context);
5169 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005170
Gilles Peskine449bd832023-01-11 14:50:10 +01005171 return ret;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005172}
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02005173#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005174
5175/*
Paul Bakker5121ce52009-01-03 21:22:43 +00005176 * Free an SSL context
5177 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005178void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +00005179{
Gilles Peskine449bd832023-01-11 14:50:10 +01005180 if (ssl == NULL) {
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005181 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01005182 }
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005183
Gilles Peskine449bd832023-01-11 14:50:10 +01005184 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
Paul Bakker5121ce52009-01-03 21:22:43 +00005185
Gilles Peskine449bd832023-01-11 14:50:10 +01005186 if (ssl->out_buf != NULL) {
sander-visserb8aa2072020-05-06 22:05:13 +02005187#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5188 size_t out_buf_len = ssl->out_buf_len;
5189#else
5190 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5191#endif
5192
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005193 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005194 ssl->out_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00005195 }
5196
Gilles Peskine449bd832023-01-11 14:50:10 +01005197 if (ssl->in_buf != NULL) {
sander-visserb8aa2072020-05-06 22:05:13 +02005198#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5199 size_t in_buf_len = ssl->in_buf_len;
5200#else
5201 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5202#endif
5203
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005204 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005205 ssl->in_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00005206 }
5207
Gilles Peskine449bd832023-01-11 14:50:10 +01005208 if (ssl->transform) {
5209 mbedtls_ssl_transform_free(ssl->transform);
5210 mbedtls_free(ssl->transform);
Paul Bakker48916f92012-09-16 19:57:18 +00005211 }
5212
Gilles Peskine449bd832023-01-11 14:50:10 +01005213 if (ssl->handshake) {
5214 mbedtls_ssl_handshake_free(ssl);
5215 mbedtls_free(ssl->handshake);
Jerry Yu2e199812022-12-01 18:57:19 +08005216
5217#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005218 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5219 mbedtls_free(ssl->transform_negotiate);
Jerry Yu2e199812022-12-01 18:57:19 +08005220#endif
5221
Gilles Peskine449bd832023-01-11 14:50:10 +01005222 mbedtls_ssl_session_free(ssl->session_negotiate);
5223 mbedtls_free(ssl->session_negotiate);
Paul Bakker48916f92012-09-16 19:57:18 +00005224 }
5225
Ronald Cron6f135e12021-12-08 16:57:54 +01005226#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01005227 mbedtls_ssl_transform_free(ssl->transform_application);
5228 mbedtls_free(ssl->transform_application);
Ronald Cron6f135e12021-12-08 16:57:54 +01005229#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker3aa186f2021-08-10 09:24:19 +01005230
Gilles Peskine449bd832023-01-11 14:50:10 +01005231 if (ssl->session) {
5232 mbedtls_ssl_session_free(ssl->session);
5233 mbedtls_free(ssl->session);
Paul Bakkerc0463502013-02-14 11:19:38 +01005234 }
5235
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +02005236#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005237 if (ssl->hostname != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005238 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
Paul Bakker5121ce52009-01-03 21:22:43 +00005239 }
Paul Bakker0be444a2013-08-27 21:55:01 +02005240#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00005241
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02005242#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005243 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02005244#endif
5245
Gilles Peskine449bd832023-01-11 14:50:10 +01005246 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
Paul Bakker2da561c2009-02-05 18:00:28 +00005247
Paul Bakker86f04f42013-02-14 11:20:09 +01005248 /* Actually clear after last debug message */
Gilles Peskine449bd832023-01-11 14:50:10 +01005249 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
Paul Bakker5121ce52009-01-03 21:22:43 +00005250}
5251
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005252/*
Shaun Case8b0ecbc2021-12-20 21:14:10 -08005253 * Initialize mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005254 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005255void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005256{
Gilles Peskine449bd832023-01-11 14:50:10 +01005257 memset(conf, 0, sizeof(mbedtls_ssl_config));
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005258}
5259
Gilles Peskineae270bf2021-06-02 00:05:29 +02005260/* The selection should be the same as mbedtls_x509_crt_profile_default in
5261 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
Gilles Peskineb1940a72021-06-02 15:18:12 +02005262 * curves with a lower resource usage come first.
Manuel Pégourié-Gonnard93d45912025-01-14 11:45:44 +01005263 * See the documentation of mbedtls_ssl_conf_groups() for what we promise
Gilles Peskineb1940a72021-06-02 15:18:12 +02005264 * about this list.
5265 */
Chien Wong4e9683e2023-12-28 17:07:43 +08005266static const uint16_t ssl_preset_default_groups[] = {
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005267#if defined(PSA_WANT_ECC_MONTGOMERY_255)
Brett Warrene0edc842021-08-17 09:53:13 +01005268 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
Gilles Peskineae270bf2021-06-02 00:05:29 +02005269#endif
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005270#if defined(PSA_WANT_ECC_SECP_R1_256)
Brett Warrene0edc842021-08-17 09:53:13 +01005271 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
Gilles Peskineae270bf2021-06-02 00:05:29 +02005272#endif
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005273#if defined(PSA_WANT_ECC_SECP_R1_384)
Brett Warrene0edc842021-08-17 09:53:13 +01005274 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005275#endif
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005276#if defined(PSA_WANT_ECC_MONTGOMERY_448)
Brett Warrene0edc842021-08-17 09:53:13 +01005277 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005278#endif
Elena Uziunaite24e24f22024-07-04 17:53:40 +01005279#if defined(PSA_WANT_ECC_SECP_R1_521)
Brett Warrene0edc842021-08-17 09:53:13 +01005280 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005281#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005282#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
Brett Warrene0edc842021-08-17 09:53:13 +01005283 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
Gilles Peskineae270bf2021-06-02 00:05:29 +02005284#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005285#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
Brett Warrene0edc842021-08-17 09:53:13 +01005286 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005287#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005288#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
Brett Warrene0edc842021-08-17 09:53:13 +01005289 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
Gilles Peskineb1940a72021-06-02 15:18:12 +02005290#endif
Przemek Stekiel316c19e2023-05-31 15:25:11 +02005291#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel383f4712022-12-12 14:48:57 +01005292 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5293 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5294 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5295 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5296 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5297#endif
Brett Warrene0edc842021-08-17 09:53:13 +01005298 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
Gilles Peskineae270bf2021-06-02 00:05:29 +02005299};
Gilles Peskineae270bf2021-06-02 00:05:29 +02005300
Alexey Tsvetkov2ca34372022-06-07 10:21:05 +03005301static const int ssl_preset_suiteb_ciphersuites[] = {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005302 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5303 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5304 0
5305};
5306
Ronald Crone68ab4f2022-10-05 12:46:29 +02005307#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01005308
Jerry Yu909df7b2022-01-22 11:56:27 +08005309/* NOTICE:
Jerry Yu0b994b82022-01-25 17:22:12 +08005310 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
Jerry Yu370e1462022-01-25 10:36:53 +08005311 * rules SHOULD be upheld.
5312 * - No duplicate entries.
5313 * - But if there is a good reason, do not change the order of the algorithms.
Jerry Yu09a99fc2022-07-28 14:22:17 +08005314 * - ssl_tls12_preset* is for TLS 1.2 use only.
Jerry Yu370e1462022-01-25 10:36:53 +08005315 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
Jerry Yu1a8b4812022-01-20 17:56:50 +08005316 */
Chien Wong4e9683e2023-12-28 17:07:43 +08005317static const uint16_t ssl_preset_default_sig_algs[] = {
Jerry Yu1a8b4812022-01-20 17:56:50 +08005318
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005319#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005320 defined(PSA_WANT_ALG_SHA_256) && \
Valerio Setticf29c5d2023-09-01 09:03:41 +02005321 defined(PSA_WANT_ECC_SECP_R1_256)
Jerry Yued5e9f42022-01-26 11:21:34 +08005322 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005323 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5324#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005325
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005326#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005327 defined(PSA_WANT_ALG_SHA_384) && \
Valerio Setticf29c5d2023-09-01 09:03:41 +02005328 defined(PSA_WANT_ECC_SECP_R1_384)
Jerry Yu909df7b2022-01-22 11:56:27 +08005329 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005330 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5331#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005332
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005333#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Gabor Mezeic15ef932024-06-13 12:53:54 +02005334 defined(PSA_WANT_ALG_SHA_512) && \
Valerio Setticf29c5d2023-09-01 09:03:41 +02005335 defined(PSA_WANT_ECC_SECP_R1_521)
Jerry Yued5e9f42022-01-26 11:21:34 +08005336 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005337 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5338#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005339
Gabor Mezeic15ef932024-06-13 12:53:54 +02005340#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_512)
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005341 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
Yanray Wang1136fad2023-11-22 16:54:31 +08005342#endif
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005343
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005344#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_384)
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005345 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
Yanray Wang1136fad2023-11-22 16:54:31 +08005346#endif
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005347
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005348#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_256)
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005349 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
Yanray Wang1136fad2023-11-22 16:54:31 +08005350#endif
Jerry Yu9bb3ee42022-06-23 10:16:33 +08005351
Gabor Mezeic15ef932024-06-13 12:53:54 +02005352#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_512)
Jerry Yu693a47a2022-06-23 14:02:28 +08005353 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
Gabor Mezeic15ef932024-06-13 12:53:54 +02005354#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_512 */
Jerry Yu693a47a2022-06-23 14:02:28 +08005355
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005356#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384)
Jerry Yu693a47a2022-06-23 14:02:28 +08005357 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005358#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_384 */
Jerry Yu693a47a2022-06-23 14:02:28 +08005359
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005360#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
Jerry Yu693a47a2022-06-23 14:02:28 +08005361 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005362#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */
Jerry Yu693a47a2022-06-23 14:02:28 +08005363
Gabor Mezei15b95a62022-05-09 16:37:58 +02005364 MBEDTLS_TLS_SIG_NONE
Jerry Yu909df7b2022-01-22 11:56:27 +08005365};
5366
5367/* NOTICE: see above */
5368#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5369static uint16_t ssl_tls12_preset_default_sig_algs[] = {
Yanray Wang1136fad2023-11-22 16:54:31 +08005370
Gabor Mezeic15ef932024-06-13 12:53:54 +02005371#if defined(PSA_WANT_ALG_SHA_512)
Valerio Settie9646ec2023-08-02 20:02:28 +02005372#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005373 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
Jerry Yu713013f2022-01-17 18:16:35 +08005374#endif
Jerry Yu09a99fc2022-07-28 14:22:17 +08005375#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5376 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
Yanray Wang1136fad2023-11-22 16:54:31 +08005377#endif
Gabor Mezeic1051b62022-05-10 13:13:58 +02005378#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005379 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
Gabor Mezeic1051b62022-05-10 13:13:58 +02005380#endif
Gabor Mezeic15ef932024-06-13 12:53:54 +02005381#endif /* PSA_WANT_ALG_SHA_512 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005382
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005383#if defined(PSA_WANT_ALG_SHA_384)
Valerio Settie9646ec2023-08-02 20:02:28 +02005384#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005385 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
Jerry Yu11f0a9c2022-01-12 18:43:08 +08005386#endif
Jerry Yu09a99fc2022-07-28 14:22:17 +08005387#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5388 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
Yanray Wang1136fad2023-11-22 16:54:31 +08005389#endif
Gabor Mezeic1051b62022-05-10 13:13:58 +02005390#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005391 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
Gabor Mezeic1051b62022-05-10 13:13:58 +02005392#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005393#endif /* PSA_WANT_ALG_SHA_384 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005394
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005395#if defined(PSA_WANT_ALG_SHA_256)
Valerio Settie9646ec2023-08-02 20:02:28 +02005396#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005397 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
Jerry Yu11f0a9c2022-01-12 18:43:08 +08005398#endif
Jerry Yu09a99fc2022-07-28 14:22:17 +08005399#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5400 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
Yanray Wang1136fad2023-11-22 16:54:31 +08005401#endif
Gabor Mezeic1051b62022-05-10 13:13:58 +02005402#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005403 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
Gabor Mezeic1051b62022-05-10 13:13:58 +02005404#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005405#endif /* PSA_WANT_ALG_SHA_256 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005406
Gabor Mezei15b95a62022-05-09 16:37:58 +02005407 MBEDTLS_TLS_SIG_NONE
Jerry Yu909df7b2022-01-22 11:56:27 +08005408};
5409#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005410
Jerry Yu909df7b2022-01-22 11:56:27 +08005411/* NOTICE: see above */
Chien Wong4e9683e2023-12-28 17:07:43 +08005412static const uint16_t ssl_preset_suiteb_sig_algs[] = {
Jerry Yu909df7b2022-01-22 11:56:27 +08005413
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005414#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005415 defined(PSA_WANT_ALG_SHA_256) && \
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005416 defined(PSA_WANT_ECC_SECP_R1_256)
Jerry Yu909df7b2022-01-22 11:56:27 +08005417 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005418 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5419#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005420
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005421#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005422 defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005423 defined(PSA_WANT_ECC_SECP_R1_384)
Jerry Yu53037892022-01-25 11:02:06 +08005424 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
Manuel Pégourié-Gonnard275afe12023-09-18 11:19:20 +02005425 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5426#endif
Jerry Yu909df7b2022-01-22 11:56:27 +08005427
Gabor Mezei15b95a62022-05-09 16:37:58 +02005428 MBEDTLS_TLS_SIG_NONE
Jerry Yu713013f2022-01-17 18:16:35 +08005429};
Jerry Yu6106fdc2022-01-12 16:36:14 +08005430
Jerry Yu909df7b2022-01-22 11:56:27 +08005431/* NOTICE: see above */
5432#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5433static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
Yanray Wang1136fad2023-11-22 16:54:31 +08005434
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005435#if defined(PSA_WANT_ALG_SHA_256)
Valerio Settie9646ec2023-08-02 20:02:28 +02005436#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005437 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
Jerry Yu713013f2022-01-17 18:16:35 +08005438#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005439#endif /* PSA_WANT_ALG_SHA_256 */
Yanray Wang69ceb392023-11-22 16:32:39 +08005440
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005441#if defined(PSA_WANT_ALG_SHA_384)
Valerio Settie9646ec2023-08-02 20:02:28 +02005442#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005443 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
Jerry Yu18c833e2022-01-25 10:55:47 +08005444#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005445#endif /* PSA_WANT_ALG_SHA_384 */
Yanray Wang1136fad2023-11-22 16:54:31 +08005446
Gabor Mezei15b95a62022-05-09 16:37:58 +02005447 MBEDTLS_TLS_SIG_NONE
Hanno Becker9c6aa7b2021-08-10 13:50:43 +01005448};
Jerry Yu909df7b2022-01-22 11:56:27 +08005449#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5450
Ronald Crone68ab4f2022-10-05 12:46:29 +02005451#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005452
Chien Wong4e9683e2023-12-28 17:07:43 +08005453static const uint16_t ssl_preset_suiteb_groups[] = {
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005454#if defined(PSA_WANT_ECC_SECP_R1_256)
Brett Warrene0edc842021-08-17 09:53:13 +01005455 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01005456#endif
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005457#if defined(PSA_WANT_ECC_SECP_R1_384)
Brett Warrene0edc842021-08-17 09:53:13 +01005458 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01005459#endif
Brett Warrene0edc842021-08-17 09:53:13 +01005460 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005461};
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005462
Ronald Crone68ab4f2022-10-05 12:46:29 +02005463#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu909df7b2022-01-22 11:56:27 +08005464/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
Jerry Yu370e1462022-01-25 10:36:53 +08005465 * to make sure there are no duplicated signature algorithm entries. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02005466MBEDTLS_CHECK_RETURN_CRITICAL
Chien Wong4e9683e2023-12-28 17:07:43 +08005467static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
Jerry Yu1a8b4812022-01-20 17:56:50 +08005468{
5469 size_t i, j;
5470 int ret = 0;
Jerry Yu909df7b2022-01-22 11:56:27 +08005471
Gilles Peskine449bd832023-01-11 14:50:10 +01005472 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5473 for (j = 0; j < i; j++) {
5474 if (sig_algs[i] != sig_algs[j]) {
Jerry Yuf377d642022-01-25 10:43:59 +08005475 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01005476 }
5477 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5478 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5479 sig_algs[i], j, i);
Jerry Yuf377d642022-01-25 10:43:59 +08005480 ret = -1;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005481 }
5482 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005483 return ret;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005484}
5485
Ronald Crone68ab4f2022-10-05 12:46:29 +02005486#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yu1a8b4812022-01-20 17:56:50 +08005487
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005488/*
Tillmann Karras588ad502015-09-25 04:27:22 +02005489 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005490 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005491int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5492 int endpoint, int transport, int preset)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005493{
Ronald Crone68ab4f2022-10-05 12:46:29 +02005494#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005495 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5496 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5497 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005498 }
5499
Gilles Peskine449bd832023-01-11 14:50:10 +01005500 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5501 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5502 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu1a8b4812022-01-20 17:56:50 +08005503 }
Jerry Yu909df7b2022-01-22 11:56:27 +08005504
5505#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005506 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5507 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5508 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu909df7b2022-01-22 11:56:27 +08005509 }
5510
Gilles Peskine449bd832023-01-11 14:50:10 +01005511 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5512 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5513 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu909df7b2022-01-22 11:56:27 +08005514 }
5515#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Ronald Crone68ab4f2022-10-05 12:46:29 +02005516#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yu1a8b4812022-01-20 17:56:50 +08005517
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +02005518 /* Use the functions here so that they are covered in tests,
5519 * but otherwise access member directly for efficiency */
Gilles Peskine449bd832023-01-11 14:50:10 +01005520 mbedtls_ssl_conf_endpoint(conf, endpoint);
5521 mbedtls_ssl_conf_transport(conf, transport);
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005522
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005523 /*
5524 * Things that are common to all presets
5525 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02005526#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005527 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02005528 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5529#if defined(MBEDTLS_SSL_SESSION_TICKETS)
5530 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5531#endif
5532 }
5533#endif
5534
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005535#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5536 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5537#endif
5538
5539#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5540 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5541#endif
5542
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02005543#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005544 conf->f_cookie_write = ssl_cookie_write_dummy;
5545 conf->f_cookie_check = ssl_cookie_check_dummy;
5546#endif
5547
5548#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5549 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5550#endif
5551
Janos Follath088ce432017-04-10 12:42:31 +01005552#if defined(MBEDTLS_SSL_SRV_C)
5553 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
TRodziewicz3946f792021-06-14 12:11:18 +02005554 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
Janos Follath088ce432017-04-10 12:42:31 +01005555#endif
5556
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005557#if defined(MBEDTLS_SSL_PROTO_DTLS)
5558 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5559 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5560#endif
5561
5562#if defined(MBEDTLS_SSL_RENEGOTIATION)
5563 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Gilles Peskine449bd832023-01-11 14:50:10 +01005564 memset(conf->renego_period, 0x00, 2);
5565 memset(conf->renego_period + 2, 0xFF, 6);
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005566#endif
5567
Ronald Cron6f135e12021-12-08 16:57:54 +01005568#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu6ee56aa2022-12-06 17:47:22 +08005569
5570#if defined(MBEDTLS_SSL_EARLY_DATA)
Yanray Wangd5ed36f2023-11-07 11:40:43 +08005571 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
Jerry Yu6ee56aa2022-12-06 17:47:22 +08005572#if defined(MBEDTLS_SSL_SRV_C)
Yanray Wang07517612023-11-07 11:47:36 +08005573 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
Jerry Yu6ee56aa2022-12-06 17:47:22 +08005574#endif
5575#endif /* MBEDTLS_SSL_EARLY_DATA */
5576
Jerry Yud0766ec2022-09-22 10:46:57 +08005577#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu1ad7ace2022-08-09 13:28:39 +08005578 mbedtls_ssl_conf_new_session_tickets(
Gilles Peskine449bd832023-01-11 14:50:10 +01005579 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
Jerry Yu1ad7ace2022-08-09 13:28:39 +08005580#endif
Hanno Becker71f1ed62021-07-24 06:01:47 +01005581 /*
5582 * Allow all TLS 1.3 key exchange modes by default.
