Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
Hanno Becker | f1a3828 | 2020-02-05 16:14:29 +0000 | [diff] [blame] | 2 | * Generic SSL/TLS messaging layer functions |
| 3 | * (record layer + retransmission state machine) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4 | * |
Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 5 | * Copyright The Mbed TLS Contributors |
Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 6 | * SPDX-License-Identifier: Apache-2.0 |
| 7 | * |
| 8 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 9 | * not use this file except in compliance with the License. |
| 10 | * You may obtain a copy of the License at |
| 11 | * |
| 12 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 13 | * |
| 14 | * Unless required by applicable law or agreed to in writing, software |
| 15 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 16 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 17 | * See the License for the specific language governing permissions and |
| 18 | * limitations under the License. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 19 | */ |
| 20 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | * http://www.ietf.org/rfc/rfc2246.txt |
| 22 | * http://www.ietf.org/rfc/rfc4346.txt |
| 23 | */ |
| 24 | |
Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 25 | #include "common.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 26 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 27 | #if defined(MBEDTLS_SSL_TLS_C) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 28 | |
SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 29 | #if defined(MBEDTLS_PLATFORM_C) |
| 30 | #include "mbedtls/platform.h" |
| 31 | #else |
| 32 | #include <stdlib.h> |
| 33 | #define mbedtls_calloc calloc |
| 34 | #define mbedtls_free free |
SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 35 | #endif |
| 36 | |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 37 | #include "mbedtls/ssl.h" |
Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 38 | #include "ssl_misc.h" |
Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 39 | #include "mbedtls/debug.h" |
| 40 | #include "mbedtls/error.h" |
Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 41 | #include "mbedtls/platform_util.h" |
Hanno Becker | a835da5 | 2019-05-16 12:39:07 +0100 | [diff] [blame] | 42 | #include "mbedtls/version.h" |
Gabor Mezei | 22c9a6f | 2021-10-20 12:09:35 +0200 | [diff] [blame] | 43 | #include "constant_time_internal.h" |
Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 44 | #include "mbedtls/constant_time.h" |
Paul Bakker | 0be444a | 2013-08-27 21:55:01 +0200 | [diff] [blame] | 45 | |
Rich Evans | 00ab470 | 2015-02-06 13:43:58 +0000 | [diff] [blame] | 46 | #include <string.h> |
| 47 | |
Andrzej Kurek | d6db9be | 2019-01-10 05:27:10 -0500 | [diff] [blame] | 48 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 49 | #include "mbedtls/psa_util.h" |
| 50 | #include "psa/crypto.h" |
| 51 | #endif |
| 52 | |
Janos Follath | 23bdca0 | 2016-10-07 14:47:14 +0100 | [diff] [blame] | 53 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 54 | #include "mbedtls/oid.h" |
Manuel Pégourié-Gonnard | 0408fd1 | 2014-04-11 11:06:22 +0200 | [diff] [blame] | 55 | #endif |
| 56 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 57 | static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 58 | |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 59 | /* |
| 60 | * Start a timer. |
| 61 | * Passing millisecs = 0 cancels a running timer. |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 62 | */ |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 63 | void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 64 | { |
Manuel Pégourié-Gonnard | 2e01291 | 2015-05-12 20:55:41 +0200 | [diff] [blame] | 65 | if( ssl->f_set_timer == NULL ) |
| 66 | return; |
| 67 | |
| 68 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); |
| 69 | ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 70 | } |
| 71 | |
| 72 | /* |
| 73 | * Return -1 is timer is expired, 0 if it isn't. |
| 74 | */ |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 75 | int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 76 | { |
Manuel Pégourié-Gonnard | 2e01291 | 2015-05-12 20:55:41 +0200 | [diff] [blame] | 77 | if( ssl->f_get_timer == NULL ) |
Manuel Pégourié-Gonnard | 545102e | 2015-05-13 17:28:43 +0200 | [diff] [blame] | 78 | return( 0 ); |
Manuel Pégourié-Gonnard | 2e01291 | 2015-05-12 20:55:41 +0200 | [diff] [blame] | 79 | |
| 80 | if( ssl->f_get_timer( ssl->p_timer ) == 2 ) |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 81 | { |
| 82 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 83 | return( -1 ); |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 84 | } |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 85 | |
| 86 | return( 0 ); |
| 87 | } |
Manuel Pégourié-Gonnard | db2858c | 2014-09-29 14:04:42 +0200 | [diff] [blame] | 88 | |
TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 89 | static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, |
| 90 | unsigned char *buf, |
| 91 | size_t len, |
| 92 | mbedtls_record *rec ); |
| 93 | |
| 94 | int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, |
| 95 | unsigned char *buf, |
| 96 | size_t buflen ) |
| 97 | { |
| 98 | int ret = 0; |
| 99 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); |
| 100 | MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); |
| 101 | |
| 102 | /* We don't support record checking in TLS because |
TRodziewicz | 2abf03c | 2021-06-25 14:40:09 +0200 | [diff] [blame] | 103 | * there doesn't seem to be a usecase for it. |
TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 104 | */ |
| 105 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) |
| 106 | { |
| 107 | ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 108 | goto exit; |
| 109 | } |
| 110 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 111 | else |
| 112 | { |
| 113 | mbedtls_record rec; |
| 114 | |
| 115 | ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); |
| 116 | if( ret != 0 ) |
| 117 | { |
| 118 | MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); |
| 119 | goto exit; |
| 120 | } |
| 121 | |
| 122 | if( ssl->transform_in != NULL ) |
| 123 | { |
| 124 | ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); |
| 125 | if( ret != 0 ) |
| 126 | { |
| 127 | MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); |
| 128 | goto exit; |
| 129 | } |
| 130 | } |
| 131 | } |
| 132 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 133 | |
| 134 | exit: |
| 135 | /* On success, we have decrypted the buffer in-place, so make |
| 136 | * sure we don't leak any plaintext data. */ |
| 137 | mbedtls_platform_zeroize( buf, buflen ); |
| 138 | |
| 139 | /* For the purpose of this API, treat messages with unexpected CID |
| 140 | * as well as such from future epochs as unexpected. */ |
| 141 | if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || |
| 142 | ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) |
| 143 | { |
| 144 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; |
| 145 | } |
| 146 | |
| 147 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); |
| 148 | return( ret ); |
| 149 | } |
| 150 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 151 | #define SSL_DONT_FORCE_FLUSH 0 |
| 152 | #define SSL_FORCE_FLUSH 1 |
| 153 | |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 154 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 155 | |
Hanno Becker | d584777 | 2018-08-28 10:09:23 +0100 | [diff] [blame] | 156 | /* Forward declarations for functions related to message buffering. */ |
Hanno Becker | d584777 | 2018-08-28 10:09:23 +0100 | [diff] [blame] | 157 | static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl, |
| 158 | uint8_t slot ); |
| 159 | static void ssl_free_buffered_record( mbedtls_ssl_context *ssl ); |
| 160 | static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ); |
| 161 | static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ); |
| 162 | static int ssl_buffer_message( mbedtls_ssl_context *ssl ); |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 163 | static int ssl_buffer_future_record( mbedtls_ssl_context *ssl, |
| 164 | mbedtls_record const *rec ); |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 165 | static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl ); |
Hanno Becker | d584777 | 2018-08-28 10:09:23 +0100 | [diff] [blame] | 166 | |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 167 | static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 168 | { |
Hanno Becker | 8949071 | 2020-02-05 10:50:12 +0000 | [diff] [blame] | 169 | size_t mtu = mbedtls_ssl_get_current_mtu( ssl ); |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 170 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 171 | size_t out_buf_len = ssl->out_buf_len; |
| 172 | #else |
| 173 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; |
| 174 | #endif |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 175 | |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 176 | if( mtu != 0 && mtu < out_buf_len ) |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 177 | return( mtu ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 178 | |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 179 | return( out_buf_len ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 180 | } |
| 181 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 182 | static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl ) |
| 183 | { |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 184 | size_t const bytes_written = ssl->out_left; |
| 185 | size_t const mtu = ssl_get_maximum_datagram_size( ssl ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 186 | |
| 187 | /* Double-check that the write-index hasn't gone |
| 188 | * past what we can transmit in a single datagram. */ |
Hanno Becker | 11682cc | 2018-08-22 14:41:02 +0100 | [diff] [blame] | 189 | if( bytes_written > mtu ) |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 190 | { |
| 191 | /* Should never happen... */ |
| 192 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 193 | } |
| 194 | |
| 195 | return( (int) ( mtu - bytes_written ) ); |
| 196 | } |
| 197 | |
| 198 | static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl ) |
| 199 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 200 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 201 | size_t remaining, expansion; |
Andrzej Kurek | 748face | 2018-10-11 07:20:19 -0400 | [diff] [blame] | 202 | size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 203 | |
| 204 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
Andrzej Kurek | 90c6e84 | 2020-04-03 05:25:29 -0400 | [diff] [blame] | 205 | const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 206 | |
| 207 | if( max_len > mfl ) |
| 208 | max_len = mfl; |
Hanno Becker | f4b010e | 2018-08-24 10:47:29 +0100 | [diff] [blame] | 209 | |
| 210 | /* By the standard (RFC 6066 Sect. 4), the MFL extension |
| 211 | * only limits the maximum record payload size, so in theory |
| 212 | * we would be allowed to pack multiple records of payload size |
| 213 | * MFL into a single datagram. However, this would mean that there's |
| 214 | * no way to explicitly communicate MTU restrictions to the peer. |
| 215 | * |
| 216 | * The following reduction of max_len makes sure that we never |
| 217 | * write datagrams larger than MFL + Record Expansion Overhead. |
| 218 | */ |
| 219 | if( max_len <= ssl->out_left ) |
| 220 | return( 0 ); |
| 221 | |
| 222 | max_len -= ssl->out_left; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 223 | #endif |
| 224 | |
| 225 | ret = ssl_get_remaining_space_in_datagram( ssl ); |
| 226 | if( ret < 0 ) |
| 227 | return( ret ); |
| 228 | remaining = (size_t) ret; |
| 229 | |
| 230 | ret = mbedtls_ssl_get_record_expansion( ssl ); |
| 231 | if( ret < 0 ) |
| 232 | return( ret ); |
| 233 | expansion = (size_t) ret; |
| 234 | |
| 235 | if( remaining <= expansion ) |
| 236 | return( 0 ); |
| 237 | |
| 238 | remaining -= expansion; |
| 239 | if( remaining >= max_len ) |
| 240 | remaining = max_len; |
| 241 | |
| 242 | return( (int) remaining ); |
| 243 | } |
| 244 | |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 245 | /* |
| 246 | * Double the retransmit timeout value, within the allowed range, |
| 247 | * returning -1 if the maximum value has already been reached. |
| 248 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 249 | static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 250 | { |
| 251 | uint32_t new_timeout; |
| 252 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 253 | if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 254 | return( -1 ); |
| 255 | |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 256 | /* Implement the final paragraph of RFC 6347 section 4.1.1.1 |
| 257 | * in the following way: after the initial transmission and a first |
| 258 | * retransmission, back off to a temporary estimated MTU of 508 bytes. |
| 259 | * This value is guaranteed to be deliverable (if not guaranteed to be |
| 260 | * delivered) of any compliant IPv4 (and IPv6) network, and should work |
| 261 | * on most non-IP stacks too. */ |
| 262 | if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min ) |
Andrzej Kurek | 6290dae | 2018-10-05 08:06:01 -0400 | [diff] [blame] | 263 | { |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 264 | ssl->handshake->mtu = 508; |
Andrzej Kurek | 6290dae | 2018-10-05 08:06:01 -0400 | [diff] [blame] | 265 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) ); |
| 266 | } |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 267 | |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 268 | new_timeout = 2 * ssl->handshake->retransmit_timeout; |
| 269 | |
| 270 | /* Avoid arithmetic overflow and range overflow */ |
| 271 | if( new_timeout < ssl->handshake->retransmit_timeout || |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 272 | new_timeout > ssl->conf->hs_timeout_max ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 273 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 274 | new_timeout = ssl->conf->hs_timeout_max; |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 275 | } |
| 276 | |
| 277 | ssl->handshake->retransmit_timeout = new_timeout; |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 278 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs", |
| 279 | (unsigned long) ssl->handshake->retransmit_timeout ) ); |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 280 | |
| 281 | return( 0 ); |
| 282 | } |
| 283 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 284 | static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 285 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 286 | ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 287 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs", |
| 288 | (unsigned long) ssl->handshake->retransmit_timeout ) ); |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 289 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 290 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 291 | |
Manuel Pégourié-Gonnard | 0098e7d | 2014-10-28 13:08:59 +0100 | [diff] [blame] | 292 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 293 | * Encryption/decryption functions |
Paul Bakker | f7abd42 | 2013-04-16 13:15:56 +0200 | [diff] [blame] | 294 | */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 295 | |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 296 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 297 | |
| 298 | static size_t ssl_compute_padding_length( size_t len, |
| 299 | size_t granularity ) |
| 300 | { |
| 301 | return( ( granularity - ( len + 1 ) % granularity ) % granularity ); |
| 302 | } |
| 303 | |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 304 | /* This functions transforms a (D)TLS plaintext fragment and a record content |
| 305 | * type into an instance of the (D)TLSInnerPlaintext structure. This is used |
| 306 | * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect |
| 307 | * a record's content type. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 308 | * |
| 309 | * struct { |
| 310 | * opaque content[DTLSPlaintext.length]; |
| 311 | * ContentType real_type; |
| 312 | * uint8 zeros[length_of_padding]; |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 313 | * } (D)TLSInnerPlaintext; |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 314 | * |
| 315 | * Input: |
| 316 | * - `content`: The beginning of the buffer holding the |
| 317 | * plaintext to be wrapped. |
| 318 | * - `*content_size`: The length of the plaintext in Bytes. |
| 319 | * - `max_len`: The number of Bytes available starting from |
| 320 | * `content`. This must be `>= *content_size`. |
| 321 | * - `rec_type`: The desired record content type. |
| 322 | * |
| 323 | * Output: |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 324 | * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure. |
| 325 | * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 326 | * |
| 327 | * Returns: |
| 328 | * - `0` on success. |
| 329 | * - A negative error code if `max_len` didn't offer enough space |
| 330 | * for the expansion. |
| 331 | */ |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 332 | static int ssl_build_inner_plaintext( unsigned char *content, |
| 333 | size_t *content_size, |
| 334 | size_t remaining, |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 335 | uint8_t rec_type, |
| 336 | size_t pad ) |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 337 | { |
| 338 | size_t len = *content_size; |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 339 | |
| 340 | /* Write real content type */ |
| 341 | if( remaining == 0 ) |
| 342 | return( -1 ); |
| 343 | content[ len ] = rec_type; |
| 344 | len++; |
| 345 | remaining--; |
| 346 | |
| 347 | if( remaining < pad ) |
| 348 | return( -1 ); |
| 349 | memset( content + len, 0, pad ); |
| 350 | len += pad; |
| 351 | remaining -= pad; |
| 352 | |
| 353 | *content_size = len; |
| 354 | return( 0 ); |
| 355 | } |
| 356 | |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 357 | /* This function parses a (D)TLSInnerPlaintext structure. |
| 358 | * See ssl_build_inner_plaintext() for details. */ |
| 359 | static int ssl_parse_inner_plaintext( unsigned char const *content, |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 360 | size_t *content_size, |
| 361 | uint8_t *rec_type ) |
| 362 | { |
| 363 | size_t remaining = *content_size; |
| 364 | |
| 365 | /* Determine length of padding by skipping zeroes from the back. */ |
| 366 | do |
| 367 | { |
| 368 | if( remaining == 0 ) |
| 369 | return( -1 ); |
| 370 | remaining--; |
| 371 | } while( content[ remaining ] == 0 ); |
| 372 | |
| 373 | *content_size = remaining; |
| 374 | *rec_type = content[ remaining ]; |
| 375 | |
| 376 | return( 0 ); |
| 377 | } |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 378 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */ |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 379 | |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 380 | /* `add_data` must have size 13 Bytes if the CID extension is disabled, |
Hanno Becker | c4a190b | 2019-05-08 18:15:21 +0100 | [diff] [blame] | 381 | * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 382 | static void ssl_extract_add_data_from_record( unsigned char* add_data, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 383 | size_t *add_data_len, |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 384 | mbedtls_record *rec, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 385 | unsigned minor_ver, |
| 386 | size_t taglen ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 387 | { |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 388 | /* Quoting RFC 5246 (TLS 1.2): |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 389 | * |
| 390 | * additional_data = seq_num + TLSCompressed.type + |
| 391 | * TLSCompressed.version + TLSCompressed.length; |
| 392 | * |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 393 | * For the CID extension, this is extended as follows |
| 394 | * (quoting draft-ietf-tls-dtls-connection-id-05, |
| 395 | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05): |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 396 | * |
| 397 | * additional_data = seq_num + DTLSPlaintext.type + |
| 398 | * DTLSPlaintext.version + |
Hanno Becker | d5aeab1 | 2019-05-20 14:50:53 +0100 | [diff] [blame] | 399 | * cid + |
| 400 | * cid_length + |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 401 | * length_of_DTLSInnerPlaintext; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 402 | * |
| 403 | * For TLS 1.3, the record sequence number is dropped from the AAD |
| 404 | * and encoded within the nonce of the AEAD operation instead. |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 405 | * Moreover, the additional data involves the length of the TLS |
| 406 | * ciphertext, not the TLS plaintext as in earlier versions. |
| 407 | * Quoting RFC 8446 (TLS 1.3): |
| 408 | * |
| 409 | * additional_data = TLSCiphertext.opaque_type || |
| 410 | * TLSCiphertext.legacy_record_version || |
| 411 | * TLSCiphertext.length |
| 412 | * |
| 413 | * We pass the tag length to this function in order to compute the |
| 414 | * ciphertext length from the inner plaintext length rec->data_len via |
| 415 | * |
| 416 | * TLSCiphertext.length = TLSInnerPlaintext.length + taglen. |
| 417 | * |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 418 | */ |
| 419 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 420 | unsigned char *cur = add_data; |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 421 | size_t ad_len_field = rec->data_len; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 422 | |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 423 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 424 | if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 425 | { |
| 426 | /* In TLS 1.3, the AAD contains the length of the TLSCiphertext, |
| 427 | * which differs from the length of the TLSInnerPlaintext |
| 428 | * by the length of the authentication tag. */ |
| 429 | ad_len_field += taglen; |
| 430 | } |
| 431 | else |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 432 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 433 | { |
| 434 | ((void) minor_ver); |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 435 | ((void) taglen); |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 436 | memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); |
| 437 | cur += sizeof( rec->ctr ); |
| 438 | } |
| 439 | |
| 440 | *cur = rec->type; |
| 441 | cur++; |
| 442 | |
| 443 | memcpy( cur, rec->ver, sizeof( rec->ver ) ); |
| 444 | cur += sizeof( rec->ver ); |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 445 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 446 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 447 | if( rec->cid_len != 0 ) |
| 448 | { |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 449 | memcpy( cur, rec->cid, rec->cid_len ); |
| 450 | cur += rec->cid_len; |
| 451 | |
| 452 | *cur = rec->cid_len; |
| 453 | cur++; |
| 454 | |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 455 | MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 ); |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 456 | cur += 2; |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 457 | } |
| 458 | else |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 459 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 460 | { |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 461 | MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 ); |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 462 | cur += 2; |
Hanno Becker | 95e4bbc | 2019-05-09 11:38:24 +0100 | [diff] [blame] | 463 | } |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 464 | |
| 465 | *add_data_len = cur - add_data; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 466 | } |
| 467 | |
Hanno Becker | 67a37db | 2020-05-28 16:27:07 +0100 | [diff] [blame] | 468 | #if defined(MBEDTLS_GCM_C) || \ |
| 469 | defined(MBEDTLS_CCM_C) || \ |
| 470 | defined(MBEDTLS_CHACHAPOLY_C) |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 471 | static int ssl_transform_aead_dynamic_iv_is_explicit( |
| 472 | mbedtls_ssl_transform const *transform ) |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 473 | { |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 474 | return( transform->ivlen != transform->fixed_ivlen ); |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 475 | } |
| 476 | |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 477 | /* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV ) |
| 478 | * |
| 479 | * Concretely, this occurs in two variants: |
| 480 | * |
| 481 | * a) Fixed and dynamic IV lengths add up to total IV length, giving |
| 482 | * IV = fixed_iv || dynamic_iv |
| 483 | * |
Hanno Becker | 1595281 | 2020-06-04 13:31:46 +0100 | [diff] [blame] | 484 | * This variant is used in TLS 1.2 when used with GCM or CCM. |
| 485 | * |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 486 | * b) Fixed IV lengths matches total IV length, giving |
| 487 | * IV = fixed_iv XOR ( 0 || dynamic_iv ) |
Hanno Becker | 1595281 | 2020-06-04 13:31:46 +0100 | [diff] [blame] | 488 | * |
| 489 | * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly. |
| 490 | * |
| 491 | * See also the documentation of mbedtls_ssl_transform. |
Hanno Becker | f486e28 | 2020-06-04 13:33:08 +0100 | [diff] [blame] | 492 | * |
| 493 | * This function has the precondition that |
| 494 | * |
| 495 | * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len ) |
| 496 | * |
| 497 | * which has to be ensured by the caller. If this precondition |
| 498 | * violated, the behavior of this function is undefined. |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 499 | */ |
| 500 | static void ssl_build_record_nonce( unsigned char *dst_iv, |
| 501 | size_t dst_iv_len, |
| 502 | unsigned char const *fixed_iv, |
| 503 | size_t fixed_iv_len, |
| 504 | unsigned char const *dynamic_iv, |
| 505 | size_t dynamic_iv_len ) |
| 506 | { |
| 507 | size_t i; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 508 | |
| 509 | /* Start with Fixed IV || 0 */ |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 510 | memset( dst_iv, 0, dst_iv_len ); |
| 511 | memcpy( dst_iv, fixed_iv, fixed_iv_len ); |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 512 | |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 513 | dst_iv += dst_iv_len - dynamic_iv_len; |
| 514 | for( i = 0; i < dynamic_iv_len; i++ ) |
| 515 | dst_iv[i] ^= dynamic_iv[i]; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 516 | } |
Hanno Becker | 67a37db | 2020-05-28 16:27:07 +0100 | [diff] [blame] | 517 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 518 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 519 | int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, |
| 520 | mbedtls_ssl_transform *transform, |
| 521 | mbedtls_record *rec, |
| 522 | int (*f_rng)(void *, unsigned char *, size_t), |
