TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 88aaf652b1cb8ac516e53ec55c3a52445682d3ea / . / library / ssl_tls.c
blob: ad8f024273b9f129e209a9ac6cfede6cf12ca286 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The SSL 3.0 specification was drafted by Netscape in 1996,
23 * and became an IETF standard in 1999.
24 *
25 * http://wp.netscape.com/eng/ssl3/
26 * http://www.ietf.org/rfc/rfc2246.txt
27 * http://www.ietf.org/rfc/rfc4346.txt
28 */
29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]33#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#if defined(MBEDTLS_PLATFORM_C)
39#include "mbedtls/platform.h"
40#else
41#include <stdlib.h>
42#define mbedtls_calloc calloc
43#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]44#endif
45
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/debug.h"
47#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200[diff] [blame]48#include "mbedtls/ssl_internal.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]49#include "mbedtls/platform_util.h"
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]50
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <string.h>
52
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]53#if defined(MBEDTLS_USE_PSA_CRYPTO)
54#include "mbedtls/psa_util.h"
55#include "psa/crypto.h"
56#endif
57
Janos Follath23bdca02016-10-07 14:47:14 +0100[diff] [blame]58#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]59#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]60#endif
61
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]62#if defined(MBEDTLS_USE_PSA_CRYPTO)
63#include "mbedtls/psa_util.h"
64#endif
65
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]66static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]67static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]68
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]69/* Length of the "epoch" field in the record header */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]70static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]71{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]72#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]73 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]74 return( 2 );
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]75#else
76 ((void) ssl);
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]77#endif
78 return( 0 );
79}
80
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]81/*
82 * Start a timer.
83 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]84 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]86{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]87 if( ssl->f_set_timer == NULL )
88 return;
89
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
91 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]92}
93
94/*
95 * Return -1 is timer is expired, 0 if it isn't.
96 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]97static int ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]98{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]99 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]100 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]101
102 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]103 {
104 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]105 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]106 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]107
108 return( 0 );
109}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]110
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]111static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
112 mbedtls_ssl_transform *transform );
113static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
114 mbedtls_ssl_transform *transform );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]115
116#define SSL_DONT_FORCE_FLUSH 0
117#define SSL_FORCE_FLUSH 1
118
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]119#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]120
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]121/* Forward declarations for functions related to message buffering. */
122static void ssl_buffering_free( mbedtls_ssl_context *ssl );
123static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
124 uint8_t slot );
125static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
126static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
127static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
128static int ssl_buffer_message( mbedtls_ssl_context *ssl );
129static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]130static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]131
Hanno Beckera67dee22018-08-22 10:05:20 +0100[diff] [blame]132static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]133static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]134{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]135 size_t mtu = ssl_get_current_mtu( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]136
137 if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]138 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]139
140 return( MBEDTLS_SSL_OUT_BUFFER_LEN );
141}
142
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]143static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
144{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]145 size_t const bytes_written = ssl->out_left;
146 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]147
148 /* Double-check that the write-index hasn't gone
149 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]150 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]151 {
152 /* Should never happen... */
153 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
154 }
155
156 return( (int) ( mtu - bytes_written ) );
157}
158
159static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
160{
161 int ret;
162 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400[diff] [blame]163 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]164
165#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
166 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
167
168 if( max_len > mfl )
169 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100[diff] [blame]170
171 /* By the standard (RFC 6066 Sect. 4), the MFL extension
172 * only limits the maximum record payload size, so in theory
173 * we would be allowed to pack multiple records of payload size
174 * MFL into a single datagram. However, this would mean that there's
175 * no way to explicitly communicate MTU restrictions to the peer.
176 *
177 * The following reduction of max_len makes sure that we never
178 * write datagrams larger than MFL + Record Expansion Overhead.
179 */
180 if( max_len <= ssl->out_left )
181 return( 0 );
182
183 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]184#endif
185
186 ret = ssl_get_remaining_space_in_datagram( ssl );
187 if( ret < 0 )
188 return( ret );
189 remaining = (size_t) ret;
190
191 ret = mbedtls_ssl_get_record_expansion( ssl );
192 if( ret < 0 )
193 return( ret );
194 expansion = (size_t) ret;
195
196 if( remaining <= expansion )
197 return( 0 );
198
199 remaining -= expansion;
200 if( remaining >= max_len )
201 remaining = max_len;
202
203 return( (int) remaining );
204}
205
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]206/*
207 * Double the retransmit timeout value, within the allowed range,
208 * returning -1 if the maximum value has already been reached.
209 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]210static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]211{
212 uint32_t new_timeout;
213
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]214 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]215 return( -1 );
216
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]217 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
218 * in the following way: after the initial transmission and a first
219 * retransmission, back off to a temporary estimated MTU of 508 bytes.
220 * This value is guaranteed to be deliverable (if not guaranteed to be
221 * delivered) of any compliant IPv4 (and IPv6) network, and should work
222 * on most non-IP stacks too. */
223 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]224 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]225 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
227 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]228
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]229 new_timeout = 2 * ssl->handshake->retransmit_timeout;
230
231 /* Avoid arithmetic overflow and range overflow */
232 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]233 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]234 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]235 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]236 }
237
238 ssl->handshake->retransmit_timeout = new_timeout;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]240 ssl->handshake->retransmit_timeout ) );
241
242 return( 0 );
243}
244
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]245static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]246{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]247 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]249 ssl->handshake->retransmit_timeout ) );
250}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]251#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]253#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200[diff] [blame]254/*
255 * Convert max_fragment_length codes to length.
256 * RFC 6066 says:
257 * enum{
258 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
259 * } MaxFragmentLength;
260 * and we add 0 -> extension unused
261 */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]262static unsigned int ssl_mfl_code_to_length( int mfl )
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200[diff] [blame]263{
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]264 switch( mfl )
265 {
266 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
267 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
268 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
269 return 512;
270 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
271 return 1024;
272 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
273 return 2048;
274 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
275 return 4096;
276 default:
277 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
278 }
279}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]280#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200[diff] [blame]281
Hanno Becker52055ae2019-02-06 14:30:46 +0000[diff] [blame]282int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
283 const mbedtls_ssl_session *src )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]284{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]285 mbedtls_ssl_session_free( dst );
286 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]288#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000[diff] [blame]289
290#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]291 if( src->peer_cert != NULL )
292 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]293 int ret;
294
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]295 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]296 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]297 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299 mbedtls_x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]301 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200[diff] [blame]302 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]303 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]304 mbedtls_free( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]305 dst->peer_cert = NULL;
306 return( ret );
307 }
308 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000[diff] [blame]309#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]310 if( src->peer_cert_digest != NULL )
311 {
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]312 dst->peer_cert_digest =
Hanno Beckeraccc5992019-02-25 10:06:59 +0000[diff] [blame]313 mbedtls_calloc( 1, src->peer_cert_digest_len );
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]314 if( dst->peer_cert_digest == NULL )
315 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
316
317 memcpy( dst->peer_cert_digest, src->peer_cert_digest,
318 src->peer_cert_digest_len );
319 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000[diff] [blame]320 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]321 }
322#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]324#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]325
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]326#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]327 if( src->ticket != NULL )
328 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]329 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]330 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]331 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]332
333 memcpy( dst->ticket, src->ticket, src->ticket_len );
334 }
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]335#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]336
337 return( 0 );
338}
339
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]340#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
341int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]342 const unsigned char *key_enc, const unsigned char *key_dec,
343 size_t keylen,
344 const unsigned char *iv_enc, const unsigned char *iv_dec,
345 size_t ivlen,
346 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]347 size_t maclen ) = NULL;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]348int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
349int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
350int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
351int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
352int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
353#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]354
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355/*
356 * Key material generation
357 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]358#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]359static int ssl3_prf( const unsigned char *secret, size_t slen,
360 const char *label,
361 const unsigned char *random, size_t rlen,
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]362 unsigned char *dstbuf, size_t dlen )
363{
Andres Amaya Garcia33952502017-07-20 16:29:16 +0100[diff] [blame]364 int ret = 0;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]365 size_t i;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]366 mbedtls_md5_context md5;
367 mbedtls_sha1_context sha1;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]368 unsigned char padding[16];
369 unsigned char sha1sum[20];
370 ((void)label);
371
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]372 mbedtls_md5_init( &md5 );
373 mbedtls_sha1_init( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]374
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]375 /*
376 * SSLv3:
377 * block =
378 * MD5( secret + SHA1( 'A' + secret + random ) ) +
379 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
380 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
381 * ...
382 */
383 for( i = 0; i < dlen / 16; i++ )
384 {
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]385 memset( padding, (unsigned char) ('A' + i), 1 + i );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]386
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]387 if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]388 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]389 if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]390 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]391 if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]392 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]393 if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]394 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]395 if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]396 goto exit;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]397
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]398 if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]399 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]400 if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]401 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]402 if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]403 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]404 if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]405 goto exit;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]406 }
407
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]408exit:
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]409 mbedtls_md5_free( &md5 );
410 mbedtls_sha1_free( &sha1 );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]411
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]412 mbedtls_platform_zeroize( padding, sizeof( padding ) );
413 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]414
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]415 return( ret );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]416}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]417#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]419#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]420static int tls1_prf( const unsigned char *secret, size_t slen,
421 const char *label,
422 const unsigned char *random, size_t rlen,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]423 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]424{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]425 size_t nb, hs;
426 size_t i, j, k;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]427 const unsigned char *S1, *S2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428 unsigned char tmp[128];
429 unsigned char h_i[20];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]430 const mbedtls_md_info_t *md_info;
431 mbedtls_md_context_t md_ctx;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]432 int ret;
433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]434 mbedtls_md_init( &md_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435
436 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438
439 hs = ( slen + 1 ) / 2;
440 S1 = secret;
441 S2 = secret + slen - hs;
442
443 nb = strlen( label );
444 memcpy( tmp + 20, label, nb );
445 memcpy( tmp + 20 + nb, random, rlen );
446 nb += rlen;
447
448 /*
449 * First compute P_md5(secret,label+random)[0..dlen]
450 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]451 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
452 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100[diff] [blame]453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]454 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]455 return( ret );
456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]457 mbedtls_md_hmac_starts( &md_ctx, S1, hs );
458 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
459 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
461 for( i = 0; i < dlen; i += 16 )
462 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]463 mbedtls_md_hmac_reset ( &md_ctx );
464 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
465 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]466
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]467 mbedtls_md_hmac_reset ( &md_ctx );
468 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
469 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
471 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
472
473 for( j = 0; j < k; j++ )
474 dstbuf[i + j] = h_i[j];
475 }
476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]478
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]479 /*
480 * XOR out with P_sha1(secret,label+random)[0..dlen]
481 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]482 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
483 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100[diff] [blame]484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]485 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]486 return( ret );
487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]488 mbedtls_md_hmac_starts( &md_ctx, S2, hs );
489 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
490 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
492 for( i = 0; i < dlen; i += 20 )
493 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 mbedtls_md_hmac_reset ( &md_ctx );
495 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
496 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498 mbedtls_md_hmac_reset ( &md_ctx );
499 mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
500 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
502 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
503
504 for( j = 0; j < k; j++ )
505 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
506 }
507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]508 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]509
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]510 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
511 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
513 return( 0 );
514}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]518#if defined(MBEDTLS_USE_PSA_CRYPTO)
519static int tls_prf_generic( mbedtls_md_type_t md_type,
520 const unsigned char *secret, size_t slen,
521 const char *label,
522 const unsigned char *random, size_t rlen,
523 unsigned char *dstbuf, size_t dlen )
524{
525 psa_status_t status;
526 psa_algorithm_t alg;
527 psa_key_policy_t policy;
Andrzej Kurekac5dc342019-01-23 06:57:34 -0500[diff] [blame]528 psa_key_handle_t master_slot;
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]529 psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
530
Andrzej Kurek2f760752019-01-28 08:08:15 -0500[diff] [blame]531 if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
Andrzej Kurekac5dc342019-01-23 06:57:34 -0500[diff] [blame]532 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek2d4faa62019-01-29 03:14:15 -0500[diff] [blame]533
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]534 if( md_type == MBEDTLS_MD_SHA384 )
535 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
536 else
537 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
538
Andrzej Kurek2f760752019-01-28 08:08:15 -0500[diff] [blame]539 policy = psa_key_policy_init();
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]540 psa_key_policy_set_usage( &policy,
541 PSA_KEY_USAGE_DERIVE,
542 alg );
543 status = psa_set_key_policy( master_slot, &policy );
544 if( status != PSA_SUCCESS )
545 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
546
547 status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );
548 if( status != PSA_SUCCESS )
549 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
550
551 status = psa_key_derivation( &generator,
552 master_slot, alg,
553 random, rlen,
554 (unsigned char const *) label,
555 (size_t) strlen( label ),
556 dlen );
557 if( status != PSA_SUCCESS )
558 {
559 psa_generator_abort( &generator );
560 psa_destroy_key( master_slot );
561 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
562 }
563
564 status = psa_generator_read( &generator, dstbuf, dlen );
565 if( status != PSA_SUCCESS )
566 {
567 psa_generator_abort( &generator );
568 psa_destroy_key( master_slot );
569 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
570 }
571
572 status = psa_generator_abort( &generator );
573 if( status != PSA_SUCCESS )
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500[diff] [blame]574 {
575 psa_destroy_key( master_slot );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]576 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500[diff] [blame]577 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]578
579 status = psa_destroy_key( master_slot );
580 if( status != PSA_SUCCESS )
581 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
582
Andrzej Kurek33171262019-01-15 03:25:18 -0500[diff] [blame]583 return( 0 );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]584}
585
586#else /* MBEDTLS_USE_PSA_CRYPTO */
587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588static int tls_prf_generic( mbedtls_md_type_t md_type,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]589 const unsigned char *secret, size_t slen,
590 const char *label,
591 const unsigned char *random, size_t rlen,
592 unsigned char *dstbuf, size_t dlen )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]593{
594 size_t nb;
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]595 size_t i, j, k, md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]596 unsigned char tmp[128];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
598 const mbedtls_md_info_t *md_info;
599 mbedtls_md_context_t md_ctx;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]600 int ret;
601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]602 mbedtls_md_init( &md_ctx );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]603
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]604 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
605 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]606
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]607 md_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]608
609 if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]610 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]611
612 nb = strlen( label );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]613 memcpy( tmp + md_len, label, nb );
614 memcpy( tmp + md_len + nb, random, rlen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]615 nb += rlen;
616
617 /*
618 * Compute P_<hash>(secret, label + random)[0..dlen]
619 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]620 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]621 return( ret );
622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
624 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
625 mbedtls_md_hmac_finish( &md_ctx, tmp );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100[diff] [blame]626
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]627 for( i = 0; i < dlen; i += md_len )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]628 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629 mbedtls_md_hmac_reset ( &md_ctx );
630 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
631 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]633 mbedtls_md_hmac_reset ( &md_ctx );
634 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
635 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]636
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]637 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]638
639 for( j = 0; j < k; j++ )
640 dstbuf[i + j] = h_i[j];
641 }
642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]644
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]645 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
646 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]647
648 return( 0 );
649}
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]650#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]651#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]652static int tls_prf_sha256( const unsigned char *secret, size_t slen,
653 const char *label,
654 const unsigned char *random, size_t rlen,
655 unsigned char *dstbuf, size_t dlen )
656{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]658 label, random, rlen, dstbuf, dlen ) );
659}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]660#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662#if defined(MBEDTLS_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]663static int tls_prf_sha384( const unsigned char *secret, size_t slen,
664 const char *label,
665 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]666 unsigned char *dstbuf, size_t dlen )
667{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]669 label, random, rlen, dstbuf, dlen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]670}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671#endif /* MBEDTLS_SHA512_C */
672#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]673
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]674static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
677 defined(MBEDTLS_SSL_PROTO_TLS1_1)
678static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]679#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]681#if defined(MBEDTLS_SSL_PROTO_SSL3)
682static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
683static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]684#endif
685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
687static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
688static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]689#endif
690
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
692#if defined(MBEDTLS_SHA256_C)
693static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
694static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
695static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]696#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698#if defined(MBEDTLS_SHA512_C)
699static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
700static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
701static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]702#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]703#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]704
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]705#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && \
706 defined(MBEDTLS_USE_PSA_CRYPTO)
707static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
708{
709 if( ssl->conf->f_psk != NULL )
710 {
711 /* If we've used a callback to select the PSK,
712 * the static configuration is irrelevant. */
713 if( ssl->handshake->psk_opaque != 0 )
714 return( 1 );
715
716 return( 0 );
717 }
718
719 if( ssl->conf->psk_opaque != 0 )
720 return( 1 );
721
722 return( 0 );
723}
724#endif /* MBEDTLS_USE_PSA_CRYPTO &&
725 MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]729 int ret = 0;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]730#if defined(MBEDTLS_USE_PSA_CRYPTO)
731 int psa_fallthrough;
732#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734 unsigned char keyblk[256];
735 unsigned char *key1;
736 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]737 unsigned char *mac_enc;
738 unsigned char *mac_dec;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]739 size_t mac_key_len;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]740 size_t iv_copy_len;
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]741 size_t taglen = 0;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]742 unsigned keylen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]743 const mbedtls_cipher_info_t *cipher_info;
744 const mbedtls_md_info_t *md_info;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]745
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]746 /* cf. RFC 5246, Section 8.1:
747 * "The master secret is always exactly 48 bytes in length." */
748 size_t const master_secret_len = 48;
749
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]750#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
751 unsigned char session_hash[48];
752#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]754 mbedtls_ssl_session *session = ssl->session_negotiate;
755 mbedtls_ssl_transform *transform = ssl->transform_negotiate;
756 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]760 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]761 if( cipher_info == NULL )
762 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]764 transform->ciphersuite_info->cipher ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]765 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]766 }
767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]769 if( md_info == NULL )
770 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]772 transform->ciphersuite_info->mac ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]773 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]774 }
775
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]776 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]777 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]778 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]779#if defined(MBEDTLS_SSL_PROTO_SSL3)
780 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]781 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]782 handshake->tls_prf = ssl3_prf;
783 handshake->calc_verify = ssl_calc_verify_ssl;
784 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]785 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]786 else
787#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]788#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
789 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]790 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]791 handshake->tls_prf = tls1_prf;
792 handshake->calc_verify = ssl_calc_verify_tls;
793 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]794 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]795 else
796#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]797#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
798#if defined(MBEDTLS_SHA512_C)
799 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
800 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]801 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]802 handshake->tls_prf = tls_prf_sha384;
803 handshake->calc_verify = ssl_calc_verify_tls_sha384;
804 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]805 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]806 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]807#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]808#if defined(MBEDTLS_SHA256_C)
809 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]810 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]811 handshake->tls_prf = tls_prf_sha256;
812 handshake->calc_verify = ssl_calc_verify_tls_sha256;
813 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]814 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]815 else
816#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]817#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]818 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
820 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]821 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]822
823 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]824 * SSLv3:
825 * master =
826 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
827 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
828 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]829 *
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]830 * TLSv1+:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831 * master = PRF( premaster, "master secret", randbytes )[0..47]
832 */
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]833 if( handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834 {
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
836 }
837 else
838 {
839 /* The label for the KDF used for key expansion.
840 * This is either "master secret" or "extended master secret"
841 * depending on whether the Extended Master Secret extension
842 * is used. */
843 char const *lbl = "master secret";
844
845 /* The salt for the KDF used for key expansion.
846 * - If the Extended Master Secret extension is not used,
847 * this is ClientHello.Random + ServerHello.Random
848 * (see Sect. 8.1 in RFC 5246).
849 * - If the Extended Master Secret extension is used,
850 * this is the transcript of the handshake so far.
851 * (see Sect. 4 in RFC 7627). */
852 unsigned char const *salt = handshake->randbytes;
853 size_t salt_len = 64;
854
855#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
856 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
857 ssl->transform_negotiate->ciphersuite_info;
858 mbedtls_md_type_t const md_type = ciphersuite_info->mac;
859#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]861#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
862 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]863 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]864 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]865
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]866 lbl = "extended master secret";
867 salt = session_hash;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]868 ssl->handshake->calc_verify( ssl, session_hash );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]869#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
870 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]871 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]872#if defined(MBEDTLS_SHA512_C)
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]873 if( md_type == MBEDTLS_MD_SHA384 )
874 salt_len = 48;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]875 else
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]876#endif /* MBEDTLS_SHA512_C */
877 salt_len = 32;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]878 }
879 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]880#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]881 salt_len = 36;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]882
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]883 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, salt_len );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]884 }
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]885#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
886
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]887#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
888 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
889 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
890 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
891 ssl_use_opaque_psk( ssl ) == 1 )
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]892 {
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]893 /* Perform PSK-to-MS expansion in a single step. */
894 psa_status_t status;
895 psa_algorithm_t alg;
896 psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500[diff] [blame]897 psa_key_handle_t psk;
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]898
899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
900
901 psk = ssl->conf->psk_opaque;
902 if( ssl->handshake->psk_opaque != 0 )
903 psk = ssl->handshake->psk_opaque;
904
905 if( md_type == MBEDTLS_MD_SHA384 )
906 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
907 else
908 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
909
910 status = psa_key_derivation( &generator, psk, alg,
911 salt, salt_len,
912 (unsigned char const *) lbl,
913 (size_t) strlen( lbl ),
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]914 master_secret_len );
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]915 if( status != PSA_SUCCESS )
916 {
917 psa_generator_abort( &generator );
918 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
919 }
920
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]921 status = psa_generator_read( &generator, session->master,
922 master_secret_len );
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]923 if( status != PSA_SUCCESS )
924 {
925 psa_generator_abort( &generator );
926 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
927 }
928
929 status = psa_generator_abort( &generator );
930 if( status != PSA_SUCCESS )
931 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]932 }
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]933 else
934#endif
935 {
936 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
937 lbl, salt, salt_len,
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]938 session->master,
939 master_secret_len );
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]940 if( ret != 0 )
941 {
942 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
943 return( ret );
944 }
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]945
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]946 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
947 handshake->premaster,
948 handshake->pmslen );
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]949
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]950 mbedtls_platform_zeroize( handshake->premaster,
951 sizeof(handshake->premaster) );
952 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]953 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954
955 /*
956 * Swap the client and server random values.
957 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]958 memcpy( tmp, handshake->randbytes, 64 );
959 memcpy( handshake->randbytes, tmp + 32, 32 );
960 memcpy( handshake->randbytes + 32, tmp, 32 );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]961 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]962
963 /*
964 * SSLv3:
965 * key block =
966 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
967 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
968 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
969 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
970 * ...
971 *
972 * TLSv1:
973 * key block = PRF( master, "key expansion", randbytes )
974 */
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]975 ret = handshake->tls_prf( session->master, 48, "key expansion",
976 handshake->randbytes, 64, keyblk, 256 );
977 if( ret != 0 )
978 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]979 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]980 return( ret );
981 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]983 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
984 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
985 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
986 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
987 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]989 mbedtls_platform_zeroize( handshake->randbytes,
990 sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991
992 /*
993 * Determine the appropriate key, IV and MAC length.
994 */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]995
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]996 keylen = cipher_info->key_bitlen / 8;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]999 cipher_info->mode == MBEDTLS_MODE_CCM ||
1000 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 {
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1002 size_t explicit_ivlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1003
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1004 transform->maclen = 0;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1005 mac_key_len = 0;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1006
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1007 /* All modes haves 96-bit IVs;
1008 * GCM and CCM has 4 implicit and 8 explicit bytes
1009 * ChachaPoly has all 12 bytes implicit
1010 */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1011 transform->ivlen = 12;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1012 if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
1013 transform->fixed_ivlen = 12;
1014 else
1015 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1016
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1017 /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
1018 taglen = transform->ciphersuite_info->flags &
1019 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
1020
1021
1022 /* Minimum length of encrypted record */
1023 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
1024 transform->minlen = explicit_ivlen + taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1025 }
1026 else
1027 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1028 /* Initialize HMAC contexts */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
1030 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1031 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1033 return( ret );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1034 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1036 /* Get MAC length */
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1037 mac_key_len = mbedtls_md_get_size( md_info );
1038 transform->maclen = mac_key_len;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1041 /*
1042 * If HMAC is to be truncated, we shall keep the leftmost bytes,
1043 * (rfc 6066 page 13 or rfc 2104 section 4),
1044 * so we only need to adjust the length here.
1045 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
Hanno Beckere89353a2017-11-20 16:36:41 +0000[diff] [blame]1047 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1048 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
Hanno Beckere89353a2017-11-20 16:36:41 +0000[diff] [blame]1049
1050#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
1051 /* Fall back to old, non-compliant version of the truncated
Hanno Becker563423f2017-11-21 17:20:17 +0000[diff] [blame]1052 * HMAC implementation which also truncates the key
1053 * (Mbed TLS versions from 1.3 to 2.6.0) */
Hanno Beckere89353a2017-11-20 16:36:41 +0000[diff] [blame]1054 mac_key_len = transform->maclen;
1055#endif
1056 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1058
1059 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1060 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1062 /* Minimum length */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063 if( cipher_info->mode == MBEDTLS_MODE_STREAM )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1064 transform->minlen = transform->maclen;
1065 else
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1066 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1067 /*
1068 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]1069 * 1. if EtM is in use: one block plus MAC
1070 * otherwise: * first multiple of blocklen greater than maclen
1071 * 2. IV except for SSL3 and TLS 1.0
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1072 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1074 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]1075 {
1076 transform->minlen = transform->maclen
1077 + cipher_info->block_size;
1078 }
1079 else
1080#endif
1081 {
1082 transform->minlen = transform->maclen
1083 + cipher_info->block_size
1084 - transform->maclen % cipher_info->block_size;
1085 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1088 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1089 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1090 ; /* No need to adjust minlen */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1091 else
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1092#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1093#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1094 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
1095 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1096 {
1097 transform->minlen += transform->ivlen;
1098 }
1099 else
1100#endif
1101 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1102 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1103 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1104 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1105 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106 }
1107
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1108 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
1109 (unsigned) keylen,
1110 (unsigned) transform->minlen,
1111 (unsigned) transform->ivlen,
1112 (unsigned) transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1113
1114 /*
1115 * Finally setup the cipher contexts, IVs and MAC secrets.
1116 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1117#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1118 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1120 key1 = keyblk + mac_key_len * 2;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1121 key2 = keyblk + mac_key_len * 2 + keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1122
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1123 mac_enc = keyblk;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1124 mac_dec = keyblk + mac_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1125
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1126 /*
1127 * This is not used in TLS v1.1.
1128 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1129 iv_copy_len = ( transform->fixed_ivlen ) ?
1130 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1131 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
1132 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1133 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 }
1135 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136#endif /* MBEDTLS_SSL_CLI_C */
1137#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1138 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139 {
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1140 key1 = keyblk + mac_key_len * 2 + keylen;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1141 key2 = keyblk + mac_key_len * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1142
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1143 mac_enc = keyblk + mac_key_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1144 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1146 /*
1147 * This is not used in TLS v1.1.
1148 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1149 iv_copy_len = ( transform->fixed_ivlen ) ?
1150 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1151 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
1152 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1153 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1154 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]1155 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1156#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]1157 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1159 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]1160 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1162#if defined(MBEDTLS_SSL_PROTO_SSL3)
1163 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1164 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1165 if( mac_key_len > sizeof transform->mac_enc )
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100[diff] [blame]1166 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1167 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1168 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100[diff] [blame]1169 }
1170
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1171 memcpy( transform->mac_enc, mac_enc, mac_key_len );
1172 memcpy( transform->mac_dec, mac_dec, mac_key_len );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1173 }
1174 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1175#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1176#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1177 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1178 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1179 {
Gilles Peskine039fd122018-03-19 19:06:08 +0100[diff] [blame]1180 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
1181 For AEAD-based ciphersuites, there is nothing to do here. */
1182 if( mac_key_len != 0 )
1183 {
1184 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
1185 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
1186 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1187 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1188 else
1189#endif
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1190 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1192 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1193 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1195#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
1196 if( mbedtls_ssl_hw_record_init != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1197 {
1198 int ret = 0;
1199
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1200 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1201
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1202 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]1203 transform->iv_enc, transform->iv_dec,
1204 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1205 mac_enc, mac_dec,
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1206 mac_key_len ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1207 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1208 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
1209 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1210 }
1211 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1212#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1213
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +0200[diff] [blame]1214#if defined(MBEDTLS_SSL_EXPORT_KEYS)
1215 if( ssl->conf->f_export_keys != NULL )
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100[diff] [blame]1216 {
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +0200[diff] [blame]1217 ssl->conf->f_export_keys( ssl->conf->p_export_keys,
1218 session->master, keyblk,
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame^]1219 mac_key_len, keylen,
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100[diff] [blame]1220 iv_copy_len );
1221 }
1222#endif
1223
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1224#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1225
1226 /* Only use PSA-based ciphers for TLS-1.2.
1227 * That's relevant at least for TLS-1.0, where
1228 * we assume that mbedtls_cipher_crypt() updates
1229 * the structure field for the IV, which the PSA-based
1230 * implementation currently doesn't. */
1231#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1232 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1233 {
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1234 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
1235 cipher_info, taglen );
1236 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1237 {
1238 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1239 return( ret );
1240 }
1241
1242 if( ret == 0 )
1243 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]1244 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1245 psa_fallthrough = 0;
1246 }
1247 else
1248 {
1249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
1250 psa_fallthrough = 1;
1251 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1252 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1253 else
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1254 psa_fallthrough = 1;
1255#else
1256 psa_fallthrough = 1;
1257#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1258
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1259 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1260#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1261 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1262 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1263 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1264 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1265 return( ret );
1266 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1267
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1268#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1269 /* Only use PSA-based ciphers for TLS-1.2.