5583 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00005584 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
Ronald Cron6f135e12021-12-08 16:57:54 +01005585#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker71f1ed62021-07-24 06:01:47 +01005586
Gilles Peskine449bd832023-01-11 14:50:10 +01005587 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Glenn Strauss2dfcea22022-03-14 17:26:42 -04005588#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
XiaokangQian4d3a6042022-04-21 13:46:17 +00005589 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
XiaokangQian060d8672022-04-21 09:24:56 +00005590 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
XiaokangQian4d3a6042022-04-21 13:46:17 +00005591#else
Gilles Peskine449bd832023-01-11 14:50:10 +01005592 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian060d8672022-04-21 09:24:56 +00005593#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01005594 } else {
XiaokangQian4d3a6042022-04-21 13:46:17 +00005595#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron097ba142023-03-08 16:18:00 +01005596 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5597 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQian4d3a6042022-04-21 13:46:17 +00005598#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5599 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5600 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5601#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5602 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5603 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5604#else
Gilles Peskine449bd832023-01-11 14:50:10 +01005605 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian4d3a6042022-04-21 13:46:17 +00005606#endif
5607 }
Glenn Strauss2dfcea22022-03-14 17:26:42 -04005608
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005609 /*
5610 * Preset-specific defaults
5611 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005612 switch (preset) {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005613 /*
5614 * NSA Suite B
5615 */
5616 case MBEDTLS_SSL_PRESET_SUITEB:
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005617
Hanno Beckerd60b6c62021-04-29 12:04:11 +01005618 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005619
5620#if defined(MBEDTLS_X509_CRT_PARSE_C)
5621 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005622#endif
5623
Ronald Crone68ab4f2022-10-05 12:46:29 +02005624#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu909df7b2022-01-22 11:56:27 +08005625#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005626 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
Jerry Yu909df7b2022-01-22 11:56:27 +08005627 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
Gilles Peskine449bd832023-01-11 14:50:10 +01005628 } else
Jerry Yu909df7b2022-01-22 11:56:27 +08005629#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005630 conf->sig_algs = ssl_preset_suiteb_sig_algs;
Ronald Crone68ab4f2022-10-05 12:46:29 +02005631#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005632
Brett Warrene0edc842021-08-17 09:53:13 +01005633 conf->group_list = ssl_preset_suiteb_groups;
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +02005634 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005635
5636 /*
5637 * Default
5638 */
5639 default:
Ronald Cronf6606552022-03-15 11:23:25 +01005640
Hanno Beckerd60b6c62021-04-29 12:04:11 +01005641 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005642
5643#if defined(MBEDTLS_X509_CRT_PARSE_C)
5644 conf->cert_profile = &mbedtls_x509_crt_profile_default;
5645#endif
5646
Ronald Crone68ab4f2022-10-05 12:46:29 +02005647#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu909df7b2022-01-22 11:56:27 +08005648#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01005649 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
Jerry Yu909df7b2022-01-22 11:56:27 +08005650 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
Gilles Peskine449bd832023-01-11 14:50:10 +01005651 } else
Jerry Yu909df7b2022-01-22 11:56:27 +08005652#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005653 conf->sig_algs = ssl_preset_default_sig_algs;
Ronald Crone68ab4f2022-10-05 12:46:29 +02005654#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005655
Brett Warrene0edc842021-08-17 09:53:13 +01005656 conf->group_list = ssl_preset_default_groups;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02005657 }
5658
Gilles Peskine449bd832023-01-11 14:50:10 +01005659 return 0;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005660}
5661
5662/*
5663 * Free mbedtls_ssl_config
5664 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005665void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005666{
Troy-Butlerda73abc2024-04-02 13:37:31 -04005667 if (conf == NULL) {
5668 return;
5669 }
5670
Ronald Cron73fe8df2022-10-05 14:31:43 +02005671#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005672 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
Neil Armstrong501c9322022-05-03 09:35:09 +02005673 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
5674 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005675 if (conf->psk != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005676 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
Azim Khan27e8a122018-03-21 14:24:11 +00005677 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005678 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +09005679 }
5680
Gilles Peskine449bd832023-01-11 14:50:10 +01005681 if (conf->psk_identity != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01005682 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
Azim Khan27e8a122018-03-21 14:24:11 +00005683 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005684 conf->psk_identity_len = 0;
5685 }
Ronald Cron73fe8df2022-10-05 14:31:43 +02005686#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005687
5688#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005689 ssl_key_cert_free(conf->key_cert);
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005690#endif
5691
Gilles Peskine449bd832023-01-11 14:50:10 +01005692 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02005693}
5694
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02005695#if defined(MBEDTLS_PK_C) && \
Valerio Settie9646ec2023-08-02 20:02:28 +02005696 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005697/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005698 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005699 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005700unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005701{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005702#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01005703 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
5704 return MBEDTLS_SSL_SIG_RSA;
5705 }
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005706#endif
Valerio Settie9646ec2023-08-02 20:02:28 +02005707#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01005708 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
5709 return MBEDTLS_SSL_SIG_ECDSA;
5710 }
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005711#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01005712 return MBEDTLS_SSL_SIG_ANON;
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005713}
5714
Gilles Peskine449bd832023-01-11 14:50:10 +01005715unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
Hanno Becker7e5437a2017-04-28 17:15:26 +01005716{
Gilles Peskine449bd832023-01-11 14:50:10 +01005717 switch (type) {
Hanno Becker7e5437a2017-04-28 17:15:26 +01005718 case MBEDTLS_PK_RSA:
Gilles Peskine449bd832023-01-11 14:50:10 +01005719 return MBEDTLS_SSL_SIG_RSA;
Hanno Becker7e5437a2017-04-28 17:15:26 +01005720 case MBEDTLS_PK_ECDSA:
5721 case MBEDTLS_PK_ECKEY:
Gilles Peskine449bd832023-01-11 14:50:10 +01005722 return MBEDTLS_SSL_SIG_ECDSA;
Hanno Becker7e5437a2017-04-28 17:15:26 +01005723 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005724 return MBEDTLS_SSL_SIG_ANON;
Hanno Becker7e5437a2017-04-28 17:15:26 +01005725 }
5726}
5727
Gilles Peskine449bd832023-01-11 14:50:10 +01005728mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005729{
Gilles Peskine449bd832023-01-11 14:50:10 +01005730 switch (sig) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005731#if defined(MBEDTLS_RSA_C)
5732 case MBEDTLS_SSL_SIG_RSA:
Gilles Peskine449bd832023-01-11 14:50:10 +01005733 return MBEDTLS_PK_RSA;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005734#endif
Valerio Settie9646ec2023-08-02 20:02:28 +02005735#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005736 case MBEDTLS_SSL_SIG_ECDSA:
Gilles Peskine449bd832023-01-11 14:50:10 +01005737 return MBEDTLS_PK_ECDSA;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005738#endif
5739 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005740 return MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005741 }
5742}
Valerio Settie9646ec2023-08-02 20:02:28 +02005743#endif /* MBEDTLS_PK_C &&
5744 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005745
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005746/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005747 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005748 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005749mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005750{
Gilles Peskine449bd832023-01-11 14:50:10 +01005751 switch (hash) {
Elena Uziunaiteb66a9912024-05-10 14:25:58 +01005752#if defined(PSA_WANT_ALG_MD5)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005753 case MBEDTLS_SSL_HASH_MD5:
Gilles Peskine449bd832023-01-11 14:50:10 +01005754 return MBEDTLS_MD_MD5;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005755#endif
Elena Uziunaite9fc5be02024-09-04 18:12:59 +01005756#if defined(PSA_WANT_ALG_SHA_1)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005757 case MBEDTLS_SSL_HASH_SHA1:
Gilles Peskine449bd832023-01-11 14:50:10 +01005758 return MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005759#endif
Elena Uziunaitefcc9afa2024-05-23 14:43:22 +01005760#if defined(PSA_WANT_ALG_SHA_224)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005761 case MBEDTLS_SSL_HASH_SHA224:
Gilles Peskine449bd832023-01-11 14:50:10 +01005762 return MBEDTLS_MD_SHA224;
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02005763#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005764#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005765 case MBEDTLS_SSL_HASH_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +01005766 return MBEDTLS_MD_SHA256;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005767#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005768#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005769 case MBEDTLS_SSL_HASH_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +01005770 return MBEDTLS_MD_SHA384;
Mateusz Starzyk3352a532021-04-06 14:28:22 +02005771#endif
Gabor Mezeic15ef932024-06-13 12:53:54 +02005772#if defined(PSA_WANT_ALG_SHA_512)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005773 case MBEDTLS_SSL_HASH_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +01005774 return MBEDTLS_MD_SHA512;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005775#endif
5776 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005777 return MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005778 }
5779}
5780
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005781/*
5782 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
5783 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005784unsigned char mbedtls_ssl_hash_from_md_alg(int md)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005785{
Gilles Peskine449bd832023-01-11 14:50:10 +01005786 switch (md) {
Elena Uziunaiteb66a9912024-05-10 14:25:58 +01005787#if defined(PSA_WANT_ALG_MD5)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005788 case MBEDTLS_MD_MD5:
Gilles Peskine449bd832023-01-11 14:50:10 +01005789 return MBEDTLS_SSL_HASH_MD5;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005790#endif
Elena Uziunaite9fc5be02024-09-04 18:12:59 +01005791#if defined(PSA_WANT_ALG_SHA_1)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005792 case MBEDTLS_MD_SHA1:
Gilles Peskine449bd832023-01-11 14:50:10 +01005793 return MBEDTLS_SSL_HASH_SHA1;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005794#endif
Elena Uziunaitefcc9afa2024-05-23 14:43:22 +01005795#if defined(PSA_WANT_ALG_SHA_224)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005796 case MBEDTLS_MD_SHA224:
Gilles Peskine449bd832023-01-11 14:50:10 +01005797 return MBEDTLS_SSL_HASH_SHA224;
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02005798#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005799#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005800 case MBEDTLS_MD_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +01005801 return MBEDTLS_SSL_HASH_SHA256;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005802#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005803#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005804 case MBEDTLS_MD_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +01005805 return MBEDTLS_SSL_HASH_SHA384;
Mateusz Starzyk3352a532021-04-06 14:28:22 +02005806#endif
Gabor Mezeic15ef932024-06-13 12:53:54 +02005807#if defined(PSA_WANT_ALG_SHA_512)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005808 case MBEDTLS_MD_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +01005809 return MBEDTLS_SSL_HASH_SHA512;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005810#endif
5811 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01005812 return MBEDTLS_SSL_HASH_NONE;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005813 }
5814}
5815
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005816/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02005817 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02005818 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005819 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005820int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005821{
Manuel Pégourié-Gonnard6402c352025-01-14 12:23:56 +01005822 const uint16_t *group_list = ssl->conf->group_list;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005823
Gilles Peskine449bd832023-01-11 14:50:10 +01005824 if (group_list == NULL) {
5825 return -1;
Brett Warrene0edc842021-08-17 09:53:13 +01005826 }
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005827
Gilles Peskine449bd832023-01-11 14:50:10 +01005828 for (; *group_list != 0; group_list++) {
5829 if (*group_list == tls_id) {
5830 return 0;
5831 }
5832 }
5833
5834 return -1;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005835}
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005836
Elena Uziunaite8dde3b32024-07-05 12:10:21 +01005837#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005838/*
5839 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
5840 */
Gilles Peskine449bd832023-01-11 14:50:10 +01005841int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005842{
Gilles Peskine449bd832023-01-11 14:50:10 +01005843 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Leonid Rozenboim19e59732022-08-08 16:52:38 -07005844
Gilles Peskine449bd832023-01-11 14:50:10 +01005845 if (tls_id == 0) {
Leonid Rozenboim19e59732022-08-08 16:52:38 -07005846 return -1;
Gilles Peskine449bd832023-01-11 14:50:10 +01005847 }
Leonid Rozenboim19e59732022-08-08 16:52:38 -07005848
Gilles Peskine449bd832023-01-11 14:50:10 +01005849 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01005850}
Elena Uziunaite8dde3b32024-07-05 12:10:21 +01005851#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
Valerio Setti67419f02023-01-04 16:12:42 +01005852
Valerio Setti18c9fed2022-12-30 17:44:24 +01005853static const struct {
5854 uint16_t tls_id;
5855 mbedtls_ecp_group_id ecp_group_id;
5856 psa_ecc_family_t psa_family;
5857 uint16_t bits;
Valerio Setti18c9fed2022-12-30 17:44:24 +01005858} tls_id_match_table[] =
5859{
Elena Uziunaite24e24f22024-07-04 17:53:40 +01005860#if defined(PSA_WANT_ECC_SECP_R1_521)
Valerio Settiacd32c02023-06-29 18:06:29 +02005861 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005862#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005863#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
Valerio Settiacd32c02023-06-29 18:06:29 +02005864 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005865#endif
Elena Uziunaite6b4cd482024-07-04 17:50:11 +01005866#if defined(PSA_WANT_ECC_SECP_R1_384)
Valerio Settiacd32c02023-06-29 18:06:29 +02005867 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005868#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005869#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
Valerio Settiacd32c02023-06-29 18:06:29 +02005870 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005871#endif
Elena Uziunaite417d05f2024-07-04 17:46:30 +01005872#if defined(PSA_WANT_ECC_SECP_R1_256)
Valerio Settiacd32c02023-06-29 18:06:29 +02005873 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005874#endif
Elena Uziunaite9e85c9f2024-07-04 18:37:34 +01005875#if defined(PSA_WANT_ECC_SECP_K1_256)
Valerio Settiacd32c02023-06-29 18:06:29 +02005876 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005877#endif
Elena Uziunaiteb8d10872024-07-05 10:51:40 +01005878#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
Valerio Settiacd32c02023-06-29 18:06:29 +02005879 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005880#endif
Elena Uziunaiteeaa0cf02024-07-04 17:41:25 +01005881#if defined(PSA_WANT_ECC_SECP_R1_224)
Valerio Settiacd32c02023-06-29 18:06:29 +02005882 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005883#endif
Elena Uziunaitea3632862024-07-04 13:52:43 +01005884#if defined(PSA_WANT_ECC_SECP_R1_192)
Valerio Settiacd32c02023-06-29 18:06:29 +02005885 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005886#endif
Elena Uziunaite9e85c9f2024-07-04 18:37:34 +01005887#if defined(PSA_WANT_ECC_SECP_K1_192)
Valerio Settiacd32c02023-06-29 18:06:29 +02005888 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005889#endif
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005890#if defined(PSA_WANT_ECC_MONTGOMERY_255)
Valerio Settiacd32c02023-06-29 18:06:29 +02005891 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005892#endif
Elena Uziunaite0b5d48e2024-07-05 11:48:23 +01005893#if defined(PSA_WANT_ECC_MONTGOMERY_448)
Valerio Settiacd32c02023-06-29 18:06:29 +02005894 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005895#endif
Valerio Settiacd32c02023-06-29 18:06:29 +02005896 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
Valerio Setti18c9fed2022-12-30 17:44:24 +01005897};
5898
Gilles Peskine449bd832023-01-11 14:50:10 +01005899int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +02005900 psa_key_type_t *type,
Gilles Peskine449bd832023-01-11 14:50:10 +01005901 size_t *bits)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005902{
Gilles Peskine449bd832023-01-11 14:50:10 +01005903 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5904 if (tls_id_match_table[i].tls_id == tls_id) {
Przemek Stekielda4fba62023-06-02 14:52:28 +02005905 if (type != NULL) {
5906 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
Gilles Peskine449bd832023-01-11 14:50:10 +01005907 }
5908 if (bits != NULL) {
Valerio Setti18c9fed2022-12-30 17:44:24 +01005909 *bits = tls_id_match_table[i].bits;
Gilles Peskine449bd832023-01-11 14:50:10 +01005910 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005911 return PSA_SUCCESS;
5912 }
5913 }
5914
5915 return PSA_ERROR_NOT_SUPPORTED;
5916}
5917
Gilles Peskine449bd832023-01-11 14:50:10 +01005918mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005919{
Gilles Peskine449bd832023-01-11 14:50:10 +01005920 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5921 if (tls_id_match_table[i].tls_id == tls_id) {
Valerio Setti18c9fed2022-12-30 17:44:24 +01005922 return tls_id_match_table[i].ecp_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +01005923 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005924 }
5925
5926 return MBEDTLS_ECP_DP_NONE;
5927}
5928
Gilles Peskine449bd832023-01-11 14:50:10 +01005929uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005930{
Gilles Peskine449bd832023-01-11 14:50:10 +01005931 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
5932 i++) {
5933 if (tls_id_match_table[i].ecp_group_id == grp_id) {
Valerio Setti18c9fed2022-12-30 17:44:24 +01005934 return tls_id_match_table[i].tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +01005935 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005936 }
5937
5938 return 0;
5939}
5940
Valerio Setti67419f02023-01-04 16:12:42 +01005941#if defined(MBEDTLS_DEBUG_C)
Valerio Settiacd32c02023-06-29 18:06:29 +02005942static const struct {
5943 uint16_t tls_id;
5944 const char *name;
5945} tls_id_curve_name_table[] =
5946{
Valerio Setti54e23792023-07-07 10:49:27 +02005947 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
5948 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
5949 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
5950 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
5951 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
5952 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
5953 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
5954 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
5955 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
5956 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
5957 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
5958 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
5959 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
Valerio Settiacd32c02023-06-29 18:06:29 +02005960 { 0, NULL },
5961};
5962
Gilles Peskine449bd832023-01-11 14:50:10 +01005963const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
Valerio Setti18c9fed2022-12-30 17:44:24 +01005964{
Valerio Settiacd32c02023-06-29 18:06:29 +02005965 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
5966 if (tls_id_curve_name_table[i].tls_id == tls_id) {
5967 return tls_id_curve_name_table[i].name;
Gilles Peskine449bd832023-01-11 14:50:10 +01005968 }
Valerio Setti18c9fed2022-12-30 17:44:24 +01005969 }
5970
5971 return NULL;
5972}
Valerio Setti67419f02023-01-04 16:12:42 +01005973#endif
Valerio Setti18c9fed2022-12-30 17:44:24 +01005974
Gilles Peskine449bd832023-01-11 14:50:10 +01005975int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
5976 const mbedtls_md_type_t md,
5977 unsigned char *dst,
5978 size_t dst_len,
5979 size_t *olen)
Jerry Yu148165c2021-09-24 23:20:59 +08005980{
Ronald Cronf6893e12022-01-07 22:09:01 +01005981 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5982 psa_hash_operation_t *hash_operation_to_clone;
5983 psa_hash_operation_t hash_operation = psa_hash_operation_init();
5984
Jerry Yu148165c2021-09-24 23:20:59 +08005985 *olen = 0;
Ronald Cronf6893e12022-01-07 22:09:01 +01005986
Gilles Peskine449bd832023-01-11 14:50:10 +01005987 switch (md) {
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01005988#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01005989 case MBEDTLS_MD_SHA384:
5990 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
5991 break;
Ronald Cronf6893e12022-01-07 22:09:01 +01005992#endif
5993
Elena Uziunaite0916cd72024-05-23 17:01:07 +01005994#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +01005995 case MBEDTLS_MD_SHA256:
5996 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
5997 break;
Ronald Cronf6893e12022-01-07 22:09:01 +01005998#endif
5999
Gilles Peskine449bd832023-01-11 14:50:10 +01006000 default:
6001 goto exit;
6002 }
6003
6004 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
6005 if (status != PSA_SUCCESS) {
Ronald Cronf6893e12022-01-07 22:09:01 +01006006 goto exit;
6007 }
6008
Gilles Peskine449bd832023-01-11 14:50:10 +01006009 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
6010 if (status != PSA_SUCCESS) {
Ronald Cronf6893e12022-01-07 22:09:01 +01006011 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01006012 }
Ronald Cronf6893e12022-01-07 22:09:01 +01006013
6014exit:
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006015#if !defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006016 !defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurekeabeb302022-10-17 07:52:51 -04006017 (void) ssl;
6018#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05006019 return PSA_TO_MBEDTLS_ERR(status);
Jerry Yu148165c2021-09-24 23:20:59 +08006020}
Jerry Yu24c0ec32021-09-09 14:21:07 +08006021
Ronald Crone68ab4f2022-10-05 12:46:29 +02006022#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Gabor Mezei078e8032022-04-27 21:17:56 +02006023/* mbedtls_ssl_parse_sig_alg_ext()
6024 *
6025 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
6026 * value (TLS 1.3 RFC8446):
6027 * enum {
6028 * ....