| 523 | void *p_rng ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 524 | { |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 525 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 526 | mbedtls_cipher_mode_t mode; |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 527 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 528 | int auth_done = 0; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 529 | unsigned char * data; |
Hanno Becker | 92fb4fa | 2019-05-20 14:54:26 +0100 | [diff] [blame] | 530 | unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 531 | size_t add_data_len; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 532 | size_t post_avail; |
| 533 | |
| 534 | /* The SSL context is only used for debugging purposes! */ |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 535 | #if !defined(MBEDTLS_DEBUG_C) |
Manuel Pégourié-Gonnard | a7505d1 | 2019-05-07 10:17:56 +0200 | [diff] [blame] | 536 | ssl = NULL; /* make sure we don't use it except for debug */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 537 | ((void) ssl); |
| 538 | #endif |
| 539 | |
| 540 | /* The PRNG is used for dynamic IV generation that's used |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 541 | * for CBC transformations in TLS 1.2. */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 542 | #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 543 | defined(MBEDTLS_SSL_PROTO_TLS1_2) ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 544 | ((void) f_rng); |
| 545 | ((void) p_rng); |
| 546 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 547 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 548 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 549 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 550 | if( transform == NULL ) |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 551 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 552 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) ); |
| 553 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 554 | } |
Hanno Becker | 43c24b8 | 2019-05-01 09:45:57 +0100 | [diff] [blame] | 555 | if( rec == NULL |
| 556 | || rec->buf == NULL |
| 557 | || rec->buf_len < rec->data_offset |
| 558 | || rec->buf_len - rec->data_offset < rec->data_len |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 559 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 43c24b8 | 2019-05-01 09:45:57 +0100 | [diff] [blame] | 560 | || rec->cid_len != 0 |
| 561 | #endif |
| 562 | ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 563 | { |
| 564 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 565 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 566 | } |
| 567 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 568 | data = rec->buf + rec->data_offset; |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 569 | post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 570 | MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 571 | data, rec->data_len ); |
| 572 | |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 573 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 574 | mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ); |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 575 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 576 | |
| 577 | if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) |
| 578 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 579 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET |
| 580 | " too large, maximum %" MBEDTLS_PRINTF_SIZET, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 581 | rec->data_len, |
| 582 | (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 583 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 584 | } |
Manuel Pégourié-Gonnard | 60346be | 2014-11-21 11:38:37 +0100 | [diff] [blame] | 585 | |
Hanno Becker | 9231340 | 2020-05-20 13:58:58 +0100 | [diff] [blame] | 586 | /* The following two code paths implement the (D)TLSInnerPlaintext |
| 587 | * structure present in TLS 1.3 and DTLS 1.2 + CID. |
| 588 | * |
| 589 | * See ssl_build_inner_plaintext() for more information. |
| 590 | * |
| 591 | * Note that this changes `rec->data_len`, and hence |
| 592 | * `post_avail` needs to be recalculated afterwards. |
| 593 | * |
| 594 | * Note also that the two code paths cannot occur simultaneously |
| 595 | * since they apply to different versions of the protocol. There |
| 596 | * is hence no risk of double-addition of the inner plaintext. |
| 597 | */ |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 598 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 599 | if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 600 | { |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 601 | size_t padding = |
| 602 | ssl_compute_padding_length( rec->data_len, |
TRodziewicz | e8dd709 | 2021-05-12 14:19:11 +0200 | [diff] [blame] | 603 | MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY ); |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 604 | if( ssl_build_inner_plaintext( data, |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 605 | &rec->data_len, |
| 606 | post_avail, |
| 607 | rec->type, |
| 608 | padding ) != 0 ) |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 609 | { |
| 610 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 611 | } |
| 612 | |
| 613 | rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA; |
| 614 | } |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 615 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 616 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 617 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 618 | /* |
| 619 | * Add CID information |
| 620 | */ |
| 621 | rec->cid_len = transform->out_cid_len; |
| 622 | memcpy( rec->cid, transform->out_cid, transform->out_cid_len ); |
| 623 | MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len ); |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 624 | |
| 625 | if( rec->cid_len != 0 ) |
| 626 | { |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 627 | size_t padding = |
| 628 | ssl_compute_padding_length( rec->data_len, |
TRodziewicz | e8dd709 | 2021-05-12 14:19:11 +0200 | [diff] [blame] | 629 | MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY ); |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 630 | /* |
Hanno Becker | 07dc97d | 2019-05-20 15:08:01 +0100 | [diff] [blame] | 631 | * Wrap plaintext into DTLSInnerPlaintext structure. |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 632 | * See ssl_build_inner_plaintext() for more information. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 633 | * |
Hanno Becker | 07dc97d | 2019-05-20 15:08:01 +0100 | [diff] [blame] | 634 | * Note that this changes `rec->data_len`, and hence |
| 635 | * `post_avail` needs to be recalculated afterwards. |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 636 | */ |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 637 | if( ssl_build_inner_plaintext( data, |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 638 | &rec->data_len, |
| 639 | post_avail, |
Hanno Becker | 1399692 | 2020-05-28 16:15:19 +0100 | [diff] [blame] | 640 | rec->type, |
| 641 | padding ) != 0 ) |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 642 | { |
| 643 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 644 | } |
| 645 | |
| 646 | rec->type = MBEDTLS_SSL_MSG_CID; |
| 647 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 648 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 649 | |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 650 | post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); |
| 651 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 652 | /* |
Manuel Pégourié-Gonnard | 0098e7d | 2014-10-28 13:08:59 +0100 | [diff] [blame] | 653 | * Add MAC before if needed |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 654 | */ |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 655 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 656 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 657 | if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER || |
| 658 | ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING |
| 659 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 660 | if( mode == MBEDTLS_MODE_STREAM || |
| 661 | ( mode == MBEDTLS_MODE_CBC |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 662 | #endif |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 663 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 664 | && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 665 | #endif |
| 666 | ) ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 667 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 668 | if( post_avail < transform->maclen ) |
| 669 | { |
| 670 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 671 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 672 | } |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 673 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 674 | unsigned char mac[MBEDTLS_SSL_MAC_ADD]; |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 675 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 676 | |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 677 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 678 | transform->minor_ver, |
| 679 | transform->taglen ); |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 680 | |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 681 | ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, |
| 682 | add_data_len ); |
| 683 | if( ret != 0 ) |
| 684 | goto hmac_failed_etm_disabled; |
| 685 | ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, data, rec->data_len ); |
| 686 | if( ret != 0 ) |
| 687 | goto hmac_failed_etm_disabled; |
| 688 | ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); |
| 689 | if( ret != 0 ) |
| 690 | goto hmac_failed_etm_disabled; |
| 691 | ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc ); |
| 692 | if( ret != 0 ) |
| 693 | goto hmac_failed_etm_disabled; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 694 | |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 695 | memcpy( data + rec->data_len, mac, transform->maclen ); |
Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 696 | #endif |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 697 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 698 | MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len, |
| 699 | transform->maclen ); |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 700 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 701 | rec->data_len += transform->maclen; |
| 702 | post_avail -= transform->maclen; |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 703 | auth_done++; |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 704 | |
| 705 | hmac_failed_etm_disabled: |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 706 | mbedtls_platform_zeroize( mac, transform->maclen ); |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 707 | if( ret != 0 ) |
| 708 | { |
| 709 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac_xxx", ret ); |
| 710 | return( ret ); |
| 711 | } |
Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 712 | } |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 713 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 714 | |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 715 | /* |
| 716 | * Encrypt |
| 717 | */ |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 718 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 719 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 720 | if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) |
| 721 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 722 | if( mode == MBEDTLS_MODE_STREAM ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 723 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 724 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 725 | size_t olen; |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 726 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | 1fe065b | 2022-01-13 15:56:33 +0100 | [diff] [blame] | 727 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 728 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 729 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 730 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 731 | "including %d bytes of padding", |
| 732 | rec->data_len, 0 ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 733 | |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 734 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 735 | /* The only stream "cipher" we support is "NULL" */ |
| 736 | if ( transform->psa_alg != MBEDTLS_SSL_NULL_CIPHER ) |
| 737 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 738 | |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 739 | olen = rec->data_len; |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 740 | #else |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 741 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, |
| 742 | transform->iv_enc, transform->ivlen, |
| 743 | data, rec->data_len, |
| 744 | data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 745 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 746 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 747 | return( ret ); |
| 748 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 749 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 750 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 751 | if( rec->data_len != olen ) |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 752 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 753 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 754 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 755 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 756 | } |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 757 | else |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 758 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 759 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 760 | #if defined(MBEDTLS_GCM_C) || \ |
| 761 | defined(MBEDTLS_CCM_C) || \ |
| 762 | defined(MBEDTLS_CHACHAPOLY_C) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 763 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | e884778 | 2022-01-24 23:19:21 +0100 | [diff] [blame] | 764 | if ( PSA_ALG_IS_AEAD( transform->psa_alg ) ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 765 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 766 | if( mode == MBEDTLS_MODE_GCM || |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 767 | mode == MBEDTLS_MODE_CCM || |
| 768 | mode == MBEDTLS_MODE_CHACHAPOLY ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 769 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 770 | { |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 771 | unsigned char iv[12]; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 772 | unsigned char *dynamic_iv; |
| 773 | size_t dynamic_iv_len; |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 774 | int dynamic_iv_is_explicit = |
| 775 | ssl_transform_aead_dynamic_iv_is_explicit( transform ); |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 776 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | d66387f | 2022-02-03 08:55:33 +0100 | [diff] [blame] | 777 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 778 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 779 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 780 | |
Hanno Becker | bd5ed1d | 2020-05-21 15:26:39 +0100 | [diff] [blame] | 781 | /* Check that there's space for the authentication tag. */ |
| 782 | if( post_avail < transform->taglen ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 783 | { |
| 784 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 785 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 786 | } |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 787 | |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 788 | /* |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 789 | * Build nonce for AEAD encryption. |
| 790 | * |
| 791 | * Note: In the case of CCM and GCM in TLS 1.2, the dynamic |
| 792 | * part of the IV is prepended to the ciphertext and |
| 793 | * can be chosen freely - in particular, it need not |
| 794 | * agree with the record sequence number. |
| 795 | * However, since ChaChaPoly as well as all AEAD modes |
| 796 | * in TLS 1.3 use the record sequence number as the |
| 797 | * dynamic part of the nonce, we uniformly use the |
| 798 | * record sequence number here in all cases. |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 799 | */ |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 800 | dynamic_iv = rec->ctr; |
| 801 | dynamic_iv_len = sizeof( rec->ctr ); |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 802 | |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 803 | ssl_build_record_nonce( iv, sizeof( iv ), |
| 804 | transform->iv_enc, |
| 805 | transform->fixed_ivlen, |
| 806 | dynamic_iv, |
| 807 | dynamic_iv_len ); |
Manuel Pégourié-Gonnard | d056ce0 | 2014-10-29 22:29:20 +0100 | [diff] [blame] | 808 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 809 | /* |
| 810 | * Build additional data for AEAD encryption. |
| 811 | * This depends on the TLS version. |
| 812 | */ |
| 813 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 814 | transform->minor_ver, |
| 815 | transform->taglen ); |
Hanno Becker | 1f10d76 | 2019-04-26 13:34:37 +0100 | [diff] [blame] | 816 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 817 | MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)", |
Hanno Becker | 7cca358 | 2020-06-04 13:27:22 +0100 | [diff] [blame] | 818 | iv, transform->ivlen ); |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 819 | MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)", |
Hanno Becker | 16bf0e2 | 2020-06-04 13:27:34 +0100 | [diff] [blame] | 820 | dynamic_iv, |
| 821 | dynamic_iv_is_explicit ? dynamic_iv_len : 0 ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 822 | MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 823 | add_data, add_data_len ); |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 824 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 825 | "including 0 bytes of padding", |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 826 | rec->data_len ) ); |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 827 | |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 828 | /* |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 829 | * Encrypt and authenticate |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 830 | */ |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 831 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 832 | status = psa_aead_encrypt( transform->psa_key_enc, |
| 833 | transform->psa_alg, |
| 834 | iv, transform->ivlen, |
| 835 | add_data, add_data_len, |
| 836 | data, rec->data_len, |
| 837 | data, rec->buf_len - (data - rec->buf), |
| 838 | &rec->data_len ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 839 | |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 840 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 841 | { |
| 842 | ret = psa_ssl_status_to_mbedtls( status ); |
| 843 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_encrypt_buf", ret ); |
| 844 | return( ret ); |
| 845 | |
| 846 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 847 | #else |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 848 | if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc, |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 849 | iv, transform->ivlen, |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 850 | add_data, add_data_len, |
| 851 | data, rec->data_len, /* src */ |
| 852 | data, rec->buf_len - (data - rec->buf), /* dst */ |
| 853 | &rec->data_len, |
| 854 | transform->taglen ) ) != 0 ) |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 855 | { |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 856 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt_ext", ret ); |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 857 | return( ret ); |
| 858 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 859 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 860 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 861 | MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 862 | data + rec->data_len - transform->taglen, |
| 863 | transform->taglen ); |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 864 | /* Account for authentication tag. */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 865 | post_avail -= transform->taglen; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 866 | |
| 867 | /* |
| 868 | * Prefix record content with dynamic IV in case it is explicit. |
| 869 | */ |
Hanno Becker | 1cda266 | 2020-06-04 13:28:28 +0100 | [diff] [blame] | 870 | if( dynamic_iv_is_explicit != 0 ) |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 871 | { |
| 872 | if( rec->data_offset < dynamic_iv_len ) |
| 873 | { |
| 874 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 875 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 876 | } |
| 877 | |
| 878 | memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len ); |
| 879 | rec->data_offset -= dynamic_iv_len; |
| 880 | rec->data_len += dynamic_iv_len; |
| 881 | } |
| 882 | |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 883 | auth_done++; |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 884 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 885 | else |
Hanno Becker | c3f7b0b | 2020-05-28 16:27:16 +0100 | [diff] [blame] | 886 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 887 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 888 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 889 | if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) |
| 890 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 891 | if( mode == MBEDTLS_MODE_CBC ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 892 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 893 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 894 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 895 | size_t padlen, i; |
| 896 | size_t olen; |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 897 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | d66387f | 2022-02-03 08:55:33 +0100 | [diff] [blame] | 898 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 899 | size_t part_len; |
| 900 | psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; |
| 901 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 902 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 903 | /* Currently we're always using minimal padding |
| 904 | * (up to 255 bytes would be allowed). */ |
| 905 | padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen; |
| 906 | if( padlen == transform->ivlen ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 907 | padlen = 0; |
| 908 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 909 | /* Check there's enough space in the buffer for the padding. */ |
| 910 | if( post_avail < padlen + 1 ) |
| 911 | { |
| 912 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 913 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 914 | } |
| 915 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 916 | for( i = 0; i <= padlen; i++ ) |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 917 | data[rec->data_len + i] = (unsigned char) padlen; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 918 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 919 | rec->data_len += padlen + 1; |
| 920 | post_avail -= padlen + 1; |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 921 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 922 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 923 | /* |
TRodziewicz | 2d8800e | 2021-05-13 19:14:19 +0200 | [diff] [blame] | 924 | * Prepend per-record IV for block cipher in TLS v1.2 as per |
Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 925 | * Method 1 (6.2.3.2. in RFC4346 and RFC5246) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 926 | */ |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 927 | if( f_rng == NULL ) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 928 | { |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 929 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) ); |
| 930 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 931 | } |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 932 | |
| 933 | if( rec->data_offset < transform->ivlen ) |
| 934 | { |
| 935 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 936 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 937 | } |
| 938 | |
| 939 | /* |
| 940 | * Generate IV |
| 941 | */ |
| 942 | ret = f_rng( p_rng, transform->iv_enc, transform->ivlen ); |
| 943 | if( ret != 0 ) |
| 944 | return( ret ); |
| 945 | |
| 946 | memcpy( data - transform->ivlen, transform->iv_enc, transform->ivlen ); |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 947 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 948 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 949 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " |
| 950 | "including %" MBEDTLS_PRINTF_SIZET |
| 951 | " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding", |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 952 | rec->data_len, transform->ivlen, |
Paul Bakker | b9e4e2c | 2014-05-01 14:18:25 +0200 | [diff] [blame] | 953 | padlen + 1 ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 954 | |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 955 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 956 | status = psa_cipher_encrypt_setup( &cipher_op, |
Przemyslaw Stekiel | d4eab57 | 2022-01-17 16:20:10 +0100 | [diff] [blame] | 957 | transform->psa_key_enc, transform->psa_alg ); |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 958 | |
| 959 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 960 | { |
| 961 | ret = psa_ssl_status_to_mbedtls( status ); |
| 962 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_aead_encrypt", ret ); |
| 963 | return( ret ); |
| 964 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 965 | |
| 966 | status = psa_cipher_set_iv( &cipher_op, transform->iv_enc, transform->ivlen ); |
| 967 | |
| 968 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 969 | { |
| 970 | ret = psa_ssl_status_to_mbedtls( status ); |
| 971 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_aead_encrypt", ret ); |
| 972 | return( ret ); |
| 973 | |
| 974 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 975 | |
| 976 | status = psa_cipher_update( &cipher_op, |
| 977 | data, rec->data_len, |
| 978 | data, rec->data_len, &olen ); |
| 979 | |
| 980 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 981 | { |
| 982 | ret = psa_ssl_status_to_mbedtls( status ); |
| 983 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_aead_encrypt", ret ); |
| 984 | return( ret ); |
| 985 | |
| 986 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 987 | |
| 988 | status = psa_cipher_finish( &cipher_op, |
| 989 | data + olen, rec->data_len - olen, |
| 990 | &part_len ); |
| 991 | |
| 992 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 993 | { |
| 994 | ret = psa_ssl_status_to_mbedtls( status ); |
| 995 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_aead_encrypt", ret ); |
| 996 | return( ret ); |
| 997 | |
| 998 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 999 | |
| 1000 | olen += part_len; |