1270 * That's relevant at least for TLS-1.0, where
1271 * we assume that mbedtls_cipher_crypt() updates
1272 * the structure field for the IV, which the PSA-based
1273 * implementation currently doesn't. */
1274#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1275 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1276 {
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1277 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
1278 cipher_info, taglen );
1279 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1280 {
1281 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1282 return( ret );
1283 }
1284
1285 if( ret == 0 )
1286 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]1287 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1288 psa_fallthrough = 0;
1289 }
1290 else
1291 {
1292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
1293 psa_fallthrough = 1;
1294 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1295 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1296 else
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1297 psa_fallthrough = 1;
1298#else
1299 psa_fallthrough = 1;
1300#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1301
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1302 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1303#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1304 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1305 cipher_info ) ) != 0 )
1306 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1307 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1308 return( ret );
1309 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200[diff] [blame]1312 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1314 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1315 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1316 return( ret );
1317 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200[diff] [blame]1320 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1321 MBEDTLS_DECRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1322 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1323 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1324 return( ret );
1325 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327#if defined(MBEDTLS_CIPHER_MODE_CBC)
1328 if( cipher_info->mode == MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1329 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1331 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200[diff] [blame]1332 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1333 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1334 return( ret );
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200[diff] [blame]1335 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1336
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1338 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1339 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1340 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1341 return( ret );
1342 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1344#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1345
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]1346 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1349 // Initialize compression
1350 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1352 {
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1353 if( ssl->compress_buf == NULL )
1354 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1356 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1357 if( ssl->compress_buf == NULL )
1358 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1360 MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1361 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1362 }
1363 }
1364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1366
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1367 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
1368 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1369
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1370 if( deflateInit( &transform->ctx_deflate,
1371 Z_DEFAULT_COMPRESSION ) != Z_OK ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1372 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1373 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
1375 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1376 }
1377 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381
1382 return( 0 );
1383}
1384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385#if defined(MBEDTLS_SSL_PROTO_SSL3)
1386void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1387{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1388 mbedtls_md5_context md5;
1389 mbedtls_sha1_context sha1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1390 unsigned char pad_1[48];
1391 unsigned char pad_2[48];
1392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1393 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1394
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1395 mbedtls_md5_init( &md5 );
1396 mbedtls_sha1_init( &sha1 );
1397
1398 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1399 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1401 memset( pad_1, 0x36, 48 );
1402 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1403
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1404 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1405 mbedtls_md5_update_ret( &md5, pad_1, 48 );
1406 mbedtls_md5_finish_ret( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1408 mbedtls_md5_starts_ret( &md5 );
1409 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1410 mbedtls_md5_update_ret( &md5, pad_2, 48 );
1411 mbedtls_md5_update_ret( &md5, hash, 16 );
1412 mbedtls_md5_finish_ret( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1414 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1415 mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
1416 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1417
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1418 mbedtls_sha1_starts_ret( &sha1 );
1419 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1420 mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
1421 mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
1422 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1423
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1424 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1425 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1426
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1427 mbedtls_md5_free( &md5 );
1428 mbedtls_sha1_free( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]1429
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1430 return;
1431}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1434#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
1435void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1436{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1437 mbedtls_md5_context md5;
1438 mbedtls_sha1_context sha1;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1440 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1441
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1442 mbedtls_md5_init( &md5 );
1443 mbedtls_sha1_init( &sha1 );
1444
1445 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1446 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1447
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1448 mbedtls_md5_finish_ret( &md5, hash );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1449 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1453
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1454 mbedtls_md5_free( &md5 );
1455 mbedtls_sha1_free( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]1456
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1457 return;
1458}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1459#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1460
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1462#if defined(MBEDTLS_SHA256_C)
1463void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1464{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1465#if defined(MBEDTLS_USE_PSA_CRYPTO)
1466 size_t hash_size;
1467 psa_status_t status;
1468 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
1469
1470 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
1471 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
1472 if( status != PSA_SUCCESS )
1473 {
1474 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1475 return;
1476 }
1477
1478 status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
1479 if( status != PSA_SUCCESS )
1480 {
1481 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1482 return;
1483 }
1484 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 32 );
1485 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1486#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1487 mbedtls_sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1488
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1489 mbedtls_sha256_init( &sha256 );
1490
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1491 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1492
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1493 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1494 mbedtls_sha256_finish_ret( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
1497 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1498
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1499 mbedtls_sha256_free( &sha256 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1500#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1501 return;
1502}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1503#endif /* MBEDTLS_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1504
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1505#if defined(MBEDTLS_SHA512_C)
1506void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1507{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1508#if defined(MBEDTLS_USE_PSA_CRYPTO)
1509 size_t hash_size;
1510 psa_status_t status;
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]1511 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1512
1513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]1514 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1515 if( status != PSA_SUCCESS )
1516 {
1517 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1518 return;
1519 }
1520
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]1521 status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1522 if( status != PSA_SUCCESS )
1523 {
1524 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1525 return;
1526 }
1527 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 48 );
1528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1529#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1530 mbedtls_sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1531
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1532 mbedtls_sha512_init( &sha512 );
1533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1535
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1536 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1537 mbedtls_sha512_finish_ret( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1539 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
1540 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1541
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1542 mbedtls_sha512_free( &sha512 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1543#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544 return;
1545}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1546#endif /* MBEDTLS_SHA512_C */
1547#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1549#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1550int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1551{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1552 unsigned char *p = ssl->handshake->premaster;
1553 unsigned char *end = p + sizeof( ssl->handshake->premaster );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1554 const unsigned char *psk = ssl->conf->psk;
1555 size_t psk_len = ssl->conf->psk_len;
1556
1557 /* If the psk callback was called, use its result */
1558 if( ssl->handshake->psk != NULL )
1559 {
1560 psk = ssl->handshake->psk;
1561 psk_len = ssl->handshake->psk_len;
1562 }
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1563
1564 /*
1565 * PMS = struct {
1566 * opaque other_secret<0..2^16-1>;
1567 * opaque psk<0..2^16-1>;
1568 * };
1569 * with "other_secret" depending on the particular key exchange
1570 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1571#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1572 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1573 {
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1574 if( end - p < 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1575 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1576
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1577 *(p++) = (unsigned char)( psk_len >> 8 );
1578 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1579
1580 if( end < p || (size_t)( end - p ) < psk_len )
1581 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1582
1583 memset( p, 0, psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1584 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1585 }
1586 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1587#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1588#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1589 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1590 {
1591 /*
1592 * other_secret already set by the ClientKeyExchange message,
1593 * and is 48 bytes long
1594 */
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1595 if( end - p < 2 )
1596 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1597
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1598 *p++ = 0;
1599 *p++ = 48;
1600 p += 48;
1601 }
1602 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1603#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1604#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1605 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1606 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]1607 int ret;
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]1608 size_t len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1609
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200[diff] [blame]1610 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1611 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]1612 p + 2, end - ( p + 2 ), &len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]1613 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1614 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1615 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1616 return( ret );
1617 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200[diff] [blame]1618 *(p++) = (unsigned char)( len >> 8 );
1619 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1620 p += len;
1621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1622 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1623 }
1624 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1625#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1626#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1627 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1628 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]1629 int ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1630 size_t zlen;
1631
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1632 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1633 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]1634 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1635 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1637 return( ret );
1638 }
1639
1640 *(p++) = (unsigned char)( zlen >> 8 );
1641 *(p++) = (unsigned char)( zlen );
1642 p += zlen;
1643
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]1644 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1645 MBEDTLS_DEBUG_ECDH_Z );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1646 }
1647 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1648#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1651 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1652 }
1653
1654 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1655 if( end - p < 2 )
1656 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +0100[diff] [blame]1657
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1658 *(p++) = (unsigned char)( psk_len >> 8 );
1659 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1660
1661 if( end < p || (size_t)( end - p ) < psk_len )
1662 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1663
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1664 memcpy( p, psk, psk_len );
1665 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1666
1667 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1668
1669 return( 0 );
1670}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674/*
1675 * SSLv3.0 MAC functions
1676 */
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +0100[diff] [blame]1677#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1678static void ssl_mac( mbedtls_md_context_t *md_ctx,
1679 const unsigned char *secret,
1680 const unsigned char *buf, size_t len,
1681 const unsigned char *ctr, int type,
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +0100[diff] [blame]1682 unsigned char out[SSL_MAC_MAX_BYTES] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1683{
1684 unsigned char header[11];
1685 unsigned char padding[48];
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +0200[diff] [blame]1686 int padlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1687 int md_size = mbedtls_md_get_size( md_ctx->md_info );
1688 int md_type = mbedtls_md_get_type( md_ctx->md_info );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1689
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +0200[diff] [blame]1690 /* Only MD5 and SHA-1 supported */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1691 if( md_type == MBEDTLS_MD_MD5 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1692 padlen = 48;
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +0200[diff] [blame]1693 else
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1694 padlen = 40;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1695
1696 memcpy( header, ctr, 8 );
1697 header[ 8] = (unsigned char) type;
1698 header[ 9] = (unsigned char)( len >> 8 );
1699 header[10] = (unsigned char)( len );
1700
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1701 memset( padding, 0x36, padlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1702 mbedtls_md_starts( md_ctx );
1703 mbedtls_md_update( md_ctx, secret, md_size );
1704 mbedtls_md_update( md_ctx, padding, padlen );
1705 mbedtls_md_update( md_ctx, header, 11 );
1706 mbedtls_md_update( md_ctx, buf, len );
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1707 mbedtls_md_finish( md_ctx, out );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1708
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1709 memset( padding, 0x5C, padlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1710 mbedtls_md_starts( md_ctx );
1711 mbedtls_md_update( md_ctx, secret, md_size );
1712 mbedtls_md_update( md_ctx, padding, padlen );
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1713 mbedtls_md_update( md_ctx, out, md_size );
1714 mbedtls_md_finish( md_ctx, out );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]1715}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1716#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]1717
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1718#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
1719 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1720 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]1721#define SSL_SOME_MODES_USE_MAC
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +0100[diff] [blame]1722#endif
1723
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1724/* The function below is only used in the Lucky 13 counter-measure in
1725 * ssl_decrypt_buf(). These are the defines that guard the call site. */
1726#if defined(SSL_SOME_MODES_USE_MAC) && \
1727 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
1728 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1729 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
1730/* This function makes sure every byte in the memory region is accessed
1731 * (in ascending addresses order) */
1732static void ssl_read_memory( unsigned char *p, size_t len )
1733{
1734 unsigned char acc = 0;
1735 volatile unsigned char force;
1736
1737 for( ; len != 0; p++, len-- )
1738 acc ^= *p;
1739
1740 force = acc;
1741 (void) force;
1742}
1743#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
1744
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1745/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1747 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1750 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1751 int auth_done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1753 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1755 if( ssl->session_out == NULL || ssl->transform_out == NULL )
1756 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1758 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1759 }
1760
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1761 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1762
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1763 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +0100[diff] [blame]1764 ssl->out_msg, ssl->out_msglen );
1765
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1766 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1767 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768 */
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]1769#if defined(SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1770 if( mode == MBEDTLS_MODE_STREAM ||
1771 ( mode == MBEDTLS_MODE_CBC
1772#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1773 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1774#endif
1775 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1777#if defined(MBEDTLS_SSL_PROTO_SSL3)
1778 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1779 {
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +0100[diff] [blame]1780 unsigned char mac[SSL_MAC_MAX_BYTES];
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1781
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1782 ssl_mac( &ssl->transform_out->md_ctx_enc,
1783 ssl->transform_out->mac_enc,
1784 ssl->out_msg, ssl->out_msglen,
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1785 ssl->out_ctr, ssl->out_msgtype,
1786 mac );
1787
1788 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1789 }
1790 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1791#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1792#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1793 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1794 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1795 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1796 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1797
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1798 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
1799 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
1800 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
1801 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1802 ssl->out_msg, ssl->out_msglen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1803 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1804 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1805
1806 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1807 }
1808 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1809#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1810 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1812 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1813 }
1814
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1815 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1816 ssl->out_msg + ssl->out_msglen,
1817 ssl->transform_out->maclen );
1818
1819 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1820 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1821 }
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]1822#endif /* AEAD not the only option */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1824 /*
1825 * Encrypt
1826 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1827#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1828 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1830 int ret;
1831 size_t olen = 0;
1832
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834 "including %d bytes of padding",
1835 ssl->out_msglen, 0 ) );
1836
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1837 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1838 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]1839 ssl->transform_out->ivlen,
1840 ssl->out_msg, ssl->out_msglen,
1841 ssl->out_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1843 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1844 return( ret );
1845 }
1846
1847 if( ssl->out_msglen != olen )
1848 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1849 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1850 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1851 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1853 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1854#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1855#if defined(MBEDTLS_GCM_C) || \
1856 defined(MBEDTLS_CCM_C) || \
1857 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1859 mode == MBEDTLS_MODE_CCM ||
1860 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1861 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]1862 int ret;
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1863 size_t enc_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1864 unsigned char *enc_msg;
1865 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1866 unsigned char iv[12];
1867 mbedtls_ssl_transform *transform = ssl->transform_out;
1868 unsigned char taglen = transform->ciphersuite_info->flags &
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1869 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1870 size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1871
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1872 /*
1873 * Prepare additional authenticated data
1874 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1875 memcpy( add_data, ssl->out_ctr, 8 );
1876 add_data[8] = ssl->out_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1877 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1878 ssl->conf->transport, add_data + 9 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1879 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1880 add_data[12] = ssl->out_msglen & 0xFF;
1881
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1882 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1883
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1884 /*
1885 * Generate IV
1886 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1887 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1888 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1889 /* GCM and CCM: fixed || explicit (=seqnum) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1890 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1891 memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
1892 memcpy( ssl->out_iv, ssl->out_ctr, 8 );
1893
1894 }
1895 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
1896 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1897 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1898 unsigned char i;
1899
1900 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1901
1902 for( i = 0; i < 8; i++ )
1903 iv[i+4] ^= ssl->out_ctr[i];
1904 }
1905 else
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]1906 {
1907 /* Reminder if we ever add an AEAD mode with a different size */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1909 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]1910 }
1911
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1912 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
1913 iv, transform->ivlen );
1914 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
1915 ssl->out_iv, explicit_ivlen );
Manuel Pégourié-Gonnard226d5da2013-09-05 13:19:22 +0200[diff] [blame]1916
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1917 /*
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1918 * Fix message length with added IV
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1919 */
1920 enc_msg = ssl->out_msg;
1921 enc_msglen = ssl->out_msglen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1922 ssl->out_msglen += explicit_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1924 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1925 "including 0 bytes of padding",
1926 ssl->out_msglen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1927
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1928 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1929 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1930 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1931 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
1932 iv, transform->ivlen,
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1933 add_data, 13,
1934 enc_msg, enc_msglen,
1935 enc_msg, &olen,
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]1936 enc_msg + enc_msglen, taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1937 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1939 return( ret );
1940 }
1941
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1942 if( olen != enc_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1943 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1945 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1946 }
1947
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]1948 ssl->out_msglen += taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1949 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1950
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1951 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1952 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1954#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1955#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1956 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1957 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1958 {
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1959 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1960 unsigned char *enc_msg;
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]1961 size_t enc_msglen, padlen, olen = 0, i;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1962
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1963 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1964 ssl->transform_out->ivlen;
1965 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1966 padlen = 0;
1967
1968 for( i = 0; i <= padlen; i++ )
1969 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1970
1971 ssl->out_msglen += padlen + 1;
1972
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1973 enc_msglen = ssl->out_msglen;
1974 enc_msg = ssl->out_msg;
1975
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1976#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1977 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1978 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1979 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1980 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1981 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1982 {
1983 /*
1984 * Generate IV
1985 */
Manuel Pégourié-Gonnardea356662015-08-27 12:02:40 +0200[diff] [blame]1986 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1987 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1988 if( ret != 0 )
1989 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1990
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]1991 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1992 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1993
1994 /*
1995 * Fix pointer positions and message length with added IV
1996 */
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]1997 enc_msg = ssl->out_msg;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1998 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1999 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2000 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2002
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2003 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2004 "including %d bytes of IV and %d bytes of padding",
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]2005 ssl->out_msglen, ssl->transform_out->ivlen,
2006 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2008 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2009 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]2010 ssl->transform_out->ivlen,
2011 enc_msg, enc_msglen,
2012 enc_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2013 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2014 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2015 return( ret );
2016 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2017
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2018 if( enc_msglen != olen )
2019 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2020 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2021 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2022 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2023
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2024#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
2025 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2026 {
2027 /*
2028 * Save IV in SSL3 and TLS1
2029 */
2030 memcpy( ssl->transform_out->iv_enc,
2031 ssl->transform_out->cipher_ctx_enc.iv,
2032 ssl->transform_out->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2034#endif
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2035
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2036#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2037 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2038 {
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]2039 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
2040
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2041 /*
2042 * MAC(MAC_write_key, seq_num +
2043 * TLSCipherText.type +
2044 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2045 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2046 * IV + // except for TLS 1.0
2047 * ENC(content + padding + padding_length));
2048 */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2049 unsigned char pseudo_hdr[13];
2050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2052
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2053 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
2054 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2055 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
2056 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
2057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2058 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2059
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2060 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
2061 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2062 ssl->out_iv, ssl->out_msglen );
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]2063 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2064 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2065
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]2066 memcpy( ssl->out_iv + ssl->out_msglen, mac,
2067 ssl->transform_out->maclen );
2068
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2069 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2070 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2071 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2072#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2074 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2075#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]2076 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2077 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2079 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2080 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2081
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2082 /* Make extra sure authentication was performed, exactly once */
2083 if( auth_done != 1 )
2084 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2086 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2087 }
2088
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2089 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2090
2091 return( 0 );
2092}
2093
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2094static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2095{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2096 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2097 int auth_done = 0;
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]2098#if defined(SSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]2099 size_t padlen = 0, correct = 1;
2100#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2103
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2104 if( ssl->session_in == NULL || ssl->transform_in == NULL )
2105 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2107 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2108 }
2109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2110 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2111
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2112 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2113 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2115 ssl->in_msglen, ssl->transform_in->minlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2116 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2117 }
2118
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2119#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
2120 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2121 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]2122 int ret;
2123 size_t olen = 0;
2124
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2125 padlen = 0;
2126
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2127 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2128 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]2129 ssl->transform_in->ivlen,
2130 ssl->in_msg, ssl->in_msglen,
2131 ssl->in_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2132 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2133 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]2134 return( ret );
2135 }
2136
2137 if( ssl->in_msglen != olen )
2138 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2140 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]2141 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2143 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2144#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2145#if defined(MBEDTLS_GCM_C) || \
2146 defined(MBEDTLS_CCM_C) || \
2147 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2148 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2149 mode == MBEDTLS_MODE_CCM ||
2150 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2151 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]2152 int ret;
2153 size_t dec_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2154 unsigned char *dec_msg;
2155 unsigned char *dec_msg_result;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2156 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2157 unsigned char iv[12];
2158 mbedtls_ssl_transform *transform = ssl->transform_in;
2159 unsigned char taglen = transform->ciphersuite_info->flags &
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2160 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2161 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2162
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2163 /*
2164 * Compute and update sizes
2165 */
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]2166 if( ssl->in_msglen < explicit_iv_len + taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2167 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2169 "+ taglen (%d)", ssl->in_msglen,
2170 explicit_iv_len, taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2172 }
2173 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
2174
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2175 dec_msg = ssl->in_msg;
2176 dec_msg_result = ssl->in_msg;
2177 ssl->in_msglen = dec_msglen;
2178
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2179 /*
2180 * Prepare additional authenticated data
2181 */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2182 memcpy( add_data, ssl->in_ctr, 8 );
2183 add_data[8] = ssl->in_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2184 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2185 ssl->conf->transport, add_data + 9 );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2186 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
2187 add_data[12] = ssl->in_msglen & 0xFF;
2188
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2189 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2190
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2191 /*
2192 * Prepare IV
2193 */
2194 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
2195 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]2196 /* GCM and CCM: fixed || explicit (transmitted) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2197 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2198 memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2199
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2200 }
2201 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
2202 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]2203 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2204 unsigned char i;
2205
2206 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2207
2208 for( i = 0; i < 8; i++ )
2209 iv[i+4] ^= ssl->in_ctr[i];
2210 }
2211 else
2212 {
2213 /* Reminder if we ever add an AEAD mode with a different size */
2214 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2215 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2216 }
2217
2218 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2219 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2220
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2221 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2222 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2223 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2224 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2225 iv, transform->ivlen,
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2226 add_data, 13,
2227 dec_msg, dec_msglen,
2228 dec_msg_result, &olen,
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]2229 dec_msg + dec_msglen, taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2230 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2231 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2232
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
2234 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2235
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2236 return( ret );
2237 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2238 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2239
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2240 if( olen != dec_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2241 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2243 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2244 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2245 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2247#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
2248#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]2249 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2250 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2251 {
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2252 /*
2253 * Decrypt and check the padding
2254 */
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2255 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2256 unsigned char *dec_msg;
2257 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2258 size_t dec_msglen;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2259 size_t minlen = 0;
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2260 size_t olen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2261
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2262 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2263 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2265#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
2266 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2267 minlen += ssl->transform_in->ivlen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2268#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2269
2270 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
2271 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
2272 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2273 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]2274 "+ 1 ) ( + expl IV )", ssl->in_msglen,
2275 ssl->transform_in->ivlen,
2276 ssl->transform_in->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2277 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2278 }
2279
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2280 dec_msglen = ssl->in_msglen;
2281 dec_msg = ssl->in_msg;
2282 dec_msg_result = ssl->in_msg;
2283
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2284 /*
2285 * Authenticate before decrypt if enabled
2286 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2287#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2288 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2289 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2290 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2291 unsigned char pseudo_hdr[13];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2292
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2293 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2294
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2295 dec_msglen -= ssl->transform_in->maclen;
2296 ssl->in_msglen -= ssl->transform_in->maclen;
2297
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2298 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
2299 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
2300 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
2301 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
2302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2303 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2304
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2305 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
2306 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2307 ssl->in_iv, ssl->in_msglen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2308 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2309 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2311 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2312 ssl->transform_in->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2313 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2314 ssl->transform_in->maclen );
2315
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2316 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
2317 ssl->transform_in->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2318 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2321 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2322 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2323 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2324 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2325#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2326
2327 /*
2328 * Check length sanity
2329 */
2330 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
2331 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2333 ssl->in_msglen, ssl->transform_in->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2335 }
2336
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2337#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2338 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2339 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2340 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2341 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2342 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2343 unsigned char i;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2344 dec_msglen -= ssl->transform_in->ivlen;
2345 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2346
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2347 for( i = 0; i < ssl->transform_in->ivlen; i++ )
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]2348 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2349 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2350#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2351
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2352 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2353 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]2354 ssl->transform_in->ivlen,
2355 dec_msg, dec_msglen,
2356 dec_msg_result, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2357 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2358 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2359 return( ret );
2360 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2361
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2362 if( dec_msglen != olen )
2363 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2365 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2366 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2368#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
2369 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2370 {
2371 /*
2372 * Save IV in SSL3 and TLS1
2373 */
2374 memcpy( ssl->transform_in->iv_dec,
2375 ssl->transform_in->cipher_ctx_dec.iv,
2376 ssl->transform_in->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2377 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2378#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2379
2380 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2381
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2382 if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2383 auth_done == 0 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2384 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2385#if defined(MBEDTLS_SSL_DEBUG_ALL)
2386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2387 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]2388#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2389 padlen = 0;
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2390 correct = 0;
2391 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2393#if defined(MBEDTLS_SSL_PROTO_SSL3)
2394 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2395 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2396 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2397 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398#if defined(MBEDTLS_SSL_DEBUG_ALL)
2399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2401 padlen, ssl->transform_in->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]2402#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2403 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2404 }
2405 }
2406 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2407#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2408#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2409 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2410 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2411 {
2412 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2413 * TLSv1+: always check the padding up to the first failure
2414 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2415 */
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]2416 size_t pad_count = 0, real_count = 1;
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2417 size_t padding_idx = ssl->in_msglen - padlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2418 size_t i;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2419
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2420 /*
2421 * Padding is guaranteed to be incorrect if:
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2422 * 1. padlen > ssl->in_msglen
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2423 *
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2424 * 2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
Paul Bakker61885c72014-04-25 12:59:03 +0200[diff] [blame]2425 * ssl->transform_in->maclen
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2426 *
2427 * In both cases we reset padding_idx to a safe value (0) to
2428 * prevent out-of-buffer reads.
2429 */
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2430 correct &= ( padlen <= ssl->in_msglen );
2431 correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
Paul Bakker61885c72014-04-25 12:59:03 +0200[diff] [blame]2432 ssl->transform_in->maclen );
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2433
2434 padding_idx *= correct;
2435
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2436 for( i = 0; i < 256; i++ )
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]2437 {
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2438 real_count &= ( i < padlen );
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]2439 pad_count += real_count *
2440 ( ssl->in_msg[padding_idx + i] == padlen - 1 );
2441 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2442
2443 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2445#if defined(MBEDTLS_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2446 if( padlen > 0 && correct == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]2448#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2449 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2450 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2451 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2452#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2453 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2454 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2456 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2457 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2458
2459 ssl->in_msglen -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2460 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2461 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2462#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]2463 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2464 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2466 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2467 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2468
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]2469#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2470 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2471 ssl->in_msg, ssl->in_msglen );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]2472#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473
2474 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2475 * Authenticate if not done yet.
2476 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2477 */
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]2478#if defined(SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2479 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2480 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2481 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]2482
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2483 ssl->in_msglen -= ssl->transform_in->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2485 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
2486 ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2488#if defined(MBEDTLS_SSL_PROTO_SSL3)
2489 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2490 {
2491 ssl_mac( &ssl->transform_in->md_ctx_dec,
2492 ssl->transform_in->mac_dec,
2493 ssl->in_msg, ssl->in_msglen,
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]2494 ssl->in_ctr, ssl->in_msgtype,
2495 mac_expect );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2496 }
2497 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2498#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2499#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2500 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2501 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2502 {
2503 /*
2504 * Process MAC and always update for padlen afterwards to make
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2505 * total time independent of padlen.
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2506 *
2507 * Known timing attacks:
2508 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
2509 *
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2510 * To compensate for different timings for the MAC calculation
2511 * depending on how much padding was removed (which is determined
2512 * by padlen), process extra_run more blocks through the hash
2513 * function.
2514 *
2515 * The formula in the paper is
2516 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
2517 * where L1 is the size of the header plus the decrypted message
2518 * plus CBC padding and L2 is the size of the header plus the
2519 * decrypted message. This is for an underlying hash function
2520 * with 64-byte blocks.
2521 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
2522 * correctly. We round down instead of up, so -56 is the correct
2523 * value for our calculations instead of -55.
2524 *
Gilles Peskine1bd9d582018-06-04 11:58:44 +0200[diff] [blame]2525 * Repeat the formula rather than defining a block_size variable.
2526 * This avoids requiring division by a variable at runtime
2527 * (which would be marginally less efficient and would require
2528 * linking an extra division function in some builds).
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2529 */
2530 size_t j, extra_run = 0;
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2531
2532 /*
2533 * The next two sizes are the minimum and maximum values of
2534 * in_msglen over all padlen values.
2535 *
2536 * They're independent of padlen, since we previously did
2537 * in_msglen -= padlen.
2538 *
2539 * Note that max_len + maclen is never more than the buffer
2540 * length, as we previously did in_msglen -= maclen too.
2541 */
2542 const size_t max_len = ssl->in_msglen + padlen;
2543 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
2544
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2545 switch( ssl->transform_in->ciphersuite_info->mac )
2546 {
Gilles Peskined0e55a42018-06-04 12:03:30 +0200[diff] [blame]2547#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
2548 defined(MBEDTLS_SHA256_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2549 case MBEDTLS_MD_MD5:
2550 case MBEDTLS_MD_SHA1:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2551 case MBEDTLS_MD_SHA256:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2552 /* 8 bytes of message size, 64-byte compression blocks */
2553 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
2554 ( 13 + ssl->in_msglen + 8 ) / 64;
2555 break;
2556#endif
Gilles Peskinea7fe25d2018-06-04 12:01:18 +0200[diff] [blame]2557#if defined(MBEDTLS_SHA512_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2558 case MBEDTLS_MD_SHA384:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2559 /* 16 bytes of message size, 128-byte compression blocks */
2560 extra_run = ( 13 + ssl->in_msglen + padlen + 16 ) / 128 -
2561 ( 13 + ssl->in_msglen + 16 ) / 128;
2562 break;
2563#endif
2564 default:
Gilles Peskine5c389842018-06-04 12:02:43 +0200[diff] [blame]2565 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2566 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2567 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2568
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2569 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2570
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2571 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
2572 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
2573 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
2574 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2575 ssl->in_msglen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2576 /* Make sure we access everything even when padlen > 0. This
2577 * makes the synchronisation requirements for just-in-time
2578 * Prime+Probe attacks much tighter and hopefully impractical. */
2579 ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2580 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2581
2582 /* Call mbedtls_md_process at least once due to cache attacks
2583 * that observe whether md_process() was called of not */
Manuel Pégourié-Gonnard47fede02015-04-29 01:35:48 +0200[diff] [blame]2584 for( j = 0; j < extra_run + 1; j++ )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2585 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2586
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2587 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2588
2589 /* Make sure we access all the memory that could contain the MAC,
2590 * before we check it in the next code block. This makes the
2591 * synchronisation requirements for just-in-time Prime+Probe
2592 * attacks much tighter and hopefully impractical. */
2593 ssl_read_memory( ssl->in_msg + min_len,
2594 max_len - min_len + ssl->transform_in->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2595 }
2596 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2597#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2598 MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2599 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2600 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2601 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2602 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2603
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2604#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2605 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
2606 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen,
2607 ssl->transform_in->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2608#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2609
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2610 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
2611 ssl->transform_in->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2612 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2613#if defined(MBEDTLS_SSL_DEBUG_ALL)
2614 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2615#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2616 correct = 0;
2617 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2618 auth_done++;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2619 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +0100[diff] [blame]2620
2621 /*
2622 * Finally check the correct flag
2623 */
2624 if( correct == 0 )
2625 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]2626#endif /* SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2627
2628 /* Make extra sure authentication was performed, exactly once */
2629 if( auth_done != 1 )
2630 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2632 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2633 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2634
2635 if( ssl->in_msglen == 0 )
2636 {
Angus Gratton34817922018-06-19 15:58:22 +1000[diff] [blame]2637#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2638 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
2639 && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
2640 {
2641 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
2642 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
2643 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2644 }
2645#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2646
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2647 ssl->nb_zero++;
2648
2649 /*
2650 * Three or more empty messages may be a DoS attack
2651 * (excessive CPU consumption).