6029 * ecdsa_secp256r1_sha256( 0x0403 ),
6030 * ecdsa_secp384r1_sha384( 0x0503 ),
6031 * ecdsa_secp521r1_sha512( 0x0603 ),
6032 * ....
6033 * } SignatureScheme;
6034 *
6035 * struct {
6036 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
6037 * } SignatureSchemeList;
6038 *
6039 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
6040 * value (TLS 1.2 RFC5246):
6041 * enum {
6042 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
6043 * sha512(6), (255)
6044 * } HashAlgorithm;
6045 *
6046 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
6047 * SignatureAlgorithm;
6048 *
6049 * struct {
6050 * HashAlgorithm hash;
6051 * SignatureAlgorithm signature;
6052 * } SignatureAndHashAlgorithm;
6053 *
6054 * SignatureAndHashAlgorithm
6055 * supported_signature_algorithms<2..2^16-2>;
6056 *
6057 * The TLS 1.3 signature algorithm extension was defined to be a compatible
6058 * generalization of the TLS 1.2 signature algorithm extension.
6059 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
6060 * `SignatureScheme` field of TLS 1.3
6061 *
6062 */
Gilles Peskine449bd832023-01-11 14:50:10 +01006063int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
6064 const unsigned char *buf,
6065 const unsigned char *end)
Gabor Mezei078e8032022-04-27 21:17:56 +02006066{
6067 const unsigned char *p = buf;
6068 size_t supported_sig_algs_len = 0;
6069 const unsigned char *supported_sig_algs_end;
6070 uint16_t sig_alg;
6071 uint32_t common_idx = 0;
6072
Gilles Peskine449bd832023-01-11 14:50:10 +01006073 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
6074 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
Gabor Mezei078e8032022-04-27 21:17:56 +02006075 p += 2;
6076
Gilles Peskine449bd832023-01-11 14:50:10 +01006077 memset(ssl->handshake->received_sig_algs, 0,
6078 sizeof(ssl->handshake->received_sig_algs));
Gabor Mezei078e8032022-04-27 21:17:56 +02006079
Gilles Peskine449bd832023-01-11 14:50:10 +01006080 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
Gabor Mezei078e8032022-04-27 21:17:56 +02006081 supported_sig_algs_end = p + supported_sig_algs_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01006082 while (p < supported_sig_algs_end) {
6083 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
6084 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
Gabor Mezei078e8032022-04-27 21:17:56 +02006085 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01006086 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
6087 sig_alg,
6088 mbedtls_ssl_sig_alg_to_str(sig_alg)));
Jerry Yu2fe6c632022-06-29 10:02:38 +08006089#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine449bd832023-01-11 14:50:10 +01006090 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6091 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6092 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
Gabor Mezei078e8032022-04-27 21:17:56 +02006093 continue;
Jerry Yu2fe6c632022-06-29 10:02:38 +08006094 }
6095#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Gabor Mezei078e8032022-04-27 21:17:56 +02006096
Gilles Peskine449bd832023-01-11 14:50:10 +01006097 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6098 mbedtls_ssl_sig_alg_to_str(sig_alg)));
Gabor Mezei078e8032022-04-27 21:17:56 +02006099
Gilles Peskine449bd832023-01-11 14:50:10 +01006100 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
Gabor Mezei078e8032022-04-27 21:17:56 +02006101 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6102 common_idx += 1;
6103 }
6104 }
6105 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006106 if (p != end) {
6107 MBEDTLS_SSL_DEBUG_MSG(1,
6108 ("Signature algorithms extension length misaligned"));
6109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6110 MBEDTLS_ERR_SSL_DECODE_ERROR);
6111 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gabor Mezei078e8032022-04-27 21:17:56 +02006112 }
6113
Gilles Peskine449bd832023-01-11 14:50:10 +01006114 if (common_idx == 0) {
6115 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6116 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6117 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6118 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Gabor Mezei078e8032022-04-27 21:17:56 +02006119 }
6120
Gabor Mezei15b95a62022-05-09 16:37:58 +02006121 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
Gilles Peskine449bd832023-01-11 14:50:10 +01006122 return 0;
Gabor Mezei078e8032022-04-27 21:17:56 +02006123}
6124
Ronald Crone68ab4f2022-10-05 12:46:29 +02006125#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Gabor Mezei078e8032022-04-27 21:17:56 +02006126
Jerry Yudc7bd172022-02-17 13:44:15 +08006127#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6128
Jerry Yudc7bd172022-02-17 13:44:15 +08006129
Gilles Peskine449bd832023-01-11 14:50:10 +01006130static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6131 mbedtls_svc_key_id_t key,
6132 psa_algorithm_t alg,
6133 const unsigned char *raw_psk, size_t raw_psk_length,
6134 const unsigned char *seed, size_t seed_length,
6135 const unsigned char *label, size_t label_length,
6136 const unsigned char *other_secret,
6137 size_t other_secret_length,
6138 size_t capacity)
Jerry Yudc7bd172022-02-17 13:44:15 +08006139{
6140 psa_status_t status;
6141
Gilles Peskine449bd832023-01-11 14:50:10 +01006142 status = psa_key_derivation_setup(derivation, alg);
6143 if (status != PSA_SUCCESS) {
6144 return status;
6145 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006146
Gilles Peskine449bd832023-01-11 14:50:10 +01006147 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6148 status = psa_key_derivation_input_bytes(derivation,
6149 PSA_KEY_DERIVATION_INPUT_SEED,
6150 seed, seed_length);
6151 if (status != PSA_SUCCESS) {
6152 return status;
Przemek Stekiel1f027032022-04-05 17:12:11 +02006153 }
6154
Gilles Peskine449bd832023-01-11 14:50:10 +01006155 if (other_secret != NULL) {
6156 status = psa_key_derivation_input_bytes(derivation,
6157 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6158 other_secret, other_secret_length);
6159 if (status != PSA_SUCCESS) {
6160 return status;
6161 }
6162 }
6163
6164 if (mbedtls_svc_key_id_is_null(key)) {
Jerry Yudc7bd172022-02-17 13:44:15 +08006165 status = psa_key_derivation_input_bytes(
6166 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
Gilles Peskine449bd832023-01-11 14:50:10 +01006167 raw_psk, raw_psk_length);
6168 } else {
Jerry Yudc7bd172022-02-17 13:44:15 +08006169 status = psa_key_derivation_input_key(
Gilles Peskine449bd832023-01-11 14:50:10 +01006170 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
Jerry Yudc7bd172022-02-17 13:44:15 +08006171 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006172 if (status != PSA_SUCCESS) {
6173 return status;
6174 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006175
Gilles Peskine449bd832023-01-11 14:50:10 +01006176 status = psa_key_derivation_input_bytes(derivation,
6177 PSA_KEY_DERIVATION_INPUT_LABEL,
6178 label, label_length);
6179 if (status != PSA_SUCCESS) {
6180 return status;
6181 }
6182 } else {
6183 return PSA_ERROR_NOT_SUPPORTED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006184 }
6185
Gilles Peskine449bd832023-01-11 14:50:10 +01006186 status = psa_key_derivation_set_capacity(derivation, capacity);
6187 if (status != PSA_SUCCESS) {
6188 return status;
6189 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006190
Gilles Peskine449bd832023-01-11 14:50:10 +01006191 return PSA_SUCCESS;
Jerry Yudc7bd172022-02-17 13:44:15 +08006192}
6193
Andrzej Kurek57d10632022-10-24 10:32:01 -04006194#if defined(PSA_WANT_ALG_SHA_384) || \
6195 defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006196MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006197static int tls_prf_generic(mbedtls_md_type_t md_type,
6198 const unsigned char *secret, size_t slen,
6199 const char *label,
6200 const unsigned char *random, size_t rlen,
6201 unsigned char *dstbuf, size_t dlen)
Jerry Yudc7bd172022-02-17 13:44:15 +08006202{
6203 psa_status_t status;
6204 psa_algorithm_t alg;
6205 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6206 psa_key_derivation_operation_t derivation =
6207 PSA_KEY_DERIVATION_OPERATION_INIT;
6208
Gilles Peskine449bd832023-01-11 14:50:10 +01006209 if (md_type == MBEDTLS_MD_SHA384) {
Jerry Yudc7bd172022-02-17 13:44:15 +08006210 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
Gilles Peskine449bd832023-01-11 14:50:10 +01006211 } else {
Jerry Yudc7bd172022-02-17 13:44:15 +08006212 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
Gilles Peskine449bd832023-01-11 14:50:10 +01006213 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006214
6215 /* Normally a "secret" should be long enough to be impossible to
6216 * find by brute force, and in particular should not be empty. But
6217 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6218 * and for this use case it makes sense to have a 0-length "secret".
6219 * Since the key API doesn't allow importing a key of length 0,
6220 * keep master_key=0, which setup_psa_key_derivation() understands
6221 * to mean a 0-length "secret" input. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006222 if (slen != 0) {
Jerry Yudc7bd172022-02-17 13:44:15 +08006223 psa_key_attributes_t key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +01006224 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6225 psa_set_key_algorithm(&key_attributes, alg);
6226 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
Jerry Yudc7bd172022-02-17 13:44:15 +08006227
Gilles Peskine449bd832023-01-11 14:50:10 +01006228 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6229 if (status != PSA_SUCCESS) {
6230 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6231 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006232 }
6233
Gilles Peskine449bd832023-01-11 14:50:10 +01006234 status = setup_psa_key_derivation(&derivation,
6235 master_key, alg,
6236 NULL, 0,
6237 random, rlen,
6238 (unsigned char const *) label,
6239 (size_t) strlen(label),
6240 NULL, 0,
6241 dlen);
6242 if (status != PSA_SUCCESS) {
6243 psa_key_derivation_abort(&derivation);
6244 psa_destroy_key(master_key);
6245 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006246 }
6247
Gilles Peskine449bd832023-01-11 14:50:10 +01006248 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6249 if (status != PSA_SUCCESS) {
6250 psa_key_derivation_abort(&derivation);
6251 psa_destroy_key(master_key);
6252 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006253 }
6254
Gilles Peskine449bd832023-01-11 14:50:10 +01006255 status = psa_key_derivation_abort(&derivation);
6256 if (status != PSA_SUCCESS) {
6257 psa_destroy_key(master_key);
6258 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yudc7bd172022-02-17 13:44:15 +08006259 }
6260
Gilles Peskine449bd832023-01-11 14:50:10 +01006261 if (!mbedtls_svc_key_id_is_null(master_key)) {
6262 status = psa_destroy_key(master_key);
6263 }
6264 if (status != PSA_SUCCESS) {
6265 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6266 }
Jerry Yudc7bd172022-02-17 13:44:15 +08006267
Gilles Peskine449bd832023-01-11 14:50:10 +01006268 return 0;
Jerry Yudc7bd172022-02-17 13:44:15 +08006269}
Andrzej Kurek57d10632022-10-24 10:32:01 -04006270#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
Jerry Yudc7bd172022-02-17 13:44:15 +08006271
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006272#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006273MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006274static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6275 const char *label,
6276 const unsigned char *random, size_t rlen,
6277 unsigned char *dstbuf, size_t dlen)
Jerry Yudc7bd172022-02-17 13:44:15 +08006278{
Gilles Peskine449bd832023-01-11 14:50:10 +01006279 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6280 label, random, rlen, dstbuf, dlen);
Jerry Yudc7bd172022-02-17 13:44:15 +08006281}
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006282#endif /* PSA_WANT_ALG_SHA_256*/
Jerry Yudc7bd172022-02-17 13:44:15 +08006283
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006284#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006285MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006286static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6287 const char *label,
6288 const unsigned char *random, size_t rlen,
6289 unsigned char *dstbuf, size_t dlen)
Jerry Yudc7bd172022-02-17 13:44:15 +08006290{
Gilles Peskine449bd832023-01-11 14:50:10 +01006291 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6292 label, random, rlen, dstbuf, dlen);
Jerry Yudc7bd172022-02-17 13:44:15 +08006293}
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006294#endif /* PSA_WANT_ALG_SHA_384*/
Jerry Yudc7bd172022-02-17 13:44:15 +08006295
Jerry Yuf009d862022-02-17 14:01:37 +08006296/*
6297 * Set appropriate PRF function and other SSL / TLS1.2 functions
6298 *
6299 * Inputs:
Jerry Yuf009d862022-02-17 14:01:37 +08006300 * - hash associated with the ciphersuite (only used by TLS 1.2)
6301 *
6302 * Outputs:
6303 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6304 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006305MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006306static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6307 mbedtls_md_type_t hash)
Jerry Yuf009d862022-02-17 14:01:37 +08006308{
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006309#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01006310 if (hash == MBEDTLS_MD_SHA384) {
Jerry Yuf009d862022-02-17 14:01:37 +08006311 handshake->tls_prf = tls_prf_sha384;
6312 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6313 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Gilles Peskine449bd832023-01-11 14:50:10 +01006314 } else
Jerry Yuf009d862022-02-17 14:01:37 +08006315#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006316#if defined(PSA_WANT_ALG_SHA_256)
Jerry Yuf009d862022-02-17 14:01:37 +08006317 {
Ronald Cron81591aa2022-03-07 09:05:51 +01006318 (void) hash;
Jerry Yuf009d862022-02-17 14:01:37 +08006319 handshake->tls_prf = tls_prf_sha256;
6320 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6321 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6322 }
Ronald Cron81591aa2022-03-07 09:05:51 +01006323#else
Jerry Yuf009d862022-02-17 14:01:37 +08006324 {
Jerry Yuf009d862022-02-17 14:01:37 +08006325 (void) handshake;
Ronald Cron81591aa2022-03-07 09:05:51 +01006326 (void) hash;
Gilles Peskine449bd832023-01-11 14:50:10 +01006327 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf009d862022-02-17 14:01:37 +08006328 }
Ronald Cron81591aa2022-03-07 09:05:51 +01006329#endif
Jerry Yuf009d862022-02-17 14:01:37 +08006330
Gilles Peskine449bd832023-01-11 14:50:10 +01006331 return 0;
Jerry Yuf009d862022-02-17 14:01:37 +08006332}
Jerry Yud6ab2352022-02-17 14:03:43 +08006333
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006334/*
6335 * Compute master secret if needed
6336 *
6337 * Parameters:
6338 * [in/out] handshake
6339 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6340 * (PSA-PSK) ciphersuite_info, psk_opaque
6341 * [out] premaster (cleared)
6342 * [out] master
6343 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6344 * debug: conf->f_dbg, conf->p_dbg
6345 * EMS: passed to calc_verify (debug + session_negotiate)
Ronald Crona25cf582022-03-07 11:10:36 +01006346 * PSA-PSA: conf
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006347 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006348MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006349static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6350 unsigned char *master,
6351 const mbedtls_ssl_context *ssl)
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006352{
6353 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6354
6355 /* cf. RFC 5246, Section 8.1:
6356 * "The master secret is always exactly 48 bytes in length." */
6357 size_t const master_secret_len = 48;
6358
6359#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6360 unsigned char session_hash[48];
6361#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6362
6363 /* The label for the KDF used for key expansion.
6364 * This is either "master secret" or "extended master secret"
6365 * depending on whether the Extended Master Secret extension
6366 * is used. */
6367 char const *lbl = "master secret";
6368
Przemek Stekielae4ed302022-04-05 17:15:55 +02006369 /* The seed for the KDF used for key expansion.
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006370 * - If the Extended Master Secret extension is not used,
6371 * this is ClientHello.Random + ServerHello.Random
6372 * (see Sect. 8.1 in RFC 5246).
6373 * - If the Extended Master Secret extension is used,
6374 * this is the transcript of the handshake so far.
6375 * (see Sect. 4 in RFC 7627). */
Przemek Stekielae4ed302022-04-05 17:15:55 +02006376 unsigned char const *seed = handshake->randbytes;
6377 size_t seed_len = 64;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006378
6379#if !defined(MBEDTLS_DEBUG_C) && \
6380 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01006381 !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006382 ssl = NULL; /* make sure we don't use it except for those cases */
6383 (void) ssl;
6384#endif
6385
Gilles Peskine449bd832023-01-11 14:50:10 +01006386 if (handshake->resume != 0) {
6387 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
6388 return 0;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006389 }
6390
6391#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +01006392 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006393 lbl = "extended master secret";
Przemek Stekielae4ed302022-04-05 17:15:55 +02006394 seed = session_hash;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01006395 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
6396 if (ret != 0) {
6397 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
6398 }
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006399
Gilles Peskine449bd832023-01-11 14:50:10 +01006400 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
6401 session_hash, seed_len);
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006402 }
Przemek Stekiel169bf0b2022-04-29 07:53:29 +02006403#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006404
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01006405#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01006406 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006407 /* Perform PSK-to-MS expansion in a single step. */
6408 psa_status_t status;
6409 psa_algorithm_t alg;
6410 mbedtls_svc_key_id_t psk;
6411 psa_key_derivation_operation_t derivation =
6412 PSA_KEY_DERIVATION_OPERATION_INIT;
Dave Rodgman2eab4622023-10-05 13:30:37 +01006413 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006414
Gilles Peskine449bd832023-01-11 14:50:10 +01006415 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006416
Gilles Peskine449bd832023-01-11 14:50:10 +01006417 psk = mbedtls_ssl_get_opaque_psk(ssl);
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006418
Gilles Peskine449bd832023-01-11 14:50:10 +01006419 if (hash_alg == MBEDTLS_MD_SHA384) {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006420 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
Gilles Peskine449bd832023-01-11 14:50:10 +01006421 } else {
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006422 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
Gilles Peskine449bd832023-01-11 14:50:10 +01006423 }
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006424
Przemek Stekiel51a1f362022-04-13 08:57:06 +02006425 size_t other_secret_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01006426 unsigned char *other_secret = NULL;
Przemek Stekielc2033402022-04-05 17:19:41 +02006427
Gilles Peskine449bd832023-01-11 14:50:10 +01006428 switch (handshake->ciphersuite_info->key_exchange) {
Przemek Stekiel19b80f82022-04-14 08:29:31 +02006429 /* Provide other secret.