| 1001 | #else |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 1002 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, |
| 1003 | transform->iv_enc, |
| 1004 | transform->ivlen, |
| 1005 | data, rec->data_len, |
| 1006 | data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 1007 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1008 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1009 | return( ret ); |
| 1010 | } |
Przemyslaw Stekiel | b37fae1 | 2022-01-13 14:28:44 +0100 | [diff] [blame] | 1011 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 1012 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 1013 | if( rec->data_len != olen ) |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1014 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1015 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1016 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1017 | } |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 1018 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1019 | data -= transform->ivlen; |
| 1020 | rec->data_offset -= transform->ivlen; |
| 1021 | rec->data_len += transform->ivlen; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1022 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1023 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1024 | if( auth_done == 0 ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1025 | { |
Hanno Becker | 3d8c907 | 2018-01-05 16:24:22 +0000 | [diff] [blame] | 1026 | unsigned char mac[MBEDTLS_SSL_MAC_ADD]; |
| 1027 | |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1028 | /* |
| 1029 | * MAC(MAC_write_key, seq_num + |
| 1030 | * TLSCipherText.type + |
| 1031 | * TLSCipherText.version + |
Manuel Pégourié-Gonnard | 08558e5 | 2014-11-04 14:40:21 +0100 | [diff] [blame] | 1032 | * length_of( (IV +) ENC(...) ) + |
TRodziewicz | 2abf03c | 2021-06-25 14:40:09 +0200 | [diff] [blame] | 1033 | * IV + |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1034 | * ENC(content + padding + padding_length)); |
| 1035 | */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 1036 | |
| 1037 | if( post_avail < transform->maclen) |
| 1038 | { |
| 1039 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); |
| 1040 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 1041 | } |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1042 | |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1043 | ssl_extract_add_data_from_record( add_data, &add_data_len, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 1044 | rec, transform->minor_ver, |
| 1045 | transform->taglen ); |
Hanno Becker | 1f10d76 | 2019-04-26 13:34:37 +0100 | [diff] [blame] | 1046 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1047 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 1048 | MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1049 | add_data_len ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1050 | |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1051 | ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, |
| 1052 | add_data_len ); |
| 1053 | if( ret != 0 ) |
| 1054 | goto hmac_failed_etm_enabled; |
| 1055 | ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, |
| 1056 | data, rec->data_len ); |
| 1057 | if( ret != 0 ) |
| 1058 | goto hmac_failed_etm_enabled; |
| 1059 | ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); |
| 1060 | if( ret != 0 ) |
| 1061 | goto hmac_failed_etm_enabled; |
| 1062 | ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc ); |
| 1063 | if( ret != 0 ) |
| 1064 | goto hmac_failed_etm_enabled; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1065 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 1066 | memcpy( data + rec->data_len, mac, transform->maclen ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1067 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 1068 | rec->data_len += transform->maclen; |
| 1069 | post_avail -= transform->maclen; |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1070 | auth_done++; |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1071 | |
| 1072 | hmac_failed_etm_enabled: |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 1073 | mbedtls_platform_zeroize( mac, transform->maclen ); |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1074 | if( ret != 0 ) |
| 1075 | { |
| 1076 | MBEDTLS_SSL_DEBUG_RET( 1, "HMAC calculation failed", ret ); |
| 1077 | return( ret ); |
| 1078 | } |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1079 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1080 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1081 | } |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1082 | else |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 1083 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */ |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1084 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1085 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1086 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1087 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1088 | |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1089 | /* Make extra sure authentication was performed, exactly once */ |
| 1090 | if( auth_done != 1 ) |
| 1091 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1092 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1093 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1094 | } |
| 1095 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1096 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1097 | |
| 1098 | return( 0 ); |
| 1099 | } |
| 1100 | |
Hanno Becker | 605949f | 2019-07-12 08:23:59 +0100 | [diff] [blame] | 1101 | int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 1102 | mbedtls_ssl_transform *transform, |
| 1103 | mbedtls_record *rec ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1104 | { |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1105 | size_t olen; |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1106 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 1107 | int ret; |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1108 | |
| 1109 | #else |
| 1110 | mbedtls_cipher_mode_t mode; |
| 1111 | int ret; |
| 1112 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1113 | |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 1114 | int auth_done = 0; |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 1115 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Paul Bakker | 1e5369c | 2013-12-19 16:40:57 +0100 | [diff] [blame] | 1116 | size_t padlen = 0, correct = 1; |
| 1117 | #endif |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1118 | unsigned char* data; |
Hanno Becker | 92fb4fa | 2019-05-20 14:54:26 +0100 | [diff] [blame] | 1119 | unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ]; |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1120 | size_t add_data_len; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1121 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 1122 | #if !defined(MBEDTLS_DEBUG_C) |
Manuel Pégourié-Gonnard | a7505d1 | 2019-05-07 10:17:56 +0200 | [diff] [blame] | 1123 | ssl = NULL; /* make sure we don't use it except for debug */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1124 | ((void) ssl); |
| 1125 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1126 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1127 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1128 | if( rec == NULL || |
| 1129 | rec->buf == NULL || |
| 1130 | rec->buf_len < rec->data_offset || |
| 1131 | rec->buf_len - rec->data_offset < rec->data_len ) |
| 1132 | { |
| 1133 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1134 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1135 | } |
| 1136 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1137 | data = rec->buf + rec->data_offset; |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1138 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1139 | mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec ); |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1140 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1141 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1142 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1143 | /* |
| 1144 | * Match record's CID with incoming CID. |
| 1145 | */ |
Hanno Becker | 938489a | 2019-05-08 13:02:22 +0100 | [diff] [blame] | 1146 | if( rec->cid_len != transform->in_cid_len || |
| 1147 | memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) |
| 1148 | { |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 1149 | return( MBEDTLS_ERR_SSL_UNEXPECTED_CID ); |
Hanno Becker | 938489a | 2019-05-08 13:02:22 +0100 | [diff] [blame] | 1150 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1151 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1152 | |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 1153 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1154 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1155 | if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) |
| 1156 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1157 | if( mode == MBEDTLS_MODE_STREAM ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1158 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1159 | { |
| 1160 | padlen = 0; |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1161 | |
| 1162 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 1163 | /* The only stream "cipher" we support is "NULL" */ |
| 1164 | if ( transform->psa_alg != MBEDTLS_SSL_NULL_CIPHER ) |
| 1165 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1166 | |
Przemyslaw Stekiel | b97556e | 2022-02-01 14:52:19 +0100 | [diff] [blame] | 1167 | olen = rec->data_len; |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1168 | #else |
| 1169 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1170 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec, |
| 1171 | transform->iv_dec, |
| 1172 | transform->ivlen, |
| 1173 | data, rec->data_len, |
| 1174 | data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 1175 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1176 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1177 | return( ret ); |
| 1178 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1179 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1180 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1181 | if( rec->data_len != olen ) |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1182 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1183 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1184 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | ea6ad3f | 2013-09-02 14:57:01 +0200 | [diff] [blame] | 1185 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1186 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1187 | } |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1188 | else |
Hanno Becker | d086bf0 | 2021-03-22 13:01:27 +0000 | [diff] [blame] | 1189 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */ |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1190 | #if defined(MBEDTLS_GCM_C) || \ |
| 1191 | defined(MBEDTLS_CCM_C) || \ |
| 1192 | defined(MBEDTLS_CHACHAPOLY_C) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1193 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | e884778 | 2022-01-24 23:19:21 +0100 | [diff] [blame] | 1194 | if ( PSA_ALG_IS_AEAD( transform->psa_alg ) ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1195 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1196 | if( mode == MBEDTLS_MODE_GCM || |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1197 | mode == MBEDTLS_MODE_CCM || |
| 1198 | mode == MBEDTLS_MODE_CHACHAPOLY ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1199 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1200 | { |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1201 | unsigned char iv[12]; |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1202 | unsigned char *dynamic_iv; |
| 1203 | size_t dynamic_iv_len; |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1204 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | d66387f | 2022-02-03 08:55:33 +0100 | [diff] [blame] | 1205 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1206 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1207 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1208 | /* |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1209 | * Extract dynamic part of nonce for AEAD decryption. |
| 1210 | * |
| 1211 | * Note: In the case of CCM and GCM in TLS 1.2, the dynamic |
| 1212 | * part of the IV is prepended to the ciphertext and |
| 1213 | * can be chosen freely - in particular, it need not |
| 1214 | * agree with the record sequence number. |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1215 | */ |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1216 | dynamic_iv_len = sizeof( rec->ctr ); |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 1217 | if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 ) |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1218 | { |
| 1219 | if( rec->data_len < dynamic_iv_len ) |
| 1220 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1221 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1222 | " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ", |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1223 | rec->data_len, |
| 1224 | dynamic_iv_len ) ); |
| 1225 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
| 1226 | } |
| 1227 | dynamic_iv = data; |
| 1228 | |
| 1229 | data += dynamic_iv_len; |
| 1230 | rec->data_offset += dynamic_iv_len; |
| 1231 | rec->data_len -= dynamic_iv_len; |
| 1232 | } |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 1233 | else |
| 1234 | { |
| 1235 | dynamic_iv = rec->ctr; |
| 1236 | } |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1237 | |
| 1238 | /* Check that there's space for the authentication tag. */ |
| 1239 | if( rec->data_len < transform->taglen ) |
| 1240 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1241 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1242 | ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ", |
Christian von Arnim | 883d304 | 2020-12-01 11:58:29 +0100 | [diff] [blame] | 1243 | rec->data_len, |
| 1244 | transform->taglen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1245 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | 0bcc4e1 | 2014-06-17 10:54:17 +0200 | [diff] [blame] | 1246 | } |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1247 | rec->data_len -= transform->taglen; |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1248 | |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1249 | /* |
| 1250 | * Prepare nonce from dynamic and static parts. |
| 1251 | */ |
Hanno Becker | 1726380 | 2020-05-28 07:05:48 +0100 | [diff] [blame] | 1252 | ssl_build_record_nonce( iv, sizeof( iv ), |
| 1253 | transform->iv_dec, |
| 1254 | transform->fixed_ivlen, |
| 1255 | dynamic_iv, |
| 1256 | dynamic_iv_len ); |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1257 | |
Hanno Becker | df8be22 | 2020-05-21 15:30:57 +0100 | [diff] [blame] | 1258 | /* |
| 1259 | * Build additional data for AEAD encryption. |
| 1260 | * This depends on the TLS version. |
| 1261 | */ |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1262 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 1263 | transform->minor_ver, |
| 1264 | transform->taglen ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1265 | MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1266 | add_data, add_data_len ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1267 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1268 | /* Because of the check above, we know that there are |
| 1269 | * explicit_iv_len Bytes preceeding data, and taglen |
| 1270 | * bytes following data + data_len. This justifies |
Hanno Becker | 2001665 | 2019-07-10 11:44:13 +0100 | [diff] [blame] | 1271 | * the debug message and the invocation of |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 1272 | * mbedtls_cipher_auth_decrypt_ext() below. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1273 | |
Manuel Pégourié-Gonnard | 2e58e8e | 2018-06-18 11:16:43 +0200 | [diff] [blame] | 1274 | MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen ); |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1275 | MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len, |
Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 1276 | transform->taglen ); |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1277 | |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1278 | /* |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 1279 | * Decrypt and authenticate |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1280 | */ |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1281 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1282 | status = psa_aead_decrypt( transform->psa_key_dec, |
| 1283 | transform->psa_alg, |
| 1284 | iv, transform->ivlen, |
| 1285 | add_data, add_data_len, |
| 1286 | data, rec->data_len + transform->taglen, |
| 1287 | data, rec->buf_len - (data - rec->buf), |
Przemyslaw Stekiel | 221b527 | 2022-01-20 09:18:44 +0100 | [diff] [blame] | 1288 | &olen ); |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1289 | |
| 1290 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1291 | { |
| 1292 | ret = psa_ssl_status_to_mbedtls( status ); |
| 1293 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_decrypt_buf", ret ); |
| 1294 | return( ret ); |
| 1295 | |
| 1296 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1297 | #else |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 1298 | if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec, |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1299 | iv, transform->ivlen, |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1300 | add_data, add_data_len, |
Manuel Pégourié-Gonnard | f5cf71e | 2020-12-01 11:43:40 +0100 | [diff] [blame] | 1301 | data, rec->data_len + transform->taglen, /* src */ |
| 1302 | data, rec->buf_len - (data - rec->buf), &olen, /* dst */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1303 | transform->taglen ) ) != 0 ) |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1304 | { |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 1305 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt_ext", ret ); |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 1306 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1307 | if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) |
| 1308 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | de7bb44 | 2014-05-13 12:41:10 +0200 | [diff] [blame] | 1309 | |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1310 | return( ret ); |
| 1311 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1312 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1313 | |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1314 | auth_done++; |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1315 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1316 | /* Double-check that AEAD decryption doesn't change content length. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1317 | if( olen != rec->data_len ) |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1318 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1319 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1320 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | d13a409 | 2013-09-05 16:10:41 +0200 | [diff] [blame] | 1321 | } |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 1322 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1323 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1324 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 1325 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1326 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1327 | if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) |
| 1328 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1329 | if( mode == MBEDTLS_MODE_CBC ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 1330 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1331 | { |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 1332 | size_t minlen = 0; |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1333 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | d66387f | 2022-02-03 08:55:33 +0100 | [diff] [blame] | 1334 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1335 | size_t part_len; |
| 1336 | psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; |
| 1337 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1338 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1339 | /* |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1340 | * Check immediate ciphertext sanity |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1341 | */ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1342 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 1343 | /* The ciphertext is prefixed with the CBC IV. */ |
| 1344 | minlen += transform->ivlen; |
Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 1345 | #endif |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1346 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1347 | /* Size considerations: |
| 1348 | * |
| 1349 | * - The CBC cipher text must not be empty and hence |
| 1350 | * at least of size transform->ivlen. |
| 1351 | * |
| 1352 | * Together with the potential IV-prefix, this explains |
| 1353 | * the first of the two checks below. |
| 1354 | * |
| 1355 | * - The record must contain a MAC, either in plain or |
| 1356 | * encrypted, depending on whether Encrypt-then-MAC |
| 1357 | * is used or not. |
| 1358 | * - If it is, the message contains the IV-prefix, |
| 1359 | * the CBC ciphertext, and the MAC. |
| 1360 | * - If it is not, the padded plaintext, and hence |
| 1361 | * the CBC ciphertext, has at least length maclen + 1 |
| 1362 | * because there is at least the padding length byte. |
| 1363 | * |
| 1364 | * As the CBC ciphertext is not empty, both cases give the |
| 1365 | * lower bound minlen + maclen + 1 on the record size, which |
| 1366 | * we test for in the second check below. |
| 1367 | */ |
| 1368 | if( rec->data_len < minlen + transform->ivlen || |
| 1369 | rec->data_len < minlen + transform->maclen + 1 ) |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1370 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1371 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1372 | ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET |
| 1373 | "), maclen (%" MBEDTLS_PRINTF_SIZET ") " |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1374 | "+ 1 ) ( + expl IV )", rec->data_len, |
| 1375 | transform->ivlen, |
| 1376 | transform->maclen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1377 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1378 | } |
| 1379 | |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1380 | /* |
| 1381 | * Authenticate before decrypt if enabled |
| 1382 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1383 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1384 | if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1385 | { |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 1386 | unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1387 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1388 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1389 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1390 | /* Update data_len in tandem with add_data. |
| 1391 | * |
| 1392 | * The subtraction is safe because of the previous check |
| 1393 | * data_len >= minlen + maclen + 1. |
| 1394 | * |
| 1395 | * Afterwards, we know that data + data_len is followed by at |
| 1396 | * least maclen Bytes, which justifies the call to |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1397 | * mbedtls_ct_memcmp() below. |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1398 | * |
| 1399 | * Further, we still know that data_len > minlen */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1400 | rec->data_len -= transform->maclen; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1401 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 1402 | transform->minor_ver, |
| 1403 | transform->taglen ); |
Manuel Pégourié-Gonnard | 08558e5 | 2014-11-04 14:40:21 +0100 | [diff] [blame] | 1404 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1405 | /* Calculate expected MAC. */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 1406 | MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, |
| 1407 | add_data_len ); |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1408 | ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data, |
| 1409 | add_data_len ); |
| 1410 | if( ret != 0 ) |
| 1411 | goto hmac_failed_etm_enabled; |
| 1412 | ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1413 | data, rec->data_len ); |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1414 | if( ret != 0 ) |
| 1415 | goto hmac_failed_etm_enabled; |
| 1416 | ret = mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect ); |
| 1417 | if( ret != 0 ) |
| 1418 | goto hmac_failed_etm_enabled; |
| 1419 | ret = mbedtls_md_hmac_reset( &transform->md_ctx_dec ); |
| 1420 | if( ret != 0 ) |
| 1421 | goto hmac_failed_etm_enabled; |
Manuel Pégourié-Gonnard | 08558e5 | 2014-11-04 14:40:21 +0100 | [diff] [blame] | 1422 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1423 | MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, |
| 1424 | transform->maclen ); |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 1425 | MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1426 | transform->maclen ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1427 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1428 | /* Compare expected MAC with MAC at the end of the record. */ |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1429 | if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect, |
gabor-mezei-arm | 4602564 | 2021-07-19 15:19:19 +0200 | [diff] [blame] | 1430 | transform->maclen ) != 0 ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1431 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1432 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 1433 | ret = MBEDTLS_ERR_SSL_INVALID_MAC; |
| 1434 | goto hmac_failed_etm_enabled; |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1435 | } |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1436 | auth_done++; |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 1437 | |
| 1438 | hmac_failed_etm_enabled: |
| 1439 | mbedtls_platform_zeroize( mac_expect, transform->maclen ); |
| 1440 | if( ret != 0 ) |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1441 | { |
| 1442 | if( ret != MBEDTLS_ERR_SSL_INVALID_MAC ) |
| 1443 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hmac_xxx", ret ); |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 1444 | return( ret ); |
Gilles Peskine | ecf6beb | 2021-12-10 21:35:10 +0100 | [diff] [blame] | 1445 | } |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1446 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1447 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1448 | |
| 1449 | /* |
| 1450 | * Check length sanity |
| 1451 | */ |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1452 | |
| 1453 | /* We know from above that data_len > minlen >= 0, |