2652 */
2653 if( ssl->nb_zero > 3 )
2654 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2656 "messages, possible DoS attack" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2657 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2658 }
2659 }
2660 else
2661 ssl->nb_zero = 0;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2662
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2663#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2664 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]2665 {
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]2666 ; /* in_ctr read from peer, not maintained internally */
Manuel Pégourié-Gonnardea22ce52014-09-24 09:46:10 +0200[diff] [blame]2667 }
2668 else
2669#endif
2670 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2671 unsigned char i;
Manuel Pégourié-Gonnardea22ce52014-09-24 09:46:10 +0200[diff] [blame]2672 for( i = 8; i > ssl_ep_len( ssl ); i-- )
2673 if( ++ssl->in_ctr[i - 1] != 0 )
2674 break;
2675
2676 /* The loop goes to its end iff the counter is wrapping */
2677 if( i == ssl_ep_len( ssl ) )
2678 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
2680 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnardea22ce52014-09-24 09:46:10 +0200[diff] [blame]2681 }
Manuel Pégourié-Gonnard83cdffc2014-03-10 21:20:29 +0100[diff] [blame]2682 }
2683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2685
2686 return( 0 );
2687}
2688
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2689#undef MAC_NONE
2690#undef MAC_PLAINTEXT
2691#undef MAC_CIPHERTEXT
2692
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2693#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2694/*
2695 * Compression/decompression functions
2696 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2697static int ssl_compress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2698{
2699 int ret;
2700 unsigned char *msg_post = ssl->out_msg;
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]2701 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2702 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]2703 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2704
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2705 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2706
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]2707 if( len_pre == 0 )
2708 return( 0 );
2709
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2710 memcpy( msg_pre, ssl->out_msg, len_pre );
2711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2712 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2713 ssl->out_msglen ) );
2714
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2715 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2716 ssl->out_msg, ssl->out_msglen );
2717
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2718 ssl->transform_out->ctx_deflate.next_in = msg_pre;
2719 ssl->transform_out->ctx_deflate.avail_in = len_pre;
2720 ssl->transform_out->ctx_deflate.next_out = msg_post;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2721 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2722
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2723 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2724 if( ret != Z_OK )
2725 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2726 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
2727 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2728 }
2729
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2730 ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]2731 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2734 ssl->out_msglen ) );
2735
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2736 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2737 ssl->out_msg, ssl->out_msglen );
2738
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2739 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2740
2741 return( 0 );
2742}
2743
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2744static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2745{
2746 int ret;
2747 unsigned char *msg_post = ssl->in_msg;
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]2748 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2749 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]2750 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2751
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2752 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2753
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]2754 if( len_pre == 0 )
2755 return( 0 );
2756
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2757 memcpy( msg_pre, ssl->in_msg, len_pre );
2758
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2759 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2760 ssl->in_msglen ) );
2761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2762 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2763 ssl->in_msg, ssl->in_msglen );
2764
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2765 ssl->transform_in->ctx_inflate.next_in = msg_pre;
2766 ssl->transform_in->ctx_inflate.avail_in = len_pre;
2767 ssl->transform_in->ctx_inflate.next_out = msg_post;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2768 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]2769 header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2770
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2771 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2772 if( ret != Z_OK )
2773 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
2775 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2776 }
2777
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2778 ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]2779 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2782 ssl->in_msglen ) );
2783
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2784 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2785 ssl->in_msg, ssl->in_msglen );
2786
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2787 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2788
2789 return( 0 );
2790}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2791#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2793#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2794static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2795
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2796#if defined(MBEDTLS_SSL_PROTO_DTLS)
2797static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2798{
2799 /* If renegotiation is not enforced, retransmit until we would reach max
2800 * timeout if we were using the usual handshake doubling scheme */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2801 if( ssl->conf->renego_max_records < 0 )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2802 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2803 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2804 unsigned char doublings = 1;
2805
2806 while( ratio != 0 )
2807 {
2808 ++doublings;
2809 ratio >>= 1;
2810 }
2811
2812 if( ++ssl->renego_records_seen > doublings )
2813 {
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]2814 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2815 return( 0 );
2816 }
2817 }
2818
2819 return( ssl_write_hello_request( ssl ) );
2820}
2821#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2822#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2823
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2824/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2825 * Fill the input message buffer by appending data to it.
2826 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2827 *
2828 * If we return 0, is it guaranteed that (at least) nb_want bytes are
2829 * available (from this read and/or a previous one). Otherwise, an error code
2830 * is returned (possibly EOF or WANT_READ).
2831 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2832 * With stream transport (TLS) on success ssl->in_left == nb_want, but
2833 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2834 * since we always read a whole datagram at once.
2835 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]2836 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2837 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2838 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2839int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2840{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2841 int ret;
2842 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2843
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2844 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2845
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2846 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
2847 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2848 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]2849 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2850 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2851 }
2852
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2853 if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]2854 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2856 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]2857 }
2858
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2859#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2860 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2861 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2862 uint32_t timeout;
2863
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]2864 /* Just to be sure */
2865 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
2866 {
2867 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
2868 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
2869 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2870 }
2871
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2872 /*
2873 * The point is, we need to always read a full datagram at once, so we
2874 * sometimes read more then requested, and handle the additional data.
2875 * It could be the rest of the current record (while fetching the
2876 * header) and/or some other records in the same datagram.
2877 */
2878
2879 /*
2880 * Move to the next record in the already read datagram if applicable
2881 */
2882 if( ssl->next_record_offset != 0 )
2883 {
2884 if( ssl->in_left < ssl->next_record_offset )
2885 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2887 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2888 }
2889
2890 ssl->in_left -= ssl->next_record_offset;
2891
2892 if( ssl->in_left != 0 )
2893 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2894 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2895 ssl->next_record_offset ) );
2896 memmove( ssl->in_hdr,
2897 ssl->in_hdr + ssl->next_record_offset,
2898 ssl->in_left );
2899 }
2900
2901 ssl->next_record_offset = 0;
2902 }
2903
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2905 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2906
2907 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2908 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2909 */
2910 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2911 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2912 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2913 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2914 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2915
2916 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]2917 * A record can't be split across datagrams. If we need to read but
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2918 * are not at the beginning of a new record, the caller did something
2919 * wrong.
2920 */
2921 if( ssl->in_left != 0 )
2922 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2923 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2924 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2925 }
2926
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2927 /*
2928 * Don't even try to read if time's out already.
2929 * This avoids by-passing the timer when repeatedly receiving messages
2930 * that will end up being dropped.
2931 */
2932 if( ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]2933 {
2934 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2935 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]2936 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2937 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2938 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2939 len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2940
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2941 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2942 timeout = ssl->handshake->retransmit_timeout;
2943 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2944 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2945
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2946 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2947
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]2948 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2949 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2950 timeout );
2951 else
2952 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2954 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2955
2956 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2957 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2958 }
2959
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2960 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2961 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2962 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2963 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2964
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2965 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]2966 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2967 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2968 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2969 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2970 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2971 }
2972
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2973 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2974 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2975 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2976 return( ret );
2977 }
2978
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2979 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]2980 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2981#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2982 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2983 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2984 {
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2985 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2986 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2987 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2988 return( ret );
2989 }
2990
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2991 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2992 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2993#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2994 }
2995
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2996 if( ret < 0 )
2997 return( ret );
2998
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2999 ssl->in_left = ret;
3000 }
3001 else
3002#endif
3003 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]3005 ssl->in_left, nb_want ) );
3006
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3007 while( ssl->in_left < nb_want )
3008 {
3009 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]3010
3011 if( ssl_check_timer( ssl ) != 0 )
3012 ret = MBEDTLS_ERR_SSL_TIMEOUT;
3013 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]3014 {
3015 if( ssl->f_recv_timeout != NULL )
3016 {
3017 ret = ssl->f_recv_timeout( ssl->p_bio,
3018 ssl->in_hdr + ssl->in_left, len,
3019 ssl->conf->read_timeout );
3020 }
3021 else
3022 {
3023 ret = ssl->f_recv( ssl->p_bio,
3024 ssl->in_hdr + ssl->in_left, len );
3025 }
3026 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]3029 ssl->in_left, nb_want ) );
3030 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3031
3032 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3033 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3034
3035 if( ret < 0 )
3036 return( ret );
3037
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]3038 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]3039 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]3040 MBEDTLS_SSL_DEBUG_MSG( 1,
3041 ( "f_recv returned %d bytes but only %lu were requested",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]3042 ret, (unsigned long)len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]3043 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3044 }
3045
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3046 ssl->in_left += ret;
3047 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3048 }
3049
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3050 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3051
3052 return( 0 );
3053}
3054
3055/*
3056 * Flush any data not yet written
3057 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3058int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3059{
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]3060 int ret;
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]3061 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3063 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3064
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]3065 if( ssl->f_send == NULL )
3066 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]3068 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3069 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]3070 }
3071
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3072 /* Avoid incrementing counter if data is flushed */
3073 if( ssl->out_left == 0 )
3074 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3075 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3076 return( 0 );
3077 }
3078
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3079 while( ssl->out_left > 0 )
3080 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
3082 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3083
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3084 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]3085 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]3086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3087 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3088
3089 if( ret <= 0 )
3090 return( ret );
3091
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]3092 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]3093 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]3094 MBEDTLS_SSL_DEBUG_MSG( 1,
3095 ( "f_send returned %d bytes but only %lu bytes were sent",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]3096 ret, (unsigned long)ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]3097 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3098 }
3099
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3100 ssl->out_left -= ret;
3101 }
3102
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3103#if defined(MBEDTLS_SSL_PROTO_DTLS)
3104 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3105 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3106 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3107 }
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3108 else
3109#endif
3110 {
3111 ssl->out_hdr = ssl->out_buf + 8;
3112 }
3113 ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3116
3117 return( 0 );
3118}
3119
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3120/*
3121 * Functions to handle the DTLS retransmission state machine
3122 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3123#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3124/*
3125 * Append current handshake message to current outgoing flight
3126 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3127static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3128{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3129 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]3130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
3131 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
3132 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3133
3134 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3135 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3136 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3138 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3139 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3140 }
3141
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3142 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3143 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3145 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3146 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3147 }
3148
3149 /* Copy current handshake message with headers */
3150 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
3151 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3152 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3153 msg->next = NULL;
3154
3155 /* Append to the current flight */
3156 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3157 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3158 else
3159 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3160 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3161 while( cur->next != NULL )
3162 cur = cur->next;
3163 cur->next = msg;
3164 }
3165
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]3166 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3167 return( 0 );
3168}
3169
3170/*
3171 * Free the current flight of handshake messages
3172 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3173static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3174{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3175 mbedtls_ssl_flight_item *cur = flight;
3176 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3177
3178 while( cur != NULL )
3179 {
3180 next = cur->next;
3181
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3182 mbedtls_free( cur->p );
3183 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3184
3185 cur = next;
3186 }
3187}
3188
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3189#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3190static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3191#endif
3192
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3193/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3194 * Swap transform_out and out_ctr with the alternative ones
3195 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3196static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3197{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3198 mbedtls_ssl_transform *tmp_transform;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3199 unsigned char tmp_out_ctr[8];
3200
3201 if( ssl->transform_out == ssl->handshake->alt_transform_out )
3202 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3203 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3204 return;
3205 }
3206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3207 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3208
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3209 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3210 tmp_transform = ssl->transform_out;
3211 ssl->transform_out = ssl->handshake->alt_transform_out;
3212 ssl->handshake->alt_transform_out = tmp_transform;
3213
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3214 /* Swap epoch + sequence_number */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]3215 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
3216 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3217 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3218
3219 /* Adjust to the newly activated transform */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]3220 ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3222#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3223 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3224 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3225 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3226 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
3228 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3229 }
3230 }
3231#endif
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3232}
3233
3234/*
3235 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3236 */
3237int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
3238{
3239 int ret = 0;
3240
3241 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
3242
3243 ret = mbedtls_ssl_flight_transmit( ssl );
3244
3245 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
3246
3247 return( ret );
3248}
3249
3250/*
3251 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3252 *
3253 * Need to remember the current message in case flush_output returns
3254 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3255 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3256 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3257int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3258{
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3259 int ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3260 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3262 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3263 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]3264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3265
3266 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3267 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3268 ssl_swap_epochs( ssl );
3269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3270 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3271 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3272
3273 while( ssl->handshake->cur_msg != NULL )
3274 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3275 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3276 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3277
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3278 int const is_finished =
3279 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
3280 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
3281
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]3282 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
3283 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
3284
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3285 /* Swap epochs before sending Finished: we can't do it after
3286 * sending ChangeCipherSpec, in case write returns WANT_READ.
3287 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3288 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3289 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3290 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3291 ssl_swap_epochs( ssl );
3292 }
3293
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3294 ret = ssl_get_remaining_payload_in_datagram( ssl );
3295 if( ret < 0 )
3296 return( ret );
3297 max_frag_len = (size_t) ret;
3298
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3299 /* CCS is copied as is, while HS messages may need fragmentation */
3300 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3301 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3302 if( max_frag_len == 0 )
3303 {
3304 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3305 return( ret );
3306
3307 continue;
3308 }
3309
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3310 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3311 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3312 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3313
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3314 /* Update position inside current message */
3315 ssl->handshake->cur_msg_p += cur->len;
3316 }
3317 else
3318 {
3319 const unsigned char * const p = ssl->handshake->cur_msg_p;
3320 const size_t hs_len = cur->len - 12;
3321 const size_t frag_off = p - ( cur->p + 12 );
3322 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3323 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3324
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3325 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +0200[diff] [blame]3326 {
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3327 if( is_finished )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3328 ssl_swap_epochs( ssl );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3329
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3330 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3331 return( ret );
3332
3333 continue;
3334 }
3335 max_hs_frag_len = max_frag_len - 12;
3336
3337 cur_hs_frag_len = rem_len > max_hs_frag_len ?
3338 max_hs_frag_len : rem_len;
3339
3340 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]3341 {
3342 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3343 (unsigned) cur_hs_frag_len,
3344 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]3345 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]3346
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3347 /* Messages are stored with handshake headers as if not fragmented,
3348 * copy beginning of headers then fill fragmentation fields.
3349 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
3350 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3351
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3352 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
3353 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
3354 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
3355
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3356 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
3357 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
3358 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3359
3360 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
3361
Hanno Becker3f7b9732018-08-28 09:53:25 +0100[diff] [blame]3362 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3363 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
3364 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3365 ssl->out_msgtype = cur->type;
3366
3367 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3368 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3369 }
3370
3371 /* If done with the current message move to the next one if any */
3372 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
3373 {
3374 if( cur->next != NULL )
3375 {
3376 ssl->handshake->cur_msg = cur->next;
3377 ssl->handshake->cur_msg_p = cur->next->p + 12;
3378 }
3379 else
3380 {
3381 ssl->handshake->cur_msg = NULL;
3382 ssl->handshake->cur_msg_p = NULL;
3383 }
3384 }
3385
3386 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]3387 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3388 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3389 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3390 return( ret );
3391 }
3392 }
3393
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3394 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3395 return( ret );
3396
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3397 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3398 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
3399 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +0200[diff] [blame]3400 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]3401 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3402 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]3403 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
3404 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3405
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3406 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3407
3408 return( 0 );
3409}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3410
3411/*
3412 * To be called when the last message of an incoming flight is received.
3413 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3414void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3415{
3416 /* We won't need to resend that one any more */
3417 ssl_flight_free( ssl->handshake->flight );
3418 ssl->handshake->flight = NULL;
3419 ssl->handshake->cur_msg = NULL;
3420
3421 /* The next incoming flight will start with this msg_seq */
3422 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
3423
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3424 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3425 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3426
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3427 /* Clear future message buffering structure. */
3428 ssl_buffering_free( ssl );
3429
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]3430 /* Cancel timer */
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3431 ssl_set_timer( ssl, 0 );
3432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3433 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3434 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3435 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3436 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3437 }
3438 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3439 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3440}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3441
3442/*
3443 * To be called when the last message of an outgoing flight is send.
3444 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3445void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3446{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]3447 ssl_reset_retransmit_timeout( ssl );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]3448 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3449
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3450 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3451 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3452 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3453 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3454 }
3455 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3456 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3457}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3458#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3459
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3460/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3461 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3462 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3463
3464/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3465 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3466 *
3467 * - fill in handshake headers
3468 * - update handshake checksum
3469 * - DTLS: save message for resending
3470 * - then pass to the record layer
3471 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3472 * DTLS: except for HelloRequest, messages are only queued, and will only be
3473 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3474 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3475 * Inputs:
3476 * - ssl->out_msglen: 4 + actual handshake message len
3477 * (4 is the size of handshake headers for TLS)
3478 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
3479 * - ssl->out_msg + 4: the handshake message body
3480 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +0200[diff] [blame]3481 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3482 * - ssl->out_msglen: the length of the record contents
3483 * (including handshake headers but excluding record headers)
3484 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3485 */
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3486int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3487{
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3488 int ret;
3489 const size_t hs_len = ssl->out_msglen - 4;
3490 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3491
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
3493
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3494 /*
3495 * Sanity checks
3496 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]3497 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3498 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3499 {
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]3500 /* In SSLv3, the client might send a NoCertificate alert. */
3501#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
3502 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
3503 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
3504 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
3505#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
3506 {
3507 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3508 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3509 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3510 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3511
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3512 /* Whenever we send anything different from a
3513 * HelloRequest we should be in a handshake - double check. */
3514 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3515 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3516 ssl->handshake == NULL )
3517 {
3518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3519 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3520 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3522#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3523 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3524 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3525 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3526 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3528 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3529 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3530#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3531
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]3532 /* Double-check that we did not exceed the bounds
3533 * of the outgoing record buffer.
3534 * This should never fail as the various message
3535 * writing functions must obey the bounds of the
3536 * outgoing record buffer, but better be safe.
3537 *
3538 * Note: We deliberately do not check for the MTU or MFL here.
3539 */
3540 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
3541 {
3542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
3543 "size %u, maximum %u",
3544 (unsigned) ssl->out_msglen,
3545 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
3546 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3547 }
3548
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3549 /*
3550 * Fill handshake headers
3551 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3552 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3553 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3554 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
3555 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
3556 ssl->out_msg[3] = (unsigned char)( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3557
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3558 /*
3559 * DTLS has additional fields in the Handshake layer,
3560 * between the length field and the actual payload:
3561 * uint16 message_seq;
3562 * uint24 fragment_offset;
3563 * uint24 fragment_length;
3564 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3565#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3566 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3567 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]3568 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3569 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]3570 {
3571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
3572 "size %u, maximum %u",
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3573 (unsigned) ( hs_len ),
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3574 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]3575 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3576 }
3577
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3578 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3579 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3580
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3581 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3582 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3583 {
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +0200[diff] [blame]3584 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
3585 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
3586 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3587 }
3588 else
3589 {
3590 ssl->out_msg[4] = 0;
3591 ssl->out_msg[5] = 0;
3592 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]3593
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3594 /* Handshake hashes are computed without fragmentation,
3595 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]3596 memset( ssl->out_msg + 6, 0x00, 3 );
3597 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3598 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3599#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3600
Hanno Becker0207e532018-08-28 10:28:28 +0100[diff] [blame]3601 /* Update running hashes of handshake messages seen */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3602 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
3603 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3604 }
3605
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3606 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3607#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3608 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3609 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3610 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3611 {
3612 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
3613 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3614 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3615 return( ret );
3616 }
3617 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3618 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3619#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3620 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3621 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3622 {
3623 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3624 return( ret );
3625 }
3626 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3627
3628 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
3629
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3630 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3631}
3632
3633/*
3634 * Record layer functions
3635 */
3636
3637/*
3638 * Write current record.
3639 *
3640 * Uses:
3641 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
3642 * - ssl->out_msglen: length of the record content (excl headers)
3643 * - ssl->out_msg: record content
3644 */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3645int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3646{
3647 int ret, done = 0;
3648 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3649 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3650
3651 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3653#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3654 if( ssl->transform_out != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3655 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3656 {
3657 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
3658 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3659 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3660 return( ret );
3661 }
3662
3663 len = ssl->out_msglen;
3664 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3665#endif /*MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3667#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3668 if( mbedtls_ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3669 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3670 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3672 ret = mbedtls_ssl_hw_record_write( ssl );
3673 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3674 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3675 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
3676 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3677 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]3678
3679 if( ret == 0 )
3680 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3681 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3682#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3683 if( !done )
3684 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3685 unsigned i;
3686 size_t protected_record_size;
3687
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3688 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3689 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3690 ssl->conf->transport, ssl->out_hdr + 1 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]3691
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]3692 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]3693 ssl->out_len[0] = (unsigned char)( len >> 8 );
3694 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3695
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3696 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3697 {
3698 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
3699 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3700 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3701 return( ret );
3702 }
3703
3704 len = ssl->out_msglen;
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]3705 ssl->out_len[0] = (unsigned char)( len >> 8 );
3706 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3707 }
3708
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3709 protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
3710
3711#if defined(MBEDTLS_SSL_PROTO_DTLS)
3712 /* In case of DTLS, double-check that we don't exceed
3713 * the remaining space in the datagram. */
3714 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3715 {
Hanno Becker554b0af2018-08-22 20:33:41 +0100[diff] [blame]3716 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3717 if( ret < 0 )
3718 return( ret );
3719
3720 if( protected_record_size > (size_t) ret )
3721 {
3722 /* Should never happen */
3723 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3724 }
3725 }
3726#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]3729 "version = [%d:%d], msglen = %d",
3730 ssl->out_hdr[0], ssl->out_hdr[1],
3731 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3733 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]3734 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3735
3736 ssl->out_left += protected_record_size;
3737 ssl->out_hdr += protected_record_size;
3738 ssl_update_out_pointers( ssl, ssl->transform_out );
3739
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]3740 for( i = 8; i > ssl_ep_len( ssl ); i-- )
3741 if( ++ssl->cur_out_ctr[i - 1] != 0 )
3742 break;
3743
3744 /* The loop goes to its end iff the counter is wrapping */
3745 if( i == ssl_ep_len( ssl ) )
3746 {
3747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
3748 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3749 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3750 }
3751
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3752#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +0100[diff] [blame]3753 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3754 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3755 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +0100[diff] [blame]3756 size_t remaining;
3757 ret = ssl_get_remaining_payload_in_datagram( ssl );
3758 if( ret < 0 )
3759 {
3760 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
3761 ret );
3762 return( ret );
3763 }
3764
3765 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3766 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]3767 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3768 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]3769 }
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3770 else
3771 {
Hanno Becker513815a2018-08-20 11:56:09 +0100[diff] [blame]3772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3773 }
3774 }
3775#endif /* MBEDTLS_SSL_PROTO_DTLS */
3776
3777 if( ( flush == SSL_FORCE_FLUSH ) &&
3778 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3779 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3780 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3781 return( ret );
3782 }
3783
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3784 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3785
3786 return( 0 );
3787}
3788
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3789#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3790
3791static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
3792{
3793 if( ssl->in_msglen < ssl->in_hslen ||
3794 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
3795 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
3796 {
3797 return( 1 );
3798 }
3799 return( 0 );
3800}
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3801
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3802static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3803{
3804 return( ( ssl->in_msg[9] << 16 ) |
3805 ( ssl->in_msg[10] << 8 ) |
3806 ssl->in_msg[11] );
3807}
3808
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3809static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3810{
3811 return( ( ssl->in_msg[6] << 16 ) |
3812 ( ssl->in_msg[7] << 8 ) |
3813 ssl->in_msg[8] );
3814}
3815
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3816static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3817{
3818 uint32_t msg_len, frag_off, frag_len;
3819
3820 msg_len = ssl_get_hs_total_len( ssl );
3821 frag_off = ssl_get_hs_frag_off( ssl );
3822 frag_len = ssl_get_hs_frag_len( ssl );
3823
3824 if( frag_off > msg_len )
3825 return( -1 );
3826
3827 if( frag_len > msg_len - frag_off )
3828 return( -1 );
3829
3830 if( frag_len + 12 > ssl->in_msglen )
3831 return( -1 );
3832
3833 return( 0 );
3834}
3835
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3836/*
3837 * Mark bits in bitmask (used for DTLS HS reassembly)
3838 */
3839static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
3840{
3841 unsigned int start_bits, end_bits;
3842
3843 start_bits = 8 - ( offset % 8 );
3844 if( start_bits != 8 )
3845 {
3846 size_t first_byte_idx = offset / 8;
3847
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +0200[diff] [blame]3848 /* Special case */
3849 if( len <= start_bits )
3850 {
3851 for( ; len != 0; len-- )
3852 mask[first_byte_idx] |= 1 << ( start_bits - len );
3853
3854 /* Avoid potential issues with offset or len becoming invalid */
3855 return;
3856 }
3857
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3858 offset += start_bits; /* Now offset % 8 == 0 */
3859 len -= start_bits;
3860
3861 for( ; start_bits != 0; start_bits-- )
3862 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3863 }
3864
3865 end_bits = len % 8;
3866 if( end_bits != 0 )
3867 {
3868 size_t last_byte_idx = ( offset + len ) / 8;
3869
3870 len -= end_bits; /* Now len % 8 == 0 */
3871
3872 for( ; end_bits != 0; end_bits-- )
3873 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3874 }
3875
3876 memset( mask + offset / 8, 0xFF, len / 8 );
3877}
3878
3879/*
3880 * Check that bitmask is full
3881 */
3882static int ssl_bitmask_check( unsigned char *mask, size_t len )
3883{
3884 size_t i;
3885
3886 for( i = 0; i < len / 8; i++ )
3887 if( mask[i] != 0xFF )
3888 return( -1 );
3889
3890 for( i = 0; i < len % 8; i++ )
3891 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
3892 return( -1 );
3893
3894 return( 0 );
3895}
3896
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3897/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +0100[diff] [blame]3898static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3899 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3900{
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3901 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3902
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3903 alloc_len = 12; /* Handshake header */
3904 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3905
Hanno Beckerd07df862018-08-16 09:14:58 +0100[diff] [blame]3906 if( add_bitmap )
3907 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3908
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3909 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3910}
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3911
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3912#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3913
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3914static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]3915{
3916 return( ( ssl->in_msg[1] << 16 ) |
3917 ( ssl->in_msg[2] << 8 ) |
3918 ssl->in_msg[3] );
3919}
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3920
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3921int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3922{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3923 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]3924 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]3926 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3927 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]3928 }
3929
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]3930 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3931
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3933 " %d, type = %d, hslen = %d",
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3934 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3935
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3936#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3937 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3938 {
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3939 int ret;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3940 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3941
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3942 if( ssl_check_hs_header( ssl ) != 0 )
3943 {
3944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
3945 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3946 }
3947
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3948 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]3949 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
3950 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
3951 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3952 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3953 {
Hanno Becker9e1ec222018-08-15 15:54:43 +0100[diff] [blame]3954 if( recv_msg_seq > ssl->handshake->in_msg_seq )
3955 {
3956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
3957 recv_msg_seq,
3958 ssl->handshake->in_msg_seq ) );
3959 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3960 }
3961
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +0200[diff] [blame]3962 /* Retransmit only on last message from previous flight, to avoid
3963 * too many retransmissions.
3964 * Besides, No sane server ever retransmits HelloVerifyRequest */
3965 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3966 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3967 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3968 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3969 "message_seq = %d, start_of_flight = %d",
3970 recv_msg_seq,
3971 ssl->handshake->in_flight_start_seq ) );
3972
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3973 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3974 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3975 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3976 return( ret );
3977 }
3978 }
3979 else
3980 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3982 "message_seq = %d, expected = %d",
3983 recv_msg_seq,
3984 ssl->handshake->in_msg_seq ) );
3985 }
3986
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3987 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3988 }
3989 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3990
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]3991 /* Message reassembly is handled alongside buffering of future
3992 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +0100[diff] [blame]3993 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]3994 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3995 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3996 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3997 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]3998 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3999 }
4000 }
4001 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4002#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]4003 /* With TLS we don't handle fragmentation (for now) */
4004 if( ssl->in_msglen < ssl->in_hslen )
4005 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
4007 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4008 }
4009
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4010 return( 0 );
4011}
4012
4013void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
4014{
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4015 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4016
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4017 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]4018 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4019 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]4020 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4021
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]4022 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4023#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4024 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]4025 ssl->handshake != NULL )
4026 {
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4027 unsigned offset;
4028 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]4029
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4030 /* Increment handshake sequence number */
4031 hs->in_msg_seq++;
4032
4033 /*
4034 * Clear up handshake buffering and reassembly structure.
4035 */
4036
4037 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]4038 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4039
4040 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]4041 for( offset = 0, hs_buf = &hs->buffering.hs[0];
4042 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4043 offset++, hs_buf++ )
4044 {
4045 *hs_buf = *(hs_buf + 1);
4046 }
4047
4048 /* Create a fresh last entry */
4049 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]4050 }
4051#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4052}
4053
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4054/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4055 * DTLS anti-replay: RFC 6347 4.1.2.6
4056 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4057 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
4058 * Bit n is set iff record number in_window_top - n has been seen.