Przemek Stekiel51a1f362022-04-13 08:57:06 +02006430 * Other secret is stored in premaster, where first 2 bytes hold the
Przemek Stekiel19b80f82022-04-14 08:29:31 +02006431 * length of the other key.
Przemek Stekielc2033402022-04-05 17:19:41 +02006432 */
Przemek Stekiel19b80f82022-04-14 08:29:31 +02006433 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
6434 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
6435 other_secret = handshake->premaster + 2;
6436 break;
6437 default:
6438 break;
Przemek Stekielc2033402022-04-05 17:19:41 +02006439 }
6440
Gilles Peskine449bd832023-01-11 14:50:10 +01006441 status = setup_psa_key_derivation(&derivation, psk, alg,
6442 ssl->conf->psk, ssl->conf->psk_len,
6443 seed, seed_len,
6444 (unsigned char const *) lbl,
6445 (size_t) strlen(lbl),
6446 other_secret, other_secret_len,
6447 master_secret_len);
6448 if (status != PSA_SUCCESS) {
6449 psa_key_derivation_abort(&derivation);
6450 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006451 }
6452
Gilles Peskine449bd832023-01-11 14:50:10 +01006453 status = psa_key_derivation_output_bytes(&derivation,
6454 master,
6455 master_secret_len);
6456 if (status != PSA_SUCCESS) {
6457 psa_key_derivation_abort(&derivation);
6458 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006459 }
6460
Gilles Peskine449bd832023-01-11 14:50:10 +01006461 status = psa_key_derivation_abort(&derivation);
6462 if (status != PSA_SUCCESS) {
6463 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6464 }
6465 } else
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006466#endif
6467 {
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01006468#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01006469 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +02006470 psa_status_t status;
6471 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
6472 psa_key_derivation_operation_t derivation =
6473 PSA_KEY_DERIVATION_OPERATION_INIT;
6474
Gilles Peskine449bd832023-01-11 14:50:10 +01006475 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
Neil Armstrongca7d5062022-05-31 14:43:23 +02006476
6477 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
6478
Gilles Peskine449bd832023-01-11 14:50:10 +01006479 status = psa_key_derivation_setup(&derivation, alg);
6480 if (status != PSA_SUCCESS) {
6481 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006482 }
6483
Gilles Peskine449bd832023-01-11 14:50:10 +01006484 status = psa_key_derivation_set_capacity(&derivation,
6485 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
6486 if (status != PSA_SUCCESS) {
6487 psa_key_derivation_abort(&derivation);
6488 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006489 }
6490
Gilles Peskine449bd832023-01-11 14:50:10 +01006491 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
6492 &derivation);
6493 if (status != PSA_SUCCESS) {
6494 psa_key_derivation_abort(&derivation);
6495 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006496 }
6497
Gilles Peskine449bd832023-01-11 14:50:10 +01006498 status = psa_key_derivation_output_bytes(&derivation,
6499 handshake->premaster,
6500 handshake->pmslen);
6501 if (status != PSA_SUCCESS) {
6502 psa_key_derivation_abort(&derivation);
6503 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6504 }
6505
6506 status = psa_key_derivation_abort(&derivation);
6507 if (status != PSA_SUCCESS) {
6508 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Neil Armstrongca7d5062022-05-31 14:43:23 +02006509 }
6510 }
6511#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01006512 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
6513 lbl, seed, seed_len,
6514 master,
6515 master_secret_len);
6516 if (ret != 0) {
6517 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
6518 return ret;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006519 }
6520
Gilles Peskine449bd832023-01-11 14:50:10 +01006521 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
6522 handshake->premaster,
6523 handshake->pmslen);
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006524
Gilles Peskine449bd832023-01-11 14:50:10 +01006525 mbedtls_platform_zeroize(handshake->premaster,
6526 sizeof(handshake->premaster));
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006527 }
6528
Gilles Peskine449bd832023-01-11 14:50:10 +01006529 return 0;
Jerry Yu2a7b5ac2022-02-17 14:07:00 +08006530}
6531
Gilles Peskine449bd832023-01-11 14:50:10 +01006532int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
Jerry Yud62f87e2022-02-17 14:09:02 +08006533{
6534 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6535 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
6536 ssl->handshake->ciphersuite_info;
6537
Gilles Peskine449bd832023-01-11 14:50:10 +01006538 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
Jerry Yud62f87e2022-02-17 14:09:02 +08006539
6540 /* Set PRF, calc_verify and calc_finished function pointers */
Gilles Peskine449bd832023-01-11 14:50:10 +01006541 ret = ssl_set_handshake_prfs(ssl->handshake,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +01006542 (mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +01006543 if (ret != 0) {
6544 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
6545 return ret;
Jerry Yud62f87e2022-02-17 14:09:02 +08006546 }
6547
6548 /* Compute master secret if needed */
Gilles Peskine449bd832023-01-11 14:50:10 +01006549 ret = ssl_compute_master(ssl->handshake,
6550 ssl->session_negotiate->master,
6551 ssl);
6552 if (ret != 0) {
6553 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
6554 return ret;
Jerry Yud62f87e2022-02-17 14:09:02 +08006555 }
6556
6557 /* Swap the client and server random values:
6558 * - MS derivation wanted client+server (RFC 5246 8.1)
6559 * - key derivation wants server+client (RFC 5246 6.3) */
6560 {
6561 unsigned char tmp[64];
Gilles Peskine449bd832023-01-11 14:50:10 +01006562 memcpy(tmp, ssl->handshake->randbytes, 64);
6563 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
6564 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
6565 mbedtls_platform_zeroize(tmp, sizeof(tmp));
Jerry Yud62f87e2022-02-17 14:09:02 +08006566 }
6567
6568 /* Populate transform structure */
Gilles Peskine449bd832023-01-11 14:50:10 +01006569 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
6570 ssl->session_negotiate->ciphersuite,
6571 ssl->session_negotiate->master,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02006572#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01006573 ssl->session_negotiate->encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02006574#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01006575 ssl->handshake->tls_prf,
6576 ssl->handshake->randbytes,
6577 ssl->tls_version,
6578 ssl->conf->endpoint,
6579 ssl);
6580 if (ret != 0) {
6581 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
6582 return ret;
Jerry Yud62f87e2022-02-17 14:09:02 +08006583 }
6584
6585 /* We no longer need Server/ClientHello.random values */
Gilles Peskine449bd832023-01-11 14:50:10 +01006586 mbedtls_platform_zeroize(ssl->handshake->randbytes,
6587 sizeof(ssl->handshake->randbytes));
Jerry Yud62f87e2022-02-17 14:09:02 +08006588
Gilles Peskine449bd832023-01-11 14:50:10 +01006589 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
Jerry Yud62f87e2022-02-17 14:09:02 +08006590
Gilles Peskine449bd832023-01-11 14:50:10 +01006591 return 0;
Jerry Yud62f87e2022-02-17 14:09:02 +08006592}
Jerry Yu8392e0d2022-02-17 14:10:24 +08006593
Gilles Peskine449bd832023-01-11 14:50:10 +01006594int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
Ronald Cron4dcbca92022-03-07 10:21:40 +01006595{
Gilles Peskine449bd832023-01-11 14:50:10 +01006596 switch (md) {
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006597#if defined(PSA_WANT_ALG_SHA_384)
Ronald Cron4dcbca92022-03-07 10:21:40 +01006598 case MBEDTLS_SSL_HASH_SHA384:
6599 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6600 break;
6601#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006602#if defined(PSA_WANT_ALG_SHA_256)
Ronald Cron4dcbca92022-03-07 10:21:40 +01006603 case MBEDTLS_SSL_HASH_SHA256:
6604 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6605 break;
6606#endif
6607 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01006608 return -1;
Ronald Cron4dcbca92022-03-07 10:21:40 +01006609 }
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006610#if !defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006611 !defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurekeabeb302022-10-17 07:52:51 -04006612 (void) ssl;
6613#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01006614 return 0;
Ronald Cron4dcbca92022-03-07 10:21:40 +01006615}
6616
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006617static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
6618 const psa_hash_operation_t *hs_op,
6619 size_t buffer_size,
6620 unsigned char *hash,
6621 size_t *hlen)
6622{
6623 psa_status_t status;
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006624 psa_hash_operation_t cloned_op = psa_hash_operation_init();
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006625
6626#if !defined(MBEDTLS_DEBUG_C)
6627 (void) ssl;
6628#endif
6629 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006630 status = psa_hash_clone(hs_op, &cloned_op);
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006631 if (status != PSA_SUCCESS) {
6632 goto exit;
6633 }
6634
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006635 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006636 if (status != PSA_SUCCESS) {
6637 goto exit;
6638 }
6639
6640 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
6641 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
6642
6643exit:
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02006644 psa_hash_abort(&cloned_op);
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006645 return mbedtls_md_error_from_psa(status);
6646}
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006647
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006648#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +01006649int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
6650 unsigned char *hash,
6651 size_t *hlen)
Jerry Yu8392e0d2022-02-17 14:10:24 +08006652{
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006653 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
6654 hash, hlen);
Jerry Yu8392e0d2022-02-17 14:10:24 +08006655}
Elena Uziunaite0916cd72024-05-23 17:01:07 +01006656#endif /* PSA_WANT_ALG_SHA_256 */
Jerry Yu8392e0d2022-02-17 14:10:24 +08006657
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006658#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +01006659int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
6660 unsigned char *hash,
6661 size_t *hlen)
Jerry Yuc1cb3842022-02-17 14:13:48 +08006662{
Manuel Pégourié-Gonnard74970662023-06-24 09:43:26 +02006663 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
6664 hash, hlen);
Jerry Yuc1cb3842022-02-17 14:13:48 +08006665}
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01006666#endif /* PSA_WANT_ALG_SHA_384 */
Jerry Yuc1cb3842022-02-17 14:13:48 +08006667
Jerry Yuc2c673d2022-02-17 14:20:39 +08006668#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006669MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006670static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
Jerry Yuc2c673d2022-02-17 14:20:39 +08006671
6672#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01006673int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
Jerry Yuc2c673d2022-02-17 14:20:39 +08006674{
6675 /* If renegotiation is not enforced, retransmit until we would reach max
6676 * timeout if we were using the usual handshake doubling scheme */
Gilles Peskine449bd832023-01-11 14:50:10 +01006677 if (ssl->conf->renego_max_records < 0) {
Jerry Yuc2c673d2022-02-17 14:20:39 +08006678 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
6679 unsigned char doublings = 1;
6680
Gilles Peskine449bd832023-01-11 14:50:10 +01006681 while (ratio != 0) {
Jerry Yuc2c673d2022-02-17 14:20:39 +08006682 ++doublings;
6683 ratio >>= 1;
6684 }
6685
Gilles Peskine449bd832023-01-11 14:50:10 +01006686 if (++ssl->renego_records_seen > doublings) {
6687 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
6688 return 0;
Jerry Yuc2c673d2022-02-17 14:20:39 +08006689 }
6690 }
6691
Gilles Peskine449bd832023-01-11 14:50:10 +01006692 return ssl_write_hello_request(ssl);
Jerry Yuc2c673d2022-02-17 14:20:39 +08006693}
6694#endif
6695#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Jerry Yud9526692022-02-17 14:23:47 +08006696
Jerry Yud9526692022-02-17 14:23:47 +08006697/*
6698 * Handshake functions
6699 */
6700#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6701/* No certificate support -> dummy functions */
Gilles Peskine449bd832023-01-11 14:50:10 +01006702int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006703{
6704 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6705 ssl->handshake->ciphersuite_info;
6706
Gilles Peskine449bd832023-01-11 14:50:10 +01006707 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006708
Gilles Peskine449bd832023-01-11 14:50:10 +01006709 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6710 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006711 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01006712 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006713 }
6714
Gilles Peskine449bd832023-01-11 14:50:10 +01006715 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6716 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006717}
6718
Gilles Peskine449bd832023-01-11 14:50:10 +01006719int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006720{
6721 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6722 ssl->handshake->ciphersuite_info;
6723
Gilles Peskine449bd832023-01-11 14:50:10 +01006724 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006725
Gilles Peskine449bd832023-01-11 14:50:10 +01006726 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6727 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006728 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01006729 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006730 }
6731
Gilles Peskine449bd832023-01-11 14:50:10 +01006732 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6733 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006734}
6735
6736#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6737/* Some certificate support -> implement write and parse */
6738
Gilles Peskine449bd832023-01-11 14:50:10 +01006739int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08006740{
6741 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6742 size_t i, n;
6743 const mbedtls_x509_crt *crt;
6744 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6745 ssl->handshake->ciphersuite_info;
6746
Gilles Peskine449bd832023-01-11 14:50:10 +01006747 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006748
Gilles Peskine449bd832023-01-11 14:50:10 +01006749 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6750 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006751 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01006752 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006753 }
6754
6755#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006756 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
6757 if (ssl->handshake->client_auth == 0) {
6758 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006759 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01006760 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08006761 }
6762 }
6763#endif /* MBEDTLS_SSL_CLI_C */
6764#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006765 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
6766 if (mbedtls_ssl_own_cert(ssl) == NULL) {
Jerry Yud9526692022-02-17 14:23:47 +08006767 /* Should never happen because we shouldn't have picked the
6768 * ciphersuite if we don't have a certificate. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006769 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006770 }
6771 }
6772#endif
6773
Gilles Peskine449bd832023-01-11 14:50:10 +01006774 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
Jerry Yud9526692022-02-17 14:23:47 +08006775
6776 /*
6777 * 0 . 0 handshake type
6778 * 1 . 3 handshake length
6779 * 4 . 6 length of all certs
6780 * 7 . 9 length of cert. 1
6781 * 10 . n-1 peer certificate
6782 * n . n+2 length of cert. 2
6783 * n+3 . ... upper level cert, etc.
6784 */
6785 i = 7;
Gilles Peskine449bd832023-01-11 14:50:10 +01006786 crt = mbedtls_ssl_own_cert(ssl);
Jerry Yud9526692022-02-17 14:23:47 +08006787
Gilles Peskine449bd832023-01-11 14:50:10 +01006788 while (crt != NULL) {
Jerry Yud9526692022-02-17 14:23:47 +08006789 n = crt->raw.len;
Gilles Peskine449bd832023-01-11 14:50:10 +01006790 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
6791 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
6792 " > %" MBEDTLS_PRINTF_SIZET,
6793 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
6794 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Jerry Yud9526692022-02-17 14:23:47 +08006795 }
6796
Gilles Peskine449bd832023-01-11 14:50:10 +01006797 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
6798 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
6799 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
Jerry Yud9526692022-02-17 14:23:47 +08006800
Gilles Peskine449bd832023-01-11 14:50:10 +01006801 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
Jerry Yud9526692022-02-17 14:23:47 +08006802 i += n; crt = crt->next;
6803 }
6804
Gilles Peskine449bd832023-01-11 14:50:10 +01006805 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
6806 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
6807 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
Jerry Yud9526692022-02-17 14:23:47 +08006808
6809 ssl->out_msglen = i;
6810 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
6811 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
6812
6813 ssl->state++;
6814
Gilles Peskine449bd832023-01-11 14:50:10 +01006815 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
6816 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
6817 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08006818 }
6819
Gilles Peskine449bd832023-01-11 14:50:10 +01006820 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08006821
Gilles Peskine449bd832023-01-11 14:50:10 +01006822 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08006823}
6824
6825#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
6826
6827#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006828MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006829static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
6830 unsigned char *crt_buf,
6831 size_t crt_buf_len)
Jerry Yud9526692022-02-17 14:23:47 +08006832{
6833 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
6834
Gilles Peskine449bd832023-01-11 14:50:10 +01006835 if (peer_crt == NULL) {
6836 return -1;
6837 }
Jerry Yud9526692022-02-17 14:23:47 +08006838
Gilles Peskine449bd832023-01-11 14:50:10 +01006839 if (peer_crt->raw.len != crt_buf_len) {
6840 return -1;
6841 }
Jerry Yud9526692022-02-17 14:23:47 +08006842
Gilles Peskine449bd832023-01-11 14:50:10 +01006843 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
Jerry Yud9526692022-02-17 14:23:47 +08006844}
6845#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006846MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006847static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
6848 unsigned char *crt_buf,
6849 size_t crt_buf_len)
Jerry Yud9526692022-02-17 14:23:47 +08006850{
6851 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6852 unsigned char const * const peer_cert_digest =
6853 ssl->session->peer_cert_digest;
6854 mbedtls_md_type_t const peer_cert_digest_type =
6855 ssl->session->peer_cert_digest_type;
6856 mbedtls_md_info_t const * const digest_info =
Gilles Peskine449bd832023-01-11 14:50:10 +01006857 mbedtls_md_info_from_type(peer_cert_digest_type);
Jerry Yud9526692022-02-17 14:23:47 +08006858 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
6859 size_t digest_len;
6860
Gilles Peskine449bd832023-01-11 14:50:10 +01006861 if (peer_cert_digest == NULL || digest_info == NULL) {
6862 return -1;
6863 }
Jerry Yud9526692022-02-17 14:23:47 +08006864
Gilles Peskine449bd832023-01-11 14:50:10 +01006865 digest_len = mbedtls_md_get_size(digest_info);
6866 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
6867 return -1;
6868 }
Jerry Yud9526692022-02-17 14:23:47 +08006869
Gilles Peskine449bd832023-01-11 14:50:10 +01006870 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
6871 if (ret != 0) {
6872 return -1;
6873 }
Jerry Yud9526692022-02-17 14:23:47 +08006874
Gilles Peskine449bd832023-01-11 14:50:10 +01006875 return memcmp(tmp_digest, peer_cert_digest, digest_len);
Jerry Yud9526692022-02-17 14:23:47 +08006876}
6877#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
6878#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
6879
6880/*
6881 * Once the certificate message is read, parse it into a cert chain and
6882 * perform basic checks, but leave actual verification to the caller
6883 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02006884MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01006885static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
6886 mbedtls_x509_crt *chain)
Jerry Yud9526692022-02-17 14:23:47 +08006887{
6888 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6889#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006890 int crt_cnt = 0;
Jerry Yud9526692022-02-17 14:23:47 +08006891#endif
6892 size_t i, n;
6893 uint8_t alert;
6894
Gilles Peskine449bd832023-01-11 14:50:10 +01006895 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
6896 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6897 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6898 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
6899 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Jerry Yud9526692022-02-17 14:23:47 +08006900 }
6901
Gilles Peskine449bd832023-01-11 14:50:10 +01006902 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
6903 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6904 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
6905 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Jerry Yud9526692022-02-17 14:23:47 +08006906 }
6907
Gilles Peskine449bd832023-01-11 14:50:10 +01006908 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
6909 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6910 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6911 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6912 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006913 }
6914
Gilles Peskine449bd832023-01-11 14:50:10 +01006915 i = mbedtls_ssl_hs_hdr_len(ssl);
Jerry Yud9526692022-02-17 14:23:47 +08006916
6917 /*
6918 * Same message structure as in mbedtls_ssl_write_certificate()
6919 */
Dave Rodgmana3d0f612023-11-03 23:34:02 +00006920 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
Jerry Yud9526692022-02-17 14:23:47 +08006921
Gilles Peskine449bd832023-01-11 14:50:10 +01006922 if (ssl->in_msg[i] != 0 ||
6923 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
6924 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6925 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6926 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6927 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006928 }
6929
6930 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
6931 i += 3;
6932
6933 /* Iterate through and parse the CRTs in the provided chain. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006934 while (i < ssl->in_hslen) {
Jerry Yud9526692022-02-17 14:23:47 +08006935 /* Check that there's room for the next CRT's length fields. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006936 if (i + 3 > ssl->in_hslen) {
6937 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6938 mbedtls_ssl_send_alert_message(ssl,
6939 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6940 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6941 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006942 }
6943 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
6944 * anything beyond 2**16 ~ 64K. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006945 if (ssl->in_msg[i] != 0) {
6946 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6947 mbedtls_ssl_send_alert_message(ssl,
6948 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6949 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
6950 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Jerry Yud9526692022-02-17 14:23:47 +08006951 }
6952
6953 /* Read length of the next CRT in the chain. */
Dave Rodgmana3d0f612023-11-03 23:34:02 +00006954 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
Jerry Yud9526692022-02-17 14:23:47 +08006955 i += 3;
6956
Gilles Peskine449bd832023-01-11 14:50:10 +01006957 if (n < 128 || i + n > ssl->in_hslen) {
6958 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
6959 mbedtls_ssl_send_alert_message(ssl,
6960 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6961 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
6962 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08006963 }
6964
6965 /* Check if we're handling the first CRT in the chain. */
6966#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01006967 if (crt_cnt++ == 0 &&
Jerry Yud9526692022-02-17 14:23:47 +08006968 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Gilles Peskine449bd832023-01-11 14:50:10 +01006969 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Jerry Yud9526692022-02-17 14:23:47 +08006970 /* During client-side renegotiation, check that the server's
6971 * end-CRTs hasn't changed compared to the initial handshake,
6972 * mitigating the triple handshake attack. On success, reuse
6973 * the original end-CRT instead of parsing it again. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006974 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
6975 if (ssl_check_peer_crt_unchanged(ssl,
6976 &ssl->in_msg[i],
6977 n) != 0) {
6978 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
6979 mbedtls_ssl_send_alert_message(ssl,
6980 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6981 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
6982 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Jerry Yud9526692022-02-17 14:23:47 +08006983 }
6984
6985 /* Now we can safely free the original chain. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006986 ssl_clear_peer_cert(ssl->session);
Jerry Yud9526692022-02-17 14:23:47 +08006987 }
6988#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
6989
6990 /* Parse the next certificate in the chain. */
6991#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +01006992 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
Jerry Yud9526692022-02-17 14:23:47 +08006993#else
6994 /* If we don't need to store the CRT chain permanently, parse
6995 * it in-place from the input buffer instead of making a copy. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006996 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
Jerry Yud9526692022-02-17 14:23:47 +08006997#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006998 switch (ret) {
Jerry Yud9526692022-02-17 14:23:47 +08006999 case 0: /*ok*/
Gilles Peskinea7e14dc2024-09-16 13:10:11 +02007000 case MBEDTLS_ERR_OID_NOT_FOUND:
Jerry Yud9526692022-02-17 14:23:47 +08007001 /* Ignore certificate with an unknown algorithm: maybe a
7002 prior certificate was already trusted. */
7003 break;
7004
7005 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7006 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7007 goto crt_parse_der_failed;
7008
7009 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7010 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7011 goto crt_parse_der_failed;
7012
7013 default:
7014 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
Gilles Peskine449bd832023-01-11 14:50:10 +01007015crt_parse_der_failed:
7016 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7017 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7018 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08007019 }
7020
7021 i += n;
7022 }
7023
Gilles Peskine449bd832023-01-11 14:50:10 +01007024 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7025 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08007026}
7027
7028#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007029MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007030static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08007031{
Gilles Peskine449bd832023-01-11 14:50:10 +01007032 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7033 return -1;
7034 }
Jerry Yud9526692022-02-17 14:23:47 +08007035
Gilles Peskine449bd832023-01-11 14:50:10 +01007036 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
Jerry Yud9526692022-02-17 14:23:47 +08007037 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7038 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
Gilles Peskine449bd832023-01-11 14:50:10 +01007039 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7040 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7041 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08007042 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007043 return -1;
Jerry Yud9526692022-02-17 14:23:47 +08007044}
7045#endif /* MBEDTLS_SSL_SRV_C */
7046
7047/* Check if a certificate message is expected.