| 1454 | * so the following check in particular implies that |
| 1455 | * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1456 | if( rec->data_len % transform->ivlen != 0 ) |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1457 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1458 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1459 | ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0", |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1460 | rec->data_len, transform->ivlen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1461 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1462 | } |
| 1463 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1464 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1465 | /* |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1466 | * Initialize for prepended IV for block cipher in TLS v1.2 |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1467 | */ |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 1468 | /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */ |
| 1469 | memcpy( transform->iv_dec, data, transform->ivlen ); |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1470 | |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 1471 | data += transform->ivlen; |
| 1472 | rec->data_offset += transform->ivlen; |
| 1473 | rec->data_len -= transform->ivlen; |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1474 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Paul Bakker | 2e11f7d | 2010-07-25 14:24:53 +0000 | [diff] [blame] | 1475 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1476 | /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */ |
| 1477 | |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1478 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1479 | status = psa_cipher_decrypt_setup( &cipher_op, |
Przemyslaw Stekiel | d4eab57 | 2022-01-17 16:20:10 +0100 | [diff] [blame] | 1480 | transform->psa_key_dec, transform->psa_alg ); |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1481 | |
| 1482 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1483 | { |
| 1484 | ret = psa_ssl_status_to_mbedtls( status ); |
| 1485 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_decrypt_buf", ret ); |
| 1486 | return( ret ); |
| 1487 | |
| 1488 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1489 | |
| 1490 | status = psa_cipher_set_iv( &cipher_op, transform->iv_dec, transform->ivlen ); |
| 1491 | |
| 1492 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1493 | { |
| 1494 | ret = psa_ssl_status_to_mbedtls( status ); |
| 1495 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_decrypt_buf", ret ); |
| 1496 | return( ret ); |
| 1497 | |
| 1498 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1499 | |
| 1500 | status = psa_cipher_update( &cipher_op, |
| 1501 | data, rec->data_len, |
| 1502 | data, rec->data_len, &olen ); |
| 1503 | |
| 1504 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1505 | { |
| 1506 | ret = psa_ssl_status_to_mbedtls( status ); |
| 1507 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_decrypt_buf", ret ); |
| 1508 | return( ret ); |
| 1509 | |
| 1510 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1511 | |
| 1512 | status = psa_cipher_finish( &cipher_op, |
| 1513 | data + olen, rec->data_len - olen, |
| 1514 | &part_len ); |
| 1515 | |
| 1516 | if( status != PSA_SUCCESS ) |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 1517 | { |
| 1518 | ret = psa_ssl_status_to_mbedtls( status ); |
| 1519 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_decrypt_buf", ret ); |
| 1520 | return( ret ); |
| 1521 | |
| 1522 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1523 | |
| 1524 | olen += part_len; |
| 1525 | #else |
| 1526 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1527 | if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec, |
| 1528 | transform->iv_dec, transform->ivlen, |
| 1529 | data, rec->data_len, data, &olen ) ) != 0 ) |
Paul Bakker | 45125bc | 2013-09-04 16:47:11 +0200 | [diff] [blame] | 1530 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1531 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1532 | return( ret ); |
| 1533 | } |
Przemyslaw Stekiel | 2e9711f | 2022-01-13 14:50:15 +0100 | [diff] [blame] | 1534 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 1535 | |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1536 | /* Double-check that length hasn't changed during decryption. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1537 | if( rec->data_len != olen ) |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1538 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1539 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1540 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Paul Bakker | cca5b81 | 2013-08-31 17:40:26 +0200 | [diff] [blame] | 1541 | } |
Paul Bakker | da02a7f | 2013-08-31 17:25:14 +0200 | [diff] [blame] | 1542 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1543 | /* Safe since data_len >= minlen + maclen + 1, so after having |
| 1544 | * subtracted at most minlen and maclen up to this point, |
Hanno Becker | d96a652 | 2019-07-10 13:55:25 +0100 | [diff] [blame] | 1545 | * data_len > 0 (because of data_len % ivlen == 0, it's actually |
| 1546 | * >= ivlen ). */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1547 | padlen = data[rec->data_len - 1]; |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1548 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1549 | if( auth_done == 1 ) |
| 1550 | { |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1551 | const size_t mask = mbedtls_ct_size_mask_ge( |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1552 | rec->data_len, |
| 1553 | padlen + 1 ); |
| 1554 | correct &= mask; |
| 1555 | padlen &= mask; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1556 | } |
| 1557 | else |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1558 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1559 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1560 | if( rec->data_len < transform->maclen + padlen + 1 ) |
| 1561 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1562 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET |
| 1563 | ") < maclen (%" MBEDTLS_PRINTF_SIZET |
| 1564 | ") + padlen (%" MBEDTLS_PRINTF_SIZET ")", |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1565 | rec->data_len, |
| 1566 | transform->maclen, |
| 1567 | padlen + 1 ) ); |
| 1568 | } |
Paul Bakker | d66f070 | 2013-01-31 16:57:45 +0100 | [diff] [blame] | 1569 | #endif |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1570 | |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1571 | const size_t mask = mbedtls_ct_size_mask_ge( |
Manuel Pégourié-Gonnard | 2ddec43 | 2020-08-24 12:49:23 +0200 | [diff] [blame] | 1572 | rec->data_len, |
| 1573 | transform->maclen + padlen + 1 ); |
| 1574 | correct &= mask; |
| 1575 | padlen &= mask; |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 1576 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1577 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1578 | padlen++; |
| 1579 | |
| 1580 | /* Regardless of the validity of the padding, |
| 1581 | * we have data_len >= padlen here. */ |
| 1582 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1583 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1584 | /* The padding check involves a series of up to 256 |
| 1585 | * consecutive memory reads at the end of the record |
| 1586 | * plaintext buffer. In order to hide the length and |
| 1587 | * validity of the padding, always perform exactly |
| 1588 | * `min(256,plaintext_len)` reads (but take into account |
| 1589 | * only the last `padlen` bytes for the padding check). */ |
| 1590 | size_t pad_count = 0; |
| 1591 | volatile unsigned char* const check = data; |
| 1592 | |
| 1593 | /* Index of first padding byte; it has been ensured above |
| 1594 | * that the subtraction is safe. */ |
| 1595 | size_t const padding_idx = rec->data_len - padlen; |
| 1596 | size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256; |
| 1597 | size_t const start_idx = rec->data_len - num_checks; |
| 1598 | size_t idx; |
| 1599 | |
| 1600 | for( idx = start_idx; idx < rec->data_len; idx++ ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1601 | { |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1602 | /* pad_count += (idx >= padding_idx) && |
| 1603 | * (check[idx] == padlen - 1); |
| 1604 | */ |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1605 | const size_t mask = mbedtls_ct_size_mask_ge( idx, padding_idx ); |
| 1606 | const size_t equal = mbedtls_ct_size_bool_eq( check[idx], |
gabor-mezei-arm | 9fa43ce | 2021-09-28 16:14:47 +0200 | [diff] [blame] | 1607 | padlen - 1 ); |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1608 | pad_count += mask & equal; |
| 1609 | } |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1610 | correct &= mbedtls_ct_size_bool_eq( pad_count, padlen ); |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 1611 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1612 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1613 | if( padlen > 0 && correct == 0 ) |
| 1614 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); |
Paul Bakker | d66f070 | 2013-01-31 16:57:45 +0100 | [diff] [blame] | 1615 | #endif |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1616 | padlen &= mbedtls_ct_size_mask( correct ); |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1617 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1618 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1619 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1620 | /* If the padding was found to be invalid, padlen == 0 |
| 1621 | * and the subtraction is safe. If the padding was found valid, |
| 1622 | * padlen hasn't been changed and the previous assertion |
| 1623 | * data_len >= padlen still holds. */ |
| 1624 | rec->data_len -= padlen; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1625 | } |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1626 | else |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 1627 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */ |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1628 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1629 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1630 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | f7dc378 | 2013-09-13 14:10:44 +0200 | [diff] [blame] | 1631 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1632 | |
Manuel Pégourié-Gonnard | 6a25cfa | 2018-07-10 11:15:36 +0200 | [diff] [blame] | 1633 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1634 | MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1635 | data, rec->data_len ); |
Manuel Pégourié-Gonnard | 6a25cfa | 2018-07-10 11:15:36 +0200 | [diff] [blame] | 1636 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1637 | |
| 1638 | /* |
Manuel Pégourié-Gonnard | 313d796 | 2014-10-29 12:07:57 +0100 | [diff] [blame] | 1639 | * Authenticate if not done yet. |
| 1640 | * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1641 | */ |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 1642 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1643 | if( auth_done == 0 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1644 | { |
Hanno Becker | 992b687 | 2017-11-09 18:57:39 +0000 | [diff] [blame] | 1645 | unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; |
Manuel Pégourié-Gonnard | 3c31afa | 2020-08-13 12:08:54 +0200 | [diff] [blame] | 1646 | unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD]; |
Paul Bakker | 1e5369c | 2013-12-19 16:40:57 +0100 | [diff] [blame] | 1647 | |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1648 | /* If the initial value of padlen was such that |
| 1649 | * data_len < maclen + padlen + 1, then padlen |
| 1650 | * got reset to 1, and the initial check |
| 1651 | * data_len >= minlen + maclen + 1 |
| 1652 | * guarantees that at this point we still |
| 1653 | * have at least data_len >= maclen. |
| 1654 | * |
| 1655 | * If the initial value of padlen was such that |
| 1656 | * data_len >= maclen + padlen + 1, then we have |
| 1657 | * subtracted either padlen + 1 (if the padding was correct) |
| 1658 | * or 0 (if the padding was incorrect) since then, |
| 1659 | * hence data_len >= maclen in any case. |
| 1660 | */ |
| 1661 | rec->data_len -= transform->maclen; |
Hanno Becker | 1cb6c2a | 2020-05-21 15:25:21 +0100 | [diff] [blame] | 1662 | ssl_extract_add_data_from_record( add_data, &add_data_len, rec, |
Hanno Becker | 79e2d1b | 2021-03-22 11:42:19 +0000 | [diff] [blame] | 1663 | transform->minor_ver, |
| 1664 | transform->taglen ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1665 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1666 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1667 | /* |
| 1668 | * The next two sizes are the minimum and maximum values of |
| 1669 | * data_len over all padlen values. |
| 1670 | * |
| 1671 | * They're independent of padlen, since we previously did |
| 1672 | * data_len -= padlen. |
| 1673 | * |
| 1674 | * Note that max_len + maclen is never more than the buffer |
| 1675 | * length, as we previously did in_msglen -= maclen too. |
| 1676 | */ |
| 1677 | const size_t max_len = rec->data_len + padlen; |
| 1678 | const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; |
| 1679 | |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1680 | ret = mbedtls_ct_hmac( &transform->md_ctx_dec, |
gabor-mezei-arm | 9fa43ce | 2021-09-28 16:14:47 +0200 | [diff] [blame] | 1681 | add_data, add_data_len, |
| 1682 | data, rec->data_len, min_len, max_len, |
| 1683 | mac_expect ); |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1684 | if( ret != 0 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1685 | { |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1686 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ct_hmac", ret ); |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 1687 | goto hmac_failed_etm_disabled; |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1688 | } |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1689 | |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1690 | mbedtls_ct_memcpy_offset( mac_peer, data, |
gabor-mezei-arm | 9fa43ce | 2021-09-28 16:14:47 +0200 | [diff] [blame] | 1691 | rec->data_len, |
| 1692 | min_len, max_len, |
| 1693 | transform->maclen ); |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 1694 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1695 | |
Manuel Pégourié-Gonnard | 7b42030 | 2018-06-28 10:38:35 +0200 | [diff] [blame] | 1696 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 1697 | MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen ); |
Manuel Pégourié-Gonnard | 3c31afa | 2020-08-13 12:08:54 +0200 | [diff] [blame] | 1698 | MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen ); |
Manuel Pégourié-Gonnard | 7b42030 | 2018-06-28 10:38:35 +0200 | [diff] [blame] | 1699 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1700 | |
Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 1701 | if( mbedtls_ct_memcmp( mac_peer, mac_expect, |
gabor-mezei-arm | 4602564 | 2021-07-19 15:19:19 +0200 | [diff] [blame] | 1702 | transform->maclen ) != 0 ) |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1703 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1704 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| 1705 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 1706 | #endif |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1707 | correct = 0; |
| 1708 | } |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1709 | auth_done++; |
Gilles Peskine | d5ba50e | 2021-12-10 21:33:21 +0100 | [diff] [blame] | 1710 | |
| 1711 | hmac_failed_etm_disabled: |
| 1712 | mbedtls_platform_zeroize( mac_peer, transform->maclen ); |
| 1713 | mbedtls_platform_zeroize( mac_expect, transform->maclen ); |
| 1714 | if( ret != 0 ) |
| 1715 | return( ret ); |
Manuel Pégourié-Gonnard | 7109624 | 2013-10-25 19:31:25 +0200 | [diff] [blame] | 1716 | } |
Hanno Becker | dd3ab13 | 2018-10-17 14:43:14 +0100 | [diff] [blame] | 1717 | |
| 1718 | /* |
| 1719 | * Finally check the correct flag |
| 1720 | */ |
| 1721 | if( correct == 0 ) |
| 1722 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 1723 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1724 | |
| 1725 | /* Make extra sure authentication was performed, exactly once */ |
| 1726 | if( auth_done != 1 ) |
| 1727 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1728 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1729 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 352143f | 2015-01-13 10:59:51 +0100 | [diff] [blame] | 1730 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1731 | |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 1732 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 1733 | if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 1734 | { |
| 1735 | /* Remove inner padding and infer true content type. */ |
| 1736 | ret = ssl_parse_inner_plaintext( data, &rec->data_len, |
| 1737 | &rec->type ); |
| 1738 | |
| 1739 | if( ret != 0 ) |
| 1740 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 1741 | } |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 1742 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
Hanno Becker | ccc13d0 | 2020-05-04 12:30:04 +0100 | [diff] [blame] | 1743 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1744 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 1745 | if( rec->cid_len != 0 ) |
| 1746 | { |
Hanno Becker | 581bc1b | 2020-05-04 12:20:03 +0100 | [diff] [blame] | 1747 | ret = ssl_parse_inner_plaintext( data, &rec->data_len, |
| 1748 | &rec->type ); |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 1749 | if( ret != 0 ) |
| 1750 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 1751 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1752 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 8b3eb5a | 2019-04-29 17:31:37 +0100 | [diff] [blame] | 1753 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1754 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1755 | |
| 1756 | return( 0 ); |
| 1757 | } |
| 1758 | |
Manuel Pégourié-Gonnard | 0098e7d | 2014-10-28 13:08:59 +0100 | [diff] [blame] | 1759 | #undef MAC_NONE |
| 1760 | #undef MAC_PLAINTEXT |
| 1761 | #undef MAC_CIPHERTEXT |
| 1762 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1763 | /* |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1764 | * Fill the input message buffer by appending data to it. |
| 1765 | * The amount of data already fetched is in ssl->in_left. |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1766 | * |
| 1767 | * If we return 0, is it guaranteed that (at least) nb_want bytes are |
| 1768 | * available (from this read and/or a previous one). Otherwise, an error code |
| 1769 | * is returned (possibly EOF or WANT_READ). |
| 1770 | * |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1771 | * With stream transport (TLS) on success ssl->in_left == nb_want, but |
| 1772 | * with datagram transport (DTLS) on success ssl->in_left >= nb_want, |
| 1773 | * since we always read a whole datagram at once. |
| 1774 | * |
Manuel Pégourié-Gonnard | 64dffc5 | 2014-09-02 13:39:16 +0200 | [diff] [blame] | 1775 | * For DTLS, it is up to the caller to set ssl->next_record_offset when |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1776 | * they're done reading a record. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1777 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1778 | int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1779 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1780 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1781 | size_t len; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 1782 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 1783 | size_t in_buf_len = ssl->in_buf_len; |
| 1784 | #else |
| 1785 | size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; |
| 1786 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1787 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1788 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1789 | |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1790 | if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) |
| 1791 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1792 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " |
Manuel Pégourié-Gonnard | 1b511f9 | 2015-05-06 15:54:23 +0100 | [diff] [blame] | 1793 | "or mbedtls_ssl_set_bio()" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1794 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 1795 | } |
| 1796 | |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 1797 | if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) ) |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 1798 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1799 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); |
| 1800 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 1801 | } |
| 1802 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1803 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1804 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1805 | { |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1806 | uint32_t timeout; |
| 1807 | |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1808 | /* |
| 1809 | * The point is, we need to always read a full datagram at once, so we |
| 1810 | * sometimes read more then requested, and handle the additional data. |
| 1811 | * It could be the rest of the current record (while fetching the |
| 1812 | * header) and/or some other records in the same datagram. |
| 1813 | */ |
| 1814 | |
| 1815 | /* |
| 1816 | * Move to the next record in the already read datagram if applicable |
| 1817 | */ |
| 1818 | if( ssl->next_record_offset != 0 ) |
| 1819 | { |
| 1820 | if( ssl->in_left < ssl->next_record_offset ) |
| 1821 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1822 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1823 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1824 | } |
| 1825 | |
| 1826 | ssl->in_left -= ssl->next_record_offset; |
| 1827 | |
| 1828 | if( ssl->in_left != 0 ) |
| 1829 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1830 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %" |
| 1831 | MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1832 | ssl->next_record_offset ) ); |
| 1833 | memmove( ssl->in_hdr, |
| 1834 | ssl->in_hdr + ssl->next_record_offset, |
| 1835 | ssl->in_left ); |
| 1836 | } |
| 1837 | |
| 1838 | ssl->next_record_offset = 0; |
| 1839 | } |
| 1840 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1841 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET |
| 1842 | ", nb_want: %" MBEDTLS_PRINTF_SIZET, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1843 | ssl->in_left, nb_want ) ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1844 | |
| 1845 | /* |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1846 | * Done if we already have enough data. |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1847 | */ |
| 1848 | if( nb_want <= ssl->in_left) |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 1849 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1850 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1851 | return( 0 ); |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 1852 | } |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1853 | |
| 1854 | /* |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 1855 | * A record can't be split across datagrams. If we need to read but |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1856 | * are not at the beginning of a new record, the caller did something |
| 1857 | * wrong. |
| 1858 | */ |
| 1859 | if( ssl->in_left != 0 ) |
| 1860 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1861 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1862 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1863 | } |
| 1864 | |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1865 | /* |
| 1866 | * Don't even try to read if time's out already. |
| 1867 | * This avoids by-passing the timer when repeatedly receiving messages |
| 1868 | * that will end up being dropped. |
| 1869 | */ |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 1870 | if( mbedtls_ssl_check_timer( ssl ) != 0 ) |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 1871 | { |
| 1872 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) ); |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1873 | ret = MBEDTLS_ERR_SSL_TIMEOUT; |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 1874 | } |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1875 | else |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 1876 | { |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 1877 | len = in_buf_len - ( ssl->in_hdr - ssl->in_buf ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1878 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1879 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1880 | timeout = ssl->handshake->retransmit_timeout; |
| 1881 | else |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1882 | timeout = ssl->conf->read_timeout; |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1883 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1884 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1885 | |
Manuel Pégourié-Gonnard | 0761733 | 2015-06-24 23:00:03 +0200 | [diff] [blame] | 1886 | if( ssl->f_recv_timeout != NULL ) |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1887 | ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, |
| 1888 | timeout ); |
| 1889 | else |
| 1890 | ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); |
| 1891 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1892 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1893 | |
| 1894 | if( ret == 0 ) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1895 | return( MBEDTLS_ERR_SSL_CONN_EOF ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1896 | } |
| 1897 | |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1898 | if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 1899 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1900 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 1901 | mbedtls_ssl_set_timer( ssl, 0 ); |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 1902 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1903 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 1904 | { |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1905 | if( ssl_double_retransmit_timeout( ssl ) != 0 ) |
| 1906 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1907 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1908 | return( MBEDTLS_ERR_SSL_TIMEOUT ); |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1909 | } |
| 1910 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1911 | if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1912 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1913 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 1914 | return( ret ); |
| 1915 | } |
| 1916 | |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1917 | return( MBEDTLS_ERR_SSL_WANT_READ ); |