4059 *
4060 * Usually, in_window_top is the last record number seen and the lsb of
4061 * in_window is set. The only exception is the initial state (record number 0
4062 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4063 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4064#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4065static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4066{
4067 ssl->in_window_top = 0;
4068 ssl->in_window = 0;
4069}
4070
4071static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
4072{
4073 return( ( (uint64_t) buf[0] << 40 ) |
4074 ( (uint64_t) buf[1] << 32 ) |
4075 ( (uint64_t) buf[2] << 24 ) |
4076 ( (uint64_t) buf[3] << 16 ) |
4077 ( (uint64_t) buf[4] << 8 ) |
4078 ( (uint64_t) buf[5] ) );
4079}
4080
4081/*
4082 * Return 0 if sequence number is acceptable, -1 otherwise
4083 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4084int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4085{
4086 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
4087 uint64_t bit;
4088
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4089 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4090 return( 0 );
4091
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4092 if( rec_seqnum > ssl->in_window_top )
4093 return( 0 );
4094
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4095 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4096
4097 if( bit >= 64 )
4098 return( -1 );
4099
4100 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
4101 return( -1 );
4102
4103 return( 0 );
4104}
4105
4106/*
4107 * Update replay window on new validated record
4108 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4109void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4110{
4111 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
4112
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4113 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4114 return;
4115
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4116 if( rec_seqnum > ssl->in_window_top )
4117 {
4118 /* Update window_top and the contents of the window */
4119 uint64_t shift = rec_seqnum - ssl->in_window_top;
4120
4121 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4122 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4123 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4124 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4125 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4126 ssl->in_window |= 1;
4127 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4128
4129 ssl->in_window_top = rec_seqnum;
4130 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4131 else
4132 {
4133 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4134 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4135
4136 if( bit < 64 ) /* Always true, but be extra sure */
4137 ssl->in_window |= (uint64_t) 1 << bit;
4138 }
4139}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4140#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4141
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]4142#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4143/* Forward declaration */
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]4144static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
4145
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4146/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4147 * Without any SSL context, check if a datagram looks like a ClientHello with
4148 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +0100[diff] [blame]4149 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4150 *
4151 * - if cookie is valid, return 0
4152 * - if ClientHello looks superficially valid but cookie is not,
4153 * fill obuf and set olen, then
4154 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
4155 * - otherwise return a specific error code
4156 */
4157static int ssl_check_dtls_clihlo_cookie(
4158 mbedtls_ssl_cookie_write_t *f_cookie_write,
4159 mbedtls_ssl_cookie_check_t *f_cookie_check,
4160 void *p_cookie,
4161 const unsigned char *cli_id, size_t cli_id_len,
4162 const unsigned char *in, size_t in_len,
4163 unsigned char *obuf, size_t buf_len, size_t *olen )
4164{
4165 size_t sid_len, cookie_len;
4166 unsigned char *p;
4167
4168 if( f_cookie_write == NULL || f_cookie_check == NULL )
4169 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4170
4171 /*
4172 * Structure of ClientHello with record and handshake headers,
4173 * and expected values. We don't need to check a lot, more checks will be
4174 * done when actually parsing the ClientHello - skipping those checks
4175 * avoids code duplication and does not make cookie forging any easier.
4176 *
4177 * 0-0 ContentType type; copied, must be handshake
4178 * 1-2 ProtocolVersion version; copied
4179 * 3-4 uint16 epoch; copied, must be 0
4180 * 5-10 uint48 sequence_number; copied
4181 * 11-12 uint16 length; (ignored)
4182 *
4183 * 13-13 HandshakeType msg_type; (ignored)
4184 * 14-16 uint24 length; (ignored)
4185 * 17-18 uint16 message_seq; copied
4186 * 19-21 uint24 fragment_offset; copied, must be 0
4187 * 22-24 uint24 fragment_length; (ignored)
4188 *
4189 * 25-26 ProtocolVersion client_version; (ignored)
4190 * 27-58 Random random; (ignored)
4191 * 59-xx SessionID session_id; 1 byte len + sid_len content
4192 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
4193 * ...
4194 *
4195 * Minimum length is 61 bytes.
4196 */
4197 if( in_len < 61 ||
4198 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
4199 in[3] != 0 || in[4] != 0 ||
4200 in[19] != 0 || in[20] != 0 || in[21] != 0 )
4201 {
4202 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4203 }
4204
4205 sid_len = in[59];
4206 if( sid_len > in_len - 61 )
4207 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4208
4209 cookie_len = in[60 + sid_len];
4210 if( cookie_len > in_len - 60 )
4211 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4212
4213 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
4214 cli_id, cli_id_len ) == 0 )
4215 {
4216 /* Valid cookie */
4217 return( 0 );
4218 }
4219
4220 /*
4221 * If we get here, we've got an invalid cookie, let's prepare HVR.
4222 *
4223 * 0-0 ContentType type; copied
4224 * 1-2 ProtocolVersion version; copied
4225 * 3-4 uint16 epoch; copied
4226 * 5-10 uint48 sequence_number; copied
4227 * 11-12 uint16 length; olen - 13
4228 *
4229 * 13-13 HandshakeType msg_type; hello_verify_request
4230 * 14-16 uint24 length; olen - 25
4231 * 17-18 uint16 message_seq; copied
4232 * 19-21 uint24 fragment_offset; copied
4233 * 22-24 uint24 fragment_length; olen - 25
4234 *
4235 * 25-26 ProtocolVersion server_version; 0xfe 0xff
4236 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
4237 *
4238 * Minimum length is 28.
4239 */
4240 if( buf_len < 28 )
4241 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
4242
4243 /* Copy most fields and adapt others */
4244 memcpy( obuf, in, 25 );
4245 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
4246 obuf[25] = 0xfe;
4247 obuf[26] = 0xff;
4248
4249 /* Generate and write actual cookie */
4250 p = obuf + 28;
4251 if( f_cookie_write( p_cookie,
4252 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
4253 {
4254 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4255 }
4256
4257 *olen = p - obuf;
4258
4259 /* Go back and fill length fields */
4260 obuf[27] = (unsigned char)( *olen - 28 );
4261
4262 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
4263 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
4264 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
4265
4266 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
4267 obuf[12] = (unsigned char)( ( *olen - 13 ) );
4268
4269 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4270}
4271
4272/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4273 * Handle possible client reconnect with the same UDP quadruplet
4274 * (RFC 6347 Section 4.2.8).
4275 *
4276 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
4277 * that looks like a ClientHello.
4278 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4279 * - if the input looks like a ClientHello without cookies,
4280 * send back HelloVerifyRequest, then
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4281 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4282 * - if the input looks like a ClientHello with a valid cookie,
4283 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]4284 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4285 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4286 *
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4287 * mbedtls_ssl_read_record() will ignore the record if anything else than
Simon Butcherd0bf6a32015-09-11 17:34:49 +0100[diff] [blame]4288 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
4289 * cannot not return 0.
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4290 */
4291static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
4292{
4293 int ret;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4294 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4295
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4296 ret = ssl_check_dtls_clihlo_cookie(
4297 ssl->conf->f_cookie_write,
4298 ssl->conf->f_cookie_check,
4299 ssl->conf->p_cookie,
4300 ssl->cli_id, ssl->cli_id_len,
4301 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4302 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4303
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4304 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
4305
4306 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4307 {
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]4308 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4309 * If the error is permanent we'll catch it later,
4310 * if it's not, then hopefully it'll work next time. */
4311 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
4312
4313 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4314 }
4315
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4316 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4317 {
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4318 /* Got a valid cookie, partially reset context */
4319 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
4320 {
4321 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
4322 return( ret );
4323 }
4324
4325 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4326 }
4327
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4328 return( ret );
4329}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]4330#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4331
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4332/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4333 * ContentType type;
4334 * ProtocolVersion version;
4335 * uint16 epoch; // DTLS only
4336 * uint48 sequence_number; // DTLS only
4337 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4338 *
4339 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]4340 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4341 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
4342 *
4343 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]4344 * 1. proceed with the record if this function returns 0
4345 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
4346 * 3. return CLIENT_RECONNECT if this function return that value
4347 * 4. drop the whole datagram if this function returns anything else.
4348 * Point 2 is needed when the peer is resending, and we have already received
4349 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4350 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4351static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4352{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]4353 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4355 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4356
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4357 ssl->in_msgtype = ssl->in_hdr[0];
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]4358 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4359 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4361 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4362 "version = [%d:%d], msglen = %d",
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4363 ssl->in_msgtype,
4364 major_ver, minor_ver, ssl->in_msglen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4365
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4366 /* Check record type */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4367 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
4368 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
4369 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
4370 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4371 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
Andres Amaya Garcia2fad94b2017-06-26 15:11:59 +0100[diff] [blame]4373
4374#if defined(MBEDTLS_SSL_PROTO_DTLS)
Andres Amaya Garcia01692532017-06-28 09:26:46 +0100[diff] [blame]4375 /* Silently ignore invalid DTLS records as recommended by RFC 6347
4376 * Section 4.1.2.7 */
Andres Amaya Garcia2fad94b2017-06-26 15:11:59 +0100[diff] [blame]4377 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4378#endif /* MBEDTLS_SSL_PROTO_DTLS */
4379 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4380 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
4381
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4382 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4383 }
4384
4385 /* Check version */
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]4386 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4387 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
4389 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4390 }
4391
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4392 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4393 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
4395 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4396 }
4397
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4398 /* Check length against the size of our buffer */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4399 if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4400 - (size_t)( ssl->in_msg - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]4401 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4402 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4403 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]4404 }
4405
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4406 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4407 * DTLS-related tests.
4408 * Check epoch before checking length constraint because
4409 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
4410 * message gets duplicated before the corresponding Finished message,
4411 * the second ChangeCipherSpec should be discarded because it belongs
4412 * to an old epoch, but not because its length is shorter than
4413 * the minimum record length for packets using the new record transform.
4414 * Note that these two kinds of failures are handled differently,
4415 * as an unexpected record is silently skipped but an invalid
4416 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4417 */
4418#if defined(MBEDTLS_SSL_PROTO_DTLS)
4419 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4420 {
4421 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
4422
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4423 /* Check epoch (and sequence number) with DTLS */
4424 if( rec_epoch != ssl->in_epoch )
4425 {
4426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
4427 "expected %d, received %d",
4428 ssl->in_epoch, rec_epoch ) );
4429
4430#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4431 /*
4432 * Check for an epoch 0 ClientHello. We can't use in_msg here to
4433 * access the first byte of record content (handshake type), as we
4434 * have an active transform (possibly iv_len != 0), so use the
4435 * fact that the record header len is 13 instead.
4436 */
4437 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4438 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
4439 rec_epoch == 0 &&
4440 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4441 ssl->in_left > 13 &&
4442 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
4443 {
4444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
4445 "from the same port" ) );
4446 return( ssl_handle_possible_reconnect( ssl ) );
4447 }
4448 else
4449#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4450 {
4451 /* Consider buffering the record. */
4452 if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
4453 {
4454 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
4455 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4456 }
4457
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4458 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4459 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4460 }
4461
4462#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4463 /* Replay detection only works for the current epoch */
4464 if( rec_epoch == ssl->in_epoch &&
4465 mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
4466 {
4467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
4468 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4469 }
4470#endif
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4471
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4472 /* Drop unexpected ApplicationData records,
4473 * except at the beginning of renegotiations */
4474 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4475 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4476#if defined(MBEDTLS_SSL_RENEGOTIATION)
4477 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4478 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4479#endif
4480 )
4481 {
4482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4483 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4484 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4485 }
4486#endif /* MBEDTLS_SSL_PROTO_DTLS */
4487
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4488
4489 /* Check length against bounds of the current transform and version */
4490 if( ssl->transform_in == NULL )
4491 {
4492 if( ssl->in_msglen < 1 ||
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4493 ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4494 {
4495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4496 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4497 }
4498 }
4499 else
4500 {
4501 if( ssl->in_msglen < ssl->transform_in->minlen )
4502 {
4503 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4504 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4505 }
4506
4507#if defined(MBEDTLS_SSL_PROTO_SSL3)
4508 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4509 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4510 {
4511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4512 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4513 }
4514#endif
4515#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
4516 defined(MBEDTLS_SSL_PROTO_TLS1_2)
4517 /*
4518 * TLS encrypted messages can have up to 256 bytes of padding
4519 */
4520 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
4521 ssl->in_msglen > ssl->transform_in->minlen +
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4522 MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4523 {
4524 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4525 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4526 }
4527#endif
4528 }
4529
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4530 return( 0 );
4531}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4532
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4533/*
4534 * If applicable, decrypt (and decompress) record content
4535 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4536static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4537{
4538 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]4539
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4540 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
4541 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4543#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4544 if( mbedtls_ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4545 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4547
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4548 ret = mbedtls_ssl_hw_record_read( ssl );
4549 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4550 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4551 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
4552 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4553 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]4554
4555 if( ret == 0 )
4556 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4557 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4558#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]4559 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4560 {
4561 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
4562 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4563 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4564 return( ret );
4565 }
4566
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4567 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4568 ssl->in_msg, ssl->in_msglen );
4569
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4570 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4571 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4573 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4574 }
4575 }
4576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4577#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]4578 if( ssl->transform_in != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4579 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4580 {
4581 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4582 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4583 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4584 return( ret );
4585 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4586 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4587#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4589#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4590 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4591 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4592 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4593 }
4594#endif
4595
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4596 return( 0 );
4597}
4598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4599static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]4600
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4601/*
4602 * Read a record.
4603 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4604 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
4605 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
4606 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4607 */
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4608
4609/* Helper functions for mbedtls_ssl_read_record(). */
4610static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4611static int ssl_get_next_record( mbedtls_ssl_context *ssl );
4612static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +0100[diff] [blame]4613
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4614int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]4615 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4616{
4617 int ret;
4618
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4619 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4620
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4621 if( ssl->keep_current_message == 0 )
4622 {
4623 do {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4624
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]4625 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4626 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4627 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]4628
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4629 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4630 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4631#if defined(MBEDTLS_SSL_PROTO_DTLS)
4632 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4633
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4634 /* We only check for buffered messages if the
4635 * current datagram is fully consumed. */
4636 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4637 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4638 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4639 if( ssl_load_buffered_message( ssl ) == 0 )
4640 have_buffered = 1;
4641 }
4642
4643 if( have_buffered == 0 )
4644#endif /* MBEDTLS_SSL_PROTO_DTLS */
4645 {
4646 ret = ssl_get_next_record( ssl );
4647 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
4648 continue;
4649
4650 if( ret != 0 )
4651 {
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]4652 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4653 return( ret );
4654 }
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4655 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4656 }
4657
4658 ret = mbedtls_ssl_handle_message_type( ssl );
4659
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4660#if defined(MBEDTLS_SSL_PROTO_DTLS)
4661 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4662 {
4663 /* Buffer future message */
4664 ret = ssl_buffer_message( ssl );
4665 if( ret != 0 )
4666 return( ret );
4667
4668 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
4669 }
4670#endif /* MBEDTLS_SSL_PROTO_DTLS */
4671
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4672 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
4673 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4674
4675 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4676 {
Hanno Becker05c4fc82017-11-09 14:34:06 +0000[diff] [blame]4677 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4678 return( ret );
4679 }
4680
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4681 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]4682 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4683 {
4684 mbedtls_ssl_update_handshake_status( ssl );
4685 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4686 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4687 else
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4688 {
Hanno Becker02f59072018-08-15 14:00:24 +0100[diff] [blame]4689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4690 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4691 }
4692
4693 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
4694
4695 return( 0 );
4696}
4697
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4698#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4699static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4700{
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4701 if( ssl->in_left > ssl->next_record_offset )
4702 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4703
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4704 return( 0 );
4705}
4706
4707static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
4708{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4709 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4710 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4711 int ret = 0;
4712
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4713 if( hs == NULL )
4714 return( -1 );
4715
Hanno Beckere00ae372018-08-20 09:39:42 +0100[diff] [blame]4716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
4717
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4718 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
4719 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4720 {
4721 /* Check if we have seen a ChangeCipherSpec before.
4722 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4723 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4724 {
4725 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
4726 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +0100[diff] [blame]4727 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4728 }
4729
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]4730 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4731 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4732 ssl->in_msglen = 1;
4733 ssl->in_msg[0] = 1;
4734
4735 /* As long as they are equal, the exact value doesn't matter. */
4736 ssl->in_left = 0;
4737 ssl->next_record_offset = 0;
4738
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4739 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4740 goto exit;
4741 }
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4742
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]4743#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4744 /* Debug only */
4745 {
4746 unsigned offset;
4747 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
4748 {
4749 hs_buf = &hs->buffering.hs[offset];
4750 if( hs_buf->is_valid == 1 )
4751 {
4752 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
4753 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +0100[diff] [blame]4754 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4755 }
4756 }
4757 }
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]4758#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4759
4760 /* Check if we have buffered and/or fully reassembled the
4761 * next handshake message. */
4762 hs_buf = &hs->buffering.hs[0];
4763 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4764 {
4765 /* Synthesize a record containing the buffered HS message. */
4766 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4767 ( hs_buf->data[2] << 8 ) |
4768 hs_buf->data[3];
4769
4770 /* Double-check that we haven't accidentally buffered
4771 * a message that doesn't fit into the input buffer. */
4772 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4773 {
4774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4775 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4776 }
4777
4778 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
4779 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
4780 hs_buf->data, msg_len + 12 );
4781
4782 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4783 ssl->in_hslen = msg_len + 12;
4784 ssl->in_msglen = msg_len + 12;
4785 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
4786
4787 ret = 0;
4788 goto exit;
4789 }
4790 else
4791 {
4792 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
4793 hs->in_msg_seq ) );
4794 }
4795
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4796 ret = -1;
4797
4798exit:
4799
4800 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
4801 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4802}
4803
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4804static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
4805 size_t desired )
4806{
4807 int offset;
4808 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
4810 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4811
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4812 /* Get rid of future records epoch first, if such exist. */
4813 ssl_free_buffered_record( ssl );
4814
4815 /* Check if we have enough space available now. */
4816 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4817 hs->buffering.total_bytes_buffered ) )
4818 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4819 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4820 return( 0 );
4821 }
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4822
Hanno Becker4f432ad2018-08-28 10:02:32 +0100[diff] [blame]4823 /* We don't have enough space to buffer the next expected handshake
4824 * message. Remove buffers used for future messages to gain space,
4825 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4826 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4827 offset >= 0; offset-- )
4828 {
4829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4830 offset ) );
4831
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]4832 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4833
4834 /* Check if we have enough space available now. */
4835 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4836 hs->buffering.total_bytes_buffered ) )
4837 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4838 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4839 return( 0 );
4840 }
4841 }
4842
4843 return( -1 );
4844}
4845
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4846static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4847{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4848 int ret = 0;
4849 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4850
4851 if( hs == NULL )
4852 return( 0 );
4853
4854 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4855
4856 switch( ssl->in_msgtype )
4857 {
4858 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4860
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4861 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4862 break;
4863
4864 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4865 {
4866 unsigned recv_msg_seq_offset;
4867 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4868 mbedtls_ssl_hs_buffer *hs_buf;
4869 size_t msg_len = ssl->in_hslen - 12;
4870
4871 /* We should never receive an old handshake
4872 * message - double-check nonetheless. */
4873 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4874 {
4875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4876 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4877 }
4878
4879 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4880 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4881 {
4882 /* Silently ignore -- message too far in the future */
4883 MBEDTLS_SSL_DEBUG_MSG( 2,
4884 ( "Ignore future HS message with sequence number %u, "
4885 "buffering window %u - %u",
4886 recv_msg_seq, ssl->handshake->in_msg_seq,
4887 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4888
4889 goto exit;
4890 }
4891
4892 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4893 recv_msg_seq, recv_msg_seq_offset ) );
4894
4895 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4896
4897 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4898 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4899 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4900 size_t reassembly_buf_sz;
4901
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4902 hs_buf->is_fragmented =
4903 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4904
4905 /* We copy the message back into the input buffer
4906 * after reassembly, so check that it's not too large.
4907 * This is an implementation-specific limitation
4908 * and not one from the standard, hence it is not
4909 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +0100[diff] [blame]4910 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4911 {
4912 /* Ignore message */
4913 goto exit;
4914 }
4915
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4916 /* Check if we have enough space to buffer the message. */
4917 if( hs->buffering.total_bytes_buffered >
4918 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4919 {
4920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4921 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4922 }
4923
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4924 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4925 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4926
4927 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4928 hs->buffering.total_bytes_buffered ) )
4929 {
4930 if( recv_msg_seq_offset > 0 )
4931 {
4932 /* If we can't buffer a future message because
4933 * of space limitations -- ignore. */
4934 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4935 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4936 (unsigned) hs->buffering.total_bytes_buffered ) );
4937 goto exit;
4938 }
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]4939 else
4940 {
4941 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4942 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4943 (unsigned) hs->buffering.total_bytes_buffered ) );
4944 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4945
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4946 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4947 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4949 (unsigned) msg_len,
4950 (unsigned) reassembly_buf_sz,
4951 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4952 (unsigned) hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4953 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4954 goto exit;
4955 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4956 }
4957
4958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4959 msg_len ) );
4960
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4961 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4962 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4963 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4964 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4965 goto exit;
4966 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4967 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4968
4969 /* Prepare final header: copy msg_type, length and message_seq,
4970 * then add standardised fragment_offset and fragment_length */
4971 memcpy( hs_buf->data, ssl->in_msg, 6 );
4972 memset( hs_buf->data + 6, 0, 3 );
4973 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4974
4975 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4976
4977 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4978 }
4979 else
4980 {
4981 /* Make sure msg_type and length are consistent */
4982 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4983 {
4984 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4985 /* Ignore */
4986 goto exit;
4987 }
4988 }
4989
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4990 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4991 {
4992 size_t frag_len, frag_off;
4993 unsigned char * const msg = hs_buf->data + 12;
4994
4995 /*
4996 * Check and copy current fragment
4997 */
4998
4999 /* Validation of header fields already done in
5000 * mbedtls_ssl_prepare_handshake_record(). */
5001 frag_off = ssl_get_hs_frag_off( ssl );
5002 frag_len = ssl_get_hs_frag_len( ssl );
5003
5004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
5005 frag_off, frag_len ) );
5006 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
5007
5008 if( hs_buf->is_fragmented )
5009 {
5010 unsigned char * const bitmask = msg + msg_len;
5011 ssl_bitmask_set( bitmask, frag_off, frag_len );
5012 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
5013 msg_len ) == 0 );
5014 }
5015 else
5016 {
5017 hs_buf->is_complete = 1;
5018 }
5019
5020 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
5021 hs_buf->is_complete ? "" : "not yet " ) );
5022 }
5023
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5024 break;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]5025 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5026
5027 default:
Hanno Becker360bef32018-08-28 10:04:33 +0100[diff] [blame]5028 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5029 break;
5030 }
5031
5032exit:
5033
5034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
5035 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]5036}
5037#endif /* MBEDTLS_SSL_PROTO_DTLS */
5038
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]5039static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5040{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5041 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5042 * Consume last content-layer message and potentially
5043 * update in_msglen which keeps track of the contents'
5044 * consumption state.
5045 *
5046 * (1) Handshake messages:
5047 * Remove last handshake message, move content
5048 * and adapt in_msglen.
5049 *
5050 * (2) Alert messages:
5051 * Consume whole record content, in_msglen = 0.
5052 *
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5053 * (3) Change cipher spec:
5054 * Consume whole record content, in_msglen = 0.
5055 *
5056 * (4) Application data:
5057 * Don't do anything - the record layer provides
5058 * the application data as a stream transport
5059 * and consumes through mbedtls_ssl_read only.
5060 *
5061 */
5062
5063 /* Case (1): Handshake messages */
5064 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5065 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]5066 /* Hard assertion to be sure that no application data
5067 * is in flight, as corrupting ssl->in_msglen during
5068 * ssl->in_offt != NULL is fatal. */
5069 if( ssl->in_offt != NULL )
5070 {
5071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5072 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5073 }
5074
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5075 /*
5076 * Get next Handshake message in the current record
5077 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5078
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5079 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]5080 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5081 * current handshake content: If DTLS handshake
5082 * fragmentation is used, that's the fragment
5083 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]5084 * size here is faulty and should be changed at
5085 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5086 * (2) While it doesn't seem to cause problems, one
5087 * has to be very careful not to assume that in_hslen
5088 * is always <= in_msglen in a sensible communication.
5089 * Again, it's wrong for DTLS handshake fragmentation.
5090 * The following check is therefore mandatory, and
5091 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]5092 * Additionally, ssl->in_hslen might be arbitrarily out of
5093 * bounds after handling a DTLS message with an unexpected
5094 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5095 */
5096 if( ssl->in_hslen < ssl->in_msglen )
5097 {
5098 ssl->in_msglen -= ssl->in_hslen;
5099 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
5100 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5101
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5102 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
5103 ssl->in_msg, ssl->in_msglen );
5104 }
5105 else
5106 {
5107 ssl->in_msglen = 0;
5108 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +0200[diff] [blame]5109
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5110 ssl->in_hslen = 0;
5111 }
5112 /* Case (4): Application data */
5113 else if( ssl->in_offt != NULL )
5114 {
5115 return( 0 );
5116 }
5117 /* Everything else (CCS & Alerts) */
5118 else
5119 {
5120 ssl->in_msglen = 0;
5121 }
5122
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]5123 return( 0 );
5124}
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5125
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]5126static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
5127{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5128 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]5129 return( 1 );
5130
5131 return( 0 );
5132}
5133
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5134#if defined(MBEDTLS_SSL_PROTO_DTLS)
5135
5136static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
5137{
5138 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5139 if( hs == NULL )
5140 return;
5141
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5142 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5143 {
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5144 hs->buffering.total_bytes_buffered -=
5145 hs->buffering.future_record.len;
5146
5147 mbedtls_free( hs->buffering.future_record.data );
5148 hs->buffering.future_record.data = NULL;
5149 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5150}
5151
5152static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
5153{
5154 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5155 unsigned char * rec;
5156 size_t rec_len;
5157 unsigned rec_epoch;
5158
5159 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5160 return( 0 );
5161
5162 if( hs == NULL )
5163 return( 0 );
5164
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5165 rec = hs->buffering.future_record.data;
5166 rec_len = hs->buffering.future_record.len;
5167 rec_epoch = hs->buffering.future_record.epoch;
5168
5169 if( rec == NULL )
5170 return( 0 );
5171
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]5172 /* Only consider loading future records if the
5173 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]5174 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]5175 return( 0 );
5176
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5177 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
5178
5179 if( rec_epoch != ssl->in_epoch )
5180 {
5181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
5182 goto exit;
5183 }
5184
5185 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
5186
5187 /* Double-check that the record is not too large */
5188 if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
5189 (size_t)( ssl->in_hdr - ssl->in_buf ) )
5190 {
5191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5192 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5193 }
5194
5195 memcpy( ssl->in_hdr, rec, rec_len );
5196 ssl->in_left = rec_len;
5197 ssl->next_record_offset = 0;
5198
5199 ssl_free_buffered_record( ssl );
5200
5201exit:
5202 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
5203 return( 0 );
5204}
5205
5206static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
5207{
5208 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5209 size_t const rec_hdr_len = 13;
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5210 size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5211
5212 /* Don't buffer future records outside handshakes. */
5213 if( hs == NULL )
5214 return( 0 );
5215
5216 /* Only buffer handshake records (we are only interested
5217 * in Finished messages). */
5218 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
5219 return( 0 );
5220
5221 /* Don't buffer more than one future epoch record. */
5222 if( hs->buffering.future_record.data != NULL )
5223 return( 0 );
5224
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5225 /* Don't buffer record if there's not enough buffering space remaining. */
5226 if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
5227 hs->buffering.total_bytes_buffered ) )
5228 {
5229 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
5230 (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
5231 (unsigned) hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5232 return( 0 );
5233 }
5234
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5235 /* Buffer record */
5236 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
5237 ssl->in_epoch + 1 ) );
5238 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
5239 rec_hdr_len + ssl->in_msglen );
5240
5241 /* ssl_parse_record_header() only considers records
5242 * of the next epoch as candidates for buffering. */
5243 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5244 hs->buffering.future_record.len = total_buf_sz;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5245
5246 hs->buffering.future_record.data =
5247 mbedtls_calloc( 1, hs->buffering.future_record.len );
5248 if( hs->buffering.future_record.data == NULL )
5249 {
5250 /* If we run out of RAM trying to buffer a
5251 * record from the next epoch, just ignore. */
5252 return( 0 );
5253 }
5254
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5255 memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5256
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5257 hs->buffering.total_bytes_buffered += total_buf_sz;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5258 return( 0 );
5259}
5260
5261#endif /* MBEDTLS_SSL_PROTO_DTLS */
5262
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]5263static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]5264{
5265 int ret;
5266
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5267#if defined(MBEDTLS_SSL_PROTO_DTLS)
5268 /* We might have buffered a future record; if so,
5269 * and if the epoch matches now, load it.