7048 * Return either
7049 * - SSL_CERTIFICATE_EXPECTED, or
7050 * - SSL_CERTIFICATE_SKIP
7051 * indicating whether a Certificate message is expected or not.
7052 */
7053#define SSL_CERTIFICATE_EXPECTED 0
7054#define SSL_CERTIFICATE_SKIP 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007055MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007056static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7057 int authmode)
Jerry Yud9526692022-02-17 14:23:47 +08007058{
7059 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7060 ssl->handshake->ciphersuite_info;
7061
Gilles Peskine449bd832023-01-11 14:50:10 +01007062 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7063 return SSL_CERTIFICATE_SKIP;
7064 }
Jerry Yud9526692022-02-17 14:23:47 +08007065
7066#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007067 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Gilles Peskine449bd832023-01-11 14:50:10 +01007068 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
Jerry Yud9526692022-02-17 14:23:47 +08007069 ssl->session_negotiate->verify_result =
7070 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
Gilles Peskine449bd832023-01-11 14:50:10 +01007071 return SSL_CERTIFICATE_SKIP;
Jerry Yud9526692022-02-17 14:23:47 +08007072 }
7073 }
7074#else
7075 ((void) authmode);
7076#endif /* MBEDTLS_SSL_SRV_C */
7077
Gilles Peskine449bd832023-01-11 14:50:10 +01007078 return SSL_CERTIFICATE_EXPECTED;
Jerry Yud9526692022-02-17 14:23:47 +08007079}
7080
Jerry Yud9526692022-02-17 14:23:47 +08007081#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007082MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007083static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7084 unsigned char *start, size_t len)
Jerry Yud9526692022-02-17 14:23:47 +08007085{
7086 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7087 /* Remember digest of the peer's end-CRT. */
7088 ssl->session_negotiate->peer_cert_digest =
Gilles Peskine449bd832023-01-11 14:50:10 +01007089 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7090 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7091 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7092 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7093 mbedtls_ssl_send_alert_message(ssl,
7094 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7095 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
Jerry Yud9526692022-02-17 14:23:47 +08007096
Gilles Peskine449bd832023-01-11 14:50:10 +01007097 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yud9526692022-02-17 14:23:47 +08007098 }
7099
Gilles Peskine449bd832023-01-11 14:50:10 +01007100 ret = mbedtls_md(mbedtls_md_info_from_type(
7101 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7102 start, len,
7103 ssl->session_negotiate->peer_cert_digest);
Jerry Yud9526692022-02-17 14:23:47 +08007104
7105 ssl->session_negotiate->peer_cert_digest_type =
7106 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7107 ssl->session_negotiate->peer_cert_digest_len =
7108 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7109
Gilles Peskine449bd832023-01-11 14:50:10 +01007110 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08007111}
7112
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007113MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007114static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7115 unsigned char *start, size_t len)
Jerry Yud9526692022-02-17 14:23:47 +08007116{
7117 unsigned char *end = start + len;
7118 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7119
7120 /* Make a copy of the peer's raw public key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007121 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7122 ret = mbedtls_pk_parse_subpubkey(&start, end,
7123 &ssl->handshake->peer_pubkey);
7124 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007125 /* We should have parsed the public key before. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007126 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yud9526692022-02-17 14:23:47 +08007127 }
7128
Gilles Peskine449bd832023-01-11 14:50:10 +01007129 return 0;
Jerry Yud9526692022-02-17 14:23:47 +08007130}
7131#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7132
Gilles Peskine449bd832023-01-11 14:50:10 +01007133int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
Jerry Yud9526692022-02-17 14:23:47 +08007134{
7135 int ret = 0;
7136 int crt_expected;
Manuel Pégourié-Gonnard58ab9ba2024-08-14 09:47:38 +02007137 /* Authmode: precedence order is SNI if used else configuration */
Jerry Yud9526692022-02-17 14:23:47 +08007138#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7139 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7140 ? ssl->handshake->sni_authmode
7141 : ssl->conf->authmode;
7142#else
7143 const int authmode = ssl->conf->authmode;
7144#endif
7145 void *rs_ctx = NULL;
7146 mbedtls_x509_crt *chain = NULL;
7147
Gilles Peskine449bd832023-01-11 14:50:10 +01007148 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08007149
Gilles Peskine449bd832023-01-11 14:50:10 +01007150 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7151 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7152 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08007153 goto exit;
7154 }
7155
7156#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01007157 if (ssl->handshake->ecrs_enabled &&
7158 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
Jerry Yud9526692022-02-17 14:23:47 +08007159 chain = ssl->handshake->ecrs_peer_cert;
7160 ssl->handshake->ecrs_peer_cert = NULL;
7161 goto crt_verify;
7162 }
7163#endif
7164
Gilles Peskine449bd832023-01-11 14:50:10 +01007165 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007166 /* mbedtls_ssl_read_record may have sent an alert already. We
7167 let it decide whether to alert. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007168 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
Jerry Yud9526692022-02-17 14:23:47 +08007169 goto exit;
7170 }
7171
7172#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007173 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007174 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7175
Gilles Peskine449bd832023-01-11 14:50:10 +01007176 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
Jerry Yud9526692022-02-17 14:23:47 +08007177 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Gilles Peskine449bd832023-01-11 14:50:10 +01007178 }
Jerry Yud9526692022-02-17 14:23:47 +08007179
7180 goto exit;
7181 }
7182#endif /* MBEDTLS_SSL_SRV_C */
7183
7184 /* Clear existing peer CRT structure in case we tried to
7185 * reuse a session but it failed, and allocate a new one. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007186 ssl_clear_peer_cert(ssl->session_negotiate);
Jerry Yud9526692022-02-17 14:23:47 +08007187
Gilles Peskine449bd832023-01-11 14:50:10 +01007188 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
7189 if (chain == NULL) {
7190 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
7191 sizeof(mbedtls_x509_crt)));
7192 mbedtls_ssl_send_alert_message(ssl,
7193 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7194 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
Jerry Yud9526692022-02-17 14:23:47 +08007195
7196 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7197 goto exit;
7198 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007199 mbedtls_x509_crt_init(chain);
Jerry Yud9526692022-02-17 14:23:47 +08007200
Gilles Peskine449bd832023-01-11 14:50:10 +01007201 ret = ssl_parse_certificate_chain(ssl, chain);
7202 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007203 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007204 }
Jerry Yud9526692022-02-17 14:23:47 +08007205
7206#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01007207 if (ssl->handshake->ecrs_enabled) {
Jerry Yud9526692022-02-17 14:23:47 +08007208 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Gilles Peskine449bd832023-01-11 14:50:10 +01007209 }
Jerry Yud9526692022-02-17 14:23:47 +08007210
7211crt_verify:
Gilles Peskine449bd832023-01-11 14:50:10 +01007212 if (ssl->handshake->ecrs_enabled) {
Jerry Yud9526692022-02-17 14:23:47 +08007213 rs_ctx = &ssl->handshake->ecrs_ctx;
Gilles Peskine449bd832023-01-11 14:50:10 +01007214 }
Jerry Yud9526692022-02-17 14:23:47 +08007215#endif
7216
Manuel Pégourié-Gonnard19dd9f52024-08-16 11:03:42 +02007217 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
7218 ssl->handshake->ciphersuite_info,
7219 rs_ctx);
Gilles Peskine449bd832023-01-11 14:50:10 +01007220 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007221 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007222 }
Jerry Yud9526692022-02-17 14:23:47 +08007223
7224#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7225 {
7226 unsigned char *crt_start, *pk_start;
7227 size_t crt_len, pk_len;
7228
7229 /* We parse the CRT chain without copying, so
7230 * these pointers point into the input buffer,
7231 * and are hence still valid after freeing the
7232 * CRT chain. */
7233
7234 crt_start = chain->raw.p;
7235 crt_len = chain->raw.len;
7236
7237 pk_start = chain->pk_raw.p;
7238 pk_len = chain->pk_raw.len;
7239
7240 /* Free the CRT structures before computing
7241 * digest and copying the peer's public key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007242 mbedtls_x509_crt_free(chain);
7243 mbedtls_free(chain);
Jerry Yud9526692022-02-17 14:23:47 +08007244 chain = NULL;
7245
Gilles Peskine449bd832023-01-11 14:50:10 +01007246 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
7247 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007248 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007249 }
Jerry Yud9526692022-02-17 14:23:47 +08007250
Gilles Peskine449bd832023-01-11 14:50:10 +01007251 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
7252 if (ret != 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007253 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01007254 }
Jerry Yud9526692022-02-17 14:23:47 +08007255 }
7256#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7257 /* Pass ownership to session structure. */
7258 ssl->session_negotiate->peer_cert = chain;
7259 chain = NULL;
7260#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7261
Gilles Peskine449bd832023-01-11 14:50:10 +01007262 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
Jerry Yud9526692022-02-17 14:23:47 +08007263
7264exit:
7265
Gilles Peskine449bd832023-01-11 14:50:10 +01007266 if (ret == 0) {
Jerry Yud9526692022-02-17 14:23:47 +08007267 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01007268 }
Jerry Yud9526692022-02-17 14:23:47 +08007269
7270#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01007271 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
Jerry Yud9526692022-02-17 14:23:47 +08007272 ssl->handshake->ecrs_peer_cert = chain;
7273 chain = NULL;
7274 }
7275#endif
7276
Gilles Peskine449bd832023-01-11 14:50:10 +01007277 if (chain != NULL) {
7278 mbedtls_x509_crt_free(chain);
7279 mbedtls_free(chain);
Jerry Yud9526692022-02-17 14:23:47 +08007280 }
7281
Gilles Peskine449bd832023-01-11 14:50:10 +01007282 return ret;
Jerry Yud9526692022-02-17 14:23:47 +08007283}
7284#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7285
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007286static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
7287 unsigned char *padbuf, size_t hlen,
7288 unsigned char *buf, int from)
Jerry Yu615bd6f2022-02-17 14:25:15 +08007289{
Dave Rodgmanc37ad442023-11-03 23:36:06 +00007290 unsigned int len = 12;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007291 const char *sender;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007292 psa_status_t status;
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007293 psa_hash_operation_t *hs_op = ctx;
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007294 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007295 size_t hash_size;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007296
7297 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +01007298 if (!session) {
Jerry Yu615bd6f2022-02-17 14:25:15 +08007299 session = ssl->session;
Gilles Peskine449bd832023-01-11 14:50:10 +01007300 }
Jerry Yu615bd6f2022-02-17 14:25:15 +08007301
Gilles Peskine449bd832023-01-11 14:50:10 +01007302 sender = (from == MBEDTLS_SSL_IS_CLIENT)
Jerry Yu615bd6f2022-02-17 14:25:15 +08007303 ? "client finished"
7304 : "server finished";
7305
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007306 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
Jerry Yu615bd6f2022-02-17 14:25:15 +08007307
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007308 status = psa_hash_clone(hs_op, &cloned_op);
Gilles Peskine449bd832023-01-11 14:50:10 +01007309 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnarde1a4caa2023-02-06 10:14:25 +01007310 goto exit;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007311 }
7312
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007313 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01007314 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnarde1a4caa2023-02-06 10:14:25 +01007315 goto exit;
Jerry Yu615bd6f2022-02-17 14:25:15 +08007316 }
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007317 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007318
7319 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
7320
Jerry Yu615bd6f2022-02-17 14:25:15 +08007321 /*
7322 * TLSv1.2:
7323 * hash = PRF( master, finished_label,
7324 * Hash( handshake ) )[0.11]
7325 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007326 ssl->handshake->tls_prf(session->master, 48, sender,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007327 padbuf, hlen, buf, len);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007328
Gilles Peskine449bd832023-01-11 14:50:10 +01007329 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007330
Paul Elliottecb95be2023-08-11 16:41:04 +01007331 mbedtls_platform_zeroize(padbuf, hlen);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007332
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007333 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
Manuel Pégourié-Gonnarde1a4caa2023-02-06 10:14:25 +01007334
7335exit:
Manuel Pégourié-Gonnardaaad2b62023-07-04 11:35:16 +02007336 psa_hash_abort(&cloned_op);
Manuel Pégourié-Gonnard3761e9e2023-03-28 12:54:56 +02007337 return mbedtls_md_error_from_psa(status);
Jerry Yu615bd6f2022-02-17 14:25:15 +08007338}
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007339
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007340#if defined(PSA_WANT_ALG_SHA_256)
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007341static int ssl_calc_finished_tls_sha256(
7342 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
7343{
7344 unsigned char padbuf[32];
7345 return ssl_calc_finished_tls_generic(ssl,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007346 &ssl->handshake->fin_sha256_psa,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007347 padbuf, sizeof(padbuf),
7348 buf, from);
7349}
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007350#endif /* PSA_WANT_ALG_SHA_256*/
Jerry Yu615bd6f2022-02-17 14:25:15 +08007351
Jerry Yub7ba49e2022-02-17 14:25:53 +08007352
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007353#if defined(PSA_WANT_ALG_SHA_384)
Manuel Pégourié-Gonnard226aa152023-02-05 09:46:59 +01007354static int ssl_calc_finished_tls_sha384(
Gilles Peskine449bd832023-01-11 14:50:10 +01007355 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
Jerry Yub7ba49e2022-02-17 14:25:53 +08007356{
Jerry Yub7ba49e2022-02-17 14:25:53 +08007357 unsigned char padbuf[48];
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007358 return ssl_calc_finished_tls_generic(ssl,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007359 &ssl->handshake->fin_sha384_psa,
Manuel Pégourié-Gonnardde332782023-06-24 10:13:41 +02007360 padbuf, sizeof(padbuf),
7361 buf, from);
Jerry Yub7ba49e2022-02-17 14:25:53 +08007362}
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007363#endif /* PSA_WANT_ALG_SHA_384*/
Jerry Yub7ba49e2022-02-17 14:25:53 +08007364
Gilles Peskine449bd832023-01-11 14:50:10 +01007365void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
Jerry Yuaef00152022-02-17 14:27:31 +08007366{
Gilles Peskine449bd832023-01-11 14:50:10 +01007367 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
Jerry Yuaef00152022-02-17 14:27:31 +08007368
7369 /*
7370 * Free our handshake params
7371 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007372 mbedtls_ssl_handshake_free(ssl);
7373 mbedtls_free(ssl->handshake);
Jerry Yuaef00152022-02-17 14:27:31 +08007374 ssl->handshake = NULL;
7375
7376 /*
Shaun Case8b0ecbc2021-12-20 21:14:10 -08007377 * Free the previous transform and switch in the current one
Jerry Yuaef00152022-02-17 14:27:31 +08007378 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007379 if (ssl->transform) {
7380 mbedtls_ssl_transform_free(ssl->transform);
7381 mbedtls_free(ssl->transform);
Jerry Yuaef00152022-02-17 14:27:31 +08007382 }
7383 ssl->transform = ssl->transform_negotiate;
7384 ssl->transform_negotiate = NULL;
7385
Gilles Peskine449bd832023-01-11 14:50:10 +01007386 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
Jerry Yuaef00152022-02-17 14:27:31 +08007387}
7388
Gilles Peskine449bd832023-01-11 14:50:10 +01007389void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu2a9fff52022-02-17 14:28:51 +08007390{
7391 int resume = ssl->handshake->resume;
7392
Gilles Peskine449bd832023-01-11 14:50:10 +01007393 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
Jerry Yu2a9fff52022-02-17 14:28:51 +08007394
7395#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01007396 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Jerry Yu2a9fff52022-02-17 14:28:51 +08007397 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
7398 ssl->renego_records_seen = 0;
7399 }
7400#endif
7401
7402 /*
7403 * Free the previous session and switch in the current one
7404 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007405 if (ssl->session) {
Jerry Yu2a9fff52022-02-17 14:28:51 +08007406#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7407 /* RFC 7366 3.1: keep the EtM state */
7408 ssl->session_negotiate->encrypt_then_mac =
Gilles Peskine449bd832023-01-11 14:50:10 +01007409 ssl->session->encrypt_then_mac;
Jerry Yu2a9fff52022-02-17 14:28:51 +08007410#endif
7411
Gilles Peskine449bd832023-01-11 14:50:10 +01007412 mbedtls_ssl_session_free(ssl->session);
7413 mbedtls_free(ssl->session);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007414 }
7415 ssl->session = ssl->session_negotiate;
7416 ssl->session_negotiate = NULL;
7417
7418 /*
7419 * Add cache entry
7420 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007421 if (ssl->conf->f_set_cache != NULL &&
Jerry Yu2a9fff52022-02-17 14:28:51 +08007422 ssl->session->id_len != 0 &&
Gilles Peskine449bd832023-01-11 14:50:10 +01007423 resume == 0) {
7424 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
7425 ssl->session->id,
7426 ssl->session->id_len,
7427 ssl->session) != 0) {
7428 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
7429 }
Jerry Yu2a9fff52022-02-17 14:28:51 +08007430 }
7431
7432#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007433 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7434 ssl->handshake->flight != NULL) {
Jerry Yu2a9fff52022-02-17 14:28:51 +08007435 /* Cancel handshake timer */
Gilles Peskine449bd832023-01-11 14:50:10 +01007436 mbedtls_ssl_set_timer(ssl, 0);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007437
7438 /* Keep last flight around in case we need to resend it:
7439 * we need the handshake and transform structures for that */
Gilles Peskine449bd832023-01-11 14:50:10 +01007440 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
7441 } else
Jerry Yu2a9fff52022-02-17 14:28:51 +08007442#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007443 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
Jerry Yu2a9fff52022-02-17 14:28:51 +08007444
Jerry Yu5ed73ff2022-10-27 13:08:42 +08007445 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
Jerry Yu2a9fff52022-02-17 14:28:51 +08007446
Gilles Peskine449bd832023-01-11 14:50:10 +01007447 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
Jerry Yu2a9fff52022-02-17 14:28:51 +08007448}
7449
Gilles Peskine449bd832023-01-11 14:50:10 +01007450int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007451{
Dave Rodgmanc37ad442023-11-03 23:36:06 +00007452 int ret;
7453 unsigned int hash_len;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007454
Gilles Peskine449bd832023-01-11 14:50:10 +01007455 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007456
Gilles Peskine449bd832023-01-11 14:50:10 +01007457 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007458
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01007459 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
7460 if (ret != 0) {
7461 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
7462 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007463
7464 /*
7465 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
7466 * may define some other value. Currently (early 2016), no defined
7467 * ciphersuite does this (and this is unlikely to change as activity has
7468 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
7469 */
7470 hash_len = 12;
7471
7472#if defined(MBEDTLS_SSL_RENEGOTIATION)
7473 ssl->verify_data_len = hash_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007474 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007475#endif
7476
7477 ssl->out_msglen = 4 + hash_len;
7478 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7479 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
7480
7481 /*
7482 * In case of session resuming, invert the client and server
7483 * ChangeCipherSpec messages order.