Manuel Pégourié-Gonnard | 0ac247f | 2014-09-30 22:21:31 +0200 | [diff] [blame] | 1918 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1919 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1920 | else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1921 | ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1922 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 1923 | if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1924 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 1925 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request", |
| 1926 | ret ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1927 | return( ret ); |
| 1928 | } |
| 1929 | |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 1930 | return( MBEDTLS_ERR_SSL_WANT_READ ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 1931 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1932 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 1933 | } |
| 1934 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1935 | if( ret < 0 ) |
| 1936 | return( ret ); |
| 1937 | |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1938 | ssl->in_left = ret; |
| 1939 | } |
| 1940 | else |
| 1941 | #endif |
| 1942 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1943 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET |
| 1944 | ", nb_want: %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 1945 | ssl->in_left, nb_want ) ); |
| 1946 | |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1947 | while( ssl->in_left < nb_want ) |
| 1948 | { |
| 1949 | len = nb_want - ssl->in_left; |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 1950 | |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 1951 | if( mbedtls_ssl_check_timer( ssl ) != 0 ) |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 1952 | ret = MBEDTLS_ERR_SSL_TIMEOUT; |
| 1953 | else |
Manuel Pégourié-Gonnard | 0761733 | 2015-06-24 23:00:03 +0200 | [diff] [blame] | 1954 | { |
| 1955 | if( ssl->f_recv_timeout != NULL ) |
| 1956 | { |
| 1957 | ret = ssl->f_recv_timeout( ssl->p_bio, |
| 1958 | ssl->in_hdr + ssl->in_left, len, |
| 1959 | ssl->conf->read_timeout ); |
| 1960 | } |
| 1961 | else |
| 1962 | { |
| 1963 | ret = ssl->f_recv( ssl->p_bio, |
| 1964 | ssl->in_hdr + ssl->in_left, len ); |
| 1965 | } |
| 1966 | } |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1967 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1968 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET |
| 1969 | ", nb_want: %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | 0761733 | 2015-06-24 23:00:03 +0200 | [diff] [blame] | 1970 | ssl->in_left, nb_want ) ); |
| 1971 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1972 | |
| 1973 | if( ret == 0 ) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1974 | return( MBEDTLS_ERR_SSL_CONN_EOF ); |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1975 | |
| 1976 | if( ret < 0 ) |
| 1977 | return( ret ); |
| 1978 | |
makise-homura | af9513b | 2020-08-24 18:26:27 +0300 | [diff] [blame] | 1979 | if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) ) |
mohammad1603 | 5bd15cb | 2018-02-28 04:30:59 -0800 | [diff] [blame] | 1980 | { |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 1981 | MBEDTLS_SSL_DEBUG_MSG( 1, |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 1982 | ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1983 | ret, len ) ); |
mohammad1603 | 5bd15cb | 2018-02-28 04:30:59 -0800 | [diff] [blame] | 1984 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 1985 | } |
| 1986 | |
Manuel Pégourié-Gonnard | fe98ace | 2014-03-24 13:13:01 +0100 | [diff] [blame] | 1987 | ssl->in_left += ret; |
| 1988 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1989 | } |
| 1990 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1991 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1992 | |
| 1993 | return( 0 ); |
| 1994 | } |
| 1995 | |
| 1996 | /* |
| 1997 | * Flush any data not yet written |
| 1998 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1999 | int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2000 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2001 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | 0448462 | 2018-08-06 09:49:38 +0100 | [diff] [blame] | 2002 | unsigned char *buf; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2003 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2004 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2005 | |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 2006 | if( ssl->f_send == NULL ) |
| 2007 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2008 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " |
Manuel Pégourié-Gonnard | 1b511f9 | 2015-05-06 15:54:23 +0100 | [diff] [blame] | 2009 | "or mbedtls_ssl_set_bio()" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2010 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 2011 | } |
| 2012 | |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2013 | /* Avoid incrementing counter if data is flushed */ |
| 2014 | if( ssl->out_left == 0 ) |
| 2015 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2016 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2017 | return( 0 ); |
| 2018 | } |
| 2019 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2020 | while( ssl->out_left > 0 ) |
| 2021 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2022 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET |
| 2023 | ", out_left: %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 2024 | mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2025 | |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2026 | buf = ssl->out_hdr - ssl->out_left; |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 2027 | ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); |
Paul Bakker | 186751d | 2012-05-08 13:16:14 +0000 | [diff] [blame] | 2028 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2029 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2030 | |
| 2031 | if( ret <= 0 ) |
| 2032 | return( ret ); |
| 2033 | |
makise-homura | af9513b | 2020-08-24 18:26:27 +0300 | [diff] [blame] | 2034 | if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) ) |
mohammad1603 | 4bbaeb4 | 2018-02-22 04:29:04 -0800 | [diff] [blame] | 2035 | { |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 2036 | MBEDTLS_SSL_DEBUG_MSG( 1, |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2037 | ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2038 | ret, ssl->out_left ) ); |
mohammad1603 | 4bbaeb4 | 2018-02-22 04:29:04 -0800 | [diff] [blame] | 2039 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2040 | } |
| 2041 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2042 | ssl->out_left -= ret; |
| 2043 | } |
| 2044 | |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2045 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 2046 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2047 | { |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2048 | ssl->out_hdr = ssl->out_buf; |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2049 | } |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2050 | else |
| 2051 | #endif |
| 2052 | { |
| 2053 | ssl->out_hdr = ssl->out_buf + 8; |
| 2054 | } |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 2055 | mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); |
Manuel Pégourié-Gonnard | 0619348 | 2014-02-14 08:39:32 +0100 | [diff] [blame] | 2056 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2057 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2058 | |
| 2059 | return( 0 ); |
| 2060 | } |
| 2061 | |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2062 | /* |
| 2063 | * Functions to handle the DTLS retransmission state machine |
| 2064 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2065 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2066 | /* |
| 2067 | * Append current handshake message to current outgoing flight |
| 2068 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2069 | static int ssl_flight_append( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2070 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2071 | mbedtls_ssl_flight_item *msg; |
Hanno Becker | 3b23590 | 2018-08-06 09:54:53 +0100 | [diff] [blame] | 2072 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) ); |
| 2073 | MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight", |
| 2074 | ssl->out_msg, ssl->out_msglen ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2075 | |
| 2076 | /* Allocate space for current message */ |
Manuel Pégourié-Gonnard | 7551cb9 | 2015-05-26 16:04:06 +0200 | [diff] [blame] | 2077 | if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2078 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2079 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed", |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2080 | sizeof( mbedtls_ssl_flight_item ) ) ); |
Manuel Pégourié-Gonnard | 6a8ca33 | 2015-05-28 09:33:39 +0200 | [diff] [blame] | 2081 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2082 | } |
| 2083 | |
Manuel Pégourié-Gonnard | 7551cb9 | 2015-05-26 16:04:06 +0200 | [diff] [blame] | 2084 | if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2085 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2086 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed", |
| 2087 | ssl->out_msglen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2088 | mbedtls_free( msg ); |
Manuel Pégourié-Gonnard | 6a8ca33 | 2015-05-28 09:33:39 +0200 | [diff] [blame] | 2089 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2090 | } |
| 2091 | |
| 2092 | /* Copy current handshake message with headers */ |
| 2093 | memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); |
| 2094 | msg->len = ssl->out_msglen; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2095 | msg->type = ssl->out_msgtype; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2096 | msg->next = NULL; |
| 2097 | |
| 2098 | /* Append to the current flight */ |
| 2099 | if( ssl->handshake->flight == NULL ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2100 | ssl->handshake->flight = msg; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2101 | else |
| 2102 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2103 | mbedtls_ssl_flight_item *cur = ssl->handshake->flight; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2104 | while( cur->next != NULL ) |
| 2105 | cur = cur->next; |
| 2106 | cur->next = msg; |
| 2107 | } |
| 2108 | |
Hanno Becker | 3b23590 | 2018-08-06 09:54:53 +0100 | [diff] [blame] | 2109 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2110 | return( 0 ); |
| 2111 | } |
| 2112 | |
| 2113 | /* |
| 2114 | * Free the current flight of handshake messages |
| 2115 | */ |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 2116 | void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2117 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2118 | mbedtls_ssl_flight_item *cur = flight; |
| 2119 | mbedtls_ssl_flight_item *next; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2120 | |
| 2121 | while( cur != NULL ) |
| 2122 | { |
| 2123 | next = cur->next; |
| 2124 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2125 | mbedtls_free( cur->p ); |
| 2126 | mbedtls_free( cur ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2127 | |
| 2128 | cur = next; |
| 2129 | } |
| 2130 | } |
| 2131 | |
| 2132 | /* |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2133 | * Swap transform_out and out_ctr with the alternative ones |
| 2134 | */ |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2135 | static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2136 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2137 | mbedtls_ssl_transform *tmp_transform; |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 2138 | unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2139 | |
| 2140 | if( ssl->transform_out == ssl->handshake->alt_transform_out ) |
| 2141 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2142 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2143 | return( 0 ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2144 | } |
| 2145 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2146 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2147 | |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2148 | /* Swap transforms */ |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2149 | tmp_transform = ssl->transform_out; |
| 2150 | ssl->transform_out = ssl->handshake->alt_transform_out; |
| 2151 | ssl->handshake->alt_transform_out = tmp_transform; |
| 2152 | |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2153 | /* Swap epoch + sequence_number */ |
Jerry Yu | d96a5c2 | 2021-09-29 17:46:51 +0800 | [diff] [blame] | 2154 | memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( tmp_out_ctr ) ); |
| 2155 | memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, |
| 2156 | sizeof( ssl->cur_out_ctr ) ); |
| 2157 | memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, |
| 2158 | sizeof( ssl->handshake->alt_out_ctr ) ); |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2159 | |
| 2160 | /* Adjust to the newly activated transform */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 2161 | mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2162 | |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2163 | return( 0 ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2164 | } |
| 2165 | |
| 2166 | /* |
| 2167 | * Retransmit the current flight of messages. |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2168 | */ |
| 2169 | int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) |
| 2170 | { |
| 2171 | int ret = 0; |
| 2172 | |
| 2173 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); |
| 2174 | |
| 2175 | ret = mbedtls_ssl_flight_transmit( ssl ); |
| 2176 | |
| 2177 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); |
| 2178 | |
| 2179 | return( ret ); |
| 2180 | } |
| 2181 | |
| 2182 | /* |
| 2183 | * Transmit or retransmit the current flight of messages. |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2184 | * |
| 2185 | * Need to remember the current message in case flush_output returns |
| 2186 | * WANT_WRITE, causing us to exit this function and come back later. |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2187 | * This function must be called until state is no longer SENDING. |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2188 | */ |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2189 | int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2190 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2191 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2192 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2193 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2194 | if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2195 | { |
Manuel Pégourié-Gonnard | 19c62f9 | 2018-08-16 10:50:39 +0200 | [diff] [blame] | 2196 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2197 | |
| 2198 | ssl->handshake->cur_msg = ssl->handshake->flight; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2199 | ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12; |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2200 | ret = ssl_swap_epochs( ssl ); |
| 2201 | if( ret != 0 ) |
| 2202 | return( ret ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2203 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2204 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2205 | } |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2206 | |
| 2207 | while( ssl->handshake->cur_msg != NULL ) |
| 2208 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2209 | size_t max_frag_len; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2210 | const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2211 | |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2212 | int const is_finished = |
| 2213 | ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2214 | cur->p[0] == MBEDTLS_SSL_HS_FINISHED ); |
| 2215 | |
Hanno Becker | 04da189 | 2018-08-14 13:22:10 +0100 | [diff] [blame] | 2216 | uint8_t const force_flush = ssl->disable_datagram_packing == 1 ? |
| 2217 | SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH; |
| 2218 | |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2219 | /* Swap epochs before sending Finished: we can't do it after |
| 2220 | * sending ChangeCipherSpec, in case write returns WANT_READ. |
| 2221 | * Must be done before copying, may change out_msg pointer */ |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2222 | if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) ) |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2223 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2224 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) ); |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2225 | ret = ssl_swap_epochs( ssl ); |
| 2226 | if( ret != 0 ) |
| 2227 | return( ret ); |
Manuel Pégourié-Gonnard | c715aed | 2014-09-19 21:39:13 +0200 | [diff] [blame] | 2228 | } |
| 2229 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2230 | ret = ssl_get_remaining_payload_in_datagram( ssl ); |
| 2231 | if( ret < 0 ) |
| 2232 | return( ret ); |
| 2233 | max_frag_len = (size_t) ret; |
| 2234 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2235 | /* CCS is copied as is, while HS messages may need fragmentation */ |
| 2236 | if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
| 2237 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2238 | if( max_frag_len == 0 ) |
| 2239 | { |
| 2240 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| 2241 | return( ret ); |
| 2242 | |
| 2243 | continue; |
| 2244 | } |
| 2245 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2246 | memcpy( ssl->out_msg, cur->p, cur->len ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2247 | ssl->out_msglen = cur->len; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2248 | ssl->out_msgtype = cur->type; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2249 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2250 | /* Update position inside current message */ |
| 2251 | ssl->handshake->cur_msg_p += cur->len; |
| 2252 | } |
| 2253 | else |
| 2254 | { |
| 2255 | const unsigned char * const p = ssl->handshake->cur_msg_p; |
| 2256 | const size_t hs_len = cur->len - 12; |
| 2257 | const size_t frag_off = p - ( cur->p + 12 ); |
| 2258 | const size_t rem_len = hs_len - frag_off; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2259 | size_t cur_hs_frag_len, max_hs_frag_len; |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2260 | |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2261 | if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) ) |
Manuel Pégourié-Gonnard | a1071a5 | 2018-08-20 11:56:14 +0200 | [diff] [blame] | 2262 | { |
Hanno Becker | e1dcb03 | 2018-08-17 16:47:58 +0100 | [diff] [blame] | 2263 | if( is_finished ) |
Manuel Pégourié-Gonnard | e07bc20 | 2020-02-26 09:53:42 +0100 | [diff] [blame] | 2264 | { |
| 2265 | ret = ssl_swap_epochs( ssl ); |
| 2266 | if( ret != 0 ) |
| 2267 | return( ret ); |
| 2268 | } |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2269 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2270 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| 2271 | return( ret ); |
| 2272 | |
| 2273 | continue; |
| 2274 | } |
| 2275 | max_hs_frag_len = max_frag_len - 12; |
| 2276 | |
| 2277 | cur_hs_frag_len = rem_len > max_hs_frag_len ? |
| 2278 | max_hs_frag_len : rem_len; |
| 2279 | |
| 2280 | if( frag_off == 0 && cur_hs_frag_len != hs_len ) |
Manuel Pégourié-Gonnard | 19c62f9 | 2018-08-16 10:50:39 +0200 | [diff] [blame] | 2281 | { |
| 2282 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)", |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2283 | (unsigned) cur_hs_frag_len, |
| 2284 | (unsigned) max_hs_frag_len ) ); |
Manuel Pégourié-Gonnard | 19c62f9 | 2018-08-16 10:50:39 +0200 | [diff] [blame] | 2285 | } |
Manuel Pégourié-Gonnard | b747c6c | 2018-08-12 13:28:53 +0200 | [diff] [blame] | 2286 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2287 | /* Messages are stored with handshake headers as if not fragmented, |
| 2288 | * copy beginning of headers then fill fragmentation fields. |
| 2289 | * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */ |
| 2290 | memcpy( ssl->out_msg, cur->p, 6 ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2291 | |
Joe Subbiani | 5ecac21 | 2021-06-24 13:00:03 +0100 | [diff] [blame] | 2292 | ssl->out_msg[6] = MBEDTLS_BYTE_2( frag_off ); |
| 2293 | ssl->out_msg[7] = MBEDTLS_BYTE_1( frag_off ); |
| 2294 | ssl->out_msg[8] = MBEDTLS_BYTE_0( frag_off ); |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2295 | |
Joe Subbiani | 5ecac21 | 2021-06-24 13:00:03 +0100 | [diff] [blame] | 2296 | ssl->out_msg[ 9] = MBEDTLS_BYTE_2( cur_hs_frag_len ); |
| 2297 | ssl->out_msg[10] = MBEDTLS_BYTE_1( cur_hs_frag_len ); |
| 2298 | ssl->out_msg[11] = MBEDTLS_BYTE_0( cur_hs_frag_len ); |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2299 | |
| 2300 | MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 ); |
| 2301 | |
Hanno Becker | 3f7b973 | 2018-08-28 09:53:25 +0100 | [diff] [blame] | 2302 | /* Copy the handshake message content and set records fields */ |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2303 | memcpy( ssl->out_msg + 12, p, cur_hs_frag_len ); |
| 2304 | ssl->out_msglen = cur_hs_frag_len + 12; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2305 | ssl->out_msgtype = cur->type; |
| 2306 | |
| 2307 | /* Update position inside current message */ |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2308 | ssl->handshake->cur_msg_p += cur_hs_frag_len; |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2309 | } |
| 2310 | |
| 2311 | /* If done with the current message move to the next one if any */ |
| 2312 | if( ssl->handshake->cur_msg_p >= cur->p + cur->len ) |
| 2313 | { |
| 2314 | if( cur->next != NULL ) |
| 2315 | { |
| 2316 | ssl->handshake->cur_msg = cur->next; |
| 2317 | ssl->handshake->cur_msg_p = cur->next->p + 12; |
| 2318 | } |
| 2319 | else |
| 2320 | { |
| 2321 | ssl->handshake->cur_msg = NULL; |
| 2322 | ssl->handshake->cur_msg_p = NULL; |
| 2323 | } |
| 2324 | } |
| 2325 | |
| 2326 | /* Actually send the message out */ |
Hanno Becker | 04da189 | 2018-08-14 13:22:10 +0100 | [diff] [blame] | 2327 | if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2328 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2329 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2330 | return( ret ); |
| 2331 | } |
| 2332 | } |
| 2333 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2334 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| 2335 | return( ret ); |
| 2336 | |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 2337 | /* Update state and set timer */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2338 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
| 2339 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; |
Manuel Pégourié-Gonnard | 23b7b70 | 2014-09-25 13:50:12 +0200 | [diff] [blame] | 2340 | else |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 2341 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2342 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 2343 | mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); |
Manuel Pégourié-Gonnard | 4e2f245 | 2014-10-02 16:51:56 +0200 | [diff] [blame] | 2344 | } |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2345 | |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2346 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2347 | |
| 2348 | return( 0 ); |
| 2349 | } |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2350 | |
| 2351 | /* |
| 2352 | * To be called when the last message of an incoming flight is received. |
| 2353 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2354 | void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2355 | { |
| 2356 | /* We won't need to resend that one any more */ |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 2357 | mbedtls_ssl_flight_free( ssl->handshake->flight ); |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2358 | ssl->handshake->flight = NULL; |
| 2359 | ssl->handshake->cur_msg = NULL; |
| 2360 | |
| 2361 | /* The next incoming flight will start with this msg_seq */ |
| 2362 | ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; |
| 2363 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 2364 | /* We don't want to remember CCS's across flight boundaries. */ |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 2365 | ssl->handshake->buffering.seen_ccs = 0; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 2366 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2367 | /* Clear future message buffering structure. */ |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 2368 | mbedtls_ssl_buffering_free( ssl ); |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2369 | |
Manuel Pégourié-Gonnard | 6c1fa3a | 2014-10-01 16:58:16 +0200 | [diff] [blame] | 2370 | /* Cancel timer */ |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 2371 | mbedtls_ssl_set_timer( ssl, 0 ); |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2372 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2373 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2374 | ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2375 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2376 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2377 | } |
| 2378 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2379 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; |
Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2380 | } |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2381 | |
| 2382 | /* |
| 2383 | * To be called when the last message of an outgoing flight is send. |
| 2384 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2385 | void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2386 | { |
Manuel Pégourié-Gonnard | 6c1fa3a | 2014-10-01 16:58:16 +0200 | [diff] [blame] | 2387 | ssl_reset_retransmit_timeout( ssl ); |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 2388 | mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2389 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2390 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2391 | ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2392 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2393 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2394 | } |
| 2395 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2396 | ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; |
Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 2397 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2398 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2399 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2400 | /* |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2401 | * Handshake layer functions |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2402 | */ |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2403 | |
| 2404 | /* |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2405 | * Write (DTLS: or queue) current handshake (including CCS) message. |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2406 | * |
| 2407 | * - fill in handshake headers |
| 2408 | * - update handshake checksum |
| 2409 | * - DTLS: save message for resending |
| 2410 | * - then pass to the record layer |