5270 * On success, this call will set ssl->in_left to
5271 * the length of the buffered record, so that
5272 * the calls to ssl_fetch_input() below will
5273 * essentially be no-ops. */
5274 ret = ssl_load_buffered_record( ssl );
5275 if( ret != 0 )
5276 return( ret );
5277#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5278
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5279 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5280 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5281 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5282 return( ret );
5283 }
5284
5285 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5286 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5287#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]5288 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5289 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5290 {
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5291 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
5292 {
5293 ret = ssl_buffer_future_record( ssl );
5294 if( ret != 0 )
5295 return( ret );
5296
5297 /* Fall through to handling of unexpected records */
5298 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
5299 }
5300
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]5301 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
5302 {
5303 /* Skip unexpected record (but not whole datagram) */
5304 ssl->next_record_offset = ssl->in_msglen
5305 + mbedtls_ssl_hdr_len( ssl );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5306
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]5307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
5308 "(header)" ) );
5309 }
5310 else
5311 {
5312 /* Skip invalid record and the rest of the datagram */
5313 ssl->next_record_offset = 0;
5314 ssl->in_left = 0;
5315
5316 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
5317 "(header)" ) );
5318 }
5319
5320 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5321 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5322 }
5323#endif
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5324 return( ret );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5325 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5326
5327 /*
5328 * Read and optionally decrypt the message contents
5329 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5330 if( ( ret = mbedtls_ssl_fetch_input( ssl,
5331 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5332 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5333 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5334 return( ret );
5335 }
5336
5337 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5338#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5339 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]5340 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5341 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]5342 if( ssl->next_record_offset < ssl->in_left )
5343 {
5344 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
5345 }
5346 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5347 else
5348#endif
5349 ssl->in_left = 0;
5350
5351 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5352 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5353#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5354 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5355 {
5356 /* Silently discard invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5357 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
5358 ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5359 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]5360 /* Except when waiting for Finished as a bad mac here
5361 * probably means something went wrong in the handshake
5362 * (eg wrong psk used, mitm downgrade attempt, etc.) */
5363 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
5364 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
5365 {
5366#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5367 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
5368 {
5369 mbedtls_ssl_send_alert_message( ssl,
5370 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5371 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
5372 }
5373#endif
5374 return( ret );
5375 }
5376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5377#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5378 if( ssl->conf->badmac_limit != 0 &&
5379 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]5380 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
5382 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]5383 }
5384#endif
5385
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5386 /* As above, invalid records cause
5387 * dismissal of the whole datagram. */
5388
5389 ssl->next_record_offset = 0;
5390 ssl->in_left = 0;
5391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5393 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5394 }
5395
5396 return( ret );
5397 }
5398 else
5399#endif
5400 {
5401 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5402#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5403 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5405 mbedtls_ssl_send_alert_message( ssl,
5406 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5407 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5408 }
5409#endif
5410 return( ret );
5411 }
5412 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5413
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5414 return( 0 );
5415}
5416
5417int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
5418{
5419 int ret;
5420
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5421 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5422 * Handle particular types of records
5423 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5424 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5425 {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5426 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
5427 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]5428 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5429 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5430 }
5431
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5432 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5433 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5434 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5435 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5436 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
5437 ssl->in_msglen ) );
5438 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5439 }
5440
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5441 if( ssl->in_msg[0] != 1 )
5442 {
5443 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
5444 ssl->in_msg[0] ) );
5445 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5446 }
5447
5448#if defined(MBEDTLS_SSL_PROTO_DTLS)
5449 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5450 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
5451 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
5452 {
5453 if( ssl->handshake == NULL )
5454 {
5455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
5456 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
5457 }
5458
5459 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
5460 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
5461 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5462#endif
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5463 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5464
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5465 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5466 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]5467 if( ssl->in_msglen != 2 )
5468 {
5469 /* Note: Standard allows for more than one 2 byte alert
5470 to be packed in a single message, but Mbed TLS doesn't
5471 currently support this. */
5472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
5473 ssl->in_msglen ) );
5474 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5475 }
5476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5478 ssl->in_msg[0], ssl->in_msg[1] ) );
5479
5480 /*
Simon Butcher459a9502015-10-27 16:09:03 +0000[diff] [blame]5481 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5482 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5483 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5484 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]5486 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5487 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5488 }
5489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5490 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5491 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5492 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5493 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
5494 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5495 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]5496
5497#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
5498 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5499 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
5500 {
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]5502 /* Will be handled when trying to parse ServerHello */
5503 return( 0 );
5504 }
5505#endif
5506
5507#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
5508 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
5509 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5510 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5511 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5512 {
5513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
5514 /* Will be handled in mbedtls_ssl_parse_certificate() */
5515 return( 0 );
5516 }
5517#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
5518
5519 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5520 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5521 }
5522
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]5523#if defined(MBEDTLS_SSL_PROTO_DTLS)
5524 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5525 ssl->handshake != NULL &&
5526 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5527 {
5528 ssl_handshake_wrapup_free_hs_transform( ssl );
5529 }
5530#endif
5531
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5532 return( 0 );
5533}
5534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5535int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5536{
5537 int ret;
5538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5539 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5540 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5541 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5542 {
5543 return( ret );
5544 }
5545
5546 return( 0 );
5547}
5548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5549int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5550 unsigned char level,
5551 unsigned char message )
5552{
5553 int ret;
5554
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5555 if( ssl == NULL || ssl->conf == NULL )
5556 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5557
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5560
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5561 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5562 ssl->out_msglen = 2;
5563 ssl->out_msg[0] = level;
5564 ssl->out_msg[1] = message;
5565
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]5566 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5567 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5568 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5569 return( ret );
5570 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5571 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5572
5573 return( 0 );
5574}
5575
Hanno Beckerb9d44792019-02-08 07:19:04 +0000[diff] [blame]5576#if defined(MBEDTLS_X509_CRT_PARSE_C)
5577static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
5578{
5579#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5580 if( session->peer_cert != NULL )
5581 {
5582 mbedtls_x509_crt_free( session->peer_cert );
5583 mbedtls_free( session->peer_cert );
5584 session->peer_cert = NULL;
5585 }
5586#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5587 if( session->peer_cert_digest != NULL )
5588 {
5589 /* Zeroization is not necessary. */
5590 mbedtls_free( session->peer_cert_digest );
5591 session->peer_cert_digest = NULL;
5592 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
5593 session->peer_cert_digest_len = 0;
5594 }
5595#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5596}
5597#endif /* MBEDTLS_X509_CRT_PARSE_C */
5598
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5599/*
5600 * Handshake functions
5601 */
Hanno Becker21489932019-02-05 13:20:55 +0000[diff] [blame]5602#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]5603/* No certificate support -> dummy functions */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5604int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5605{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5606 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5607
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5609
Hanno Becker7177a882019-02-05 13:36:46 +0000[diff] [blame]5610 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]5611 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5612 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]5613 ssl->state++;
5614 return( 0 );
5615 }
5616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5617 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5618 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5619}
5620
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5621int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5622{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5623 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5624
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5625 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5626
Hanno Becker7177a882019-02-05 13:36:46 +0000[diff] [blame]5627 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5628 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5629 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5630 ssl->state++;
5631 return( 0 );
5632 }
5633
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5635 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5636}
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]5637
Hanno Becker21489932019-02-05 13:20:55 +0000[diff] [blame]5638#else /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]5639/* Some certificate support -> implement write and parse */
5640
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5641int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5642{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5643 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5644 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5645 const mbedtls_x509_crt *crt;
5646 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5648 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5649
Hanno Becker7177a882019-02-05 13:36:46 +0000[diff] [blame]5650 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5652 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5653 ssl->state++;
5654 return( 0 );
5655 }
5656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5657#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5658 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5659 {
5660 if( ssl->client_auth == 0 )
5661 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5663 ssl->state++;
5664 return( 0 );
5665 }
5666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5667#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5668 /*
5669 * If using SSLv3 and got no cert, send an Alert message
5670 * (otherwise an empty Certificate message will be sent).
5671 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5672 if( mbedtls_ssl_own_cert( ssl ) == NULL &&
5673 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5674 {
5675 ssl->out_msglen = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5676 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5677 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
5678 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5680 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5681 goto write_msg;
5682 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5683#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5684 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5685#endif /* MBEDTLS_SSL_CLI_C */
5686#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5687 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5688 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5689 if( mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5690 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
5692 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5693 }
5694 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]5695#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5696
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5697 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5698
5699 /*
5700 * 0 . 0 handshake type
5701 * 1 . 3 handshake length
5702 * 4 . 6 length of all certs
5703 * 7 . 9 length of cert. 1
5704 * 10 . n-1 peer certificate
5705 * n . n+2 length of cert. 2
5706 * n+3 . ... upper level cert, etc.
5707 */
5708 i = 7;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5709 crt = mbedtls_ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5710
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]5711 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5712 {
5713 n = crt->raw.len;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]5714 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5715 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]5717 i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5718 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5719 }
5720
5721 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
5722 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
5723 ssl->out_msg[i + 2] = (unsigned char)( n );
5724
5725 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
5726 i += n; crt = crt->next;
5727 }
5728
5729 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
5730 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
5731 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
5732
5733 ssl->out_msglen = i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5734 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5735 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5736
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200[diff] [blame]5737#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5738write_msg:
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]5739#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5740
5741 ssl->state++;
5742
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]5743 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5744 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]5745 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5746 return( ret );
5747 }
5748
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5749 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5750
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]5751 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5752}
5753
Hanno Becker84879e32019-01-31 07:44:03 +0000[diff] [blame]5754#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Hanno Becker177475a2019-02-05 17:02:46 +0000[diff] [blame]5755
5756#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5757static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
5758 unsigned char *crt_buf,
5759 size_t crt_buf_len )
5760{
5761 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
5762
5763 if( peer_crt == NULL )
5764 return( -1 );
5765
5766 if( peer_crt->raw.len != crt_buf_len )
5767 return( -1 );
5768
Hanno Becker46f34d02019-02-08 14:00:04 +0000[diff] [blame]5769 return( memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5770}
Hanno Becker177475a2019-02-05 17:02:46 +0000[diff] [blame]5771#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5772static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
5773 unsigned char *crt_buf,
5774 size_t crt_buf_len )
5775{
5776 int ret;
5777 unsigned char const * const peer_cert_digest =
5778 ssl->session->peer_cert_digest;
5779 mbedtls_md_type_t const peer_cert_digest_type =
5780 ssl->session->peer_cert_digest_type;
5781 mbedtls_md_info_t const * const digest_info =
5782 mbedtls_md_info_from_type( peer_cert_digest_type );
5783 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
5784 size_t digest_len;
5785
5786 if( peer_cert_digest == NULL || digest_info == NULL )
5787 return( -1 );
5788
5789 digest_len = mbedtls_md_get_size( digest_info );
5790 if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
5791 return( -1 );
5792
5793 ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
5794 if( ret != 0 )
5795 return( -1 );
5796
5797 return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
5798}
5799#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker84879e32019-01-31 07:44:03 +0000[diff] [blame]5800#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5801
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]5802/*
5803 * Once the certificate message is read, parse it into a cert chain and
5804 * perform basic checks, but leave actual verification to the caller
5805 */
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5806static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
5807 mbedtls_x509_crt *chain )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5808{
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5809 int ret;
5810#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
5811 int crt_cnt=0;
5812#endif
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5813 size_t i, n;
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]5814 uint8_t alert;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5815
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5816 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5817 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5819 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5820 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5821 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5822 }
5823
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5824 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
5825 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5826 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5828 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5829 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5830 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5831 }
5832
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5833 i = mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +0000[diff] [blame]5834
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5835 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5836 * Same message structure as in mbedtls_ssl_write_certificate()
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5837 */
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +0000[diff] [blame]5838 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5839
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +0000[diff] [blame]5840 if( ssl->in_msg[i] != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5841 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5844 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5845 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5846 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5847 }
5848
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5849 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
5850 i += 3;
5851
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5852 /* Iterate through and parse the CRTs in the provided chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5853 while( i < ssl->in_hslen )
5854 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5855 /* Check that there's room for the next CRT's length fields. */
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]5856 if ( i + 3 > ssl->in_hslen ) {
5857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +0000[diff] [blame]5858 mbedtls_ssl_send_alert_message( ssl,
5859 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5860 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]5861 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5862 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5863 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
5864 * anything beyond 2**16 ~ 64K. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5865 if( ssl->in_msg[i] != 0 )
5866 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5867 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +0000[diff] [blame]5868 mbedtls_ssl_send_alert_message( ssl,
5869 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5870 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5871 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5872 }
5873
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5874 /* Read length of the next CRT in the chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5875 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
5876 | (unsigned int) ssl->in_msg[i + 2];
5877 i += 3;
5878
5879 if( n < 128 || i + n > ssl->in_hslen )
5880 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +0000[diff] [blame]5882 mbedtls_ssl_send_alert_message( ssl,
5883 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5884 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5885 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5886 }
5887
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5888 /* Check if we're handling the first CRT in the chain. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5889#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
5890 if( crt_cnt++ == 0 &&
5891 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5892 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5893 {
Hanno Becker46f34d02019-02-08 14:00:04 +0000[diff] [blame]5894 /* During client-side renegotiation, check that the server's
5895 * end-CRTs hasn't changed compared to the initial handshake,
5896 * mitigating the triple handshake attack. On success, reuse
5897 * the original end-CRT instead of parsing it again. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5898 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
5899 if( ssl_check_peer_crt_unchanged( ssl,
5900 &ssl->in_msg[i],
5901 n ) != 0 )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5902 {
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
5904 mbedtls_ssl_send_alert_message( ssl,
5905 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5906 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
5907 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5908 }
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5909
5910 /* Now we can safely free the original chain. */
5911 ssl_clear_peer_cert( ssl->session );
5912 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5913#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
5914
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5915 /* Parse the next certificate in the chain. */
Hanno Becker0056eab2019-02-08 14:39:16 +0000[diff] [blame]5916#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5917 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
Hanno Becker0056eab2019-02-08 14:39:16 +0000[diff] [blame]5918#else
Hanno Becker353a6f02019-02-26 11:51:34 +0000[diff] [blame]5919 /* If we don't need to store the CRT chain permanently, parse
Hanno Becker0056eab2019-02-08 14:39:16 +0000[diff] [blame]5920 * it in-place from the input buffer instead of making a copy. */
5921 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
5922#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5923 switch( ret )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5924 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5925 case 0: /*ok*/
5926 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
5927 /* Ignore certificate with an unknown algorithm: maybe a
5928 prior certificate was already trusted. */
5929 break;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5930
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5931 case MBEDTLS_ERR_X509_ALLOC_FAILED:
5932 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
5933 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5934
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5935 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
5936 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5937 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5938
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5939 default:
5940 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
5941 crt_parse_der_failed:
5942 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
5943 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
5944 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5945 }
5946
5947 i += n;
5948 }
5949
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5950 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]5951 return( 0 );
5952}
5953
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]5954#if defined(MBEDTLS_SSL_SRV_C)
5955static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
5956{
5957 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5958 return( -1 );
5959
5960#if defined(MBEDTLS_SSL_PROTO_SSL3)
5961 /*
5962 * Check if the client sent an empty certificate
5963 */
5964 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5965 {
5966 if( ssl->in_msglen == 2 &&
5967 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
5968 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5969 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5970 {
5971 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
5972 return( 0 );
5973 }
5974
5975 return( -1 );
5976 }
5977#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5978
5979#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5980 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5981 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
5982 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
5983 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
5984 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
5985 {
5986 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
5987 return( 0 );
5988 }
5989
5990 return( -1 );
5991#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
5992 MBEDTLS_SSL_PROTO_TLS1_2 */
5993}
5994#endif /* MBEDTLS_SSL_SRV_C */
5995
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]5996/* Check if a certificate message is expected.
5997 * Return either
5998 * - SSL_CERTIFICATE_EXPECTED, or
5999 * - SSL_CERTIFICATE_SKIP
6000 * indicating whether a Certificate message is expected or not.
6001 */
6002#define SSL_CERTIFICATE_EXPECTED 0
6003#define SSL_CERTIFICATE_SKIP 1
6004static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
6005 int authmode )
6006{
6007 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6008 ssl->transform_negotiate->ciphersuite_info;
6009
6010 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
6011 return( SSL_CERTIFICATE_SKIP );
6012
6013#if defined(MBEDTLS_SSL_SRV_C)
6014 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6015 {
6016 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
6017 return( SSL_CERTIFICATE_SKIP );
6018
6019 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
6020 {
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6021 ssl->session_negotiate->verify_result =
6022 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
6023 return( SSL_CERTIFICATE_SKIP );
6024 }
6025 }
Hanno Becker84d9d272019-03-01 08:10:46 +0000[diff] [blame]6026#else
6027 ((void) authmode);
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6028#endif /* MBEDTLS_SSL_SRV_C */
6029
6030 return( SSL_CERTIFICATE_EXPECTED );
6031}
6032
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6033static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
6034 int authmode,
6035 mbedtls_x509_crt *chain,
6036 void *rs_ctx )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6037{
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6038 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6039 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6040 ssl->transform_negotiate->ciphersuite_info;
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6041 int have_ca_chain = 0;
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6042
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6043 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
6044 void *p_vrfy;
6045
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6046 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
6047 return( 0 );
6048
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6049 if( ssl->f_vrfy != NULL )
6050 {
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]6051 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6052 f_vrfy = ssl->f_vrfy;
6053 p_vrfy = ssl->p_vrfy;
6054 }
6055 else
6056 {
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]6057 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6058 f_vrfy = ssl->conf->f_vrfy;
6059 p_vrfy = ssl->conf->p_vrfy;
6060 }
6061
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6062 /*
6063 * Main check: verify certificate
6064 */
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6065#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
6066 if( ssl->conf->f_ca_cb != NULL )
6067 {
6068 ((void) rs_ctx);
6069 have_ca_chain = 1;
6070
6071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
Jarno Lamsa9822c0d2019-04-01 16:59:48 +0300[diff] [blame]6072 ret = mbedtls_x509_crt_verify_with_ca_cb(
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6073 chain,
6074 ssl->conf->f_ca_cb,
6075 ssl->conf->p_ca_cb,
6076 ssl->conf->cert_profile,
6077 ssl->hostname,
6078 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +0100[diff] [blame]6079 f_vrfy, p_vrfy );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6080 }
6081 else
6082#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
6083 {
6084 mbedtls_x509_crt *ca_chain;
6085 mbedtls_x509_crl *ca_crl;
6086
6087#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6088 if( ssl->handshake->sni_ca_chain != NULL )
6089 {
6090 ca_chain = ssl->handshake->sni_ca_chain;
6091 ca_crl = ssl->handshake->sni_ca_crl;
6092 }
6093 else
6094#endif
6095 {
6096 ca_chain = ssl->conf->ca_chain;
6097 ca_crl = ssl->conf->ca_crl;
6098 }
6099
6100 if( ca_chain != NULL )
6101 have_ca_chain = 1;
6102
6103 ret = mbedtls_x509_crt_verify_restartable(
6104 chain,
6105 ca_chain, ca_crl,
6106 ssl->conf->cert_profile,
6107 ssl->hostname,
6108 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +0100[diff] [blame]6109 f_vrfy, p_vrfy, rs_ctx );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6110 }
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6111
6112 if( ret != 0 )
6113 {
6114 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
6115 }
6116
6117#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6118 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
6119 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
6120#endif
6121
6122 /*
6123 * Secondary checks: always done, but change 'ret' only if it was 0
6124 */
6125
6126#if defined(MBEDTLS_ECP_C)
6127 {
6128 const mbedtls_pk_context *pk = &chain->pk;
6129
6130 /* If certificate uses an EC key, make sure the curve is OK */
6131 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
6132 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
6133 {
6134 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
6135
6136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
6137 if( ret == 0 )
6138 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
6139 }
6140 }
6141#endif /* MBEDTLS_ECP_C */
6142
6143 if( mbedtls_ssl_check_cert_usage( chain,
6144 ciphersuite_info,
6145 ! ssl->conf->endpoint,
6146 &ssl->session_negotiate->verify_result ) != 0 )
6147 {
6148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
6149 if( ret == 0 )
6150 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
6151 }
6152
6153 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
6154 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
6155 * with details encoded in the verification flags. All other kinds
6156 * of error codes, including those from the user provided f_vrfy
6157 * functions, are treated as fatal and lead to a failure of
6158 * ssl_parse_certificate even if verification was optional. */
6159 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
6160 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
6161 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
6162 {
6163 ret = 0;
6164 }
6165
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6166 if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6167 {
6168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
6169 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
6170 }
6171
6172 if( ret != 0 )
6173 {
6174 uint8_t alert;
6175
6176 /* The certificate may have been rejected for several reasons.
6177 Pick one and send the corresponding alert. Which alert to send
6178 may be a subject of debate in some cases. */
6179 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
6180 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
6181 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
6182 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
6183 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
6184 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6185 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
6186 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6187 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
6188 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6189 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
6190 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6191 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
6192 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6193 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
6194 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
6195 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
6196 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
6197 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
6198 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
6199 else
6200 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
6201 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6202 alert );
6203 }
6204
6205#if defined(MBEDTLS_DEBUG_C)
6206 if( ssl->session_negotiate->verify_result != 0 )
6207 {
6208 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
6209 ssl->session_negotiate->verify_result ) );
6210 }
6211 else
6212 {
6213 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
6214 }
6215#endif /* MBEDTLS_DEBUG_C */
6216
6217 return( ret );
6218}
6219
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6220#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
6221static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
6222 unsigned char *start, size_t len )
6223{
6224 int ret;
6225 /* Remember digest of the peer's end-CRT. */
6226 ssl->session_negotiate->peer_cert_digest =
6227 mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
6228 if( ssl->session_negotiate->peer_cert_digest == NULL )
6229 {
6230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
6231 sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) );
6232 mbedtls_ssl_send_alert_message( ssl,
6233 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6234 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
6235
6236 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
6237 }
6238
6239 ret = mbedtls_md( mbedtls_md_info_from_type(
6240 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
6241 start, len,
6242 ssl->session_negotiate->peer_cert_digest );
6243
6244 ssl->session_negotiate->peer_cert_digest_type =
6245 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
6246 ssl->session_negotiate->peer_cert_digest_len =
6247 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
6248
6249 return( ret );
6250}
6251
6252static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
6253 unsigned char *start, size_t len )
6254{
6255 unsigned char *end = start + len;
6256 int ret;
6257
6258 /* Make a copy of the peer's raw public key. */
6259 mbedtls_pk_init( &ssl->handshake->peer_pubkey );
6260 ret = mbedtls_pk_parse_subpubkey( &start, end,
6261 &ssl->handshake->peer_pubkey );
6262 if( ret != 0 )
6263 {
6264 /* We should have parsed the public key before. */
6265 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
6266 }
6267
6268 return( 0 );
6269}
6270#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
6271
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6272int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
6273{
6274 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6275 int crt_expected;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6276#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6277 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
6278 ? ssl->handshake->sni_authmode
6279 : ssl->conf->authmode;
6280#else
6281 const int authmode = ssl->conf->authmode;
6282#endif
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6283 void *rs_ctx = NULL;
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6284 mbedtls_x509_crt *chain = NULL;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6285
6286 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
6287
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6288 crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
6289 if( crt_expected == SSL_CERTIFICATE_SKIP )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6290 {
6291 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6292 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6293 }
6294
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6295#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6296 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]6297 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6298 {
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6299 chain = ssl->handshake->ecrs_peer_cert;
6300 ssl->handshake->ecrs_peer_cert = NULL;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6301 goto crt_verify;
6302 }
6303#endif
6304
Manuel Pégourié-Gonnard125af942018-09-11 11:08:12 +0200[diff] [blame]6305 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6306 {
6307 /* mbedtls_ssl_read_record may have sent an alert already. We
6308 let it decide whether to alert. */
6309 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6310 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6311 }
6312
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6313#if defined(MBEDTLS_SSL_SRV_C)
6314 if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
6315 {
6316 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6317
6318 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6319 ret = 0;
6320 else
6321 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6322
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6323 goto exit;
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6324 }
6325#endif /* MBEDTLS_SSL_SRV_C */
6326
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]6327 /* Clear existing peer CRT structure in case we tried to
6328 * reuse a session but it failed, and allocate a new one. */
Hanno Becker7a955a02019-02-05 13:08:01 +0000[diff] [blame]6329 ssl_clear_peer_cert( ssl->session_negotiate );
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6330
6331 chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
6332 if( chain == NULL )
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]6333 {
6334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
6335 sizeof( mbedtls_x509_crt ) ) );
6336 mbedtls_ssl_send_alert_message( ssl,
6337 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6338 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Hanno Becker7a955a02019-02-05 13:08:01 +0000[diff] [blame]6339
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6340 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6341 goto exit;
6342 }
6343 mbedtls_x509_crt_init( chain );
6344
6345 ret = ssl_parse_certificate_chain( ssl, chain );
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]6346 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6347 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6348
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6349#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6350 if( ssl->handshake->ecrs_enabled)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]6351 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6352
6353crt_verify:
6354 if( ssl->handshake->ecrs_enabled)
6355 rs_ctx = &ssl->handshake->ecrs_ctx;
6356#endif
6357
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6358 ret = ssl_parse_certificate_verify( ssl, authmode,
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6359 chain, rs_ctx );
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6360 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6361 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6362
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6363#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6364 {
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6365 unsigned char *crt_start, *pk_start;
6366 size_t crt_len, pk_len;
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6367
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6368 /* We parse the CRT chain without copying, so
6369 * these pointers point into the input buffer,
6370 * and are hence still valid after freeing the
6371 * CRT chain. */
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6372
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6373 crt_start = chain->raw.p;
6374 crt_len = chain->raw.len;
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6375
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6376 pk_start = chain->pk_raw.p;
6377 pk_len = chain->pk_raw.len;
6378
6379 /* Free the CRT structures before computing
6380 * digest and copying the peer's public key. */
6381 mbedtls_x509_crt_free( chain );
6382 mbedtls_free( chain );
6383 chain = NULL;
6384
6385 ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
Hanno Beckera2747532019-02-06 16:19:04 +0000[diff] [blame]6386 if( ret != 0 )
Hanno Beckera2747532019-02-06 16:19:04 +0000[diff] [blame]6387 goto exit;
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6388
6389 ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
6390 if( ret != 0 )
6391 goto exit;
Hanno Beckera2747532019-02-06 16:19:04 +0000[diff] [blame]6392 }
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6393#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
6394 /* Pass ownership to session structure. */
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6395 ssl->session_negotiate->peer_cert = chain;
6396 chain = NULL;
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6397#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6398
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6399 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6400
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6401exit:
6402
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6403 if( ret == 0 )
6404 ssl->state++;
6405
6406#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6407 if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
6408 {
6409 ssl->handshake->ecrs_peer_cert = chain;
6410 chain = NULL;
6411 }
6412#endif
6413
6414 if( chain != NULL )
6415 {
6416 mbedtls_x509_crt_free( chain );
6417 mbedtls_free( chain );
6418 }
6419
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6420 return( ret );
6421}
Hanno Becker21489932019-02-05 13:20:55 +0000[diff] [blame]6422#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6423
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6424int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6425{
6426 int ret;
6427
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6428 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6429
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6430 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6431 ssl->out_msglen = 1;
6432 ssl->out_msg[0] = 1;
6433
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6434 ssl->state++;
6435
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]6436 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6437 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]6438 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6439 return( ret );
6440 }
6441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6442 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6443
6444 return( 0 );
6445}
6446
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6447int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6448{
6449 int ret;
6450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6451 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6452
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]6453 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6454 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6455 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6456 return( ret );
6457 }
6458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6459 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6460 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6461 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]6462 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6463 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6464 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6465 }
6466
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]6467 /* CCS records are only accepted if they have length 1 and content '1',
6468 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6469
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6470 /*
6471 * Switch to our negotiated transform and session parameters for inbound
6472 * data.