7484 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007485 if (ssl->handshake->resume != 0) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007486#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007487 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007488 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Gilles Peskine449bd832023-01-11 14:50:10 +01007489 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007490#endif
7491#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007492 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007493 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Gilles Peskine449bd832023-01-11 14:50:10 +01007494 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007495#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007496 } else {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007497 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01007498 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007499
7500 /*
7501 * Switch to our negotiated transform and session parameters for outbound
7502 * data.
7503 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007504 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007505
7506#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007507 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007508 unsigned char i;
7509
7510 /* Remember current epoch settings for resending */
7511 ssl->handshake->alt_transform_out = ssl->transform_out;
Gilles Peskine449bd832023-01-11 14:50:10 +01007512 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
7513 sizeof(ssl->handshake->alt_out_ctr));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007514
7515 /* Set sequence_number to zero */
Gilles Peskine449bd832023-01-11 14:50:10 +01007516 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007517
7518
7519 /* Increment epoch */
Gilles Peskine449bd832023-01-11 14:50:10 +01007520 for (i = 2; i > 0; i--) {
7521 if (++ssl->cur_out_ctr[i - 1] != 0) {
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007522 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01007523 }
7524 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007525
7526 /* The loop goes to its end iff the counter is wrapping */
Gilles Peskine449bd832023-01-11 14:50:10 +01007527 if (i == 0) {
7528 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
7529 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007530 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007531 } else
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007532#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +01007533 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007534
7535 ssl->transform_out = ssl->transform_negotiate;
7536 ssl->session_out = ssl->session_negotiate;
7537
7538#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007539 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
7540 mbedtls_ssl_send_flight_completed(ssl);
7541 }
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007542#endif
7543
Gilles Peskine449bd832023-01-11 14:50:10 +01007544 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7545 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7546 return ret;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007547 }
7548
7549#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007550 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7551 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
7552 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
7553 return ret;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007554 }
7555#endif
7556
Gilles Peskine449bd832023-01-11 14:50:10 +01007557 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007558
Gilles Peskine449bd832023-01-11 14:50:10 +01007559 return 0;
Jerry Yu3c8e47b2022-02-17 14:30:01 +08007560}
7561
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007562#define SSL_MAX_HASH_LEN 12
7563
Gilles Peskine449bd832023-01-11 14:50:10 +01007564int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007565{
7566 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7567 unsigned int hash_len = 12;
7568 unsigned char buf[SSL_MAX_HASH_LEN];
7569
Gilles Peskine449bd832023-01-11 14:50:10 +01007570 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007571
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +01007572 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
7573 if (ret != 0) {
7574 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
7575 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007576
Gilles Peskine449bd832023-01-11 14:50:10 +01007577 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7578 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007579 goto exit;
7580 }
7581
Gilles Peskine449bd832023-01-11 14:50:10 +01007582 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7583 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7584 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7585 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007586 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7587 goto exit;
7588 }
7589
Gilles Peskine449bd832023-01-11 14:50:10 +01007590 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
7591 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7592 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007593 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7594 goto exit;
7595 }
7596
Gilles Peskine449bd832023-01-11 14:50:10 +01007597 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
7598 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7599 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7600 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007601 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
7602 goto exit;
7603 }
7604
Gilles Peskine449bd832023-01-11 14:50:10 +01007605 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
7606 buf, hash_len) != 0) {
7607 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7608 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7609 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007610 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
7611 goto exit;
7612 }
7613
7614#if defined(MBEDTLS_SSL_RENEGOTIATION)
7615 ssl->verify_data_len = hash_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007616 memcpy(ssl->peer_verify_data, buf, hash_len);
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007617#endif
7618
Gilles Peskine449bd832023-01-11 14:50:10 +01007619 if (ssl->handshake->resume != 0) {
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007620#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007621 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007622 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Gilles Peskine449bd832023-01-11 14:50:10 +01007623 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007624#endif
7625#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007626 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007627 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Gilles Peskine449bd832023-01-11 14:50:10 +01007628 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007629#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007630 } else {
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007631 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +01007632 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007633
7634#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +01007635 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
7636 mbedtls_ssl_recv_flight_completed(ssl);
7637 }
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007638#endif
7639
Gilles Peskine449bd832023-01-11 14:50:10 +01007640 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007641
7642exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007643 mbedtls_platform_zeroize(buf, hash_len);
7644 return ret;
Jerry Yu0b3d7c12022-02-17 14:30:51 +08007645}
7646
Jerry Yu392112c2022-02-17 14:34:10 +08007647#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
7648/*
7649 * Helper to get TLS 1.2 PRF from ciphersuite
7650 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
7651 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007652static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
Jerry Yu392112c2022-02-17 14:34:10 +08007653{
Jerry Yu392112c2022-02-17 14:34:10 +08007654 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +01007655 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007656#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01007657 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
7658 return tls_prf_sha384;
7659 } else
Jerry Yu392112c2022-02-17 14:34:10 +08007660#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007661#if defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurek894edde2022-09-29 06:31:14 -04007662 {
Gilles Peskine449bd832023-01-11 14:50:10 +01007663 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
7664 return tls_prf_sha256;
7665 }
Andrzej Kurek894edde2022-09-29 06:31:14 -04007666 }
7667#endif
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007668#if !defined(PSA_WANT_ALG_SHA_384) && \
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007669 !defined(PSA_WANT_ALG_SHA_256)
Andrzej Kurek894edde2022-09-29 06:31:14 -04007670 (void) ciphersuite_info;
7671#endif
Andrzej Kurekeabeb302022-10-17 07:52:51 -04007672
Gilles Peskine449bd832023-01-11 14:50:10 +01007673 return NULL;
Jerry Yu392112c2022-02-17 14:34:10 +08007674}
7675#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Jerry Yue93ffcd2022-02-17 14:37:06 +08007676
Gilles Peskine449bd832023-01-11 14:50:10 +01007677static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
Jerry Yue93ffcd2022-02-17 14:37:06 +08007678{
7679 ((void) tls_prf);
Elena Uziunaiteb476d4b2024-05-23 15:33:41 +01007680#if defined(PSA_WANT_ALG_SHA_384)
Gilles Peskine449bd832023-01-11 14:50:10 +01007681 if (tls_prf == tls_prf_sha384) {
7682 return MBEDTLS_SSL_TLS_PRF_SHA384;
7683 } else
Jerry Yue93ffcd2022-02-17 14:37:06 +08007684#endif
Elena Uziunaite0916cd72024-05-23 17:01:07 +01007685#if defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +01007686 if (tls_prf == tls_prf_sha256) {
7687 return MBEDTLS_SSL_TLS_PRF_SHA256;
7688 } else
Jerry Yue93ffcd2022-02-17 14:37:06 +08007689#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01007690 return MBEDTLS_SSL_TLS_PRF_NONE;
Jerry Yue93ffcd2022-02-17 14:37:06 +08007691}
7692
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007693/*
7694 * Populate a transform structure with session keys and all the other
7695 * necessary information.
7696 *
7697 * Parameters:
7698 * - [in/out]: transform: structure to populate
7699 * [in] must be just initialised with mbedtls_ssl_transform_init()
7700 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
7701 * - [in] ciphersuite
7702 * - [in] master
7703 * - [in] encrypt_then_mac
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007704 * - [in] tls_prf: pointer to PRF to use for key derivation
7705 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
Glenn Strauss07c64162022-03-14 12:34:51 -04007706 * - [in] tls_version: TLS version
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007707 * - [in] endpoint: client or server
7708 * - [in] ssl: used for:
7709 * - ssl->conf->{f,p}_export_keys
7710 * [in] optionally used for:
7711 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
7712 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02007713MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01007714static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
7715 int ciphersuite,
7716 const unsigned char master[48],
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007717#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01007718 int encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007719#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01007720 ssl_tls_prf_t tls_prf,
7721 const unsigned char randbytes[64],
7722 mbedtls_ssl_protocol_version tls_version,
7723 unsigned endpoint,
7724 const mbedtls_ssl_context *ssl)
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007725{
7726 int ret = 0;
7727 unsigned char keyblk[256];
7728 unsigned char *key1;
7729 unsigned char *key2;
7730 unsigned char *mac_enc;
7731 unsigned char *mac_dec;
7732 size_t mac_key_len = 0;
7733 size_t iv_copy_len;
7734 size_t keylen;
7735 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Neil Armstrong7fea33e2022-04-01 15:40:25 +02007736 mbedtls_ssl_mode_t ssl_mode;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007737
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007738 psa_key_type_t key_type;
7739 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7740 psa_algorithm_t alg;
Neil Armstronge4512952022-03-08 09:08:22 +01007741 psa_algorithm_t mac_alg = 0;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007742 size_t key_bits;
7743 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007744
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007745 /*
7746 * Some data just needs copying into the structure
7747 */
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007748#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007749 transform->encrypt_then_mac = encrypt_then_mac;
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007750#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Glenn Strauss07c64162022-03-14 12:34:51 -04007751 transform->tls_version = tls_version;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007752
7753#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Gilles Peskine449bd832023-01-11 14:50:10 +01007754 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007755#endif
7756
7757#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01007758 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007759 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
7760 * generation separate. This should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007761 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007762 }
7763#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
7764
7765 /*
7766 * Get various info structures
7767 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007768 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
7769 if (ciphersuite_info == NULL) {
7770 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
7771 ciphersuite));
7772 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007773 }
7774
Neil Armstrongab555e02022-04-04 11:07:59 +02007775 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007776#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01007777 encrypt_then_mac,
Neil Armstrongf2c82f02022-04-05 11:16:53 +02007778#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Gilles Peskine449bd832023-01-11 14:50:10 +01007779 ciphersuite_info);
Neil Armstrong7fea33e2022-04-01 15:40:25 +02007780
Gilles Peskine449bd832023-01-11 14:50:10 +01007781 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007782 transform->taglen =
7783 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Gilles Peskine449bd832023-01-11 14:50:10 +01007784 }
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007785
Dave Rodgman2eab4622023-10-05 13:30:37 +01007786 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
Gilles Peskine449bd832023-01-11 14:50:10 +01007787 transform->taglen,
7788 &alg,
7789 &key_type,
7790 &key_bits)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007791 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007792 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007793 goto end;
7794 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007795
Dave Rodgman2eab4622023-10-05 13:30:37 +01007796 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +01007797 if (mac_alg == 0) {
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +02007798 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
Gilles Peskine449bd832023-01-11 14:50:10 +01007799 (unsigned) ciphersuite_info->mac));
7800 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Neil Armstronge4512952022-03-08 09:08:22 +01007801 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007802
7803#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
7804 /* Copy own and peer's CID if the use of the CID
7805 * extension has been negotiated. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007806 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
7807 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007808
7809 transform->in_cid_len = ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007810 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
7811 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
7812 transform->in_cid_len);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007813
7814 transform->out_cid_len = ssl->handshake->peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01007815 memcpy(transform->out_cid, ssl->handshake->peer_cid,
7816 ssl->handshake->peer_cid_len);
7817 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
7818 transform->out_cid_len);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007819 }
7820#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
7821
7822 /*
7823 * Compute key block using the PRF
7824 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007825 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
7826 if (ret != 0) {
7827 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7828 return ret;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007829 }
7830
Gilles Peskine449bd832023-01-11 14:50:10 +01007831 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
7832 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
7833 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
7834 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
7835 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007836
7837 /*
7838 * Determine the appropriate key, IV and MAC length.
7839 */
7840
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007841 keylen = PSA_BITS_TO_BYTES(key_bits);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007842
Valerio Settie5707042023-10-11 11:54:42 +02007843#if defined(MBEDTLS_SSL_HAVE_AEAD)
Gilles Peskine449bd832023-01-11 14:50:10 +01007844 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007845 size_t explicit_ivlen;
7846
7847 transform->maclen = 0;
7848 mac_key_len = 0;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007849
7850 /* All modes haves 96-bit IVs, but the length of the static parts vary
7851 * with mode and version:
7852 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
7853 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
7854 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
7855 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
7856 * sequence number).
7857 */
7858 transform->ivlen = 12;
David Horstmann3b2276a2022-10-06 14:49:08 +01007859
7860 int is_chachapoly = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01007861 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
David Horstmann3b2276a2022-10-06 14:49:08 +01007862
Gilles Peskine449bd832023-01-11 14:50:10 +01007863 if (is_chachapoly) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007864 transform->fixed_ivlen = 12;
Gilles Peskine449bd832023-01-11 14:50:10 +01007865 } else {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007866 transform->fixed_ivlen = 4;
Gilles Peskine449bd832023-01-11 14:50:10 +01007867 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007868
7869 /* Minimum length of encrypted record */
7870 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
7871 transform->minlen = explicit_ivlen + transform->taglen;
Gilles Peskine449bd832023-01-11 14:50:10 +01007872 } else
Valerio Settie5707042023-10-11 11:54:42 +02007873#endif /* MBEDTLS_SSL_HAVE_AEAD */
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007874#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01007875 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
Neil Armstrong7fea33e2022-04-01 15:40:25 +02007876 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
Gilles Peskine449bd832023-01-11 14:50:10 +01007877 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
Gilles Peskine449bd832023-01-11 14:50:10 +01007878 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
Neil Armstronga0eeb7f2022-04-01 17:36:10 +02007879
Neil Armstronge4512952022-03-08 09:08:22 +01007880 /* Get MAC length */
7881 mac_key_len = PSA_HASH_LENGTH(mac_alg);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007882 transform->maclen = mac_key_len;
7883
7884 /* IV length */
Gilles Peskine449bd832023-01-11 14:50:10 +01007885 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007886
7887 /* Minimum length */
Gilles Peskine449bd832023-01-11 14:50:10 +01007888 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007889 transform->minlen = transform->maclen;
Gilles Peskine449bd832023-01-11 14:50:10 +01007890 } else {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007891 /*
7892 * GenericBlockCipher:
7893 * 1. if EtM is in use: one block plus MAC
7894 * otherwise: * first multiple of blocklen greater than maclen
7895 * 2. IV
7896 */
7897#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +01007898 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007899 transform->minlen = transform->maclen
Gilles Peskine449bd832023-01-11 14:50:10 +01007900 + block_size;
7901 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007902#endif
7903 {
7904 transform->minlen = transform->maclen
Gilles Peskine449bd832023-01-11 14:50:10 +01007905 + block_size
7906 - transform->maclen % block_size;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007907 }
7908
Gilles Peskine449bd832023-01-11 14:50:10 +01007909 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007910 transform->minlen += transform->ivlen;
Gilles Peskine449bd832023-01-11 14:50:10 +01007911 } else {
7912 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007913 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7914 goto end;
7915 }
7916 }
Gilles Peskine449bd832023-01-11 14:50:10 +01007917 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007918#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
7919 {
Gilles Peskine449bd832023-01-11 14:50:10 +01007920 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7921 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007922 }
7923
Gilles Peskine449bd832023-01-11 14:50:10 +01007924 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
7925 (unsigned) keylen,
7926 (unsigned) transform->minlen,
7927 (unsigned) transform->ivlen,
7928 (unsigned) transform->maclen));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007929
7930 /*
7931 * Finally setup the cipher contexts, IVs and MAC secrets.
7932 */
7933#if defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007934 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007935 key1 = keyblk + mac_key_len * 2;
7936 key2 = keyblk + mac_key_len * 2 + keylen;
7937
7938 mac_enc = keyblk;
7939 mac_dec = keyblk + mac_key_len;
7940
Gilles Peskine449bd832023-01-11 14:50:10 +01007941 iv_copy_len = (transform->fixed_ivlen) ?
7942 transform->fixed_ivlen : transform->ivlen;
7943 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
7944 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
7945 iv_copy_len);
7946 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007947#endif /* MBEDTLS_SSL_CLI_C */
7948#if defined(MBEDTLS_SSL_SRV_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01007949 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007950 key1 = keyblk + mac_key_len * 2 + keylen;
7951 key2 = keyblk + mac_key_len * 2;
7952
7953 mac_enc = keyblk + mac_key_len;
7954 mac_dec = keyblk;
7955
Gilles Peskine449bd832023-01-11 14:50:10 +01007956 iv_copy_len = (transform->fixed_ivlen) ?