| 2411 | * |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2412 | * DTLS: except for HelloRequest, messages are only queued, and will only be |
| 2413 | * actually sent when calling flight_transmit() or resend(). |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2414 | * |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2415 | * Inputs: |
| 2416 | * - ssl->out_msglen: 4 + actual handshake message len |
| 2417 | * (4 is the size of handshake headers for TLS) |
| 2418 | * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc) |
| 2419 | * - ssl->out_msg + 4: the handshake message body |
| 2420 | * |
Manuel Pégourié-Gonnard | 065a2a3 | 2018-08-20 11:09:26 +0200 | [diff] [blame] | 2421 | * Outputs, ie state before passing to flight_append() or write_record(): |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2422 | * - ssl->out_msglen: the length of the record contents |
| 2423 | * (including handshake headers but excluding record headers) |
| 2424 | * - ssl->out_msg: the record contents (handshake headers + content) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2425 | */ |
Hanno Becker | f3cce8b | 2021-08-07 14:29:49 +0100 | [diff] [blame] | 2426 | int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl, |
| 2427 | int update_checksum ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2428 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2429 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2430 | const size_t hs_len = ssl->out_msglen - 4; |
| 2431 | const unsigned char hs_type = ssl->out_msg[0]; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2432 | |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2433 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) ); |
| 2434 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2435 | /* |
| 2436 | * Sanity checks |
| 2437 | */ |
Hanno Becker | c83d2b3 | 2018-08-22 16:05:47 +0100 | [diff] [blame] | 2438 | if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2439 | ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
| 2440 | { |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2441 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2442 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2443 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2444 | |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2445 | /* Whenever we send anything different from a |
| 2446 | * HelloRequest we should be in a handshake - double check. */ |
| 2447 | if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2448 | hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) && |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2449 | ssl->handshake == NULL ) |
| 2450 | { |
| 2451 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2452 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2453 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2454 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2455 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2456 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2457 | ssl->handshake != NULL && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2458 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2459 | { |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2460 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2461 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2462 | } |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2463 | #endif |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2464 | |
Hanno Becker | b50a253 | 2018-08-06 11:52:54 +0100 | [diff] [blame] | 2465 | /* Double-check that we did not exceed the bounds |
| 2466 | * of the outgoing record buffer. |
| 2467 | * This should never fail as the various message |
| 2468 | * writing functions must obey the bounds of the |
| 2469 | * outgoing record buffer, but better be safe. |
| 2470 | * |
| 2471 | * Note: We deliberately do not check for the MTU or MFL here. |
| 2472 | */ |
| 2473 | if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN ) |
| 2474 | { |
| 2475 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2476 | "size %" MBEDTLS_PRINTF_SIZET |
| 2477 | ", maximum %" MBEDTLS_PRINTF_SIZET, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 2478 | ssl->out_msglen, |
| 2479 | (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); |
Hanno Becker | b50a253 | 2018-08-06 11:52:54 +0100 | [diff] [blame] | 2480 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2481 | } |
| 2482 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2483 | /* |
| 2484 | * Fill handshake headers |
| 2485 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2486 | if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2487 | { |
Joe Subbiani | fbeb692 | 2021-07-16 14:27:50 +0100 | [diff] [blame] | 2488 | ssl->out_msg[1] = MBEDTLS_BYTE_2( hs_len ); |
| 2489 | ssl->out_msg[2] = MBEDTLS_BYTE_1( hs_len ); |
| 2490 | ssl->out_msg[3] = MBEDTLS_BYTE_0( hs_len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2491 | |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2492 | /* |
| 2493 | * DTLS has additional fields in the Handshake layer, |
| 2494 | * between the length field and the actual payload: |
| 2495 | * uint16 message_seq; |
| 2496 | * uint24 fragment_offset; |
| 2497 | * uint24 fragment_length; |
| 2498 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2499 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2500 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2501 | { |
Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 2502 | /* Make room for the additional DTLS fields */ |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2503 | if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 ) |
Hanno Becker | 9648f8b | 2017-09-18 10:55:54 +0100 | [diff] [blame] | 2504 | { |
| 2505 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2506 | "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 2507 | hs_len, |
| 2508 | (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) ); |
Hanno Becker | 9648f8b | 2017-09-18 10:55:54 +0100 | [diff] [blame] | 2509 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 2510 | } |
| 2511 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2512 | memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len ); |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2513 | ssl->out_msglen += 8; |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2514 | |
Manuel Pégourié-Gonnard | c392b24 | 2014-08-19 17:53:11 +0200 | [diff] [blame] | 2515 | /* Write message_seq and update it, except for HelloRequest */ |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2516 | if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) |
Manuel Pégourié-Gonnard | c392b24 | 2014-08-19 17:53:11 +0200 | [diff] [blame] | 2517 | { |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2518 | MBEDTLS_PUT_UINT16_BE( ssl->handshake->out_msg_seq, ssl->out_msg, 4 ); |
Manuel Pégourié-Gonnard | d9ba0d9 | 2014-09-02 18:30:26 +0200 | [diff] [blame] | 2519 | ++( ssl->handshake->out_msg_seq ); |
Manuel Pégourié-Gonnard | c392b24 | 2014-08-19 17:53:11 +0200 | [diff] [blame] | 2520 | } |
| 2521 | else |
| 2522 | { |
| 2523 | ssl->out_msg[4] = 0; |
| 2524 | ssl->out_msg[5] = 0; |
| 2525 | } |
Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 2526 | |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2527 | /* Handshake hashes are computed without fragmentation, |
| 2528 | * so set frag_offset = 0 and frag_len = hs_len for now */ |
Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 2529 | memset( ssl->out_msg + 6, 0x00, 3 ); |
| 2530 | memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2531 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2532 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2533 | |
Hanno Becker | 0207e53 | 2018-08-28 10:28:28 +0100 | [diff] [blame] | 2534 | /* Update running hashes of handshake messages seen */ |
Hanno Becker | f3cce8b | 2021-08-07 14:29:49 +0100 | [diff] [blame] | 2535 | if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0 ) |
Manuel Pégourié-Gonnard | 9c3a8ca | 2017-09-13 09:54:27 +0200 | [diff] [blame] | 2536 | ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2537 | } |
| 2538 | |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2539 | /* Either send now, or just save to be sent (and resent) later */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2540 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2541 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2542 | ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 2543 | hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) ) |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2544 | { |
| 2545 | if( ( ret = ssl_flight_append( ssl ) ) != 0 ) |
| 2546 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2547 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2548 | return( ret ); |
| 2549 | } |
| 2550 | } |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2551 | else |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2552 | #endif |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2553 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2554 | if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2555 | { |
| 2556 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret ); |
| 2557 | return( ret ); |
| 2558 | } |
| 2559 | } |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2560 | |
| 2561 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) ); |
| 2562 | |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2563 | return( 0 ); |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2564 | } |
| 2565 | |
| 2566 | /* |
| 2567 | * Record layer functions |
| 2568 | */ |
| 2569 | |
| 2570 | /* |
| 2571 | * Write current record. |
| 2572 | * |
| 2573 | * Uses: |
| 2574 | * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS) |
| 2575 | * - ssl->out_msglen: length of the record content (excl headers) |
| 2576 | * - ssl->out_msg: record content |
| 2577 | */ |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2578 | int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2579 | { |
| 2580 | int ret, done = 0; |
| 2581 | size_t len = ssl->out_msglen; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2582 | uint8_t flush = force_flush; |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2583 | |
| 2584 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); |
Manuel Pégourié-Gonnard | ffa67be | 2014-09-19 11:18:57 +0200 | [diff] [blame] | 2585 | |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2586 | if( !done ) |
| 2587 | { |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2588 | unsigned i; |
| 2589 | size_t protected_record_size; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 2590 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 2591 | size_t out_buf_len = ssl->out_buf_len; |
| 2592 | #else |
| 2593 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; |
| 2594 | #endif |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2595 | /* Skip writing the record content type to after the encryption, |
| 2596 | * as it may change when using the CID extension. */ |
Jerry Yu | 47413c2 | 2021-10-29 17:19:41 +0800 | [diff] [blame] | 2597 | int minor_ver = ssl->minor_ver; |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 2598 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Jerry Yu | 1ca80f7 | 2021-11-08 10:30:54 +0800 | [diff] [blame] | 2599 | /* TLS 1.3 still uses the TLS 1.2 version identifier |
| 2600 | * for backwards compatibility. */ |
Jerry Yu | 47413c2 | 2021-10-29 17:19:41 +0800 | [diff] [blame] | 2601 | if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 2602 | minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 2603 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
Jerry Yu | 47413c2 | 2021-10-29 17:19:41 +0800 | [diff] [blame] | 2604 | mbedtls_ssl_write_version( ssl->major_ver, minor_ver, |
| 2605 | ssl->conf->transport, ssl->out_hdr + 1 ); |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2606 | |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 2607 | memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2608 | MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2609 | |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2610 | if( ssl->transform_out != NULL ) |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2611 | { |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2612 | mbedtls_record rec; |
| 2613 | |
| 2614 | rec.buf = ssl->out_iv; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 2615 | rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf ); |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2616 | rec.data_len = ssl->out_msglen; |
| 2617 | rec.data_offset = ssl->out_msg - rec.buf; |
| 2618 | |
Jerry Yu | d96a5c2 | 2021-09-29 17:46:51 +0800 | [diff] [blame] | 2619 | memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) ); |
Jerry Yu | 47413c2 | 2021-10-29 17:19:41 +0800 | [diff] [blame] | 2620 | mbedtls_ssl_write_version( ssl->major_ver, minor_ver, |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2621 | ssl->conf->transport, rec.ver ); |
| 2622 | rec.type = ssl->out_msgtype; |
| 2623 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2624 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 43c24b8 | 2019-05-01 09:45:57 +0100 | [diff] [blame] | 2625 | /* The CID is set by mbedtls_ssl_encrypt_buf(). */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 2626 | rec.cid_len = 0; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2627 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | cab87e6 | 2019-04-29 13:52:53 +0100 | [diff] [blame] | 2628 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 2629 | if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec, |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2630 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2631 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2632 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2633 | return( ret ); |
| 2634 | } |
| 2635 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 2636 | if( rec.data_offset != 0 ) |
| 2637 | { |
| 2638 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2639 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2640 | } |
| 2641 | |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2642 | /* Update the record content type and CID. */ |
| 2643 | ssl->out_msgtype = rec.type; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2644 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID ) |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 2645 | memcpy( ssl->out_cid, rec.cid, rec.cid_len ); |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2646 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 78f839d | 2019-03-14 12:56:23 +0000 | [diff] [blame] | 2647 | ssl->out_msglen = len = rec.data_len; |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2648 | MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->out_len, 0 ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2649 | } |
| 2650 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 2651 | protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2652 | |
| 2653 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 2654 | /* In case of DTLS, double-check that we don't exceed |
| 2655 | * the remaining space in the datagram. */ |
| 2656 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 2657 | { |
Hanno Becker | 554b0af | 2018-08-22 20:33:41 +0100 | [diff] [blame] | 2658 | ret = ssl_get_remaining_space_in_datagram( ssl ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2659 | if( ret < 0 ) |
| 2660 | return( ret ); |
| 2661 | |
| 2662 | if( protected_record_size > (size_t) ret ) |
| 2663 | { |
| 2664 | /* Should never happen */ |
| 2665 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 2666 | } |
| 2667 | } |
| 2668 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2669 | |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 2670 | /* Now write the potentially updated record content type. */ |
| 2671 | ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; |
| 2672 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2673 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2674 | "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | ecbdf1c | 2018-08-28 09:53:54 +0100 | [diff] [blame] | 2675 | ssl->out_hdr[0], ssl->out_hdr[1], |
| 2676 | ssl->out_hdr[2], len ) ); |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 2677 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2678 | MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", |
Hanno Becker | ecbdf1c | 2018-08-28 09:53:54 +0100 | [diff] [blame] | 2679 | ssl->out_hdr, protected_record_size ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2680 | |
| 2681 | ssl->out_left += protected_record_size; |
| 2682 | ssl->out_hdr += protected_record_size; |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 2683 | mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); |
Hanno Becker | 2b1e354 | 2018-08-06 11:19:13 +0100 | [diff] [blame] | 2684 | |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 2685 | for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) |
Hanno Becker | 0448462 | 2018-08-06 09:49:38 +0100 | [diff] [blame] | 2686 | if( ++ssl->cur_out_ctr[i - 1] != 0 ) |
| 2687 | break; |
| 2688 | |
| 2689 | /* The loop goes to its end iff the counter is wrapping */ |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 2690 | if( i == mbedtls_ssl_ep_len( ssl ) ) |
Hanno Becker | 0448462 | 2018-08-06 09:49:38 +0100 | [diff] [blame] | 2691 | { |
| 2692 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); |
| 2693 | return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); |
| 2694 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2695 | } |
| 2696 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2697 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 47db877 | 2018-08-21 13:32:13 +0100 | [diff] [blame] | 2698 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2699 | flush == SSL_DONT_FORCE_FLUSH ) |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2700 | { |
Hanno Becker | 1f5a15d | 2018-08-21 13:31:31 +0100 | [diff] [blame] | 2701 | size_t remaining; |
| 2702 | ret = ssl_get_remaining_payload_in_datagram( ssl ); |
| 2703 | if( ret < 0 ) |
| 2704 | { |
| 2705 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram", |
| 2706 | ret ); |
| 2707 | return( ret ); |
| 2708 | } |
| 2709 | |
| 2710 | remaining = (size_t) ret; |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2711 | if( remaining == 0 ) |
Hanno Becker | f0da667 | 2018-08-28 09:55:10 +0100 | [diff] [blame] | 2712 | { |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2713 | flush = SSL_FORCE_FLUSH; |
Hanno Becker | f0da667 | 2018-08-28 09:55:10 +0100 | [diff] [blame] | 2714 | } |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2715 | else |
| 2716 | { |
Hanno Becker | 513815a | 2018-08-20 11:56:09 +0100 | [diff] [blame] | 2717 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 2718 | } |
| 2719 | } |
| 2720 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 2721 | |
| 2722 | if( ( flush == SSL_FORCE_FLUSH ) && |
| 2723 | ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2724 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2725 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2726 | return( ret ); |
| 2727 | } |
| 2728 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2729 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2730 | |
| 2731 | return( 0 ); |
| 2732 | } |
| 2733 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2734 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2735 | |
| 2736 | static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl ) |
| 2737 | { |
| 2738 | if( ssl->in_msglen < ssl->in_hslen || |
| 2739 | memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || |
| 2740 | memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ) |
| 2741 | { |
| 2742 | return( 1 ); |
| 2743 | } |
| 2744 | return( 0 ); |
| 2745 | } |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2746 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2747 | static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2748 | { |
| 2749 | return( ( ssl->in_msg[9] << 16 ) | |
| 2750 | ( ssl->in_msg[10] << 8 ) | |
| 2751 | ssl->in_msg[11] ); |
| 2752 | } |
| 2753 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2754 | static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2755 | { |
| 2756 | return( ( ssl->in_msg[6] << 16 ) | |
| 2757 | ( ssl->in_msg[7] << 8 ) | |
| 2758 | ssl->in_msg[8] ); |
| 2759 | } |
| 2760 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2761 | static int ssl_check_hs_header( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2762 | { |
| 2763 | uint32_t msg_len, frag_off, frag_len; |
| 2764 | |
| 2765 | msg_len = ssl_get_hs_total_len( ssl ); |
| 2766 | frag_off = ssl_get_hs_frag_off( ssl ); |
| 2767 | frag_len = ssl_get_hs_frag_len( ssl ); |
| 2768 | |
| 2769 | if( frag_off > msg_len ) |
| 2770 | return( -1 ); |
| 2771 | |
| 2772 | if( frag_len > msg_len - frag_off ) |
| 2773 | return( -1 ); |
| 2774 | |
| 2775 | if( frag_len + 12 > ssl->in_msglen ) |
| 2776 | return( -1 ); |
| 2777 | |
| 2778 | return( 0 ); |
| 2779 | } |
| 2780 | |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2781 | /* |
| 2782 | * Mark bits in bitmask (used for DTLS HS reassembly) |
| 2783 | */ |
| 2784 | static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) |
| 2785 | { |
| 2786 | unsigned int start_bits, end_bits; |
| 2787 | |
| 2788 | start_bits = 8 - ( offset % 8 ); |
| 2789 | if( start_bits != 8 ) |
| 2790 | { |
| 2791 | size_t first_byte_idx = offset / 8; |
| 2792 | |
Manuel Pégourié-Gonnard | ac03052 | 2014-09-02 14:23:40 +0200 | [diff] [blame] | 2793 | /* Special case */ |
| 2794 | if( len <= start_bits ) |
| 2795 | { |
| 2796 | for( ; len != 0; len-- ) |
| 2797 | mask[first_byte_idx] |= 1 << ( start_bits - len ); |
| 2798 | |
| 2799 | /* Avoid potential issues with offset or len becoming invalid */ |
| 2800 | return; |
| 2801 | } |
| 2802 | |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2803 | offset += start_bits; /* Now offset % 8 == 0 */ |
| 2804 | len -= start_bits; |
| 2805 | |
| 2806 | for( ; start_bits != 0; start_bits-- ) |
| 2807 | mask[first_byte_idx] |= 1 << ( start_bits - 1 ); |
| 2808 | } |
| 2809 | |
| 2810 | end_bits = len % 8; |
| 2811 | if( end_bits != 0 ) |
| 2812 | { |
| 2813 | size_t last_byte_idx = ( offset + len ) / 8; |
| 2814 | |
| 2815 | len -= end_bits; /* Now len % 8 == 0 */ |
| 2816 | |
| 2817 | for( ; end_bits != 0; end_bits-- ) |
| 2818 | mask[last_byte_idx] |= 1 << ( 8 - end_bits ); |
| 2819 | } |
| 2820 | |
| 2821 | memset( mask + offset / 8, 0xFF, len / 8 ); |
| 2822 | } |
| 2823 | |
| 2824 | /* |
| 2825 | * Check that bitmask is full |
| 2826 | */ |
| 2827 | static int ssl_bitmask_check( unsigned char *mask, size_t len ) |
| 2828 | { |
| 2829 | size_t i; |
| 2830 | |
| 2831 | for( i = 0; i < len / 8; i++ ) |
| 2832 | if( mask[i] != 0xFF ) |
| 2833 | return( -1 ); |
| 2834 | |
| 2835 | for( i = 0; i < len % 8; i++ ) |
| 2836 | if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) |
| 2837 | return( -1 ); |
| 2838 | |
| 2839 | return( 0 ); |
| 2840 | } |
| 2841 | |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2842 | /* msg_len does not include the handshake header */ |
Hanno Becker | 65dc885 | 2018-08-23 09:40:49 +0100 | [diff] [blame] | 2843 | static size_t ssl_get_reassembly_buffer_size( size_t msg_len, |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 2844 | unsigned add_bitmap ) |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2845 | { |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2846 | size_t alloc_len; |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2847 | |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2848 | alloc_len = 12; /* Handshake header */ |
| 2849 | alloc_len += msg_len; /* Content buffer */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2850 | |
Hanno Becker | d07df86 | 2018-08-16 09:14:58 +0100 | [diff] [blame] | 2851 | if( add_bitmap ) |
| 2852 | alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */ |
Manuel Pégourié-Gonnard | 502bf30 | 2014-08-20 13:12:58 +0200 | [diff] [blame] | 2853 | |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 2854 | return( alloc_len ); |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2855 | } |
Hanno Becker | 56e205e | 2018-08-16 09:06:12 +0100 | [diff] [blame] | 2856 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2857 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2858 | |
Hanno Becker | cd9dcda | 2018-08-28 17:18:56 +0100 | [diff] [blame] | 2859 | static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ) |
Hanno Becker | 12555c6 | 2018-08-16 12:47:53 +0100 | [diff] [blame] | 2860 | { |
| 2861 | return( ( ssl->in_msg[1] << 16 ) | |
| 2862 | ( ssl->in_msg[2] << 8 ) | |
| 2863 | ssl->in_msg[3] ); |
| 2864 | } |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2865 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2866 | int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2867 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2868 | if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) |
Manuel Pégourié-Gonnard | 9d1d719 | 2014-09-03 11:01:14 +0200 | [diff] [blame] | 2869 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2870 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | 9d1d719 | 2014-09-03 11:01:14 +0200 | [diff] [blame] | 2871 | ssl->in_msglen ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2872 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Manuel Pégourié-Gonnard | 9d1d719 | 2014-09-03 11:01:14 +0200 | [diff] [blame] | 2873 | } |
| 2874 | |
Hanno Becker | 12555c6 | 2018-08-16 12:47:53 +0100 | [diff] [blame] | 2875 | ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl ); |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2876 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2877 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2878 | " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 2879 | ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2880 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2881 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2882 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2883 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2884 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2885 | unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2886 | |
Hanno Becker | 44650b7 | 2018-08-16 12:51:11 +0100 | [diff] [blame] | 2887 | if( ssl_check_hs_header( ssl ) != 0 ) |
| 2888 | { |
| 2889 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) ); |
| 2890 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 2891 | } |
| 2892 | |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2893 | if( ssl->handshake != NULL && |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 2894 | ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && |
| 2895 | recv_msg_seq != ssl->handshake->in_msg_seq ) || |
| 2896 | ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && |
| 2897 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2898 | { |
Hanno Becker | 9e1ec22 | 2018-08-15 15:54:43 +0100 | [diff] [blame] | 2899 | if( recv_msg_seq > ssl->handshake->in_msg_seq ) |
| 2900 | { |