6473 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6474 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6475 ssl->transform_in = ssl->transform_negotiate;
6476 ssl->session_in = ssl->session_negotiate;
6477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6478#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]6479 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6480 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6481#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6482 ssl_dtls_replay_reset( ssl );
6483#endif
6484
6485 /* Increment epoch */
6486 if( ++ssl->in_epoch == 0 )
6487 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]6489 /* This is highly unlikely to happen for legitimate reasons, so
6490 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6491 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6492 }
6493 }
6494 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6495#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6496 memset( ssl->in_ctr, 0, 8 );
6497
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]6498 ssl_update_in_pointers( ssl, ssl->transform_negotiate );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6499
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6500#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
6501 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6502 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6503 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6504 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6505 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]6506 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6507 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6508 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6509 }
6510 }
6511#endif
6512
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6513 ssl->state++;
6514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6515 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6516
6517 return( 0 );
6518}
6519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6520void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
6521 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6522{
Paul Bakkerfb08fd22013-08-27 15:06:26 +0200[diff] [blame]6523 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]6524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6525#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6526 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6527 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6528 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6529 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6530#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6531#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6532#if defined(MBEDTLS_SHA512_C)
6533 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6534 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
6535 else
6536#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6537#if defined(MBEDTLS_SHA256_C)
6538 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6539 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6540 else
6541#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6542#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]6543 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6545 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]6546 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6547}
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]6548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6549void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6550{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6551#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6552 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6553 mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
6554 mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6555#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6556#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6557#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6558#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -0500[diff] [blame]6559 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6560 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
6561#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6562 mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6563#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6564#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6565#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6566#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -0500[diff] [blame]6567 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6568 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6569#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6570 mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6571#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6572#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6573#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6574}
6575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6576static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6577 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6578{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6579#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6580 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6581 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6582 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6583#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6584#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6585#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6586#if defined(MBEDTLS_USE_PSA_CRYPTO)
6587 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
6588#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6589 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6590#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6591#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6592#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6593#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6594 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6595#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6596 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]6597#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6598#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6599#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6600}
6601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6602#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6603 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6604static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6605 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6606{
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6607 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6608 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6609}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6610#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6611
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6612#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6613#if defined(MBEDTLS_SHA256_C)
6614static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6615 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6616{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6617#if defined(MBEDTLS_USE_PSA_CRYPTO)
6618 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
6619#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6620 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6621#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6622}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6623#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6624
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6625#if defined(MBEDTLS_SHA512_C)
6626static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6627 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6628{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6629#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6630 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6631#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6632 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6633#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6634}
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]6635#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6636#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6638#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6639static void ssl_calc_finished_ssl(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6640 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6641{
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6642 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6643 mbedtls_md5_context md5;
6644 mbedtls_sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6645
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6646 unsigned char padbuf[48];
6647 unsigned char md5sum[16];
6648 unsigned char sha1sum[20];
6649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6650 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6651 if( !session )
6652 session = ssl->session;
6653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6655
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6656 mbedtls_md5_init( &md5 );
6657 mbedtls_sha1_init( &sha1 );
6658
6659 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6660 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6661
6662 /*
6663 * SSLv3:
6664 * hash =
6665 * MD5( master + pad2 +
6666 * MD5( handshake + sender + master + pad1 ) )
6667 * + SHA1( master + pad2 +
6668 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6669 */
6670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6671#if !defined(MBEDTLS_MD5_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6672 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6673 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6674#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6676#if !defined(MBEDTLS_SHA1_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6677 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6678 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6679#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6681 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6682 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6683
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6684 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6685
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6686 mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
6687 mbedtls_md5_update_ret( &md5, session->master, 48 );
6688 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6689 mbedtls_md5_finish_ret( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6690
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6691 mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
6692 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6693 mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
6694 mbedtls_sha1_finish_ret( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6695
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6696 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6697
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6698 mbedtls_md5_starts_ret( &md5 );
6699 mbedtls_md5_update_ret( &md5, session->master, 48 );
6700 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6701 mbedtls_md5_update_ret( &md5, md5sum, 16 );
6702 mbedtls_md5_finish_ret( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6703
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6704 mbedtls_sha1_starts_ret( &sha1 );
6705 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6706 mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
6707 mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
6708 mbedtls_sha1_finish_ret( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6710 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6711
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6712 mbedtls_md5_free( &md5 );
6713 mbedtls_sha1_free( &sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6714
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6715 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6716 mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
6717 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6718
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6719 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6720}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6721#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6723#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6724static void ssl_calc_finished_tls(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6725 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6726{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6727 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6728 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6729 mbedtls_md5_context md5;
6730 mbedtls_sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6731 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6733 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6734 if( !session )
6735 session = ssl->session;
6736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6737 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6738
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6739 mbedtls_md5_init( &md5 );
6740 mbedtls_sha1_init( &sha1 );
6741
6742 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6743 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6744
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6745 /*
6746 * TLSv1:
6747 * hash = PRF( master, finished_label,
6748 * MD5( handshake ) + SHA1( handshake ) )[0..11]
6749 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6750
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6751#if !defined(MBEDTLS_MD5_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6752 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6753 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6754#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6755
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6756#if !defined(MBEDTLS_SHA1_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6757 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6758 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6759#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6760
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6761 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6762 ? "client finished"
6763 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6764
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6765 mbedtls_md5_finish_ret( &md5, padbuf );
6766 mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6767
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6768 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6769 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6770
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6771 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6772
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6773 mbedtls_md5_free( &md5 );
6774 mbedtls_sha1_free( &sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6775
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6776 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6777
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6778 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6779}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6780#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6781
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6782#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6783#if defined(MBEDTLS_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6784static void ssl_calc_finished_tls_sha256(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6785 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6786{
6787 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6788 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6789 unsigned char padbuf[32];
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6790#if defined(MBEDTLS_USE_PSA_CRYPTO)
6791 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +0000[diff] [blame]6792 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6793 psa_status_t status;
6794#else
6795 mbedtls_sha256_context sha256;
6796#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6797
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6798 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6799 if( !session )
6800 session = ssl->session;
6801
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6802 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6803 ? "client finished"
6804 : "server finished";
6805
6806#if defined(MBEDTLS_USE_PSA_CRYPTO)
6807 sha256_psa = psa_hash_operation_init();
6808
6809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
6810
6811 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
6812 if( status != PSA_SUCCESS )
6813 {
6814 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
6815 return;
6816 }
6817
6818 status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
6819 if( status != PSA_SUCCESS )
6820 {
6821 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
6822 return;
6823 }
6824 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
6825#else
6826
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6827 mbedtls_sha256_init( &sha256 );
6828
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6830
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6831 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6832
6833 /*
6834 * TLSv1.2:
6835 * hash = PRF( master, finished_label,
6836 * Hash( handshake ) )[0.11]
6837 */
6838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6839#if !defined(MBEDTLS_SHA256_ALT)
6840 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6841 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6842#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6843
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6844 mbedtls_sha256_finish_ret( &sha256, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6845 mbedtls_sha256_free( &sha256 );
6846#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6847
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6848 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6849 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6850
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6851 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6852
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6853 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6854
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6855 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6856}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6857#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6858
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6859#if defined(MBEDTLS_SHA512_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6860static void ssl_calc_finished_tls_sha384(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6861 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6862{
6863 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6864 const char *sender;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6865 unsigned char padbuf[48];
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6866#if defined(MBEDTLS_USE_PSA_CRYPTO)
6867 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +0000[diff] [blame]6868 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6869 psa_status_t status;
6870#else
6871 mbedtls_sha512_context sha512;
6872#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6874 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6875 if( !session )
6876 session = ssl->session;
6877
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6878 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6879 ? "client finished"
6880 : "server finished";
6881
6882#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6883 sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6884
6885 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
6886
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6887 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6888 if( status != PSA_SUCCESS )
6889 {
6890 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
6891 return;
6892 }
6893
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6894 status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6895 if( status != PSA_SUCCESS )
6896 {
6897 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
6898 return;
6899 }
6900 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
6901#else
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6902 mbedtls_sha512_init( &sha512 );
6903
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6905
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6906 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6907
6908 /*
6909 * TLSv1.2:
6910 * hash = PRF( master, finished_label,
6911 * Hash( handshake ) )[0.11]
6912 */
6913
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6914#if !defined(MBEDTLS_SHA512_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6915 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
6916 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6917#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6918
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6919 mbedtls_sha512_finish_ret( &sha512, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6920 mbedtls_sha512_free( &sha512 );
6921#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6922
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6923 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6924 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6926 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6927
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6928 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6929
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6930 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6931}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6932#endif /* MBEDTLS_SHA512_C */
6933#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6934
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6935static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6936{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6937 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6938
6939 /*
6940 * Free our handshake params
6941 */
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]6942 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6943 mbedtls_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6944 ssl->handshake = NULL;
6945
6946 /*
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6947 * Free the previous transform and swith in the current one
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6948 */
6949 if( ssl->transform )
6950 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6951 mbedtls_ssl_transform_free( ssl->transform );
6952 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6953 }
6954 ssl->transform = ssl->transform_negotiate;
6955 ssl->transform_negotiate = NULL;
6956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6958}
6959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6960void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6961{
6962 int resume = ssl->handshake->resume;
6963
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6964 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6966#if defined(MBEDTLS_SSL_RENEGOTIATION)
6967 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6968 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6969 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6970 ssl->renego_records_seen = 0;
6971 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]6972#endif
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6973
6974 /*
6975 * Free the previous session and switch in the current one
6976 */
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6977 if( ssl->session )
6978 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6979#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +0100[diff] [blame]6980 /* RFC 7366 3.1: keep the EtM state */
6981 ssl->session_negotiate->encrypt_then_mac =
6982 ssl->session->encrypt_then_mac;
6983#endif
6984
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6985 mbedtls_ssl_session_free( ssl->session );
6986 mbedtls_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6987 }
6988 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6989 ssl->session_negotiate = NULL;
6990
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6991 /*
6992 * Add cache entry
6993 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]6994 if( ssl->conf->f_set_cache != NULL &&
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]6995 ssl->session->id_len != 0 &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]6996 resume == 0 )
6997 {
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +0100[diff] [blame]6998 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]7000 }
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7002#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7003 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]7004 ssl->handshake->flight != NULL )
7005 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]7006 /* Cancel handshake timer */
7007 ssl_set_timer( ssl, 0 );
7008
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]7009 /* Keep last flight around in case we need to resend it:
7010 * we need the handshake and transform structures for that */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7011 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]7012 }
7013 else
7014#endif
7015 ssl_handshake_wrapup_free_hs_transform( ssl );
7016
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7017 ssl->state++;
7018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7019 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7020}
7021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7022int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7023{
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7024 int ret, hash_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7027
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]7028 ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]7029
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7030 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7031
Manuel Pégourié-Gonnard214a8482016-02-22 11:27:26 +0100[diff] [blame]7032 /*
7033 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
7034 * may define some other value. Currently (early 2016), no defined
7035 * ciphersuite does this (and this is unlikely to change as activity has
7036 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
7037 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7038 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7040#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7041 ssl->verify_data_len = hash_len;
7042 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7043#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7044
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7045 ssl->out_msglen = 4 + hash_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7046 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7047 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7048
7049 /*
7050 * In case of session resuming, invert the client and server
7051 * ChangeCipherSpec messages order.
7052 */
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7053 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7054 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7055#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7056 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7057 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7058#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7059#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7060 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7061 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7062#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7063 }
7064 else
7065 ssl->state++;
7066
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7067 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]7068 * Switch to our negotiated transform and session parameters for outbound
7069 * data.
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7070 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]7072
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7073#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7074 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7075 {
7076 unsigned char i;
7077
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7078 /* Remember current epoch settings for resending */
7079 ssl->handshake->alt_transform_out = ssl->transform_out;
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7080 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7081
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7082 /* Set sequence_number to zero */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7083 memset( ssl->cur_out_ctr + 2, 0, 6 );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7084
7085 /* Increment epoch */
7086 for( i = 2; i > 0; i-- )
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7087 if( ++ssl->cur_out_ctr[i - 1] != 0 )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7088 break;
7089
7090 /* The loop goes to its end iff the counter is wrapping */
7091 if( i == 0 )
7092 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7093 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
7094 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7095 }
7096 }
7097 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7098#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7099 memset( ssl->cur_out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7100
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7101 ssl->transform_out = ssl->transform_negotiate;
7102 ssl->session_out = ssl->session_negotiate;
7103
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7104#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7105 if( mbedtls_ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]7106 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7107 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]7108 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7109 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
7110 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]7111 }
7112 }
7113#endif
7114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7115#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7116 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7117 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]7118#endif
7119
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]7120 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7121 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]7122 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7123 return( ret );
7124 }
7125
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]7126#if defined(MBEDTLS_SSL_PROTO_DTLS)
7127 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7128 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
7129 {
7130 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
7131 return( ret );
7132 }
7133#endif
7134
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7135 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7136
7137 return( 0 );
7138}
7139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7140#if defined(MBEDTLS_SSL_PROTO_SSL3)
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7141#define SSL_MAX_HASH_LEN 36
7142#else
7143#define SSL_MAX_HASH_LEN 12
7144#endif
7145
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7146int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7147{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]7148 int ret;
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7149 unsigned int hash_len;
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7150 unsigned char buf[SSL_MAX_HASH_LEN];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7151
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7152 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7153
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7154 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7155
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]7156 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7157 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7158 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7159 return( ret );
7160 }
7161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7162 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7163 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]7165 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7166 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7167 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7168 }
7169
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7170 /* There is currently no ciphersuite using another length with TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7171#if defined(MBEDTLS_SSL_PROTO_SSL3)
7172 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7173 hash_len = 36;
7174 else
7175#endif
7176 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7177
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7178 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
7179 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7180 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]7182 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7183 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7184 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7185 }
7186
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7187 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
Manuel Pégourié-Gonnard4abc3272014-09-10 12:02:46 +0000[diff] [blame]7188 buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7189 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7190 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]7191 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7192 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7193 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7194 }
7195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7196#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7197 ssl->verify_data_len = hash_len;
7198 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7199#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7200
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7201 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7202 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7203#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7204 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7205 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7206#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7207#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7208 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7209 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7210#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7211 }
7212 else
7213 ssl->state++;
7214
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7215#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7216 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7217 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7218#endif
7219
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7220 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7221
7222 return( 0 );
7223}
7224
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7225static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7226{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7227 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7229#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
7230 defined(MBEDTLS_SSL_PROTO_TLS1_1)
7231 mbedtls_md5_init( &handshake->fin_md5 );
7232 mbedtls_sha1_init( &handshake->fin_sha1 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]7233 mbedtls_md5_starts_ret( &handshake->fin_md5 );
7234 mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7235#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7236#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
7237#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7238#if defined(MBEDTLS_USE_PSA_CRYPTO)
7239 handshake->fin_sha256_psa = psa_hash_operation_init();
7240 psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
7241#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7242 mbedtls_sha256_init( &handshake->fin_sha256 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]7243 mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7244#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7245#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7246#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7247#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]7248 handshake->fin_sha384_psa = psa_hash_operation_init();
7249 psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7250#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7251 mbedtls_sha512_init( &handshake->fin_sha512 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]7252 mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7253#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7254#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7255#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7256
7257 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]7258
7259#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
7260 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7261 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
7262#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7263
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7264#if defined(MBEDTLS_DHM_C)
7265 mbedtls_dhm_init( &handshake->dhm_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7266#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7267#if defined(MBEDTLS_ECDH_C)
7268 mbedtls_ecdh_init( &handshake->ecdh_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7269#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]7270#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]7271 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200[diff] [blame]7272#if defined(MBEDTLS_SSL_CLI_C)
7273 handshake->ecjpake_cache = NULL;
7274 handshake->ecjpake_cache_len = 0;
7275#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]7276#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]7277
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7278#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +0200[diff] [blame]7279 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7280#endif
7281
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]7282#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7283 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
7284#endif
Hanno Becker75173122019-02-06 16:18:31 +0000[diff] [blame]7285
7286#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
7287 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7288 mbedtls_pk_init( &handshake->peer_pubkey );
7289#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7290}
7291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7292static void ssl_transform_init( mbedtls_ssl_transform *transform )
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7293{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7294 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]7295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7296 mbedtls_cipher_init( &transform->cipher_ctx_enc );
7297 mbedtls_cipher_init( &transform->cipher_ctx_dec );
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]7298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7299 mbedtls_md_init( &transform->md_ctx_enc );
7300 mbedtls_md_init( &transform->md_ctx_dec );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7301}
7302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7303void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7304{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7305 memset( session, 0, sizeof(mbedtls_ssl_session) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7306}
7307
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7308static int ssl_handshake_init( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7309{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7310 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7311 if( ssl->transform_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7312 mbedtls_ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7313 if( ssl->session_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7314 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7315 if( ssl->handshake )
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]7316 mbedtls_ssl_handshake_free( ssl );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7317
7318 /*
7319 * Either the pointers are now NULL or cleared properly and can be freed.
7320 * Now allocate missing structures.
7321 */
7322 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7323 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]7324 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7325 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7326
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7327 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7328 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]7329 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7330 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7331
Paul Bakker82788fb2014-10-20 13:59:19 +0200[diff] [blame]7332 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7333 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]7334 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7335 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7336
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7337 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7338 if( ssl->handshake == NULL ||
7339 ssl->transform_negotiate == NULL ||
7340 ssl->session_negotiate == NULL )
7341 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]7342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7344 mbedtls_free( ssl->handshake );
7345 mbedtls_free( ssl->transform_negotiate );
7346 mbedtls_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7347
7348 ssl->handshake = NULL;
7349 ssl->transform_negotiate = NULL;
7350 ssl->session_negotiate = NULL;
7351
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]7352 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7353 }
7354
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7355 /* Initialize structures */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7356 mbedtls_ssl_session_init( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7357 ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +0200[diff] [blame]7358 ssl_handshake_params_init( ssl->handshake );
7359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7360#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +0200[diff] [blame]7361 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7362 {
7363 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7364
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +0200[diff] [blame]7365 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
7366 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
7367 else
7368 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]7369
7370 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +0200[diff] [blame]7371 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7372#endif
7373
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7374 return( 0 );
7375}
7376
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]7377#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7378/* Dummy cookie callbacks for defaults */
7379static int ssl_cookie_write_dummy( void *ctx,
7380 unsigned char **p, unsigned char *end,
7381 const unsigned char *cli_id, size_t cli_id_len )
7382{
7383 ((void) ctx);
7384 ((void) p);
7385 ((void) end);
7386 ((void) cli_id);
7387 ((void) cli_id_len);
7388
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7389 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7390}
7391
7392static int ssl_cookie_check_dummy( void *ctx,
7393 const unsigned char *cookie, size_t cookie_len,
7394 const unsigned char *cli_id, size_t cli_id_len )
7395{
7396 ((void) ctx);
7397 ((void) cookie);
7398 ((void) cookie_len);
7399 ((void) cli_id);
7400 ((void) cli_id_len);
7401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7402 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7403}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]7404#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7405
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]7406/* Once ssl->out_hdr as the address of the beginning of the
7407 * next outgoing record is set, deduce the other pointers.
7408 *
7409 * Note: For TLS, we save the implicit record sequence number
7410 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
7411 * and the caller has to make sure there's space for this.
7412 */
7413
7414static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
7415 mbedtls_ssl_transform *transform )
7416{
7417#if defined(MBEDTLS_SSL_PROTO_DTLS)
7418 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7419 {
7420 ssl->out_ctr = ssl->out_hdr + 3;
7421 ssl->out_len = ssl->out_hdr + 11;
7422 ssl->out_iv = ssl->out_hdr + 13;
7423 }
7424 else
7425#endif
7426 {
7427 ssl->out_ctr = ssl->out_hdr - 8;
7428 ssl->out_len = ssl->out_hdr + 3;
7429 ssl->out_iv = ssl->out_hdr + 5;
7430 }
7431
7432 /* Adjust out_msg to make space for explicit IV, if used. */
7433 if( transform != NULL &&
7434 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
7435 {
7436 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
7437 }
7438 else
7439 ssl->out_msg = ssl->out_iv;
7440}
7441
7442/* Once ssl->in_hdr as the address of the beginning of the
7443 * next incoming record is set, deduce the other pointers.
7444 *
7445 * Note: For TLS, we save the implicit record sequence number
7446 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
7447 * and the caller has to make sure there's space for this.
7448 */
7449
7450static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
7451 mbedtls_ssl_transform *transform )
7452{
7453#if defined(MBEDTLS_SSL_PROTO_DTLS)
7454 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7455 {
7456 ssl->in_ctr = ssl->in_hdr + 3;
7457 ssl->in_len = ssl->in_hdr + 11;
7458 ssl->in_iv = ssl->in_hdr + 13;
7459 }
7460 else
7461#endif
7462 {
7463 ssl->in_ctr = ssl->in_hdr - 8;
7464 ssl->in_len = ssl->in_hdr + 3;
7465 ssl->in_iv = ssl->in_hdr + 5;
7466 }
7467
7468 /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
7469 if( transform != NULL &&
7470 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
7471 {
7472 ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
7473 }
7474 else
7475 ssl->in_msg = ssl->in_iv;
7476}
7477
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7478/*
7479 * Initialize an SSL context
7480 */
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +0200[diff] [blame]7481void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
7482{
7483 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
7484}
7485
7486/*
7487 * Setup an SSL context
7488 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]7489
7490static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
7491{
7492 /* Set the incoming and outgoing record pointers. */
7493#if defined(MBEDTLS_SSL_PROTO_DTLS)
7494 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7495 {
7496 ssl->out_hdr = ssl->out_buf;
7497 ssl->in_hdr = ssl->in_buf;
7498 }
7499 else
7500#endif /* MBEDTLS_SSL_PROTO_DTLS */
7501 {
7502 ssl->out_hdr = ssl->out_buf + 8;
7503 ssl->in_hdr = ssl->in_buf + 8;
7504 }
7505
7506 /* Derive other internal pointers. */
7507 ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
7508 ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
7509}
7510
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +0200[diff] [blame]7511int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]7512 const mbedtls_ssl_config *conf )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7513{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7514 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7515
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +0200[diff] [blame]7516 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +0000[diff] [blame]7517
7518 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]7519 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +0000[diff] [blame]7520 */
k-stachowiakc9a5f022018-07-24 13:53:31 +0200[diff] [blame]7521
7522 /* Set to NULL in case of an error condition */
7523 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7524
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7525 ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
7526 if( ssl->in_buf == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7527 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
k-stachowiak9f7798e2018-07-31 16:52:32 +0200[diff] [blame]7529 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7530 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7531 }
7532
7533 ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
7534 if( ssl->out_buf == NULL )
7535 {
7536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
k-stachowiak9f7798e2018-07-31 16:52:32 +0200[diff] [blame]7537 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7538 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7539 }
7540
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]7541 ssl_reset_in_out_pointers( ssl );
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +0200[diff] [blame]7542
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7543 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7544 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7545
7546 return( 0 );
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7547
7548error:
7549 mbedtls_free( ssl->in_buf );
7550 mbedtls_free( ssl->out_buf );
7551
7552 ssl->conf = NULL;
7553
7554 ssl->in_buf = NULL;
7555 ssl->out_buf = NULL;
7556
7557 ssl->in_hdr = NULL;
7558 ssl->in_ctr = NULL;
7559 ssl->in_len = NULL;
7560 ssl->in_iv = NULL;
7561 ssl->in_msg = NULL;
7562
7563 ssl->out_hdr = NULL;
7564 ssl->out_ctr = NULL;
7565 ssl->out_len = NULL;
7566 ssl->out_iv = NULL;
7567 ssl->out_msg = NULL;
7568
k-stachowiak9f7798e2018-07-31 16:52:32 +0200[diff] [blame]7569 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7570}
7571
7572/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7573 * Reset an initialized and used SSL context for re-use while retaining
7574 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7575 *
7576 * If partial is non-zero, keep data in the input buffer and client ID.
7577 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7578 */
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7579static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7580{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7581 int ret;
7582
Hanno Becker7e772132018-08-10 12:38:21 +0100[diff] [blame]7583#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
7584 !defined(MBEDTLS_SSL_SRV_C)
7585 ((void) partial);
7586#endif
7587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7588 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7589
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]7590 /* Cancel any possibly running timer */
7591 ssl_set_timer( ssl, 0 );
7592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7593#if defined(MBEDTLS_SSL_RENEGOTIATION)
7594 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7595 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7596
7597 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7598 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
7599 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7600#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7601 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7602
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7603 ssl->in_offt = NULL;
Hanno Beckerf29d4702018-08-10 11:31:15 +0100[diff] [blame]7604 ssl_reset_in_out_pointers( ssl );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7605
7606 ssl->in_msgtype = 0;
7607 ssl->in_msglen = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7608#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]7609 ssl->next_record_offset = 0;
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7610 ssl->in_epoch = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]7611#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7612#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]7613 ssl_dtls_replay_reset( ssl );
7614#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7615
7616 ssl->in_hslen = 0;
7617 ssl->nb_zero = 0;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]7618
7619 ssl->keep_current_message = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7620
7621 ssl->out_msgtype = 0;
7622 ssl->out_msglen = 0;
7623 ssl->out_left = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7624#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7625 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]7626 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]7627#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7628
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7629 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
7630
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7631 ssl->transform_in = NULL;
7632 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7633
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]7634 ssl->session_in = NULL;
7635 ssl->session_out = NULL;
7636
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7637 memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7638
7639#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7640 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7641#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
7642 {
7643 ssl->in_left = 0;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7644 memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7645 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]7646
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7647#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7648 if( mbedtls_ssl_hw_record_reset != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]7649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
7651 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7652 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7653 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
7654 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7655 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]7656 }
7657#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7658
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7659 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7660 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7661 mbedtls_ssl_transform_free( ssl->transform );
7662 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7663 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7664 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7665
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]7666 if( ssl->session )
7667 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7668 mbedtls_ssl_session_free( ssl->session );
7669 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]7670 ssl->session = NULL;
7671 }
7672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7673#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]7674 ssl->alpn_chosen = NULL;
7675#endif
7676
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]7677#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7678#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7679 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7680#endif
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7681 {
7682 mbedtls_free( ssl->cli_id );
7683 ssl->cli_id = NULL;
7684 ssl->cli_id_len = 0;
7685 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]7686#endif
7687
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7688 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
7689 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7690
7691 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7692}
7693
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]7694/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7695 * Reset an initialized and used SSL context for re-use while retaining
7696 * all application-set variables, function pointers and data.
7697 */
7698int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
7699{
7700 return( ssl_session_reset_int( ssl, 0 ) );
7701}
7702
7703/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7704 * SSL set accessors
7705 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7706void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7707{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7708 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7709}
7710
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]7711void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +0100[diff] [blame]7712{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7713 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +0100[diff] [blame]7714}
7715
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7716#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7717void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]7718{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7719 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]7720}
7721#endif
7722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7723#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7724void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]7725{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7726 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]7727}
7728#endif
7729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7730#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]7731
Hanno Becker1841b0a2018-08-24 11:13:57 +0100[diff] [blame]7732void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
7733 unsigned allow_packing )
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]7734{
7735 ssl->disable_datagram_packing = !allow_packing;
7736}
7737
7738void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
7739 uint32_t min, uint32_t max )
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +0200[diff] [blame]7740{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7741 conf->hs_timeout_min = min;
7742 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +0200[diff] [blame]7743}
7744#endif
7745
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7746void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7747{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7748 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7749}
7750
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7751#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7752void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]7753 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]7754 void *p_vrfy )
7755{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7756 conf->f_vrfy = f_vrfy;
7757 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]7758}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7759#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]7760
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7761void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]7762 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7763 void *p_rng )
7764{
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]7765 conf->f_rng = f_rng;
7766 conf->p_rng = p_rng;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7767}
7768
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7769void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardfd474232015-06-23 16:34:24 +0200[diff] [blame]7770 void (*f_dbg)(void *, int, const char *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7771 void *p_dbg )
7772{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7773 conf->f_dbg = f_dbg;
7774 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7775}
7776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7777void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +0200[diff] [blame]7778 void *p_bio,
Simon Butchere846b512016-03-01 17:31:49 +0000[diff] [blame]7779 mbedtls_ssl_send_t *f_send,
7780 mbedtls_ssl_recv_t *f_recv,
7781 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +0200[diff] [blame]7782{
7783 ssl->p_bio = p_bio;
7784 ssl->f_send = f_send;
7785 ssl->f_recv = f_recv;
7786 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +0100[diff] [blame]7787}
7788
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +0200[diff] [blame]7789#if defined(MBEDTLS_SSL_PROTO_DTLS)
7790void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
7791{
7792 ssl->mtu = mtu;
7793}
7794#endif
7795
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7796void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +0100[diff] [blame]7797{
7798 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +0200[diff] [blame]7799}
7800
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]7801void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
7802 void *p_timer,
Simon Butchere846b512016-03-01 17:31:49 +0000[diff] [blame]7803 mbedtls_ssl_set_timer_t *f_set_timer,
7804 mbedtls_ssl_get_timer_t *f_get_timer )
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]7805{
7806 ssl->p_timer = p_timer;
7807 ssl->f_set_timer = f_set_timer;
7808 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]7809
7810 /* Make sure we start with no timer running */
7811 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]7812}
7813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7814#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7815void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +0100[diff] [blame]7816 void *p_cache,
7817 int (*f_get_cache)(void *, mbedtls_ssl_session *),
7818 int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7819{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +0100[diff] [blame]7820 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7821 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7822 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7823}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7824#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7825
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7826#if defined(MBEDTLS_SSL_CLI_C)
7827int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7828{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7829 int ret;
7830
7831 if( ssl == NULL ||
7832 session == NULL ||
7833 ssl->session_negotiate == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7834 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7835 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7836 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7837 }
7838
Hanno Becker52055ae2019-02-06 14:30:46 +0000[diff] [blame]7839 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
7840 session ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7841 return( ret );
7842
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7843 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7844
7845 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7846}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7847#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7848
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7849void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7850 const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7851{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7852 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
7853 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
7854 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
7855 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7856}
7857
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7858void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]7859 const int *ciphersuites,
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7860 int major, int minor )
7861{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7862 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7863 return;
7864
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7865 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7866 return;
7867
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7868 conf->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7869}
7870
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7871#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +0200[diff] [blame]7872void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
Nicholas Wilson2088e2e2015-09-08 16:53:18 +0100[diff] [blame]7873 const mbedtls_x509_crt_profile *profile )
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +0200[diff] [blame]7874{
7875 conf->cert_profile = profile;
7876}
7877
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7878/* Append a new keycert entry to a (possibly empty) list */
7879static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
7880 mbedtls_x509_crt *cert,
7881 mbedtls_pk_context *key )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7882{
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7883 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7884
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7885 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
7886 if( new_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]7887 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7888
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7889 new_cert->cert = cert;
7890 new_cert->key = key;
7891 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7892
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7893 /* Update head is the list was null, else add to the end */
7894 if( *head == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +0100[diff] [blame]7895 {
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7896 *head = new_cert;
Paul Bakker0333b972013-11-04 17:08:28 +0100[diff] [blame]7897 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7898 else
7899 {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7900 mbedtls_ssl_key_cert *cur = *head;
7901 while( cur->next != NULL )
7902 cur = cur->next;
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7903 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7904 }
7905
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7906 return( 0 );
7907}
7908
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7909int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7910 mbedtls_x509_crt *own_cert,
7911 mbedtls_pk_context *pk_key )
7912{
Manuel Pégourié-Gonnard17a40cd2015-05-10 23:17:17 +0200[diff] [blame]7913 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7914}
7915
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7916void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]7917 mbedtls_x509_crt *ca_chain,
7918 mbedtls_x509_crl *ca_crl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7919{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]7920 conf->ca_chain = ca_chain;
7921 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +0000[diff] [blame]7922
7923#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
7924 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
7925 * cannot be used together. */
7926 conf->f_ca_cb = NULL;
7927 conf->p_ca_cb = NULL;
7928#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7929}
Hanno Becker5adaad92019-03-27 16:54:37 +0000[diff] [blame]7930
7931#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
7932void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]7933 mbedtls_x509_crt_ca_cb_t f_ca_cb,
Hanno Becker5adaad92019-03-27 16:54:37 +0000[diff] [blame]7934 void *p_ca_cb )
7935{
7936 conf->f_ca_cb = f_ca_cb;
7937 conf->p_ca_cb = p_ca_cb;
7938
7939 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
7940 * cannot be used together. */
7941 conf->ca_chain = NULL;
7942 conf->ca_crl = NULL;
7943}
7944#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7945#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]7946
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +0200[diff] [blame]7947#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7948int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
7949 mbedtls_x509_crt *own_cert,
7950 mbedtls_pk_context *pk_key )
7951{
7952 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
7953 own_cert, pk_key ) );
7954}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +0200[diff] [blame]7955
7956void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
7957 mbedtls_x509_crt *ca_chain,
7958 mbedtls_x509_crl *ca_crl )
7959{
7960 ssl->handshake->sni_ca_chain = ca_chain;
7961 ssl->handshake->sni_ca_crl = ca_crl;
7962}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]7963
7964void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
7965 int authmode )
7966{
7967 ssl->handshake->sni_authmode = authmode;
7968}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +0200[diff] [blame]7969#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
7970
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]7971#if defined(MBEDTLS_X509_CRT_PARSE_C)
7972void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
7973 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
7974 void *p_vrfy )
7975{
7976 ssl->f_vrfy = f_vrfy;
7977 ssl->p_vrfy = p_vrfy;
7978}
7979#endif
7980
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]7981#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +0200[diff] [blame]7982/*
7983 * Set EC J-PAKE password for current handshake
7984 */
7985int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
7986 const unsigned char *pw,
7987 size_t pw_len )
7988{
7989 mbedtls_ecjpake_role role;
7990
Janos Follath8eb64132016-06-03 15:40:57 +0100[diff] [blame]7991 if( ssl->handshake == NULL || ssl->conf == NULL )
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +0200[diff] [blame]7992 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7993
7994 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
7995 role = MBEDTLS_ECJPAKE_SERVER;
7996 else
7997 role = MBEDTLS_ECJPAKE_CLIENT;
7998
7999 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
8000 role,
8001 MBEDTLS_MD_SHA256,
8002 MBEDTLS_ECP_DP_SECP256R1,
8003 pw, pw_len ) );
8004}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]8005#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +0200[diff] [blame]8006
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8007#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8008
8009static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
8010{
8011 /* Remove reference to existing PSK, if any. */
8012#if defined(MBEDTLS_USE_PSA_CRYPTO)
8013 if( conf->psk_opaque != 0 )
8014 {
8015 /* The maintenance of the PSK key slot is the
8016 * user's responsibility. */
8017 conf->psk_opaque = 0;
8018 }
Hanno Beckera63ac3f2018-11-05 12:47:16 +0000[diff] [blame]8019 /* This and the following branch should never
8020 * be taken simultaenously as we maintain the
8021 * invariant that raw and opaque PSKs are never
8022 * configured simultaneously. As a safeguard,
8023 * though, `else` is omitted here. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8024#endif /* MBEDTLS_USE_PSA_CRYPTO */
8025 if( conf->psk != NULL )
8026 {
8027 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
8028
8029 mbedtls_free( conf->psk );
8030 conf->psk = NULL;
8031 conf->psk_len = 0;
8032 }
8033
8034 /* Remove reference to PSK identity, if any. */
8035 if( conf->psk_identity != NULL )
8036 {
8037 mbedtls_free( conf->psk_identity );
8038 conf->psk_identity = NULL;
8039 conf->psk_identity_len = 0;
8040 }
8041}
8042
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8043/* This function assumes that PSK identity in the SSL config is unset.