7957 transform->fixed_ivlen : transform->ivlen;
7958 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
7959 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
7960 iv_copy_len);
7961 } else
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007962#endif /* MBEDTLS_SSL_SRV_C */
7963 {
Gilles Peskine449bd832023-01-11 14:50:10 +01007964 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007965 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7966 goto end;
7967 }
7968
Paul Elliott4fb19552023-10-18 12:15:30 +01007969 if (ssl->f_export_keys != NULL) {
Gilles Peskine449bd832023-01-11 14:50:10 +01007970 ssl->f_export_keys(ssl->p_export_keys,
7971 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
7972 master, 48,
7973 randbytes + 32,
7974 randbytes,
7975 tls_prf_get_type(tls_prf));
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007976 }
7977
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007978 transform->psa_alg = alg;
7979
Gilles Peskine449bd832023-01-11 14:50:10 +01007980 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
7981 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
7982 psa_set_key_algorithm(&attributes, alg);
7983 psa_set_key_type(&attributes, key_type);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007984
Gilles Peskine449bd832023-01-11 14:50:10 +01007985 if ((status = psa_import_key(&attributes,
7986 key1,
7987 PSA_BITS_TO_BYTES(key_bits),
7988 &transform->psa_key_enc)) != PSA_SUCCESS) {
7989 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05007990 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01007991 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007992 goto end;
7993 }
7994
Gilles Peskine449bd832023-01-11 14:50:10 +01007995 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08007996
Gilles Peskine449bd832023-01-11 14:50:10 +01007997 if ((status = psa_import_key(&attributes,
7998 key2,
7999 PSA_BITS_TO_BYTES(key_bits),
8000 &transform->psa_key_dec)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05008001 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01008002 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
Jerry Yu9bccc4c2022-02-17 14:38:28 +08008003 goto end;
8004 }
8005 }
Jerry Yu9bccc4c2022-02-17 14:38:28 +08008006
Neil Armstrong29c0c042022-03-17 17:47:28 +01008007#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8008 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
8009 For AEAD-based ciphersuites, there is nothing to do here. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008010 if (mac_key_len != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +01008011 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
Neil Armstrong29c0c042022-03-17 17:47:28 +01008012
Gilles Peskine449bd832023-01-11 14:50:10 +01008013 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8014 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
8015 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
Neil Armstrong29c0c042022-03-17 17:47:28 +01008016
Gilles Peskine449bd832023-01-11 14:50:10 +01008017 if ((status = psa_import_key(&attributes,
8018 mac_enc, mac_key_len,
8019 &transform->psa_mac_enc)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05008020 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01008021 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
Neil Armstrong29c0c042022-03-17 17:47:28 +01008022 goto end;
8023 }
8024
Gilles Peskine449bd832023-01-11 14:50:10 +01008025 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
8026 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
Andrzej Kurek8c95ac42022-08-17 16:17:00 -04008027#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +01008028 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
Andrzej Kurek8c95ac42022-08-17 16:17:00 -04008029#endif
Gilles Peskine449bd832023-01-11 14:50:10 +01008030 )) {
Neil Armstrong29c0c042022-03-17 17:47:28 +01008031 /* mbedtls_ct_hmac() requires the key to be exportable */
Gilles Peskine449bd832023-01-11 14:50:10 +01008032 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
8033 PSA_KEY_USAGE_VERIFY_HASH);
8034 } else {
8035 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
8036 }
Neil Armstrong29c0c042022-03-17 17:47:28 +01008037
Gilles Peskine449bd832023-01-11 14:50:10 +01008038 if ((status = psa_import_key(&attributes,
8039 mac_dec, mac_key_len,
8040 &transform->psa_mac_dec)) != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05008041 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +01008042 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
Neil Armstrong29c0c042022-03-17 17:47:28 +01008043 goto end;
8044 }
Neil Armstrong29c0c042022-03-17 17:47:28 +01008045 }
8046#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8047
8048 ((void) mac_dec);
8049 ((void) mac_enc);
8050
Jerry Yu9bccc4c2022-02-17 14:38:28 +08008051end:
Gilles Peskine449bd832023-01-11 14:50:10 +01008052 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
8053 return ret;
Jerry Yu9bccc4c2022-02-17 14:38:28 +08008054}
8055
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01008056#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Valerio Setti6b3dab02022-11-17 17:14:54 +01008057int mbedtls_psa_ecjpake_read_round(
Gilles Peskine449bd832023-01-11 14:50:10 +01008058 psa_pake_operation_t *pake_ctx,
8059 const unsigned char *buf,
8060 size_t len, mbedtls_ecjpake_rounds_t round)
Valerio Settia08b1a42022-11-17 15:10:02 +01008061{
8062 psa_status_t status;
8063 size_t input_offset = 0;
Valerio Setti819de862022-11-17 18:05:19 +01008064 /*
Valerio Setti6b3dab02022-11-17 17:14:54 +01008065 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8066 * At round two perform a single cycle
8067 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008068 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
Valerio Settia08b1a42022-11-17 15:10:02 +01008069
Gilles Peskine449bd832023-01-11 14:50:10 +01008070 for (; remaining_steps > 0; remaining_steps--) {
8071 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
Valerio Settia08b1a42022-11-17 15:10:02 +01008072 step <= PSA_PAKE_STEP_ZK_PROOF;
Gilles Peskine449bd832023-01-11 14:50:10 +01008073 ++step) {
Valerio Settia08b1a42022-11-17 15:10:02 +01008074 /* Length is stored at the first byte */
8075 size_t length = buf[input_offset];
8076 input_offset += 1;
8077
Gilles Peskine449bd832023-01-11 14:50:10 +01008078 if (input_offset + length > len) {
Valerio Settia08b1a42022-11-17 15:10:02 +01008079 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8080 }
8081
Gilles Peskine449bd832023-01-11 14:50:10 +01008082 status = psa_pake_input(pake_ctx, step,
8083 buf + input_offset, length);
8084 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05008085 return PSA_TO_MBEDTLS_ERR(status);
Valerio Settia08b1a42022-11-17 15:10:02 +01008086 }
8087
8088 input_offset += length;
8089 }
8090 }
8091
Gilles Peskine449bd832023-01-11 14:50:10 +01008092 if (input_offset != len) {
Valerio Setti61ea17d2022-11-18 12:11:00 +01008093 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Gilles Peskine449bd832023-01-11 14:50:10 +01008094 }
Valerio Setti30ebe112022-11-17 16:23:34 +01008095
Gilles Peskine449bd832023-01-11 14:50:10 +01008096 return 0;
Valerio Settia08b1a42022-11-17 15:10:02 +01008097}
8098
Valerio Setti6b3dab02022-11-17 17:14:54 +01008099int mbedtls_psa_ecjpake_write_round(
Gilles Peskine449bd832023-01-11 14:50:10 +01008100 psa_pake_operation_t *pake_ctx,
8101 unsigned char *buf,
8102 size_t len, size_t *olen,
8103 mbedtls_ecjpake_rounds_t round)
Valerio Settia08b1a42022-11-17 15:10:02 +01008104{
8105 psa_status_t status;
8106 size_t output_offset = 0;
8107 size_t output_len;
Valerio Setti819de862022-11-17 18:05:19 +01008108 /*
Valerio Setti6b3dab02022-11-17 17:14:54 +01008109 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8110 * At round two perform a single cycle
8111 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008112 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
Valerio Settia08b1a42022-11-17 15:10:02 +01008113
Gilles Peskine449bd832023-01-11 14:50:10 +01008114 for (; remaining_steps > 0; remaining_steps--) {
8115 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8116 step <= PSA_PAKE_STEP_ZK_PROOF;
8117 ++step) {
Valerio Setti79f6b6b2022-11-21 14:17:03 +01008118 /*
Valerio Settid4a9b1a2022-11-22 11:11:10 +01008119 * For each step, prepend 1 byte with the length of the data as
8120 * given by psa_pake_output().
Valerio Setti79f6b6b2022-11-21 14:17:03 +01008121 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008122 status = psa_pake_output(pake_ctx, step,
8123 buf + output_offset + 1,
8124 len - output_offset - 1,
8125 &output_len);
8126 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -05008127 return PSA_TO_MBEDTLS_ERR(status);
Valerio Settia08b1a42022-11-17 15:10:02 +01008128 }
8129
Valerio Setti99d88c12022-11-22 16:03:43 +01008130 *(buf + output_offset) = (uint8_t) output_len;
Valerio Setti79f6b6b2022-11-21 14:17:03 +01008131
8132 output_offset += output_len + 1;
Valerio Settia08b1a42022-11-17 15:10:02 +01008133 }
8134 }
8135
8136 *olen = output_offset;
8137
Gilles Peskine449bd832023-01-11 14:50:10 +01008138 return 0;
Valerio Settia08b1a42022-11-17 15:10:02 +01008139}
Manuel Pégourié-Gonnard07a1edd2025-01-23 11:04:48 +01008140#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Valerio Settia08b1a42022-11-17 15:10:02 +01008141
Gilles Peskine449bd832023-01-11 14:50:10 +01008142int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
8143 unsigned char *hash, size_t *hashlen,
8144 unsigned char *data, size_t data_len,
8145 mbedtls_md_type_t md_alg)
Jerry Yuee40f9d2022-02-17 14:55:16 +08008146{
8147 psa_status_t status;
8148 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +02008149 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008150
Gilles Peskine449bd832023-01-11 14:50:10 +01008151 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
Jerry Yuee40f9d2022-02-17 14:55:16 +08008152
Gilles Peskine449bd832023-01-11 14:50:10 +01008153 if ((status = psa_hash_setup(&hash_operation,
8154 hash_alg)) != PSA_SUCCESS) {
8155 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008156 goto exit;
8157 }
8158
Gilles Peskine449bd832023-01-11 14:50:10 +01008159 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
8160 64)) != PSA_SUCCESS) {
8161 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008162 goto exit;
8163 }
8164
Gilles Peskine449bd832023-01-11 14:50:10 +01008165 if ((status = psa_hash_update(&hash_operation,
8166 data, data_len)) != PSA_SUCCESS) {
8167 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
Jerry Yuee40f9d2022-02-17 14:55:16 +08008168 goto exit;
8169 }
8170
Gilles Peskine449bd832023-01-11 14:50:10 +01008171 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
8172 hashlen)) != PSA_SUCCESS) {
8173 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
8174 goto exit;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008175 }
8176
8177exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008178 if (status != PSA_SUCCESS) {
8179 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8180 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8181 switch (status) {
Jerry Yuee40f9d2022-02-17 14:55:16 +08008182 case PSA_ERROR_NOT_SUPPORTED:
Gilles Peskine449bd832023-01-11 14:50:10 +01008183 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008184 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
8185 case PSA_ERROR_BUFFER_TOO_SMALL:
Gilles Peskine449bd832023-01-11 14:50:10 +01008186 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008187 case PSA_ERROR_INSUFFICIENT_MEMORY:
Gilles Peskine449bd832023-01-11 14:50:10 +01008188 return MBEDTLS_ERR_MD_ALLOC_FAILED;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008189 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01008190 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008191 }
8192 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008193 return 0;
Jerry Yuee40f9d2022-02-17 14:55:16 +08008194}
8195
Jerry Yuee40f9d2022-02-17 14:55:16 +08008196
Jerry Yud9d91da2022-02-17 14:57:06 +08008197#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
8198
Gabor Mezeia3d016c2022-05-10 12:44:09 +02008199/* Find the preferred hash for a given signature algorithm. */
8200unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +01008201 mbedtls_ssl_context *ssl,
8202 unsigned int sig_alg)
Jerry Yud9d91da2022-02-17 14:57:06 +08008203{
Gabor Mezei078e8032022-04-27 21:17:56 +02008204 unsigned int i;
Gabor Mezeia3d016c2022-05-10 12:44:09 +02008205 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
Gabor Mezei078e8032022-04-27 21:17:56 +02008206
Gilles Peskine449bd832023-01-11 14:50:10 +01008207 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
8208 return MBEDTLS_SSL_HASH_NONE;
8209 }
Gabor Mezei078e8032022-04-27 21:17:56 +02008210
Gilles Peskine449bd832023-01-11 14:50:10 +01008211 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008212 unsigned int hash_alg_received =
Gilles Peskine449bd832023-01-11 14:50:10 +01008213 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
8214 received_sig_algs[i]);
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008215 unsigned int sig_alg_received =
Gilles Peskine449bd832023-01-11 14:50:10 +01008216 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
8217 received_sig_algs[i]);
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008218
Manuel Pégourié-Gonnard47bb3802023-06-05 12:40:32 +02008219 mbedtls_md_type_t md_alg =
8220 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
8221 if (md_alg == MBEDTLS_MD_NONE) {
8222 continue;
8223 }
8224
Gilles Peskine449bd832023-01-11 14:50:10 +01008225 if (sig_alg == sig_alg_received) {
Gilles Peskine449bd832023-01-11 14:50:10 +01008226 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
Neil Armstrong96eceb82022-06-30 18:05:05 +02008227 psa_algorithm_t psa_hash_alg =
Manuel Pégourié-Gonnard47bb3802023-06-05 12:40:32 +02008228 mbedtls_md_psa_alg_from_type(md_alg);
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008229
Gilles Peskine449bd832023-01-11 14:50:10 +01008230 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
8231 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8232 PSA_ALG_ECDSA(psa_hash_alg),
8233 PSA_KEY_USAGE_SIGN_HASH)) {
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008234 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008235 }
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008236
Gilles Peskine449bd832023-01-11 14:50:10 +01008237 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
8238 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8239 PSA_ALG_RSA_PKCS1V15_SIGN(
8240 psa_hash_alg),
8241 PSA_KEY_USAGE_SIGN_HASH)) {
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008242 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008243 }
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008244 }
Neil Armstrong96eceb82022-06-30 18:05:05 +02008245
Gilles Peskine449bd832023-01-11 14:50:10 +01008246 return hash_alg_received;
Neil Armstrong9f1176a2022-06-24 18:19:19 +02008247 }
Jerry Yud9d91da2022-02-17 14:57:06 +08008248 }
Jerry Yud9d91da2022-02-17 14:57:06 +08008249
Gilles Peskine449bd832023-01-11 14:50:10 +01008250 return MBEDTLS_SSL_HASH_NONE;
Jerry Yud9d91da2022-02-17 14:57:06 +08008251}
8252
8253#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8254
Jerry Yudc7bd172022-02-17 13:44:15 +08008255#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
8256
XiaokangQian75d40ef2022-04-20 11:05:24 +00008257int mbedtls_ssl_validate_ciphersuite(
8258 const mbedtls_ssl_context *ssl,
8259 const mbedtls_ssl_ciphersuite_t *suite_info,
8260 mbedtls_ssl_protocol_version min_tls_version,
Gilles Peskine449bd832023-01-11 14:50:10 +01008261 mbedtls_ssl_protocol_version max_tls_version)
XiaokangQian75d40ef2022-04-20 11:05:24 +00008262{
8263 (void) ssl;
8264
Gilles Peskine449bd832023-01-11 14:50:10 +01008265 if (suite_info == NULL) {
8266 return -1;
8267 }
XiaokangQian75d40ef2022-04-20 11:05:24 +00008268
Gilles Peskine449bd832023-01-11 14:50:10 +01008269 if ((suite_info->min_tls_version > max_tls_version) ||
8270 (suite_info->max_tls_version < min_tls_version)) {
8271 return -1;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008272 }
8273
XiaokangQian060d8672022-04-21 09:24:56 +00008274#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
XiaokangQian75d40ef2022-04-20 11:05:24 +00008275#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01008276 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
Manuel Pégourié-Gonnard88800dd2025-01-23 11:01:35 +01008277 ssl->handshake->psa_pake_ctx_is_ok != 1) {
Gilles Peskine449bd832023-01-11 14:50:10 +01008278 return -1;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008279 }
8280#endif
8281
8282 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
8283#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +01008284 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
8285 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
8286 return -1;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008287 }
8288#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
8289#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
8290
Gilles Peskine449bd832023-01-11 14:50:10 +01008291 return 0;
XiaokangQian75d40ef2022-04-20 11:05:24 +00008292}
8293
Ronald Crone68ab4f2022-10-05 12:46:29 +02008294#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
XiaokangQianeaf36512022-04-24 09:07:44 +00008295/*
8296 * Function for writing a signature algorithm extension.
8297 *
8298 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
8299 * value (TLS 1.3 RFC8446):
8300 * enum {
8301 * ....
8302 * ecdsa_secp256r1_sha256( 0x0403 ),
8303 * ecdsa_secp384r1_sha384( 0x0503 ),
8304 * ecdsa_secp521r1_sha512( 0x0603 ),
8305 * ....
8306 * } SignatureScheme;
8307 *
8308 * struct {
8309 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
8310 * } SignatureSchemeList;
8311 *
8312 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
8313 * value (TLS 1.2 RFC5246):
8314 * enum {
8315 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
8316 * sha512(6), (255)
8317 * } HashAlgorithm;
8318 *
8319 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
8320 * SignatureAlgorithm;
8321 *
8322 * struct {
8323 * HashAlgorithm hash;
8324 * SignatureAlgorithm signature;
8325 * } SignatureAndHashAlgorithm;
8326 *
8327 * SignatureAndHashAlgorithm
8328 * supported_signature_algorithms<2..2^16-2>;
8329 *
8330 * The TLS 1.3 signature algorithm extension was defined to be a compatible
8331 * generalization of the TLS 1.2 signature algorithm extension.