| 2901 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)", |
| 2902 | recv_msg_seq, |
| 2903 | ssl->handshake->in_msg_seq ) ); |
| 2904 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
| 2905 | } |
| 2906 | |
Manuel Pégourié-Gonnard | fc572dd | 2014-10-09 17:56:57 +0200 | [diff] [blame] | 2907 | /* Retransmit only on last message from previous flight, to avoid |
| 2908 | * too many retransmissions. |
| 2909 | * Besides, No sane server ever retransmits HelloVerifyRequest */ |
| 2910 | if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2911 | ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2912 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2913 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2914 | "message_seq = %u, start_of_flight = %u", |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2915 | recv_msg_seq, |
| 2916 | ssl->handshake->in_flight_start_seq ) ); |
| 2917 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2918 | if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2919 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2920 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2921 | return( ret ); |
| 2922 | } |
| 2923 | } |
| 2924 | else |
| 2925 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2926 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 2927 | "message_seq = %u, expected = %u", |
Manuel Pégourié-Gonnard | 6a2bdfa | 2014-09-19 21:18:23 +0200 | [diff] [blame] | 2928 | recv_msg_seq, |
| 2929 | ssl->handshake->in_msg_seq ) ); |
| 2930 | } |
| 2931 | |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 2932 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2933 | } |
| 2934 | /* Wait until message completion to increment in_msg_seq */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2935 | |
Hanno Becker | 6d97ef5 | 2018-08-16 13:09:04 +0100 | [diff] [blame] | 2936 | /* Message reassembly is handled alongside buffering of future |
| 2937 | * messages; the commonality is that both handshake fragments and |
Hanno Becker | 83ab41c | 2018-08-28 17:19:38 +0100 | [diff] [blame] | 2938 | * future messages cannot be forwarded immediately to the |
Hanno Becker | 6d97ef5 | 2018-08-16 13:09:04 +0100 | [diff] [blame] | 2939 | * handshake logic layer. */ |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2940 | if( ssl_hs_is_proper_fragment( ssl ) == 1 ) |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2941 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2942 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); |
Hanno Becker | 6d97ef5 | 2018-08-16 13:09:04 +0100 | [diff] [blame] | 2943 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2944 | } |
| 2945 | } |
| 2946 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2947 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | ed79a4b | 2014-08-20 10:43:01 +0200 | [diff] [blame] | 2948 | /* With TLS we don't handle fragmentation (for now) */ |
| 2949 | if( ssl->in_msglen < ssl->in_hslen ) |
| 2950 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2951 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); |
| 2952 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2953 | } |
| 2954 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2955 | return( 0 ); |
| 2956 | } |
| 2957 | |
| 2958 | void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) |
| 2959 | { |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2960 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2961 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2962 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) |
Manuel Pégourié-Gonnard | 14bf706 | 2015-06-23 14:07:13 +0200 | [diff] [blame] | 2963 | { |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2964 | ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); |
Manuel Pégourié-Gonnard | 14bf706 | 2015-06-23 14:07:13 +0200 | [diff] [blame] | 2965 | } |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2966 | |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2967 | /* Handshake message is complete, increment counter */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2968 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2969 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2970 | ssl->handshake != NULL ) |
| 2971 | { |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2972 | unsigned offset; |
| 2973 | mbedtls_ssl_hs_buffer *hs_buf; |
Hanno Becker | e25e3b7 | 2018-08-16 09:30:53 +0100 | [diff] [blame] | 2974 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2975 | /* Increment handshake sequence number */ |
| 2976 | hs->in_msg_seq++; |
| 2977 | |
| 2978 | /* |
| 2979 | * Clear up handshake buffering and reassembly structure. |
| 2980 | */ |
| 2981 | |
| 2982 | /* Free first entry */ |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 2983 | ssl_buffering_free_slot( ssl, 0 ); |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2984 | |
| 2985 | /* Shift all other entries */ |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 2986 | for( offset = 0, hs_buf = &hs->buffering.hs[0]; |
| 2987 | offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS; |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 2988 | offset++, hs_buf++ ) |
| 2989 | { |
| 2990 | *hs_buf = *(hs_buf + 1); |
| 2991 | } |
| 2992 | |
| 2993 | /* Create a fresh last entry */ |
| 2994 | memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) ); |
Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 2995 | } |
| 2996 | #endif |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 2997 | } |
| 2998 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 2999 | /* |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3000 | * DTLS anti-replay: RFC 6347 4.1.2.6 |
| 3001 | * |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3002 | * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). |
| 3003 | * Bit n is set iff record number in_window_top - n has been seen. |
| 3004 | * |
| 3005 | * Usually, in_window_top is the last record number seen and the lsb of |
| 3006 | * in_window is set. The only exception is the initial state (record number 0 |
| 3007 | * not seen yet). |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3008 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3009 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 7e8e6a6 | 2020-02-05 10:45:48 +0000 | [diff] [blame] | 3010 | void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3011 | { |
| 3012 | ssl->in_window_top = 0; |
| 3013 | ssl->in_window = 0; |
| 3014 | } |
| 3015 | |
| 3016 | static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) |
| 3017 | { |
| 3018 | return( ( (uint64_t) buf[0] << 40 ) | |
| 3019 | ( (uint64_t) buf[1] << 32 ) | |
| 3020 | ( (uint64_t) buf[2] << 24 ) | |
| 3021 | ( (uint64_t) buf[3] << 16 ) | |
| 3022 | ( (uint64_t) buf[4] << 8 ) | |
| 3023 | ( (uint64_t) buf[5] ) ); |
| 3024 | } |
| 3025 | |
Arto Kinnunen | 7f8089b | 2019-10-29 11:13:33 +0200 | [diff] [blame] | 3026 | static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr ) |
| 3027 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3028 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Arto Kinnunen | 7f8089b | 2019-10-29 11:13:33 +0200 | [diff] [blame] | 3029 | unsigned char *original_in_ctr; |
| 3030 | |
| 3031 | // save original in_ctr |
| 3032 | original_in_ctr = ssl->in_ctr; |
| 3033 | |
| 3034 | // use counter from record |
| 3035 | ssl->in_ctr = record_in_ctr; |
| 3036 | |
| 3037 | ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl ); |
| 3038 | |
| 3039 | // restore the counter |
| 3040 | ssl->in_ctr = original_in_ctr; |
| 3041 | |
| 3042 | return ret; |
| 3043 | } |
| 3044 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3045 | /* |
| 3046 | * Return 0 if sequence number is acceptable, -1 otherwise |
| 3047 | */ |
Hanno Becker | 0183d69 | 2019-07-12 08:50:37 +0100 | [diff] [blame] | 3048 | int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl ) |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3049 | { |
| 3050 | uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); |
| 3051 | uint64_t bit; |
| 3052 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3053 | if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) |
Manuel Pégourié-Gonnard | 2739313 | 2014-09-24 14:41:11 +0200 | [diff] [blame] | 3054 | return( 0 ); |
| 3055 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3056 | if( rec_seqnum > ssl->in_window_top ) |
| 3057 | return( 0 ); |
| 3058 | |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3059 | bit = ssl->in_window_top - rec_seqnum; |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3060 | |
| 3061 | if( bit >= 64 ) |
| 3062 | return( -1 ); |
| 3063 | |
| 3064 | if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) |
| 3065 | return( -1 ); |
| 3066 | |
| 3067 | return( 0 ); |
| 3068 | } |
| 3069 | |
| 3070 | /* |
| 3071 | * Update replay window on new validated record |
| 3072 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3073 | void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3074 | { |
| 3075 | uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); |
| 3076 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3077 | if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) |
Manuel Pégourié-Gonnard | 2739313 | 2014-09-24 14:41:11 +0200 | [diff] [blame] | 3078 | return; |
| 3079 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3080 | if( rec_seqnum > ssl->in_window_top ) |
| 3081 | { |
| 3082 | /* Update window_top and the contents of the window */ |
| 3083 | uint64_t shift = rec_seqnum - ssl->in_window_top; |
| 3084 | |
| 3085 | if( shift >= 64 ) |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3086 | ssl->in_window = 1; |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3087 | else |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3088 | { |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3089 | ssl->in_window <<= shift; |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3090 | ssl->in_window |= 1; |
| 3091 | } |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3092 | |
| 3093 | ssl->in_window_top = rec_seqnum; |
| 3094 | } |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3095 | else |
| 3096 | { |
| 3097 | /* Mark that number as seen in the current window */ |
Manuel Pégourié-Gonnard | 4956fd7 | 2014-09-24 11:13:44 +0200 | [diff] [blame] | 3098 | uint64_t bit = ssl->in_window_top - rec_seqnum; |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3099 | |
| 3100 | if( bit < 64 ) /* Always true, but be extra sure */ |
| 3101 | ssl->in_window |= (uint64_t) 1 << bit; |
| 3102 | } |
| 3103 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3104 | #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3105 | |
Manuel Pégourié-Gonnard | ddfe5d2 | 2015-09-09 12:46:16 +0200 | [diff] [blame] | 3106 | #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3107 | /* |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3108 | * Without any SSL context, check if a datagram looks like a ClientHello with |
| 3109 | * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. |
Simon Butcher | 0789aed | 2015-09-11 17:15:17 +0100 | [diff] [blame] | 3110 | * Both input and output include full DTLS headers. |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3111 | * |
| 3112 | * - if cookie is valid, return 0 |
| 3113 | * - if ClientHello looks superficially valid but cookie is not, |
| 3114 | * fill obuf and set olen, then |
| 3115 | * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED |
| 3116 | * - otherwise return a specific error code |
| 3117 | */ |
| 3118 | static int ssl_check_dtls_clihlo_cookie( |
| 3119 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| 3120 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| 3121 | void *p_cookie, |
| 3122 | const unsigned char *cli_id, size_t cli_id_len, |
| 3123 | const unsigned char *in, size_t in_len, |
| 3124 | unsigned char *obuf, size_t buf_len, size_t *olen ) |
| 3125 | { |
| 3126 | size_t sid_len, cookie_len; |
| 3127 | unsigned char *p; |
| 3128 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3129 | /* |
| 3130 | * Structure of ClientHello with record and handshake headers, |
| 3131 | * and expected values. We don't need to check a lot, more checks will be |
| 3132 | * done when actually parsing the ClientHello - skipping those checks |
| 3133 | * avoids code duplication and does not make cookie forging any easier. |
| 3134 | * |
| 3135 | * 0-0 ContentType type; copied, must be handshake |
| 3136 | * 1-2 ProtocolVersion version; copied |
| 3137 | * 3-4 uint16 epoch; copied, must be 0 |
| 3138 | * 5-10 uint48 sequence_number; copied |
| 3139 | * 11-12 uint16 length; (ignored) |
| 3140 | * |
| 3141 | * 13-13 HandshakeType msg_type; (ignored) |
| 3142 | * 14-16 uint24 length; (ignored) |
| 3143 | * 17-18 uint16 message_seq; copied |
| 3144 | * 19-21 uint24 fragment_offset; copied, must be 0 |
| 3145 | * 22-24 uint24 fragment_length; (ignored) |
| 3146 | * |
| 3147 | * 25-26 ProtocolVersion client_version; (ignored) |
| 3148 | * 27-58 Random random; (ignored) |
| 3149 | * 59-xx SessionID session_id; 1 byte len + sid_len content |
| 3150 | * 60+ opaque cookie<0..2^8-1>; 1 byte len + content |
| 3151 | * ... |
| 3152 | * |
| 3153 | * Minimum length is 61 bytes. |
| 3154 | */ |
| 3155 | if( in_len < 61 || |
| 3156 | in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 3157 | in[3] != 0 || in[4] != 0 || |
| 3158 | in[19] != 0 || in[20] != 0 || in[21] != 0 ) |
| 3159 | { |
Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 3160 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3161 | } |
| 3162 | |
| 3163 | sid_len = in[59]; |
| 3164 | if( sid_len > in_len - 61 ) |
Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 3165 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3166 | |
| 3167 | cookie_len = in[60 + sid_len]; |
| 3168 | if( cookie_len > in_len - 60 ) |
Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 3169 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3170 | |
| 3171 | if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, |
| 3172 | cli_id, cli_id_len ) == 0 ) |
| 3173 | { |
| 3174 | /* Valid cookie */ |
| 3175 | return( 0 ); |
| 3176 | } |
| 3177 | |
| 3178 | /* |
| 3179 | * If we get here, we've got an invalid cookie, let's prepare HVR. |
| 3180 | * |
| 3181 | * 0-0 ContentType type; copied |
| 3182 | * 1-2 ProtocolVersion version; copied |
| 3183 | * 3-4 uint16 epoch; copied |
| 3184 | * 5-10 uint48 sequence_number; copied |
| 3185 | * 11-12 uint16 length; olen - 13 |
| 3186 | * |
| 3187 | * 13-13 HandshakeType msg_type; hello_verify_request |
| 3188 | * 14-16 uint24 length; olen - 25 |
| 3189 | * 17-18 uint16 message_seq; copied |
| 3190 | * 19-21 uint24 fragment_offset; copied |
| 3191 | * 22-24 uint24 fragment_length; olen - 25 |
| 3192 | * |
| 3193 | * 25-26 ProtocolVersion server_version; 0xfe 0xff |
| 3194 | * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie |
| 3195 | * |
| 3196 | * Minimum length is 28. |
| 3197 | */ |
| 3198 | if( buf_len < 28 ) |
| 3199 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
| 3200 | |
| 3201 | /* Copy most fields and adapt others */ |
| 3202 | memcpy( obuf, in, 25 ); |
| 3203 | obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| 3204 | obuf[25] = 0xfe; |
| 3205 | obuf[26] = 0xff; |
| 3206 | |
| 3207 | /* Generate and write actual cookie */ |
| 3208 | p = obuf + 28; |
| 3209 | if( f_cookie_write( p_cookie, |
| 3210 | &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) |
| 3211 | { |
| 3212 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 3213 | } |
| 3214 | |
| 3215 | *olen = p - obuf; |
| 3216 | |
| 3217 | /* Go back and fill length fields */ |
| 3218 | obuf[27] = (unsigned char)( *olen - 28 ); |
| 3219 | |
Joe Subbiani | fbeb692 | 2021-07-16 14:27:50 +0100 | [diff] [blame] | 3220 | obuf[14] = obuf[22] = MBEDTLS_BYTE_2( *olen - 25 ); |
| 3221 | obuf[15] = obuf[23] = MBEDTLS_BYTE_1( *olen - 25 ); |
| 3222 | obuf[16] = obuf[24] = MBEDTLS_BYTE_0( *olen - 25 ); |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3223 | |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 3224 | MBEDTLS_PUT_UINT16_BE( *olen - 13, obuf, 11 ); |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3225 | |
| 3226 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); |
| 3227 | } |
| 3228 | |
| 3229 | /* |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3230 | * Handle possible client reconnect with the same UDP quadruplet |
| 3231 | * (RFC 6347 Section 4.2.8). |
| 3232 | * |
| 3233 | * Called by ssl_parse_record_header() in case we receive an epoch 0 record |
| 3234 | * that looks like a ClientHello. |
| 3235 | * |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3236 | * - if the input looks like a ClientHello without cookies, |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 3237 | * send back HelloVerifyRequest, then return 0 |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3238 | * - if the input looks like a ClientHello with a valid cookie, |
| 3239 | * reset the session of the current context, and |
Manuel Pégourié-Gonnard | be619c1 | 2015-09-08 11:21:21 +0200 | [diff] [blame] | 3240 | * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3241 | * - if anything goes wrong, return a specific error code |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3242 | * |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 3243 | * This function is called (through ssl_check_client_reconnect()) when an |
| 3244 | * unexpected record is found in ssl_get_next_record(), which will discard the |
| 3245 | * record if we return 0, and bubble up the return value otherwise (this |
| 3246 | * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected |
| 3247 | * errors, and is the right thing to do in both cases). |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3248 | */ |
| 3249 | static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) |
| 3250 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3251 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3252 | size_t len; |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3253 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3254 | if( ssl->conf->f_cookie_write == NULL || |
| 3255 | ssl->conf->f_cookie_check == NULL ) |
| 3256 | { |
| 3257 | /* If we can't use cookies to verify reachability of the peer, |
| 3258 | * drop the record. */ |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3259 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, " |
| 3260 | "can't check reconnect validity" ) ); |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3261 | return( 0 ); |
| 3262 | } |
| 3263 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3264 | ret = ssl_check_dtls_clihlo_cookie( |
| 3265 | ssl->conf->f_cookie_write, |
| 3266 | ssl->conf->f_cookie_check, |
| 3267 | ssl->conf->p_cookie, |
| 3268 | ssl->cli_id, ssl->cli_id_len, |
| 3269 | ssl->in_buf, ssl->in_left, |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 3270 | ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len ); |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3271 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3272 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); |
| 3273 | |
| 3274 | if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3275 | { |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3276 | int send_ret; |
| 3277 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) ); |
| 3278 | MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", |
| 3279 | ssl->out_buf, len ); |
Brian J Murray | 1903fb3 | 2016-11-06 04:45:15 -0800 | [diff] [blame] | 3280 | /* Don't check write errors as we can't do anything here. |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3281 | * If the error is permanent we'll catch it later, |
| 3282 | * if it's not, then hopefully it'll work next time. */ |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3283 | send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len ); |
| 3284 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret ); |
| 3285 | (void) send_ret; |
| 3286 | |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 3287 | return( 0 ); |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3288 | } |
| 3289 | |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3290 | if( ret == 0 ) |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3291 | { |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 3292 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) ); |
Hanno Becker | 43aefe2 | 2020-02-05 10:44:56 +0000 | [diff] [blame] | 3293 | if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 ) |
Manuel Pégourié-Gonnard | 62c74bb | 2015-09-08 17:50:29 +0200 | [diff] [blame] | 3294 | { |
| 3295 | MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); |
| 3296 | return( ret ); |
| 3297 | } |
| 3298 | |
| 3299 | return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3300 | } |
| 3301 | |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3302 | return( ret ); |
| 3303 | } |
Manuel Pégourié-Gonnard | ddfe5d2 | 2015-09-09 12:46:16 +0200 | [diff] [blame] | 3304 | #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ |
Manuel Pégourié-Gonnard | 11331fc | 2015-09-08 10:30:55 +0200 | [diff] [blame] | 3305 | |
Hanno Becker | f661c9c | 2019-05-03 13:25:54 +0100 | [diff] [blame] | 3306 | static int ssl_check_record_type( uint8_t record_type ) |
| 3307 | { |
| 3308 | if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE && |
| 3309 | record_type != MBEDTLS_SSL_MSG_ALERT && |
| 3310 | record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && |
| 3311 | record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
| 3312 | { |
| 3313 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3314 | } |
| 3315 | |
| 3316 | return( 0 ); |
| 3317 | } |
| 3318 | |
Manuel Pégourié-Gonnard | 7a7e140 | 2014-09-24 10:52:58 +0200 | [diff] [blame] | 3319 | /* |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3320 | * ContentType type; |
| 3321 | * ProtocolVersion version; |
| 3322 | * uint16 epoch; // DTLS only |
| 3323 | * uint48 sequence_number; // DTLS only |
| 3324 | * uint16 length; |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3325 | * |
| 3326 | * Return 0 if header looks sane (and, for DTLS, the record is expected) |
Simon Butcher | 207990d | 2015-12-16 01:51:30 +0000 | [diff] [blame] | 3327 | * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3328 | * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. |
| 3329 | * |
| 3330 | * With DTLS, mbedtls_ssl_read_record() will: |
Simon Butcher | 207990d | 2015-12-16 01:51:30 +0000 | [diff] [blame] | 3331 | * 1. proceed with the record if this function returns 0 |
| 3332 | * 2. drop only the current record if this function returns UNEXPECTED_RECORD |
| 3333 | * 3. return CLIENT_RECONNECT if this function return that value |
| 3334 | * 4. drop the whole datagram if this function returns anything else. |
| 3335 | * Point 2 is needed when the peer is resending, and we have already received |
| 3336 | * the first record from a datagram but are still waiting for the others. |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3337 | */ |
Hanno Becker | 331de3d | 2019-07-12 11:10:16 +0100 | [diff] [blame] | 3338 | static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3339 | unsigned char *buf, |
| 3340 | size_t len, |
| 3341 | mbedtls_record *rec ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3342 | { |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 3343 | int major_ver, minor_ver; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3344 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3345 | size_t const rec_hdr_type_offset = 0; |
| 3346 | size_t const rec_hdr_type_len = 1; |
Manuel Pégourié-Gonnard | 64dffc5 | 2014-09-02 13:39:16 +0200 | [diff] [blame] | 3347 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3348 | size_t const rec_hdr_version_offset = rec_hdr_type_offset + |
| 3349 | rec_hdr_type_len; |
| 3350 | size_t const rec_hdr_version_len = 2; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3351 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3352 | size_t const rec_hdr_ctr_len = 8; |
| 3353 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | f546625 | 2019-07-25 10:13:02 +0100 | [diff] [blame] | 3354 | uint32_t rec_epoch; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3355 | size_t const rec_hdr_ctr_offset = rec_hdr_version_offset + |
| 3356 | rec_hdr_version_len; |
| 3357 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3358 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3359 | size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset + |
| 3360 | rec_hdr_ctr_len; |
Hanno Becker | f546625 | 2019-07-25 10:13:02 +0100 | [diff] [blame] | 3361 | size_t rec_hdr_cid_len = 0; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3362 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 3363 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3364 | |
| 3365 | size_t rec_hdr_len_offset; /* To be determined */ |
| 3366 | size_t const rec_hdr_len_len = 2; |
| 3367 | |
| 3368 | /* |
| 3369 | * Check minimum lengths for record header. |
| 3370 | */ |
| 3371 | |
| 3372 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3373 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 3374 | { |
| 3375 | rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len; |
| 3376 | } |
| 3377 | else |
| 3378 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3379 | { |
| 3380 | rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len; |
| 3381 | } |
| 3382 | |
| 3383 | if( len < rec_hdr_len_offset + rec_hdr_len_len ) |
| 3384 | { |
| 3385 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u", |
| 3386 | (unsigned) len, |
| 3387 | (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) ); |
| 3388 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3389 | } |
| 3390 | |
| 3391 | /* |
| 3392 | * Parse and validate record content type |
| 3393 | */ |
| 3394 | |
| 3395 | rec->type = buf[ rec_hdr_type_offset ]; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3396 | |
| 3397 | /* Check record content type */ |
| 3398 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 3399 | rec->cid_len = 0; |
| 3400 | |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3401 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3402 | ssl->conf->cid_len != 0 && |
| 3403 | rec->type == MBEDTLS_SSL_MSG_CID ) |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3404 | { |
| 3405 | /* Shift pointers to account for record header including CID |
| 3406 | * struct { |
| 3407 | * ContentType special_type = tls12_cid; |
| 3408 | * ProtocolVersion version; |
| 3409 | * uint16 epoch; |
| 3410 | * uint48 sequence_number; |
Hanno Becker | 8e55b0f | 2019-05-23 17:03:19 +0100 | [diff] [blame] | 3411 | * opaque cid[cid_length]; // Additional field compared to |
| 3412 | * // default DTLS record format |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3413 | * uint16 length; |
| 3414 | * opaque enc_content[DTLSCiphertext.length]; |
| 3415 | * } DTLSCiphertext; |
| 3416 | */ |
| 3417 | |
| 3418 | /* So far, we only support static CID lengths |
| 3419 | * fixed in the configuration. */ |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3420 | rec_hdr_cid_len = ssl->conf->cid_len; |
| 3421 | rec_hdr_len_offset += rec_hdr_cid_len; |