8044 * It checks that the provided identity is well-formed and attempts
8045 * to make a copy of it in the SSL config.
8046 * On failure, the PSK identity in the config remains unset. */
8047static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
8048 unsigned char const *psk_identity,
8049 size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]8050{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]8051 /* Identity len will be encoded on two bytes */
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8052 if( psk_identity == NULL ||
8053 ( psk_identity_len >> 16 ) != 0 ||
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8054 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]8055 {
8056 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8057 }
8058
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8059 conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
8060 if( conf->psk_identity == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]8061 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]8062
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +0100[diff] [blame]8063 conf->psk_identity_len = psk_identity_len;
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +0100[diff] [blame]8064 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +0200[diff] [blame]8065
8066 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]8067}
8068
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8069int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
8070 const unsigned char *psk, size_t psk_len,
8071 const unsigned char *psk_identity, size_t psk_identity_len )
8072{
8073 int ret;
8074 /* Remove opaque/raw PSK + PSK Identity */
8075 ssl_conf_remove_psk( conf );
8076
8077 /* Check and set raw PSK */
8078 if( psk == NULL || psk_len > MBEDTLS_PSK_MAX_LEN )
8079 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8080 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
8081 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
8082 conf->psk_len = psk_len;
8083 memcpy( conf->psk, psk, conf->psk_len );
8084
8085 /* Check and set PSK Identity */
8086 ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
8087 if( ret != 0 )
8088 ssl_conf_remove_psk( conf );
8089
8090 return( ret );
8091}
8092
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8093static void ssl_remove_psk( mbedtls_ssl_context *ssl )
8094{
8095#if defined(MBEDTLS_USE_PSA_CRYPTO)
8096 if( ssl->handshake->psk_opaque != 0 )
8097 {
8098 ssl->handshake->psk_opaque = 0;
8099 }
8100 else
8101#endif /* MBEDTLS_USE_PSA_CRYPTO */
8102 if( ssl->handshake->psk != NULL )
8103 {
8104 mbedtls_platform_zeroize( ssl->handshake->psk,
8105 ssl->handshake->psk_len );
8106 mbedtls_free( ssl->handshake->psk );
8107 ssl->handshake->psk_len = 0;
8108 }
8109}
8110
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]8111int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
8112 const unsigned char *psk, size_t psk_len )
8113{
8114 if( psk == NULL || ssl->handshake == NULL )
8115 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8116
8117 if( psk_len > MBEDTLS_PSK_MAX_LEN )
8118 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8119
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8120 ssl_remove_psk( ssl );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]8121
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]8122 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]8123 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]8124
8125 ssl->handshake->psk_len = psk_len;
8126 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
8127
8128 return( 0 );
8129}
8130
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8131#if defined(MBEDTLS_USE_PSA_CRYPTO)
8132int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500[diff] [blame]8133 psa_key_handle_t psk_slot,
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8134 const unsigned char *psk_identity,
8135 size_t psk_identity_len )
8136{
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8137 int ret;
8138 /* Clear opaque/raw PSK + PSK Identity, if present. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8139 ssl_conf_remove_psk( conf );
8140
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8141 /* Check and set opaque PSK */
8142 if( psk_slot == 0 )
8143 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8144 conf->psk_opaque = psk_slot;
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8145
8146 /* Check and set PSK Identity */
8147 ret = ssl_conf_set_psk_identity( conf, psk_identity,
8148 psk_identity_len );
8149 if( ret != 0 )
8150 ssl_conf_remove_psk( conf );
8151
8152 return( ret );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8153}
8154
8155int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500[diff] [blame]8156 psa_key_handle_t psk_slot )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8157{
8158 if( psk_slot == 0 || ssl->handshake == NULL )
8159 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8160
8161 ssl_remove_psk( ssl );
8162 ssl->handshake->psk_opaque = psk_slot;
8163 return( 0 );
8164}
8165#endif /* MBEDTLS_USE_PSA_CRYPTO */
8166
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8167void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8168 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]8169 size_t),
8170 void *p_psk )
8171{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8172 conf->f_psk = f_psk;
8173 conf->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]8174}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8175#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]8176
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200[diff] [blame]8177#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker470a8c42017-10-04 15:28:46 +0100[diff] [blame]8178
8179#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8180int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8181{
8182 int ret;
8183
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8184 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
8185 ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
8186 {
8187 mbedtls_mpi_free( &conf->dhm_P );
8188 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8189 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8190 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8191
8192 return( 0 );
8193}
Hanno Becker470a8c42017-10-04 15:28:46 +0100[diff] [blame]8194#endif /* MBEDTLS_DEPRECATED_REMOVED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8195
Hanno Beckera90658f2017-10-04 15:29:08 +0100[diff] [blame]8196int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
8197 const unsigned char *dhm_P, size_t P_len,
8198 const unsigned char *dhm_G, size_t G_len )
8199{
8200 int ret;
8201
8202 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
8203 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
8204 {
8205 mbedtls_mpi_free( &conf->dhm_P );
8206 mbedtls_mpi_free( &conf->dhm_G );
8207 return( ret );
8208 }
8209
8210 return( 0 );
8211}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8212
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8213int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8214{
8215 int ret;
8216
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8217 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
8218 ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
8219 {
8220 mbedtls_mpi_free( &conf->dhm_P );
8221 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8222 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8223 }
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8224
8225 return( 0 );
8226}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200[diff] [blame]8227#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8228
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]8229#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
8230/*
8231 * Set the minimum length for Diffie-Hellman parameters
8232 */
8233void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
8234 unsigned int bitlen )
8235{
8236 conf->dhm_min_bitlen = bitlen;
8237}
8238#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
8239
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]8240#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +0200[diff] [blame]8241/*
8242 * Set allowed/preferred hashes for handshake signatures
8243 */
8244void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
8245 const int *hashes )
8246{
8247 conf->sig_hashes = hashes;
8248}
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8249#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +0200[diff] [blame]8250
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]8251#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8252/*
8253 * Set the allowed elliptic curves
8254 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8255void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8256 const mbedtls_ecp_group_id *curve_list )
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8257{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8258 conf->curve_list = curve_list;
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8259}
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8260#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8261
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]8262#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8263int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8264{
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8265 /* Initialize to suppress unnecessary compiler warning */
8266 size_t hostname_len = 0;
8267
8268 /* Check if new hostname is valid before
8269 * making any change to current one */
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8270 if( hostname != NULL )
8271 {
8272 hostname_len = strlen( hostname );
8273
8274 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
8275 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8276 }
8277
8278 /* Now it's clear that we will overwrite the old hostname,
8279 * so we can free it safely */
8280
8281 if( ssl->hostname != NULL )
8282 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]8283 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8284 mbedtls_free( ssl->hostname );
8285 }
8286
8287 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]8288
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8289 if( hostname == NULL )
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8290 {
8291 ssl->hostname = NULL;
8292 }
8293 else
8294 {
8295 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8296 if( ssl->hostname == NULL )
8297 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker75c1a6f2013-08-19 14:25:29 +0200[diff] [blame]8298
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8299 memcpy( ssl->hostname, hostname, hostname_len );
Paul Bakker75c1a6f2013-08-19 14:25:29 +0200[diff] [blame]8300
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8301 ssl->hostname[hostname_len] = '\0';
8302 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8303
8304 return( 0 );
8305}
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]8306#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8307
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]8308#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8309void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8310 int (*f_sni)(void *, mbedtls_ssl_context *,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]8311 const unsigned char *, size_t),
8312 void *p_sni )
8313{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8314 conf->f_sni = f_sni;
8315 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]8316}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8317#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]8318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8319#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8320int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8321{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8322 size_t cur_len, tot_len;
8323 const char **p;
8324
8325 /*
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]8326 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
8327 * MUST NOT be truncated."
8328 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8329 */
8330 tot_len = 0;
8331 for( p = protos; *p != NULL; p++ )
8332 {
8333 cur_len = strlen( *p );
8334 tot_len += cur_len;
8335
8336 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8337 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8338 }
8339
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8340 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8341
8342 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8343}
8344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8345const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8346{
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8347 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8348}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8349#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8350
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]8351void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]8352{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8353 conf->max_major_ver = major;
8354 conf->max_minor_ver = minor;
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]8355}
8356
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]8357void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]8358{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8359 conf->min_major_ver = major;
8360 conf->min_minor_ver = minor;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]8361}
8362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8363#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8364void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]8365{
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]8366 conf->fallback = fallback;
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]8367}
8368#endif
8369
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]8370#if defined(MBEDTLS_SSL_SRV_C)
8371void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
8372 char cert_req_ca_list )
8373{
8374 conf->cert_req_ca_list = cert_req_ca_list;
8375}
8376#endif
8377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8378#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8379void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]8380{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8381 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]8382}
8383#endif
8384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8385#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8386void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]8387{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8388 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]8389}
8390#endif
8391
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]8392#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8393void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]8394{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8395 conf->arc4_disabled = arc4;
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]8396}
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]8397#endif
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]8398
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8399#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8400int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8401{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8402 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8403 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8405 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8406 }
8407
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +0100[diff] [blame]8408 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8409
8410 return( 0 );
8411}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8412#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8413
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8414#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]8415void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +0200[diff] [blame]8416{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8417 conf->trunc_hmac = truncate;
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +0200[diff] [blame]8418}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8419#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +0200[diff] [blame]8420
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8421#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8422void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]8423{
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]8424 conf->cbc_record_splitting = split;
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]8425}
8426#endif
8427
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8428void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8429{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8430 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8431}
8432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8433#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8434void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]8435{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8436 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]8437}
8438
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8439void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]8440{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8441 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]8442}
8443
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8444void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +0100[diff] [blame]8445 const unsigned char period[8] )
8446{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8447 memcpy( conf->renego_period, period, 8 );
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +0100[diff] [blame]8448}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8449#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8451#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8452#if defined(MBEDTLS_SSL_CLI_C)
8453void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]8454{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +0100[diff] [blame]8455 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]8456}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8457#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]8458
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8459#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]8460void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
8461 mbedtls_ssl_ticket_write_t *f_ticket_write,
8462 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
8463 void *p_ticket )
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]8464{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]8465 conf->f_ticket_write = f_ticket_write;
8466 conf->f_ticket_parse = f_ticket_parse;
8467 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]8468}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8469#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8470#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]8471
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100[diff] [blame]8472#if defined(MBEDTLS_SSL_EXPORT_KEYS)
8473void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
8474 mbedtls_ssl_export_keys_t *f_export_keys,
8475 void *p_export_keys )
8476{
8477 conf->f_export_keys = f_export_keys;
8478 conf->p_export_keys = p_export_keys;
8479}
8480#endif
8481
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]8482#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8483void mbedtls_ssl_conf_async_private_cb(
8484 mbedtls_ssl_config *conf,
8485 mbedtls_ssl_async_sign_t *f_async_sign,
8486 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
8487 mbedtls_ssl_async_resume_t *f_async_resume,
8488 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8489 void *async_config_data )
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8490{
8491 conf->f_async_sign_start = f_async_sign;
8492 conf->f_async_decrypt_start = f_async_decrypt;
8493 conf->f_async_resume = f_async_resume;
8494 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8495 conf->p_async_config_data = async_config_data;
8496}
8497
Gilles Peskine8f97af72018-04-26 11:46:10 +0200[diff] [blame]8498void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
8499{
8500 return( conf->p_async_config_data );
8501}
8502
Gilles Peskine1febfef2018-04-30 11:54:39 +0200[diff] [blame]8503void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8504{
8505 if( ssl->handshake == NULL )
8506 return( NULL );
8507 else
8508 return( ssl->handshake->user_async_ctx );
8509}
8510
Gilles Peskine1febfef2018-04-30 11:54:39 +0200[diff] [blame]8511void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8512 void *ctx )
8513{
8514 if( ssl->handshake != NULL )
8515 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8516}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]8517#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8518
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8519/*
8520 * SSL get accessors
8521 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8522size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8523{
8524 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
8525}
8526
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8527int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
8528{
8529 /*
8530 * Case A: We're currently holding back
8531 * a message for further processing.
8532 */
8533
8534 if( ssl->keep_current_message == 1 )
8535 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8537 return( 1 );
8538 }
8539
8540 /*
8541 * Case B: Further records are pending in the current datagram.
8542 */
8543
8544#if defined(MBEDTLS_SSL_PROTO_DTLS)
8545 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8546 ssl->in_left > ssl->next_record_offset )
8547 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8548 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8549 return( 1 );
8550 }
8551#endif /* MBEDTLS_SSL_PROTO_DTLS */
8552
8553 /*
8554 * Case C: A handshake message is being processed.
8555 */
8556
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8557 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
8558 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8560 return( 1 );
8561 }
8562
8563 /*
8564 * Case D: An application data message is being processed
8565 */
8566 if( ssl->in_offt != NULL )
8567 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8568 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8569 return( 1 );
8570 }
8571
8572 /*
8573 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]8574 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8575 * we implement support for multiple alerts in single records.
8576 */
8577
8578 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
8579 return( 0 );
8580}
8581
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]8582uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8583{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +0000[diff] [blame]8584 if( ssl->session != NULL )
8585 return( ssl->session->verify_result );
8586
8587 if( ssl->session_negotiate != NULL )
8588 return( ssl->session_negotiate->verify_result );
8589
Manuel Pégourié-Gonnard6ab9b002015-05-14 11:25:04 +0200[diff] [blame]8590 return( 0xFFFFFFFF );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8591}
8592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8593const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]8594{
Paul Bakker926c8e42013-03-06 10:23:34 +0100[diff] [blame]8595 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8596 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +0100[diff] [blame]8597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8598 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]8599}
8600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8601const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8602{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8603#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8604 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8605 {
8606 switch( ssl->minor_ver )
8607 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8608 case MBEDTLS_SSL_MINOR_VERSION_2:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8609 return( "DTLSv1.0" );
8610
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8611 case MBEDTLS_SSL_MINOR_VERSION_3:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8612 return( "DTLSv1.2" );
8613
8614 default:
8615 return( "unknown (DTLS)" );
8616 }
8617 }
8618#endif
8619
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8620 switch( ssl->minor_ver )
8621 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8622 case MBEDTLS_SSL_MINOR_VERSION_0:
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8623 return( "SSLv3.0" );
8624
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8625 case MBEDTLS_SSL_MINOR_VERSION_1:
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8626 return( "TLSv1.0" );
8627
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8628 case MBEDTLS_SSL_MINOR_VERSION_2:
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8629 return( "TLSv1.1" );
8630
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8631 case MBEDTLS_SSL_MINOR_VERSION_3:
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]8632 return( "TLSv1.2" );
8633
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8634 default:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8635 return( "unknown" );
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8636 }
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8637}
8638
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8639int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8640{
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8641 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8642 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8643 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8644
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]8645 if( transform == NULL )
8646 return( (int) mbedtls_ssl_hdr_len( ssl ) );
8647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8648#if defined(MBEDTLS_ZLIB_SUPPORT)
8649 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
8650 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8651#endif
8652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8653 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8654 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8655 case MBEDTLS_MODE_GCM:
8656 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8657 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8658 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8659 transform_expansion = transform->minlen;
8660 break;
8661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8662 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8663
8664 block_size = mbedtls_cipher_get_block_size(
8665 &transform->cipher_ctx_enc );
8666
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8667 /* Expansion due to the addition of the MAC. */
8668 transform_expansion += transform->maclen;
8669
8670 /* Expansion due to the addition of CBC padding;
8671 * Theoretically up to 256 bytes, but we never use
8672 * more than the block size of the underlying cipher. */
8673 transform_expansion += block_size;
8674
8675 /* For TLS 1.1 or higher, an explicit IV is added
8676 * after the record header. */
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8677#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
8678 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8679 transform_expansion += block_size;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8680#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8681
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8682 break;
8683
8684 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]8685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8686 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8687 }
8688
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]8689 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8690}
8691
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8692#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8693size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
8694{
8695 size_t max_len;
8696
8697 /*
8698 * Assume mfl_code is correct since it was checked when set
8699 */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8700 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8701
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8702 /* Check if a smaller max length was negotiated */
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8703 if( ssl->session_out != NULL &&
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8704 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8705 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8706 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8707 }
8708
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8709 /* During a handshake, use the value being negotiated */
8710 if( ssl->session_negotiate != NULL &&
8711 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
8712 {
8713 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
8714 }
8715
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8716 return( max_len );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8717}
8718#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
8719
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8720#if defined(MBEDTLS_SSL_PROTO_DTLS)
8721static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
8722{
Andrzej Kurekef43ce62018-10-09 08:24:12 -0400[diff] [blame]8723 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
8724 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
8725 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
8726 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
8727 return ( 0 );
8728
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8729 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
8730 return( ssl->mtu );
8731
8732 if( ssl->mtu == 0 )
8733 return( ssl->handshake->mtu );
8734
8735 return( ssl->mtu < ssl->handshake->mtu ?
8736 ssl->mtu : ssl->handshake->mtu );
8737}
8738#endif /* MBEDTLS_SSL_PROTO_DTLS */
8739
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8740int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
8741{
8742 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
8743
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +0200[diff] [blame]8744#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8745 !defined(MBEDTLS_SSL_PROTO_DTLS)
8746 (void) ssl;
8747#endif
8748
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8749#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8750 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
8751
8752 if( max_len > mfl )
8753 max_len = mfl;
8754#endif
8755
8756#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8757 if( ssl_get_current_mtu( ssl ) != 0 )
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8758 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8759 const size_t mtu = ssl_get_current_mtu( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8760 const int ret = mbedtls_ssl_get_record_expansion( ssl );
8761 const size_t overhead = (size_t) ret;
8762
8763 if( ret < 0 )
8764 return( ret );
8765
8766 if( mtu <= overhead )
8767 {
8768 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
8769 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
8770 }
8771
8772 if( max_len > mtu - overhead )
8773 max_len = mtu - overhead;
8774 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8775#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8776
Hanno Becker0defedb2018-08-10 12:35:02 +0100[diff] [blame]8777#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8778 !defined(MBEDTLS_SSL_PROTO_DTLS)
8779 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8780#endif
8781
8782 return( (int) max_len );
8783}
8784
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8785#if defined(MBEDTLS_X509_CRT_PARSE_C)
8786const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8787{
8788 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8789 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8790
Hanno Beckere6824572019-02-07 13:18:46 +0000[diff] [blame]8791#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8792 return( ssl->session->peer_cert );
Hanno Beckere6824572019-02-07 13:18:46 +0000[diff] [blame]8793#else
8794 return( NULL );
8795#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8796}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8797#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8798
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8799#if defined(MBEDTLS_SSL_CLI_C)
Hanno Beckerf852b1c2019-02-05 11:42:30 +0000[diff] [blame]8800int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
8801 mbedtls_ssl_session *dst )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8802{
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8803 if( ssl == NULL ||
8804 dst == NULL ||
8805 ssl->session == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8806 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8807 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8808 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8809 }
8810
Hanno Becker52055ae2019-02-06 14:30:46 +0000[diff] [blame]8811 return( mbedtls_ssl_session_copy( dst, ssl->session ) );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8812}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8813#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8814
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8815/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8816 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8817 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8818int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8819{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8820 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8821
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]8822 if( ssl == NULL || ssl->conf == NULL )
8823 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8824
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8825#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8826 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8827 ret = mbedtls_ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8828#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8829#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8830 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8831 ret = mbedtls_ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8832#endif
8833
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8834 return( ret );
8835}
8836
8837/*
8838 * Perform the SSL handshake
8839 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8840int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8841{
8842 int ret = 0;
8843
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]8844 if( ssl == NULL || ssl->conf == NULL )
8845 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8846
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8847 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8849 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8850 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8851 ret = mbedtls_ssl_handshake_step( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8852
8853 if( ret != 0 )
8854 break;
8855 }
8856
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8857 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8858
8859 return( ret );
8860}
8861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8862#if defined(MBEDTLS_SSL_RENEGOTIATION)
8863#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8864/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8865 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8866 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8867static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8868{
8869 int ret;
8870
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8871 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8872
8873 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8874 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8875 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8876
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]8877 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8878 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]8879 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8880 return( ret );
8881 }
8882
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8883 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8884
8885 return( 0 );
8886}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8887#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8888
8889/*
8890 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8891 * - any side: calling mbedtls_ssl_renegotiate(),
8892 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
8893 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +0200[diff] [blame]8894 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8895 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8896 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8897 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8898static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8899{
8900 int ret;
8901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8902 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8903
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8904 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
8905 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8906
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +0200[diff] [blame]8907 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
8908 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8909#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8910 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8911 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +0200[diff] [blame]8912 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8913 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]8914 ssl->handshake->out_msg_seq = 1;
8915 else
8916 ssl->handshake->in_msg_seq = 1;
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +0200[diff] [blame]8917 }
8918#endif
8919
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8920 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
8921 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8923 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8924 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8925 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8926 return( ret );
8927 }
8928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8930
8931 return( 0 );
8932}
8933
8934/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8935 * Renegotiate current connection on client,
8936 * or request renegotiation on server
8937 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8938int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8939{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8940 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8941
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]8942 if( ssl == NULL || ssl->conf == NULL )
8943 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8945#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8946 /* On server, just send the request */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8947 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8948 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8949 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8950 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8952 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]8953
8954 /* Did we already try/start sending HelloRequest? */
8955 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8956 return( mbedtls_ssl_flush_output( ssl ) );
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]8957
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8958 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8959 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8960#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8961
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8962#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8963 /*
8964 * On client, either start the renegotiation process or,
8965 * if already in progress, continue the handshake
8966 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8967 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8968 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8969 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8970 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8971
8972 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
8973 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8974 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8975 return( ret );
8976 }
8977 }
8978 else
8979 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8980 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8981 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8982 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8983 return( ret );
8984 }
8985 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8986#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8987
Paul Bakker37ce0ff2013-10-31 14:32:04 +0100[diff] [blame]8988 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8989}
8990
8991/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]8992 * Check record counters and renegotiate if they're above the limit.
8993 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8994static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]8995{
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]8996 size_t ep_len = ssl_ep_len( ssl );
8997 int in_ctr_cmp;
8998 int out_ctr_cmp;
8999
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9000 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
9001 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9002 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9003 {
9004 return( 0 );
9005 }
9006
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]9007 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
9008 ssl->conf->renego_period + ep_len, 8 - ep_len );
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]9009 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]9010 ssl->conf->renego_period + ep_len, 8 - ep_len );
9011
9012 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9013 {
9014 return( 0 );
9015 }
9016
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]9017 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9018 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9019}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9020#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9021
9022/*
9023 * Receive application data decrypted from the SSL layer
9024 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9025int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9026{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9027 int ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]9028 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9029
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]9030 if( ssl == NULL || ssl->conf == NULL )
9031 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9035#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9036 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]9037 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9038 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]9039 return( ret );
9040
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9041 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9042 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9043 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]9044 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9045 return( ret );
9046 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]9047 }
9048#endif
9049
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9050 /*
9051 * Check if renegotiation is necessary and/or handshake is
9052 * in process. If yes, perform/continue, and fall through
9053 * if an unexpected packet is received while the client
9054 * is waiting for the ServerHello.
9055 *
9056 * (There is no equivalent to the last condition on
9057 * the server-side as it is not treated as within
9058 * a handshake while waiting for the ClientHello
9059 * after a renegotiation request.)
9060 */
9061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9062#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9063 ret = ssl_check_ctr_renegotiate( ssl );
9064 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
9065 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9066 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9067 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9068 return( ret );
9069 }
9070#endif
9071
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9072 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9073 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9074 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9075 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
9076 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9077 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9078 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9079 return( ret );
9080 }
9081 }
9082
Hanno Beckere41158b2017-10-23 13:30:32 +0100[diff] [blame]9083 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9084 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9085 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]9086 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]9087 if( ssl->f_get_timer != NULL &&
9088 ssl->f_get_timer( ssl->p_timer ) == -1 )
9089 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9090 ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]9091 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]9092
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]9093 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9094 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9095 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
9096 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]9097
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9098 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
9099 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9100 }
9101
9102 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9103 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9104 {
9105 /*
9106 * OpenSSL sends empty messages to randomize the IV
9107 */
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]9108 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9109 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9110 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]9111 return( 0 );
9112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9113 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9114 return( ret );
9115 }
9116 }
9117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9118 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9119 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9121
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9122 /*
9123 * - For client-side, expect SERVER_HELLO_REQUEST.
9124 * - For server-side, expect CLIENT_HELLO.
9125 * - Fail (TLS) or silently drop record (DTLS) in other cases.
9126 */
9127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9128#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9129 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9130 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9131 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9132 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9134
9135 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9136#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9137 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9138 {
9139 continue;
9140 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9141#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9142 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9143 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9144#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9145
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9146#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9147 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9148 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9149 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9151
9152 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9153#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9154 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9155 {
9156 continue;
9157 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9158#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9159 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9160 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9161#endif /* MBEDTLS_SSL_SRV_C */
9162
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]9163#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9164 /* Determine whether renegotiation attempt should be accepted */
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]9165 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
9166 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
9167 ssl->conf->allow_legacy_renegotiation ==
9168 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
9169 {
9170 /*
9171 * Accept renegotiation request
9172 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9173
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]9174 /* DTLS clients need to know renego is server-initiated */
9175#if defined(MBEDTLS_SSL_PROTO_DTLS)
9176 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
9177 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
9178 {
9179 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
9180 }
9181#endif
9182 ret = ssl_start_renegotiation( ssl );
9183 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
9184 ret != 0 )
9185 {
9186 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
9187 return( ret );
9188 }
9189 }
9190 else
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]9191#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9192 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9193 /*
9194 * Refuse renegotiation
9195 */
9196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9197 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9199#if defined(MBEDTLS_SSL_PROTO_SSL3)
9200 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9201 {
Gilles Peskine92e44262017-05-10 17:27:49 +0200[diff] [blame]9202 /* SSLv3 does not have a "no_renegotiation" warning, so
9203 we send a fatal alert and abort the connection. */
9204 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9205 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
9206 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]9207 }
9208 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9209#endif /* MBEDTLS_SSL_PROTO_SSL3 */
9210#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
9211 defined(MBEDTLS_SSL_PROTO_TLS1_2)
9212 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]9213 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9214 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
9215 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
9216 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]9217 {
9218 return( ret );
9219 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9220 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]9221 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9222#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
9223 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]9224 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
9226 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]9227 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9228 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9229
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9230 /* At this point, we don't know whether the renegotiation has been
9231 * completed or not. The cases to consider are the following:
9232 * 1) The renegotiation is complete. In this case, no new record
9233 * has been read yet.
9234 * 2) The renegotiation is incomplete because the client received
9235 * an application data record while awaiting the ServerHello.
9236 * 3) The renegotiation is incomplete because the client received
9237 * a non-handshake, non-application data message while awaiting
9238 * the ServerHello.
9239 * In each of these case, looping will be the proper action:
9240 * - For 1), the next iteration will read a new record and check
9241 * if it's application data.
9242 * - For 2), the loop condition isn't satisfied as application data
9243 * is present, hence continue is the same as break
9244 * - For 3), the loop condition is satisfied and read_record
9245 * will re-deliver the message that was held back by the client
9246 * when expecting the ServerHello.
9247 */
9248 continue;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9249 }
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]9250#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9251 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]9252 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9253 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]9254 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9255 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9256 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9257 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9258 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9259 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9260 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]9261 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]9262 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9263#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9265 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
9266 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9267 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9268 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]9269 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9270 }
9271
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9272 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9273 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9274 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
9275 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9276 }
9277
9278 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]9279
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9280 /* We're going to return something now, cancel timer,
9281 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9282 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9283 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9284
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]9285#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9286 /* If we requested renego but received AppData, resend HelloRequest.
9287 * Do it now, after setting in_offt, to avoid taking this branch
9288 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9289#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9290 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9291 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9292 {
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9293 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9294 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9295 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9296 return( ret );
9297 }
9298 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9299#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9300#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9301 }
9302
9303 n = ( len < ssl->in_msglen )
9304 ? len : ssl->in_msglen;
9305
9306 memcpy( buf, ssl->in_offt, n );
9307 ssl->in_msglen -= n;
9308
9309 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9310 {
9311 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9312 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +0100[diff] [blame]9313 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9314 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9315 else
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9316 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9317 /* more data available */
9318 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9319 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9322
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]9323 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9324}
9325
9326/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]9327 * Send application data to be encrypted by the SSL layer, taking care of max
9328 * fragment length and buffer size.
9329 *
9330 * According to RFC 5246 Section 6.2.1:
9331 *
9332 * Zero-length fragments of Application data MAY be sent as they are
9333 * potentially useful as a traffic analysis countermeasure.
9334 *
9335 * Therefore, it is possible that the input message length is 0 and the
9336 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9337 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9338static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9339 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9340{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]9341 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
9342 const size_t max_len = (size_t) ret;
9343
9344 if( ret < 0 )
9345 {
9346 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
9347 return( ret );
9348 }
9349
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9350 if( len > max_len )
9351 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9352#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9353 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9354 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9355 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9356 "maximum fragment length: %d > %d",
9357 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9358 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9359 }
9360 else
9361#endif
9362 len = max_len;
9363 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9365 if( ssl->out_left != 0 )
9366 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]9367 /*
9368 * The user has previously tried to send the data and
9369 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
9370 * written. In this case, we expect the high-level write function
9371 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
9372 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9373 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9374 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9375 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9376 return( ret );
9377 }
9378 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9379 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]9380 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]9381 /*
9382 * The user is trying to send a message the first time, so we need to
9383 * copy the data into the internal buffers and setup the data structure
9384 * to keep track of partial writes
9385 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9386 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9387 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9388 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9389
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]9390 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9391 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9392 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9393 return( ret );
9394 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9395 }
9396
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9397 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9398}
9399
9400/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9401 * Write application data, doing 1/n-1 splitting if necessary.