8332 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
8333 * `SignatureScheme` field of TLS 1.3
8334 *
8335 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008336int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
8337 const unsigned char *end, size_t *out_len)
XiaokangQianeaf36512022-04-24 09:07:44 +00008338{
8339 unsigned char *p = buf;
8340 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
8341 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
8342
8343 *out_len = 0;
8344
Gilles Peskine449bd832023-01-11 14:50:10 +01008345 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
XiaokangQianeaf36512022-04-24 09:07:44 +00008346
8347 /* Check if we have space for header and length field:
8348 * - extension_type (2 bytes)
8349 * - extension_data_length (2 bytes)
8350 * - supported_signature_algorithms_length (2 bytes)
8351 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008352 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
XiaokangQianeaf36512022-04-24 09:07:44 +00008353 p += 6;
8354
8355 /*
8356 * Write supported_signature_algorithms
8357 */
8358 supported_sig_alg = p;
Gilles Peskine449bd832023-01-11 14:50:10 +01008359 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
8360 if (sig_alg == NULL) {
8361 return MBEDTLS_ERR_SSL_BAD_CONFIG;
8362 }
XiaokangQianeaf36512022-04-24 09:07:44 +00008363
Gilles Peskine449bd832023-01-11 14:50:10 +01008364 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
8365 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
8366 *sig_alg,
8367 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
8368 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
XiaokangQianeaf36512022-04-24 09:07:44 +00008369 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008370 }
8371 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
8372 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
XiaokangQianeaf36512022-04-24 09:07:44 +00008373 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01008374 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
8375 *sig_alg,
8376 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
XiaokangQianeaf36512022-04-24 09:07:44 +00008377 }
8378
8379 /* Length of supported_signature_algorithms */
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +00008380 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +01008381 if (supported_sig_alg_len == 0) {
8382 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
8383 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQianeaf36512022-04-24 09:07:44 +00008384 }
8385
Gilles Peskine449bd832023-01-11 14:50:10 +01008386 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
8387 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
8388 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
XiaokangQianeaf36512022-04-24 09:07:44 +00008389
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +00008390 *out_len = (size_t) (p - buf);
XiaokangQianeaf36512022-04-24 09:07:44 +00008391
8392#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01008393 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
XiaokangQianeaf36512022-04-24 09:07:44 +00008394#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu0c354a22022-08-29 15:25:36 +08008395
Gilles Peskine449bd832023-01-11 14:50:10 +01008396 return 0;
XiaokangQianeaf36512022-04-24 09:07:44 +00008397}
Ronald Crone68ab4f2022-10-05 12:46:29 +02008398#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
XiaokangQianeaf36512022-04-24 09:07:44 +00008399
XiaokangQian40a35232022-05-07 09:02:40 +00008400#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
XiaokangQian9b2b7712022-05-17 02:57:00 +00008401/*
8402 * mbedtls_ssl_parse_server_name_ext
8403 *
8404 * Structure of server_name extension:
8405 *
8406 * enum {
8407 * host_name(0), (255)
8408 * } NameType;
8409 * opaque HostName<1..2^16-1>;
8410 *
8411 * struct {
8412 * NameType name_type;
8413 * select (name_type) {
8414 * case host_name: HostName;
8415 * } name;
8416 * } ServerName;
8417 * struct {
8418 * ServerName server_name_list<1..2^16-1>
8419 * } ServerNameList;
8420 */
Ronald Cronce7d76e2022-07-08 18:56:49 +02008421MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01008422int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
8423 const unsigned char *buf,
8424 const unsigned char *end)
XiaokangQian40a35232022-05-07 09:02:40 +00008425{
8426 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8427 const unsigned char *p = buf;
XiaokangQian9b2b7712022-05-17 02:57:00 +00008428 size_t server_name_list_len, hostname_len;
8429 const unsigned char *server_name_list_end;
XiaokangQian40a35232022-05-07 09:02:40 +00008430
Gilles Peskine449bd832023-01-11 14:50:10 +01008431 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
XiaokangQian40a35232022-05-07 09:02:40 +00008432
Gilles Peskine449bd832023-01-11 14:50:10 +01008433 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
8434 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian40a35232022-05-07 09:02:40 +00008435 p += 2;
8436
Gilles Peskine449bd832023-01-11 14:50:10 +01008437 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
XiaokangQian9b2b7712022-05-17 02:57:00 +00008438 server_name_list_end = p + server_name_list_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008439 while (p < server_name_list_end) {
8440 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
8441 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
8442 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
8443 hostname_len + 3);
XiaokangQian40a35232022-05-07 09:02:40 +00008444
Gilles Peskine449bd832023-01-11 14:50:10 +01008445 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
XiaokangQian75fe8c72022-06-15 09:42:45 +00008446 /* sni_name is intended to be used only during the parsing of the
8447 * ClientHello message (it is reset to NULL before the end of
8448 * the message parsing). Thus it is ok to just point to the
8449 * reception buffer and not make a copy of it.
8450 */
XiaokangQianf2a94202022-05-20 06:44:24 +00008451 ssl->handshake->sni_name = p + 3;
8452 ssl->handshake->sni_name_len = hostname_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008453 if (ssl->conf->f_sni == NULL) {
8454 return 0;
XiaokangQian40a35232022-05-07 09:02:40 +00008455 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008456 ret = ssl->conf->f_sni(ssl->conf->p_sni,
8457 ssl, p + 3, hostname_len);
8458 if (ret != 0) {
8459 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
8460 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
8461 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
8462 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
8463 }
8464 return 0;
XiaokangQian40a35232022-05-07 09:02:40 +00008465 }
8466
8467 p += hostname_len + 3;
8468 }
8469
Gilles Peskine449bd832023-01-11 14:50:10 +01008470 return 0;
XiaokangQian40a35232022-05-07 09:02:40 +00008471}
8472#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
8473
XiaokangQianacb39922022-06-17 10:18:48 +00008474#if defined(MBEDTLS_SSL_ALPN)
Ronald Cronce7d76e2022-07-08 18:56:49 +02008475MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +01008476int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
8477 const unsigned char *buf,
8478 const unsigned char *end)
XiaokangQianacb39922022-06-17 10:18:48 +00008479{
8480 const unsigned char *p = buf;
XiaokangQianc7403452022-06-23 03:24:12 +00008481 size_t protocol_name_list_len;
XiaokangQian95d5f542022-06-24 02:29:26 +00008482 const unsigned char *protocol_name_list;
8483 const unsigned char *protocol_name_list_end;
XiaokangQianc7403452022-06-23 03:24:12 +00008484 size_t protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008485
8486 /* If ALPN not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +01008487 if (ssl->conf->alpn_list == NULL) {
8488 return 0;
8489 }
XiaokangQianacb39922022-06-17 10:18:48 +00008490
8491 /*
XiaokangQianc7403452022-06-23 03:24:12 +00008492 * RFC7301, section 3.1
8493 * opaque ProtocolName<1..2^8-1>;
XiaokangQianacb39922022-06-17 10:18:48 +00008494 *
XiaokangQianc7403452022-06-23 03:24:12 +00008495 * struct {
8496 * ProtocolName protocol_name_list<2..2^16-1>
8497 * } ProtocolNameList;
XiaokangQianacb39922022-06-17 10:18:48 +00008498 */
8499
XiaokangQianc7403452022-06-23 03:24:12 +00008500 /*
XiaokangQian0b776e22022-06-24 09:04:59 +00008501 * protocol_name_list_len 2 bytes
8502 * protocol_name_len 1 bytes
8503 * protocol_name >=1 byte
XiaokangQianc7403452022-06-23 03:24:12 +00008504 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008505 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
XiaokangQianacb39922022-06-17 10:18:48 +00008506
Gilles Peskine449bd832023-01-11 14:50:10 +01008507 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQianacb39922022-06-17 10:18:48 +00008508 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01008509 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
XiaokangQian95d5f542022-06-24 02:29:26 +00008510 protocol_name_list = p;
8511 protocol_name_list_end = p + protocol_name_list_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008512
8513 /* Validate peer's list (lengths) */
Gilles Peskine449bd832023-01-11 14:50:10 +01008514 while (p < protocol_name_list_end) {
XiaokangQian95d5f542022-06-24 02:29:26 +00008515 protocol_name_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +01008516 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
8517 protocol_name_len);
8518 if (protocol_name_len == 0) {
XiaokangQian95d5f542022-06-24 02:29:26 +00008519 MBEDTLS_SSL_PEND_FATAL_ALERT(
8520 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
Gilles Peskine449bd832023-01-11 14:50:10 +01008521 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
8522 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian95d5f542022-06-24 02:29:26 +00008523 }
8524
8525 p += protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008526 }
8527
8528 /* Use our order of preference */
Gilles Peskine449bd832023-01-11 14:50:10 +01008529 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
8530 size_t const alpn_len = strlen(*alpn);
XiaokangQian95d5f542022-06-24 02:29:26 +00008531 p = protocol_name_list;
Gilles Peskine449bd832023-01-11 14:50:10 +01008532 while (p < protocol_name_list_end) {
XiaokangQian95d5f542022-06-24 02:29:26 +00008533 protocol_name_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +01008534 if (protocol_name_len == alpn_len &&
8535 memcmp(p, *alpn, alpn_len) == 0) {
XiaokangQianacb39922022-06-17 10:18:48 +00008536 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +01008537 return 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008538 }
XiaokangQian95d5f542022-06-24 02:29:26 +00008539
8540 p += protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008541 }
8542 }
8543
XiaokangQian95d5f542022-06-24 02:29:26 +00008544 /* If we get here, no match was found */
XiaokangQianacb39922022-06-17 10:18:48 +00008545 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +01008546 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
8547 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
8548 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
XiaokangQianacb39922022-06-17 10:18:48 +00008549}
8550
Gilles Peskine449bd832023-01-11 14:50:10 +01008551int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
8552 unsigned char *buf,
8553 unsigned char *end,
8554 size_t *out_len)
XiaokangQianacb39922022-06-17 10:18:48 +00008555{
8556 unsigned char *p = buf;
XiaokangQian95d5f542022-06-24 02:29:26 +00008557 size_t protocol_name_len;
XiaokangQianc7403452022-06-23 03:24:12 +00008558 *out_len = 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008559
Gilles Peskine449bd832023-01-11 14:50:10 +01008560 if (ssl->alpn_chosen == NULL) {
8561 return 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008562 }
8563
Gilles Peskine449bd832023-01-11 14:50:10 +01008564 protocol_name_len = strlen(ssl->alpn_chosen);
8565 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
XiaokangQianacb39922022-06-17 10:18:48 +00008566
Gilles Peskine449bd832023-01-11 14:50:10 +01008567 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
XiaokangQianacb39922022-06-17 10:18:48 +00008568 /*
8569 * 0 . 1 ext identifier
8570 * 2 . 3 ext length
8571 * 4 . 5 protocol list length
8572 * 6 . 6 protocol name length
8573 * 7 . 7+n protocol name
8574 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008575 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
XiaokangQianacb39922022-06-17 10:18:48 +00008576
XiaokangQian95d5f542022-06-24 02:29:26 +00008577 *out_len = 7 + protocol_name_len;
XiaokangQianacb39922022-06-17 10:18:48 +00008578
Gilles Peskine449bd832023-01-11 14:50:10 +01008579 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
8580 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
XiaokangQian0b776e22022-06-24 09:04:59 +00008581 /* Note: the length of the chosen protocol has been checked to be less
8582 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
8583 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008584 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
XiaokangQianacb39922022-06-17 10:18:48 +00008585
Gilles Peskine449bd832023-01-11 14:50:10 +01008586 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
Jerry Yub95dd362022-11-08 21:19:34 +08008587
8588#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine449bd832023-01-11 14:50:10 +01008589 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
Jerry Yub95dd362022-11-08 21:19:34 +08008590#endif
8591
Gilles Peskine449bd832023-01-11 14:50:10 +01008592 return 0;
XiaokangQianacb39922022-06-17 10:18:48 +00008593}
8594#endif /* MBEDTLS_SSL_ALPN */
8595
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008596#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
Xiaokang Qian03409292022-10-12 02:49:52 +00008597 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
Xiaokang Qianed0620c2022-10-12 06:58:13 +00008598 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
Xiaokang Qianed3afcd2022-10-12 08:31:11 +00008599 defined(MBEDTLS_SSL_CLI_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01008600int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
8601 const char *hostname)
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008602{
8603 /* Initialize to suppress unnecessary compiler warning */
8604 size_t hostname_len = 0;
8605
8606 /* Check if new hostname is valid before
8607 * making any change to current one */
Gilles Peskine449bd832023-01-11 14:50:10 +01008608 if (hostname != NULL) {
8609 hostname_len = strlen(hostname);
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008610
Gilles Peskine449bd832023-01-11 14:50:10 +01008611 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
8612 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8613 }
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008614 }
8615
8616 /* Now it's clear that we will overwrite the old hostname,
8617 * so we can free it safely */
Gilles Peskine449bd832023-01-11 14:50:10 +01008618 if (session->hostname != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01008619 mbedtls_zeroize_and_free(session->hostname,
Gilles Peskine449bd832023-01-11 14:50:10 +01008620 strlen(session->hostname));
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008621 }
8622
8623 /* Passing NULL as hostname shall clear the old one */
Gilles Peskine449bd832023-01-11 14:50:10 +01008624 if (hostname == NULL) {
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008625 session->hostname = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01008626 } else {
8627 session->hostname = mbedtls_calloc(1, hostname_len + 1);
8628 if (session->hostname == NULL) {
8629 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
8630 }
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008631
Gilles Peskine449bd832023-01-11 14:50:10 +01008632 memcpy(session->hostname, hostname, hostname_len);
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008633 }
8634
Gilles Peskine449bd832023-01-11 14:50:10 +01008635 return 0;
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008636}
Xiaokang Qian03409292022-10-12 02:49:52 +00008637#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
8638 MBEDTLS_SSL_SESSION_TICKETS &&
Xiaokang Qianed0620c2022-10-12 06:58:13 +00008639 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
Xiaokang Qianed3afcd2022-10-12 08:31:11 +00008640 MBEDTLS_SSL_CLI_C */
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00008641
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008642#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
8643 defined(MBEDTLS_SSL_ALPN)
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008644int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
8645 const char *alpn)
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008646{
8647 size_t alpn_len = 0;
8648
8649 if (alpn != NULL) {
8650 alpn_len = strlen(alpn);
8651
8652 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
8653 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8654 }
8655 }
8656
8657 if (session->ticket_alpn != NULL) {
8658 mbedtls_zeroize_and_free(session->ticket_alpn,
8659 strlen(session->ticket_alpn));
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008660 session->ticket_alpn = NULL;
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008661 }
8662
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008663 if (alpn != NULL) {
8664 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008665 if (session->ticket_alpn == NULL) {
8666 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
8667 }
Waleed Elmelegy7dfba342024-03-12 16:22:39 +00008668 memcpy(session->ticket_alpn, alpn, alpn_len);
Waleed Elmelegy883f77c2024-03-06 19:09:41 +00008669 }
8670
8671 return 0;
8672}
8673#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008674
8675/*
8676 * The following functions are used by 1.2 and 1.3, client and server.
8677 */
8678#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
8679int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
8680 const mbedtls_ssl_ciphersuite_t *ciphersuite,
8681 int recv_endpoint,
8682 mbedtls_ssl_protocol_version tls_version,
8683 uint32_t *flags)
8684{
8685 int ret = 0;
8686 unsigned int usage = 0;
8687 const char *ext_oid;
8688 size_t ext_len;
8689
8690 /*
8691 * keyUsage
8692 */
8693
8694 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
8695 * to check what a compliant client will think while choosing which cert
8696 * to send to the client. */
8697#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
8698 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
8699 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
8700 /* TLS 1.2 server part of the key exchange */
8701 switch (ciphersuite->key_exchange) {
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008702 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
8703 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
8704 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
8705 break;
8706
8707 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
8708 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
8709 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
8710 break;
8711
8712 /* Don't use default: we want warnings when adding new values */
8713 case MBEDTLS_KEY_EXCHANGE_NONE:
8714 case MBEDTLS_KEY_EXCHANGE_PSK:
Manuel Pégourié-Gonnard5398e582024-08-20 12:14:43 +02008715 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
8716 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
8717 usage = 0;
8718 }
8719 } else
8720#endif
8721 {
8722 /* This is either TLS 1.3 authentication, which always uses signatures,
8723 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
8724 * options we implement, both using signatures. */
8725 (void) tls_version;
8726 (void) ciphersuite;
8727 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
8728 }
8729
8730 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
8731 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
8732 ret = -1;
8733 }
8734
8735 /*
8736 * extKeyUsage
8737 */
8738
8739 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
8740 ext_oid = MBEDTLS_OID_SERVER_AUTH;
8741 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
8742 } else {
8743 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
8744 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
8745 }
8746
8747 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
8748 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
8749 ret = -1;
8750 }
8751
8752 return ret;
8753}
8754
8755int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
8756 int authmode,
8757 mbedtls_x509_crt *chain,
8758 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
8759 void *rs_ctx)
8760{
8761 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
8762 return 0;
8763 }
8764
8765 /*
8766 * Primary check: use the appropriate X.509 verification function
8767 */
8768 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
8769 void *p_vrfy;
8770 if (ssl->f_vrfy != NULL) {
8771 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
8772 f_vrfy = ssl->f_vrfy;
8773 p_vrfy = ssl->p_vrfy;
8774 } else {
8775 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
8776 f_vrfy = ssl->conf->f_vrfy;
8777 p_vrfy = ssl->conf->p_vrfy;
8778 }
8779
8780 int ret = 0;
8781 int have_ca_chain_or_callback = 0;
8782#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
8783 if (ssl->conf->f_ca_cb != NULL) {
8784 ((void) rs_ctx);
8785 have_ca_chain_or_callback = 1;
8786
8787 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
8788 ret = mbedtls_x509_crt_verify_with_ca_cb(
8789 chain,
8790 ssl->conf->f_ca_cb,
8791 ssl->conf->p_ca_cb,
8792 ssl->conf->cert_profile,
8793 ssl->hostname,
8794 &ssl->session_negotiate->verify_result,
8795 f_vrfy, p_vrfy);
8796 } else
8797#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
8798 {
8799 mbedtls_x509_crt *ca_chain;
8800 mbedtls_x509_crl *ca_crl;
8801#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
8802 if (ssl->handshake->sni_ca_chain != NULL) {
8803 ca_chain = ssl->handshake->sni_ca_chain;
8804 ca_crl = ssl->handshake->sni_ca_crl;
8805 } else
8806#endif
8807 {
8808 ca_chain = ssl->conf->ca_chain;
8809 ca_crl = ssl->conf->ca_crl;
8810 }
8811
8812 if (ca_chain != NULL) {
8813 have_ca_chain_or_callback = 1;
8814 }
8815
8816 ret = mbedtls_x509_crt_verify_restartable(
8817 chain,
8818 ca_chain, ca_crl,
8819 ssl->conf->cert_profile,
8820 ssl->hostname,
8821 &ssl->session_negotiate->verify_result,
8822 f_vrfy, p_vrfy, rs_ctx);
8823 }
8824
8825 if (ret != 0) {
8826 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
8827 }
8828
8829#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8830 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
8831 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
8832 }
8833#endif
8834
8835 /*
8836 * Secondary checks: always done, but change 'ret' only if it was 0
8837 */
8838
8839 /* With TLS 1.2 and ECC certs, check that the curve used by the
8840 * certificate is on our list of acceptable curves.
8841 *
8842 * With TLS 1.3 this is not needed because the curve is part of the
8843 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
8844 * we validate the signature made with the key associated to this cert.
8845 */
8846#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
8847 defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
8848 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
8849 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
8850 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
8851 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
8852 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
8853 if (ret == 0) {
8854 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
8855 }
8856 }
8857 }
8858#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
8859
8860 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
8861 if (mbedtls_ssl_check_cert_usage(chain,
8862 ciphersuite_info,
8863 ssl->conf->endpoint,
8864 ssl->tls_version,
8865 &ssl->session_negotiate->verify_result) != 0) {
8866 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
8867 if (ret == 0) {
8868 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
8869 }
8870 }
8871
8872 /* With authmode optional, we want to keep going if the certificate was
8873 * unacceptable, but still fail on other errors (out of memory etc),
8874 * including fatal errors from the f_vrfy callback.
8875 *
8876 * The only acceptable errors are:
8877 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
8878 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
8879 * Anything else is a fatal error. */
8880 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
8881 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
8882 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
8883 ret = 0;
8884 }
8885
8886 /* Return a specific error as this is a user error: inconsistent
8887 * configuration - can't verify without trust anchors. */
8888 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
8889 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
8890 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
8891 }
8892
8893 if (ret != 0) {
8894 uint8_t alert;
8895
8896 /* The certificate may have been rejected for several reasons.
8897 Pick one and send the corresponding alert. Which alert to send
8898 may be a subject of debate in some cases. */
8899 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
8900 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
8901 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
8902 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
8903 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
8904 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8905 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
8906 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8907 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
8908 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8909 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
8910 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
8911 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
8912 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
8913 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
8914 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
8915 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
8916 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
8917 } else {
8918 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
8919 }
8920 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8921 alert);
8922 }
8923
8924#if defined(MBEDTLS_DEBUG_C)
8925 if (ssl->session_negotiate->verify_result != 0) {
8926 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
8927 (unsigned int) ssl->session_negotiate->verify_result));
8928 } else {
8929 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
8930 }
8931#endif /* MBEDTLS_DEBUG_C */
8932
8933 return ret;
8934}
8935#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
8936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02008937#endif /* MBEDTLS_SSL_TLS_C */