9402 *
9403 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]9404 * then the caller will call us again with the same arguments, so
Hanno Becker2b187c42017-09-18 14:58:11 +0100[diff] [blame]9405 * remember whether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9406 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9407#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9408static int ssl_write_split( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9409 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9410{
9411 int ret;
9412
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]9413 if( ssl->conf->cbc_record_splitting ==
9414 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]9415 len <= 1 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9416 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
9417 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
9418 != MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9419 {
9420 return( ssl_write_real( ssl, buf, len ) );
9421 }
9422
9423 if( ssl->split_done == 0 )
9424 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]9425 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9426 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]9427 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9428 }
9429
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]9430 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
9431 return( ret );
9432 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9433
9434 return( ret + 1 );
9435}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9436#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9437
9438/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9439 * Write application data (public-facing wrapper)
9440 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9441int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9442{
9443 int ret;
9444
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9445 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9446
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]9447 if( ssl == NULL || ssl->conf == NULL )
9448 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9449
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9450#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9451 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
9452 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9453 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9454 return( ret );
9455 }
9456#endif
9457
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9458 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9459 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9460 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9461 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +0200[diff] [blame]9462 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9463 return( ret );
9464 }
9465 }
9466
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9467#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9468 ret = ssl_write_split( ssl, buf, len );
9469#else
9470 ret = ssl_write_real( ssl, buf, len );
9471#endif
9472
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9473 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9474
9475 return( ret );
9476}
9477
9478/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9479 * Notify the peer that the connection is being closed
9480 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9481int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9482{
9483 int ret;
9484
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]9485 if( ssl == NULL || ssl->conf == NULL )
9486 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9488 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9489
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]9490 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9491 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9493 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9494 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9495 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
9496 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
9497 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9498 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9499 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9500 return( ret );
9501 }
9502 }
9503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9504 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9505
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]9506 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9507}
9508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9509void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9510{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9511 if( transform == NULL )
9512 return;
9513
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9514#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9515 deflateEnd( &transform->ctx_deflate );
9516 inflateEnd( &transform->ctx_inflate );
9517#endif
9518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9519 mbedtls_cipher_free( &transform->cipher_ctx_enc );
9520 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +0200[diff] [blame]9521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9522 mbedtls_md_free( &transform->md_ctx_enc );
9523 mbedtls_md_free( &transform->md_ctx_dec );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]9524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9525 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9526}
9527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9528#if defined(MBEDTLS_X509_CRT_PARSE_C)
9529static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9530{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9531 mbedtls_ssl_key_cert *cur = key_cert, *next;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9532
9533 while( cur != NULL )
9534 {
9535 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9536 mbedtls_free( cur );
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9537 cur = next;
9538 }
9539}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9540#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9541
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9542#if defined(MBEDTLS_SSL_PROTO_DTLS)
9543
9544static void ssl_buffering_free( mbedtls_ssl_context *ssl )
9545{
9546 unsigned offset;
9547 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
9548
9549 if( hs == NULL )
9550 return;
9551
Hanno Becker283f5ef2018-08-24 09:34:47 +0100[diff] [blame]9552 ssl_free_buffered_record( ssl );
9553
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9554 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9555 ssl_buffering_free_slot( ssl, offset );
9556}
9557
9558static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
9559 uint8_t slot )
9560{
9561 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
9562 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]9563
9564 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
9565 return;
9566
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9567 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9568 {
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9569 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +0100[diff] [blame]9570 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9571 mbedtls_free( hs_buf->data );
9572 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9573 }
9574}
9575
9576#endif /* MBEDTLS_SSL_PROTO_DTLS */
9577
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]9578void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9579{
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]9580 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
9581
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9582 if( handshake == NULL )
9583 return;
9584
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]9585#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
9586 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
9587 {
Gilles Peskine8f97af72018-04-26 11:46:10 +0200[diff] [blame]9588 ssl->conf->f_async_cancel( ssl );
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]9589 handshake->async_in_progress = 0;
9590 }
9591#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
9592
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9593#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
9594 defined(MBEDTLS_SSL_PROTO_TLS1_1)
9595 mbedtls_md5_free( &handshake->fin_md5 );
9596 mbedtls_sha1_free( &handshake->fin_sha1 );
9597#endif
9598#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9599#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9600#if defined(MBEDTLS_USE_PSA_CRYPTO)
9601 psa_hash_abort( &handshake->fin_sha256_psa );
9602#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9603 mbedtls_sha256_free( &handshake->fin_sha256 );
9604#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9605#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9606#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9607#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]9608 psa_hash_abort( &handshake->fin_sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9609#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9610 mbedtls_sha512_free( &handshake->fin_sha512 );
9611#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9612#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9613#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9615#if defined(MBEDTLS_DHM_C)
9616 mbedtls_dhm_free( &handshake->dhm_ctx );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9617#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9618#if defined(MBEDTLS_ECDH_C)
9619 mbedtls_ecdh_free( &handshake->ecdh_ctx );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]9620#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]9621#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]9622 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200[diff] [blame]9623#if defined(MBEDTLS_SSL_CLI_C)
9624 mbedtls_free( handshake->ecjpake_cache );
9625 handshake->ecjpake_cache = NULL;
9626 handshake->ecjpake_cache_len = 0;
9627#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]9628#endif
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]9629
Janos Follath4ae5c292016-02-10 11:27:43 +0000[diff] [blame]9630#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
9631 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]9632 /* explicit void pointer cast for buggy MS compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9633 mbedtls_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]9634#endif
9635
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]9636#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
9637 if( handshake->psk != NULL )
9638 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9639 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]9640 mbedtls_free( handshake->psk );
9641 }
9642#endif
9643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9644#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
9645 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]9646 /*
9647 * Free only the linked list wrapper, not the keys themselves
9648 * since the belong to the SNI callback
9649 */
9650 if( handshake->sni_key_cert != NULL )
9651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9652 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]9653
9654 while( cur != NULL )
9655 {
9656 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9657 mbedtls_free( cur );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]9658 cur = next;
9659 }
9660 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9661#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9662
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]9663#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +0200[diff] [blame]9664 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]9665 if( handshake->ecrs_peer_cert != NULL )
9666 {
9667 mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
9668 mbedtls_free( handshake->ecrs_peer_cert );
9669 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]9670#endif
9671
Hanno Becker75173122019-02-06 16:18:31 +0000[diff] [blame]9672#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
9673 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9674 mbedtls_pk_free( &handshake->peer_pubkey );
9675#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9677#if defined(MBEDTLS_SSL_PROTO_DTLS)
9678 mbedtls_free( handshake->verify_cookie );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]9679 ssl_flight_free( handshake->flight );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9680 ssl_buffering_free( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]9681#endif
9682
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]9683#if defined(MBEDTLS_ECDH_C) && \
9684 defined(MBEDTLS_USE_PSA_CRYPTO)
9685 psa_destroy_key( handshake->ecdh_psa_privkey );
9686#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
9687
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9688 mbedtls_platform_zeroize( handshake,
9689 sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9690}
9691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9692void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9693{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9694 if( session == NULL )
9695 return;
9696
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9697#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker1294a0b2019-02-05 12:38:15 +0000[diff] [blame]9698 ssl_clear_peer_cert( session );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]9699#endif
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]9700
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]9701#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9702 mbedtls_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]9703#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +0200[diff] [blame]9704
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9705 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9706}
9707
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9708/*
9709 * Free an SSL context
9710 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9711void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9712{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9713 if( ssl == NULL )
9714 return;
9715
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9717
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +0100[diff] [blame]9718 if( ssl->out_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9719 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]9720 mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9721 mbedtls_free( ssl->out_buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9722 }
9723
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +0100[diff] [blame]9724 if( ssl->in_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9725 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]9726 mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9727 mbedtls_free( ssl->in_buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9728 }
9729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9730#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]9731 if( ssl->compress_buf != NULL )
9732 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]9733 mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9734 mbedtls_free( ssl->compress_buf );
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]9735 }
9736#endif
9737
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9738 if( ssl->transform )
9739 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9740 mbedtls_ssl_transform_free( ssl->transform );
9741 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9742 }
9743
9744 if( ssl->handshake )
9745 {
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]9746 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9747 mbedtls_ssl_transform_free( ssl->transform_negotiate );
9748 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9749
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9750 mbedtls_free( ssl->handshake );
9751 mbedtls_free( ssl->transform_negotiate );
9752 mbedtls_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9753 }
9754
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]9755 if( ssl->session )
9756 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9757 mbedtls_ssl_session_free( ssl->session );
9758 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]9759 }
9760
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +0200[diff] [blame]9761#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]9762 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9763 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9764 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9765 mbedtls_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9766 }
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]9767#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9768
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9769#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
9770 if( mbedtls_ssl_hw_record_finish != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]9771 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
9773 mbedtls_ssl_hw_record_finish( ssl );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]9774 }
9775#endif
9776
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]9777#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9778 mbedtls_free( ssl->cli_id );
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]9779#endif
9780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9781 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]9782
Paul Bakker86f04f42013-02-14 11:20:09 +0100[diff] [blame]9783 /* Actually clear after last debug message */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9784 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9785}
9786
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9787/*
9788 * Initialze mbedtls_ssl_config
9789 */
9790void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
9791{
9792 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
9793}
9794
Simon Butcherc97b6972015-12-27 23:48:17 +0000[diff] [blame]9795#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9796static int ssl_preset_default_hashes[] = {
9797#if defined(MBEDTLS_SHA512_C)
9798 MBEDTLS_MD_SHA512,
9799 MBEDTLS_MD_SHA384,
9800#endif
9801#if defined(MBEDTLS_SHA256_C)
9802 MBEDTLS_MD_SHA256,
9803 MBEDTLS_MD_SHA224,
9804#endif
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]9805#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9806 MBEDTLS_MD_SHA1,
9807#endif
9808 MBEDTLS_MD_NONE
9809};
Simon Butcherc97b6972015-12-27 23:48:17 +0000[diff] [blame]9810#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9811
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9812static int ssl_preset_suiteb_ciphersuites[] = {
9813 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
9814 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
9815 0
9816};
9817
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]9818#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9819static int ssl_preset_suiteb_hashes[] = {
9820 MBEDTLS_MD_SHA256,
9821 MBEDTLS_MD_SHA384,
9822 MBEDTLS_MD_NONE
9823};
9824#endif
9825
9826#if defined(MBEDTLS_ECP_C)
9827static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
9828 MBEDTLS_ECP_DP_SECP256R1,
9829 MBEDTLS_ECP_DP_SECP384R1,
9830 MBEDTLS_ECP_DP_NONE
9831};
9832#endif
9833
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9834/*
Tillmann Karras588ad502015-09-25 04:27:22 +0200[diff] [blame]9835 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9836 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +0200[diff] [blame]9837int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9838 int endpoint, int transport, int preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9839{
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +0200[diff] [blame]9840#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9841 int ret;
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +0200[diff] [blame]9842#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9843
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +0200[diff] [blame]9844 /* Use the functions here so that they are covered in tests,
9845 * but otherwise access member directly for efficiency */
9846 mbedtls_ssl_conf_endpoint( conf, endpoint );
9847 mbedtls_ssl_conf_transport( conf, transport );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9848
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9849 /*
9850 * Things that are common to all presets
9851 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +0200[diff] [blame]9852#if defined(MBEDTLS_SSL_CLI_C)
9853 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
9854 {
9855 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
9856#if defined(MBEDTLS_SSL_SESSION_TICKETS)
9857 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
9858#endif
9859 }
9860#endif
9861
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]9862#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9863 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]9864#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9865
9866#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9867 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
9868#endif
9869
9870#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
9871 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
9872#endif
9873
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]9874#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
9875 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
9876#endif
9877
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]9878#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9879 conf->f_cookie_write = ssl_cookie_write_dummy;
9880 conf->f_cookie_check = ssl_cookie_check_dummy;
9881#endif
9882
9883#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
9884 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
9885#endif
9886
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]9887#if defined(MBEDTLS_SSL_SRV_C)
9888 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
9889#endif
9890
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9891#if defined(MBEDTLS_SSL_PROTO_DTLS)
9892 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
9893 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
9894#endif
9895
9896#if defined(MBEDTLS_SSL_RENEGOTIATION)
9897 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]9898 memset( conf->renego_period, 0x00, 2 );
9899 memset( conf->renego_period + 2, 0xFF, 6 );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9900#endif
9901
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9902#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
9903 if( endpoint == MBEDTLS_SSL_IS_SERVER )
9904 {
Hanno Becker00d0a682017-10-04 13:14:29 +0100[diff] [blame]9905 const unsigned char dhm_p[] =
9906 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
9907 const unsigned char dhm_g[] =
9908 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
9909
Hanno Beckera90658f2017-10-04 15:29:08 +0100[diff] [blame]9910 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
9911 dhm_p, sizeof( dhm_p ),
9912 dhm_g, sizeof( dhm_g ) ) ) != 0 )
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9913 {
9914 return( ret );
9915 }
9916 }
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]9917#endif
9918
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9919 /*
9920 * Preset-specific defaults
9921 */
9922 switch( preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9923 {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9924 /*
9925 * NSA Suite B
9926 */
9927 case MBEDTLS_SSL_PRESET_SUITEB:
9928 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
9929 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
9930 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9931 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9932
9933 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9934 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9935 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9936 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9937 ssl_preset_suiteb_ciphersuites;
9938
9939#if defined(MBEDTLS_X509_CRT_PARSE_C)
9940 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9941#endif
9942
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]9943#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9944 conf->sig_hashes = ssl_preset_suiteb_hashes;
9945#endif
9946
9947#if defined(MBEDTLS_ECP_C)
9948 conf->curve_list = ssl_preset_suiteb_curves;
9949#endif
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +0200[diff] [blame]9950 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9951
9952 /*
9953 * Default
9954 */
9955 default:
Ron Eldor5e9f14d2017-05-28 10:46:38 +0300[diff] [blame]9956 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
9957 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
9958 MBEDTLS_SSL_MIN_MAJOR_VERSION :
9959 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
9960 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
9961 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
9962 MBEDTLS_SSL_MIN_MINOR_VERSION :
9963 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9964 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9965 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9966
9967#if defined(MBEDTLS_SSL_PROTO_DTLS)
9968 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
9969 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
9970#endif
9971
9972 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9973 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9974 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9975 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9976 mbedtls_ssl_list_ciphersuites();
9977
9978#if defined(MBEDTLS_X509_CRT_PARSE_C)
9979 conf->cert_profile = &mbedtls_x509_crt_profile_default;
9980#endif
9981
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]9982#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9983 conf->sig_hashes = ssl_preset_default_hashes;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9984#endif
9985
9986#if defined(MBEDTLS_ECP_C)
9987 conf->curve_list = mbedtls_ecp_grp_id_list();
9988#endif
9989
9990#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
9991 conf->dhm_min_bitlen = 1024;
9992#endif
9993 }
9994
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9995 return( 0 );
9996}
9997
9998/*
9999 * Free mbedtls_ssl_config
10000 */
10001void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
10002{
10003#if defined(MBEDTLS_DHM_C)
10004 mbedtls_mpi_free( &conf->dhm_P );
10005 mbedtls_mpi_free( &conf->dhm_G );
10006#endif
10007
10008#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
10009 if( conf->psk != NULL )
10010 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]10011 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10012 mbedtls_free( conf->psk );
Azim Khan27e8a122018-03-21 14:24:11 +0000[diff] [blame]10013 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10014 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +0900[diff] [blame]10015 }
10016
10017 if( conf->psk_identity != NULL )
10018 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]10019 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
junyeonLEE316b1622017-12-20 16:29:30 +0900[diff] [blame]10020 mbedtls_free( conf->psk_identity );
Azim Khan27e8a122018-03-21 14:24:11 +0000[diff] [blame]10021 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10022 conf->psk_identity_len = 0;
10023 }
10024#endif
10025
10026#if defined(MBEDTLS_X509_CRT_PARSE_C)
10027 ssl_key_cert_free( conf->key_cert );
10028#endif
10029
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]10030 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10031}
10032
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]10033#if defined(MBEDTLS_PK_C) && \
10034 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10035/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10036 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10037 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10038unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10039{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10040#if defined(MBEDTLS_RSA_C)
10041 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
10042 return( MBEDTLS_SSL_SIG_RSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10043#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10044#if defined(MBEDTLS_ECDSA_C)
10045 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
10046 return( MBEDTLS_SSL_SIG_ECDSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10047#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10048 return( MBEDTLS_SSL_SIG_ANON );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10049}
10050
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]10051unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
10052{
10053 switch( type ) {
10054 case MBEDTLS_PK_RSA:
10055 return( MBEDTLS_SSL_SIG_RSA );
10056 case MBEDTLS_PK_ECDSA:
10057 case MBEDTLS_PK_ECKEY:
10058 return( MBEDTLS_SSL_SIG_ECDSA );
10059 default:
10060 return( MBEDTLS_SSL_SIG_ANON );
10061 }
10062}
10063
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10064mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10065{
10066 switch( sig )
10067 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10068#if defined(MBEDTLS_RSA_C)
10069 case MBEDTLS_SSL_SIG_RSA:
10070 return( MBEDTLS_PK_RSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10071#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10072#if defined(MBEDTLS_ECDSA_C)
10073 case MBEDTLS_SSL_SIG_ECDSA:
10074 return( MBEDTLS_PK_ECDSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10075#endif
10076 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10077 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10078 }
10079}
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]10080#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10081
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]10082#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
10083 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
10084
10085/* Find an entry in a signature-hash set matching a given hash algorithm. */
10086mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
10087 mbedtls_pk_type_t sig_alg )
10088{
10089 switch( sig_alg )
10090 {
10091 case MBEDTLS_PK_RSA:
10092 return( set->rsa );
10093 case MBEDTLS_PK_ECDSA:
10094 return( set->ecdsa );
10095 default:
10096 return( MBEDTLS_MD_NONE );
10097 }
10098}
10099
10100/* Add a signature-hash-pair to a signature-hash set */
10101void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
10102 mbedtls_pk_type_t sig_alg,
10103 mbedtls_md_type_t md_alg )
10104{
10105 switch( sig_alg )
10106 {
10107 case MBEDTLS_PK_RSA:
10108 if( set->rsa == MBEDTLS_MD_NONE )
10109 set->rsa = md_alg;
10110 break;
10111
10112 case MBEDTLS_PK_ECDSA:
10113 if( set->ecdsa == MBEDTLS_MD_NONE )
10114 set->ecdsa = md_alg;
10115 break;
10116
10117 default:
10118 break;
10119 }
10120}
10121
10122/* Allow exactly one hash algorithm for each signature. */
10123void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
10124 mbedtls_md_type_t md_alg )
10125{
10126 set->rsa = md_alg;
10127 set->ecdsa = md_alg;
10128}
10129
10130#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
10131 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
10132
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +0200[diff] [blame]10133/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10134 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +0200[diff] [blame]10135 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10136mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10137{
10138 switch( hash )
10139 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10140#if defined(MBEDTLS_MD5_C)
10141 case MBEDTLS_SSL_HASH_MD5:
10142 return( MBEDTLS_MD_MD5 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10143#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10144#if defined(MBEDTLS_SHA1_C)
10145 case MBEDTLS_SSL_HASH_SHA1:
10146 return( MBEDTLS_MD_SHA1 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10147#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10148#if defined(MBEDTLS_SHA256_C)
10149 case MBEDTLS_SSL_HASH_SHA224:
10150 return( MBEDTLS_MD_SHA224 );
10151 case MBEDTLS_SSL_HASH_SHA256:
10152 return( MBEDTLS_MD_SHA256 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10153#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10154#if defined(MBEDTLS_SHA512_C)
10155 case MBEDTLS_SSL_HASH_SHA384:
10156 return( MBEDTLS_MD_SHA384 );
10157 case MBEDTLS_SSL_HASH_SHA512:
10158 return( MBEDTLS_MD_SHA512 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10159#endif
10160 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10161 return( MBEDTLS_MD_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10162 }
10163}
10164
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10165/*
10166 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
10167 */
10168unsigned char mbedtls_ssl_hash_from_md_alg( int md )
10169{
10170 switch( md )
10171 {
10172#if defined(MBEDTLS_MD5_C)
10173 case MBEDTLS_MD_MD5:
10174 return( MBEDTLS_SSL_HASH_MD5 );
10175#endif
10176#if defined(MBEDTLS_SHA1_C)
10177 case MBEDTLS_MD_SHA1:
10178 return( MBEDTLS_SSL_HASH_SHA1 );
10179#endif
10180#if defined(MBEDTLS_SHA256_C)
10181 case MBEDTLS_MD_SHA224:
10182 return( MBEDTLS_SSL_HASH_SHA224 );
10183 case MBEDTLS_MD_SHA256:
10184 return( MBEDTLS_SSL_HASH_SHA256 );
10185#endif
10186#if defined(MBEDTLS_SHA512_C)
10187 case MBEDTLS_MD_SHA384:
10188 return( MBEDTLS_SSL_HASH_SHA384 );
10189 case MBEDTLS_MD_SHA512:
10190 return( MBEDTLS_SSL_HASH_SHA512 );
10191#endif
10192 default:
10193 return( MBEDTLS_SSL_HASH_NONE );
10194 }
10195}
10196
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]10197#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10198/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10199 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10200 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10201 */
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10202int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10203{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10204 const mbedtls_ecp_group_id *gid;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10205
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10206 if( ssl->conf->curve_list == NULL )
10207 return( -1 );
10208
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]10209 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10210 if( *gid == grp_id )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10211 return( 0 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10212
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10213 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10214}
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]10215#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10216
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]10217#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10218/*
10219 * Check if a hash proposed by the peer is in our list.
10220 * Return 0 if we're willing to use it, -1 otherwise.
10221 */
10222int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
10223 mbedtls_md_type_t md )
10224{
10225 const int *cur;
10226
10227 if( ssl->conf->sig_hashes == NULL )
10228 return( -1 );
10229
10230 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
10231 if( *cur == (int) md )
10232 return( 0 );
10233
10234 return( -1 );
10235}
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]10236#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10237
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10238#if defined(MBEDTLS_X509_CRT_PARSE_C)
10239int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
10240 const mbedtls_ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10241 int cert_endpoint,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]10242 uint32_t *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10243{
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10244 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10245#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10246 int usage = 0;
10247#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10248#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10249 const char *ext_oid;
10250 size_t ext_len;
10251#endif
10252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10253#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
10254 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10255 ((void) cert);
10256 ((void) cert_endpoint);
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10257 ((void) flags);
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10258#endif
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10259
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10260#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
10261 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10262 {
10263 /* Server part of the key exchange */
10264 switch( ciphersuite->key_exchange )
10265 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10266 case MBEDTLS_KEY_EXCHANGE_RSA:
10267 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10268 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10269 break;
10270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10271 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
10272 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
10273 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
10274 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10275 break;
10276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10277 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
10278 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10279 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10280 break;
10281
10282 /* Don't use default: we want warnings when adding new values */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10283 case MBEDTLS_KEY_EXCHANGE_NONE:
10284 case MBEDTLS_KEY_EXCHANGE_PSK:
10285 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
10286 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200[diff] [blame]10287 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10288 usage = 0;
10289 }
10290 }
10291 else
10292 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10293 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
10294 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10295 }
10296
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10297 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10298 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10299 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10300 ret = -1;
10301 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10302#else
10303 ((void) ciphersuite);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10304#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10306#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
10307 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10308 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10309 ext_oid = MBEDTLS_OID_SERVER_AUTH;
10310 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10311 }
10312 else
10313 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10314 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
10315 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10316 }
10317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10318 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10319 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10320 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10321 ret = -1;
10322 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10323#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10324
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10325 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10326}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10327#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +0200[diff] [blame]10328
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10329/*
10330 * Convert version numbers to/from wire format
10331 * and, for DTLS, to/from TLS equivalent.
10332 *
10333 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]10334 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10335 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
10336 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
10337 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10338void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10339 unsigned char ver[2] )
10340{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10341#if defined(MBEDTLS_SSL_PROTO_DTLS)
10342 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10343 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10344 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10345 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
10346
10347 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
10348 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
10349 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10350 else
10351#else
10352 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10353#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10354 {
10355 ver[0] = (unsigned char) major;
10356 ver[1] = (unsigned char) minor;
10357 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10358}
10359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10360void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10361 const unsigned char ver[2] )
10362{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10363#if defined(MBEDTLS_SSL_PROTO_DTLS)
10364 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10365 {
10366 *major = 255 - ver[0] + 2;
10367 *minor = 255 - ver[1] + 1;
10368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10369 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10370 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
10371 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10372 else
10373#else
10374 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10375#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10376 {
10377 *major = ver[0];
10378 *minor = ver[1];
10379 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10380}
10381
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]10382int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
10383{
10384#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
10385 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
10386 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10387
10388 switch( md )
10389 {
10390#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
10391#if defined(MBEDTLS_MD5_C)
10392 case MBEDTLS_SSL_HASH_MD5:
Janos Follath182013f2016-10-25 10:50:22 +0100[diff] [blame]10393 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]10394#endif
10395#if defined(MBEDTLS_SHA1_C)
10396 case MBEDTLS_SSL_HASH_SHA1:
10397 ssl->handshake->calc_verify = ssl_calc_verify_tls;
10398 break;
10399#endif
10400#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
10401#if defined(MBEDTLS_SHA512_C)
10402 case MBEDTLS_SSL_HASH_SHA384:
10403 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
10404 break;
10405#endif
10406#if defined(MBEDTLS_SHA256_C)
10407 case MBEDTLS_SSL_HASH_SHA256:
10408 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
10409 break;
10410#endif
10411 default:
10412 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10413 }
10414
10415 return 0;
10416#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
10417 (void) ssl;
10418 (void) md;
10419
10420 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10421#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
10422}
10423
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10424#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
10425 defined(MBEDTLS_SSL_PROTO_TLS1_1)
10426int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
10427 unsigned char *output,
10428 unsigned char *data, size_t data_len )
10429{
10430 int ret = 0;
10431 mbedtls_md5_context mbedtls_md5;
10432 mbedtls_sha1_context mbedtls_sha1;
10433
10434 mbedtls_md5_init( &mbedtls_md5 );
10435 mbedtls_sha1_init( &mbedtls_sha1 );
10436
10437 /*
10438 * digitally-signed struct {
10439 * opaque md5_hash[16];
10440 * opaque sha_hash[20];
10441 * };
10442 *
10443 * md5_hash
10444 * MD5(ClientHello.random + ServerHello.random
10445 * + ServerParams);
10446 * sha_hash
10447 * SHA(ClientHello.random + ServerHello.random
10448 * + ServerParams);
10449 */
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10450 if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10451 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10452 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10453 goto exit;
10454 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10455 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10456 ssl->handshake->randbytes, 64 ) ) != 0 )
10457 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10458 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10459 goto exit;
10460 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10461 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10462 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10463 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10464 goto exit;
10465 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10466 if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10467 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10468 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10469 goto exit;
10470 }
10471
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10472 if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10473 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10474 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10475 goto exit;
10476 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10477 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10478 ssl->handshake->randbytes, 64 ) ) != 0 )
10479 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10480 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10481 goto exit;
10482 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10483 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10484 data_len ) ) != 0 )
10485 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10486 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10487 goto exit;
10488 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10489 if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10490 output + 16 ) ) != 0 )
10491 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10492 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10493 goto exit;
10494 }
10495
10496exit:
10497 mbedtls_md5_free( &mbedtls_md5 );
10498 mbedtls_sha1_free( &mbedtls_sha1 );
10499
10500 if( ret != 0 )
10501 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10502 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
10503
10504 return( ret );
10505
10506}
10507#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
10508 MBEDTLS_SSL_PROTO_TLS1_1 */
10509
10510#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
10511 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10512
10513#if defined(MBEDTLS_USE_PSA_CRYPTO)
10514int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
10515 unsigned char *hash, size_t *hashlen,
10516 unsigned char *data, size_t data_len,
10517 mbedtls_md_type_t md_alg )
10518{
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10519 psa_status_t status;
Jaeden Amero34973232019-02-20 10:32:28 +0000[diff] [blame]10520 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10521 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
10522
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]10523 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10524
10525 if( ( status = psa_hash_setup( &hash_operation,
10526 hash_alg ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10527 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10528 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10529 goto exit;
10530 }
10531
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10532 if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
10533 64 ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10534 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10535 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10536 goto exit;
10537 }
10538
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10539 if( ( status = psa_hash_update( &hash_operation,
10540 data, data_len ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10541 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10542 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10543 goto exit;
10544 }
10545
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10546 if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
10547 hashlen ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10548 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10549 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10550 goto exit;
10551 }
10552
10553exit:
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10554 if( status != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10555 {
10556 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10557 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10558 switch( status )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10559 {
10560 case PSA_ERROR_NOT_SUPPORTED:
10561 return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10562 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10563 case PSA_ERROR_BUFFER_TOO_SMALL:
10564 return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
10565 case PSA_ERROR_INSUFFICIENT_MEMORY:
10566 return( MBEDTLS_ERR_MD_ALLOC_FAILED );
10567 default:
10568 return( MBEDTLS_ERR_MD_HW_ACCEL_FAILED );
10569 }
10570 }
10571 return( 0 );
10572}
10573
10574#else
10575
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10576int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]10577 unsigned char *hash, size_t *hashlen,
10578 unsigned char *data, size_t data_len,
10579 mbedtls_md_type_t md_alg )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10580{
10581 int ret = 0;
10582 mbedtls_md_context_t ctx;
10583 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]10584 *hashlen = mbedtls_md_get_size( md_info );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10585
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]10586 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10587
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10588 mbedtls_md_init( &ctx );
10589
10590 /*
10591 * digitally-signed struct {
10592 * opaque client_random[32];
10593 * opaque server_random[32];
10594 * ServerDHParams params;
10595 * };
10596 */
10597 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
10598 {
10599 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
10600 goto exit;
10601 }
10602 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
10603 {
10604 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
10605 goto exit;
10606 }
10607 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
10608 {
10609 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
10610 goto exit;
10611 }
10612 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
10613 {
10614 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
10615 goto exit;
10616 }
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]10617 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10618 {
10619 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
10620 goto exit;
10621 }
10622
10623exit:
10624 mbedtls_md_free( &ctx );
10625
10626 if( ret != 0 )
10627 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10628 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
10629
10630 return( ret );
10631}
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10632#endif /* MBEDTLS_USE_PSA_CRYPTO */
10633
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10634#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
10635 MBEDTLS_SSL_PROTO_TLS1_2 */
10636
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10637#endif /* MBEDTLS_SSL_TLS_C */