Hanno Becker | e538d82 | 2019-07-10 14:50:10 +0100 | [diff] [blame] | 3422 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3423 | if( len < rec_hdr_len_offset + rec_hdr_len_len ) |
Hanno Becker | e538d82 | 2019-07-10 14:50:10 +0100 | [diff] [blame] | 3424 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3425 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u", |
| 3426 | (unsigned) len, |
| 3427 | (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) ); |
Hanno Becker | 59be60e | 2019-07-10 14:53:43 +0100 | [diff] [blame] | 3428 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Hanno Becker | e538d82 | 2019-07-10 14:50:10 +0100 | [diff] [blame] | 3429 | } |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3430 | |
Manuel Pégourié-Gonnard | 7e821b5 | 2019-08-02 10:17:15 +0200 | [diff] [blame] | 3431 | /* configured CID len is guaranteed at most 255, see |
| 3432 | * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */ |
| 3433 | rec->cid_len = (uint8_t) rec_hdr_cid_len; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3434 | memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len ); |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3435 | } |
| 3436 | else |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3437 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Manuel Pégourié-Gonnard | edcbe54 | 2014-08-11 19:27:24 +0200 | [diff] [blame] | 3438 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3439 | if( ssl_check_record_type( rec->type ) ) |
| 3440 | { |
Hanno Becker | 5422981 | 2019-07-12 14:40:00 +0100 | [diff] [blame] | 3441 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u", |
| 3442 | (unsigned) rec->type ) ); |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3443 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3444 | } |
Manuel Pégourié-Gonnard | edcbe54 | 2014-08-11 19:27:24 +0200 | [diff] [blame] | 3445 | } |
| 3446 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3447 | /* |
| 3448 | * Parse and validate record version |
| 3449 | */ |
| 3450 | |
Hanno Becker | d0b66d0 | 2019-07-26 08:07:03 +0100 | [diff] [blame] | 3451 | rec->ver[0] = buf[ rec_hdr_version_offset + 0 ]; |
| 3452 | rec->ver[1] = buf[ rec_hdr_version_offset + 1 ]; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3453 | mbedtls_ssl_read_version( &major_ver, &minor_ver, |
| 3454 | ssl->conf->transport, |
Hanno Becker | d0b66d0 | 2019-07-26 08:07:03 +0100 | [diff] [blame] | 3455 | &rec->ver[0] ); |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3456 | |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 3457 | if( major_ver != ssl->major_ver ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3458 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3459 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); |
| 3460 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3461 | } |
| 3462 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3463 | if( minor_ver > ssl->conf->max_minor_ver ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3464 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3465 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); |
| 3466 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3467 | } |
| 3468 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3469 | /* |
| 3470 | * Parse/Copy record sequence number. |
| 3471 | */ |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3472 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3473 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3474 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 3475 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3476 | /* Copy explicit record sequence number from input buffer. */ |
| 3477 | memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset, |
| 3478 | rec_hdr_ctr_len ); |
Paul Bakker | 1a1fbba | 2014-04-30 14:38:05 +0200 | [diff] [blame] | 3479 | } |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3480 | else |
| 3481 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3482 | { |
| 3483 | /* Copy implicit record sequence number from SSL context structure. */ |
| 3484 | memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len ); |
| 3485 | } |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 3486 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3487 | /* |
| 3488 | * Parse record length. |
| 3489 | */ |
| 3490 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3491 | rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len; |
Hanno Becker | 9eca276 | 2019-07-25 10:16:37 +0100 | [diff] [blame] | 3492 | rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) | |
| 3493 | ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 ); |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3494 | MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3495 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 3496 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 3497 | "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3498 | rec->type, |
| 3499 | major_ver, minor_ver, rec->data_len ) ); |
| 3500 | |
| 3501 | rec->buf = buf; |
| 3502 | rec->buf_len = rec->data_offset + rec->data_len; |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 3503 | |
Hanno Becker | d417cc9 | 2019-07-26 08:20:27 +0100 | [diff] [blame] | 3504 | if( rec->data_len == 0 ) |
| 3505 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3506 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3507 | /* |
Hanno Becker | 52c6dc6 | 2017-05-26 16:07:36 +0100 | [diff] [blame] | 3508 | * DTLS-related tests. |
| 3509 | * Check epoch before checking length constraint because |
| 3510 | * the latter varies with the epoch. E.g., if a ChangeCipherSpec |
| 3511 | * message gets duplicated before the corresponding Finished message, |
| 3512 | * the second ChangeCipherSpec should be discarded because it belongs |
| 3513 | * to an old epoch, but not because its length is shorter than |
| 3514 | * the minimum record length for packets using the new record transform. |
| 3515 | * Note that these two kinds of failures are handled differently, |
| 3516 | * as an unexpected record is silently skipped but an invalid |
| 3517 | * record leads to the entire datagram being dropped. |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3518 | */ |
| 3519 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3520 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 3521 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3522 | rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1]; |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3523 | |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 3524 | /* Check that the datagram is large enough to contain a record |
| 3525 | * of the advertised length. */ |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3526 | if( len < rec->data_offset + rec->data_len ) |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 3527 | { |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 3528 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.", |
| 3529 | (unsigned) len, |
| 3530 | (unsigned)( rec->data_offset + rec->data_len ) ) ); |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 3531 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3532 | } |
Hanno Becker | 37cfe73 | 2019-07-10 17:20:01 +0100 | [diff] [blame] | 3533 | |
Hanno Becker | 37cfe73 | 2019-07-10 17:20:01 +0100 | [diff] [blame] | 3534 | /* Records from other, non-matching epochs are silently discarded. |
| 3535 | * (The case of same-port Client reconnects must be considered in |
| 3536 | * the caller). */ |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3537 | if( rec_epoch != ssl->in_epoch ) |
| 3538 | { |
| 3539 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 3540 | "expected %u, received %lu", |
| 3541 | ssl->in_epoch, (unsigned long) rec_epoch ) ); |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3542 | |
Hanno Becker | 552f747 | 2019-07-19 10:59:12 +0100 | [diff] [blame] | 3543 | /* Records from the next epoch are considered for buffering |
| 3544 | * (concretely: early Finished messages). */ |
| 3545 | if( rec_epoch == (unsigned) ssl->in_epoch + 1 ) |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3546 | { |
Hanno Becker | 552f747 | 2019-07-19 10:59:12 +0100 | [diff] [blame] | 3547 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) ); |
| 3548 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3549 | } |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 3550 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3551 | return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3552 | } |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3553 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 37cfe73 | 2019-07-10 17:20:01 +0100 | [diff] [blame] | 3554 | /* For records from the correct epoch, check whether their |
| 3555 | * sequence number has been seen before. */ |
Arto Kinnunen | 7f8089b | 2019-10-29 11:13:33 +0200 | [diff] [blame] | 3556 | else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl, |
| 3557 | &rec->ctr[0] ) != 0 ) |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 3558 | { |
| 3559 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); |
| 3560 | return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); |
| 3561 | } |
| 3562 | #endif |
| 3563 | } |
| 3564 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3565 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3566 | return( 0 ); |
| 3567 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3568 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3569 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3570 | #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) |
| 3571 | static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl ) |
| 3572 | { |
| 3573 | unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; |
| 3574 | |
| 3575 | /* |
| 3576 | * Check for an epoch 0 ClientHello. We can't use in_msg here to |
| 3577 | * access the first byte of record content (handshake type), as we |
| 3578 | * have an active transform (possibly iv_len != 0), so use the |
| 3579 | * fact that the record header len is 13 instead. |
| 3580 | */ |
| 3581 | if( rec_epoch == 0 && |
| 3582 | ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
| 3583 | ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && |
| 3584 | ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
| 3585 | ssl->in_left > 13 && |
| 3586 | ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| 3587 | { |
| 3588 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " |
| 3589 | "from the same port" ) ); |
| 3590 | return( ssl_handle_possible_reconnect( ssl ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3591 | } |
| 3592 | |
| 3593 | return( 0 ); |
| 3594 | } |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 3595 | #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3596 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3597 | /* |
Manuel Pégourié-Gonnard | c40b685 | 2020-01-03 12:18:49 +0100 | [diff] [blame] | 3598 | * If applicable, decrypt record content |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3599 | */ |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 3600 | static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, |
| 3601 | mbedtls_record *rec ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3602 | { |
| 3603 | int ret, done = 0; |
Manuel Pégourié-Gonnard | b2f3be8 | 2014-07-10 17:54:52 +0200 | [diff] [blame] | 3604 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3605 | MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 3606 | rec->buf, rec->buf_len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3607 | |
Ronald Cron | 7e38cba | 2021-11-24 12:43:39 +0100 | [diff] [blame] | 3608 | /* |
| 3609 | * In TLS 1.3, always treat ChangeCipherSpec records |
| 3610 | * as unencrypted. The only thing we do with them is |
| 3611 | * check the length and content and ignore them. |
| 3612 | */ |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 3613 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Ronald Cron | 7e38cba | 2021-11-24 12:43:39 +0100 | [diff] [blame] | 3614 | if( ssl->transform_in != NULL && |
| 3615 | ssl->transform_in->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 3616 | { |
| 3617 | if( rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
| 3618 | done = 1; |
| 3619 | } |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 3620 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
Ronald Cron | 7e38cba | 2021-11-24 12:43:39 +0100 | [diff] [blame] | 3621 | |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 3622 | if( !done && ssl->transform_in != NULL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3623 | { |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3624 | unsigned char const old_msg_type = rec->type; |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3625 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 3626 | if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 3627 | rec ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3628 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3629 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 3630 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3631 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 3632 | if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID && |
| 3633 | ssl->conf->ignore_unexpected_cid |
| 3634 | == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) |
| 3635 | { |
Hanno Becker | e8d6afd | 2019-05-24 10:11:06 +0100 | [diff] [blame] | 3636 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) ); |
Hanno Becker | 16ded98 | 2019-05-08 13:02:55 +0100 | [diff] [blame] | 3637 | ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; |
Hanno Becker | 8367ccc | 2019-05-14 11:30:10 +0100 | [diff] [blame] | 3638 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3639 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 16ded98 | 2019-05-08 13:02:55 +0100 | [diff] [blame] | 3640 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3641 | return( ret ); |
| 3642 | } |
| 3643 | |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3644 | if( old_msg_type != rec->type ) |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3645 | { |
| 3646 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d", |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3647 | old_msg_type, rec->type ) ); |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3648 | } |
| 3649 | |
Hanno Becker | 1c0c37f | 2018-08-07 14:29:29 +0100 | [diff] [blame] | 3650 | MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3651 | rec->buf + rec->data_offset, rec->data_len ); |
Hanno Becker | 1c0c37f | 2018-08-07 14:29:29 +0100 | [diff] [blame] | 3652 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3653 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3654 | /* We have already checked the record content type |
| 3655 | * in ssl_parse_record_header(), failing or silently |
| 3656 | * dropping the record in the case of an unknown type. |
| 3657 | * |
| 3658 | * Since with the use of CIDs, the record content type |
| 3659 | * might change during decryption, re-check the record |
| 3660 | * content type, but treat a failure as fatal this time. */ |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3661 | if( ssl_check_record_type( rec->type ) ) |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3662 | { |
| 3663 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); |
| 3664 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3665 | } |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 3666 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 6430faf | 2019-05-08 11:57:13 +0100 | [diff] [blame] | 3667 | |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3668 | if( rec->data_len == 0 ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3669 | { |
| 3670 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 3671 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 |
Hanno Becker | 58ef0bf | 2019-07-12 09:35:58 +0100 | [diff] [blame] | 3672 | && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3673 | { |
| 3674 | /* TLS v1.2 explicitly disallows zero-length messages which are not application data */ |
| 3675 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) ); |
| 3676 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3677 | } |
| 3678 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 3679 | |
| 3680 | ssl->nb_zero++; |
| 3681 | |
| 3682 | /* |
| 3683 | * Three or more empty messages may be a DoS attack |
| 3684 | * (excessive CPU consumption). |
| 3685 | */ |
| 3686 | if( ssl->nb_zero > 3 ) |
| 3687 | { |
| 3688 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " |
Hanno Becker | 6e7700d | 2019-05-08 10:38:32 +0100 | [diff] [blame] | 3689 | "messages, possible DoS attack" ) ); |
| 3690 | /* Treat the records as if they were not properly authenticated, |
| 3691 | * thereby failing the connection if we see more than allowed |
| 3692 | * by the configured bad MAC threshold. */ |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3693 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
| 3694 | } |
| 3695 | } |
| 3696 | else |
| 3697 | ssl->nb_zero = 0; |
| 3698 | |
| 3699 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3700 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 3701 | { |
| 3702 | ; /* in_ctr read from peer, not maintained internally */ |
| 3703 | } |
| 3704 | else |
| 3705 | #endif |
| 3706 | { |
| 3707 | unsigned i; |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 3708 | for( i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
| 3709 | i > mbedtls_ssl_ep_len( ssl ); i-- ) |
| 3710 | { |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3711 | if( ++ssl->in_ctr[i - 1] != 0 ) |
| 3712 | break; |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 3713 | } |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3714 | |
| 3715 | /* The loop goes to its end iff the counter is wrapping */ |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 3716 | if( i == mbedtls_ssl_ep_len( ssl ) ) |
Hanno Becker | 2e24c3b | 2017-12-27 21:28:58 +0000 | [diff] [blame] | 3717 | { |
| 3718 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); |
| 3719 | return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); |
| 3720 | } |
| 3721 | } |
| 3722 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3723 | } |
| 3724 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3725 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3726 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | b47368a | 2014-09-24 13:29:58 +0200 | [diff] [blame] | 3727 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3728 | mbedtls_ssl_dtls_replay_update( ssl ); |
Manuel Pégourié-Gonnard | b47368a | 2014-09-24 13:29:58 +0200 | [diff] [blame] | 3729 | } |
| 3730 | #endif |
| 3731 | |
Hanno Becker | d96e10b | 2019-07-09 17:30:02 +0100 | [diff] [blame] | 3732 | /* Check actual (decrypted) record content length against |
| 3733 | * configured maximum. */ |
| 3734 | if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN ) |
| 3735 | { |
| 3736 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); |
| 3737 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 3738 | } |
| 3739 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3740 | return( 0 ); |
| 3741 | } |
| 3742 | |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 3743 | /* |
| 3744 | * Read a record. |
| 3745 | * |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 3746 | * Silently ignore non-fatal alert (and for DTLS, invalid records as well, |
| 3747 | * RFC 6347 4.1.2.7) and continue reading until a valid record is found. |
| 3748 | * |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 3749 | */ |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 3750 | |
| 3751 | /* Helper functions for mbedtls_ssl_read_record(). */ |
| 3752 | static int ssl_consume_current_message( mbedtls_ssl_context *ssl ); |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3753 | static int ssl_get_next_record( mbedtls_ssl_context *ssl ); |
| 3754 | static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl ); |
Hanno Becker | 4162b11 | 2018-08-15 14:05:04 +0100 | [diff] [blame] | 3755 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 3756 | int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, |
Hanno Becker | 3a0aad1 | 2018-08-20 09:44:02 +0100 | [diff] [blame] | 3757 | unsigned update_hs_digest ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3758 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3759 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3760 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3761 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 3762 | |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3763 | if( ssl->keep_current_message == 0 ) |
| 3764 | { |
| 3765 | do { |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3766 | |
Hanno Becker | 2699459 | 2018-08-15 14:14:59 +0100 | [diff] [blame] | 3767 | ret = ssl_consume_current_message( ssl ); |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 3768 | if( ret != 0 ) |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3769 | return( ret ); |
Hanno Becker | 2699459 | 2018-08-15 14:14:59 +0100 | [diff] [blame] | 3770 | |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3771 | if( ssl_record_is_in_progress( ssl ) == 0 ) |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3772 | { |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3773 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3774 | int have_buffered = 0; |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3775 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3776 | /* We only check for buffered messages if the |
| 3777 | * current datagram is fully consumed. */ |
| 3778 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 3779 | ssl_next_record_is_in_datagram( ssl ) == 0 ) |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3780 | { |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3781 | if( ssl_load_buffered_message( ssl ) == 0 ) |
| 3782 | have_buffered = 1; |
| 3783 | } |
| 3784 | |
| 3785 | if( have_buffered == 0 ) |
| 3786 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3787 | { |
| 3788 | ret = ssl_get_next_record( ssl ); |
| 3789 | if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ) |
| 3790 | continue; |
| 3791 | |
| 3792 | if( ret != 0 ) |
| 3793 | { |
Hanno Becker | c573ac3 | 2018-08-28 17:15:25 +0100 | [diff] [blame] | 3794 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret ); |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3795 | return( ret ); |
| 3796 | } |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 3797 | } |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3798 | } |
| 3799 | |
| 3800 | ret = mbedtls_ssl_handle_message_type( ssl ); |
| 3801 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3802 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3803 | if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) |
| 3804 | { |
| 3805 | /* Buffer future message */ |
| 3806 | ret = ssl_buffer_message( ssl ); |
| 3807 | if( ret != 0 ) |
| 3808 | return( ret ); |
| 3809 | |
| 3810 | ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; |
| 3811 | } |
| 3812 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3813 | |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 3814 | } while( MBEDTLS_ERR_SSL_NON_FATAL == ret || |
| 3815 | MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret ); |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3816 | |
| 3817 | if( 0 != ret ) |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3818 | { |
Hanno Becker | 05c4fc8 | 2017-11-09 14:34:06 +0000 | [diff] [blame] | 3819 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3820 | return( ret ); |
| 3821 | } |
| 3822 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 3823 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
Hanno Becker | 3a0aad1 | 2018-08-20 09:44:02 +0100 | [diff] [blame] | 3824 | update_hs_digest == 1 ) |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3825 | { |
| 3826 | mbedtls_ssl_update_handshake_status( ssl ); |
| 3827 | } |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3828 | } |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3829 | else |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3830 | { |
Hanno Becker | 02f5907 | 2018-08-15 14:00:24 +0100 | [diff] [blame] | 3831 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) ); |
Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 3832 | ssl->keep_current_message = 0; |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3833 | } |
| 3834 | |
| 3835 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); |
| 3836 | |
| 3837 | return( 0 ); |
| 3838 | } |
| 3839 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3840 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 3841 | static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl ) |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3842 | { |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3843 | if( ssl->in_left > ssl->next_record_offset ) |
| 3844 | return( 1 ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 3845 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3846 | return( 0 ); |
| 3847 | } |
| 3848 | |
| 3849 | static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ) |
| 3850 | { |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3851 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3852 | mbedtls_ssl_hs_buffer * hs_buf; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3853 | int ret = 0; |
| 3854 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3855 | if( hs == NULL ) |
| 3856 | return( -1 ); |
| 3857 | |
Hanno Becker | e00ae37 | 2018-08-20 09:39:42 +0100 | [diff] [blame] | 3858 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) ); |
| 3859 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3860 | if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC || |
| 3861 | ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) |
| 3862 | { |
| 3863 | /* Check if we have seen a ChangeCipherSpec before. |
| 3864 | * If yes, synthesize a CCS record. */ |
Hanno Becker | 4422bbb | 2018-08-20 09:40:19 +0100 | [diff] [blame] | 3865 | if( !hs->buffering.seen_ccs ) |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3866 | { |
| 3867 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) ); |
| 3868 | ret = -1; |
Hanno Becker | 0d4b376 | 2018-08-20 09:36:59 +0100 | [diff] [blame] | 3869 | goto exit; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3870 | } |
| 3871 | |
Hanno Becker | 39b8bc9 | 2018-08-28 17:17:13 +0100 | [diff] [blame] | 3872 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) ); |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3873 | ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; |
| 3874 | ssl->in_msglen = 1; |
| 3875 | ssl->in_msg[0] = 1; |
| 3876 | |
| 3877 | /* As long as they are equal, the exact value doesn't matter. */ |
| 3878 | ssl->in_left = 0; |
| 3879 | ssl->next_record_offset = 0; |
| 3880 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 3881 | hs->buffering.seen_ccs = 0; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3882 | goto exit; |
| 3883 | } |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3884 | |
Hanno Becker | b8f5014 | 2018-08-28 10:01:34 +0100 | [diff] [blame] | 3885 | #if defined(MBEDTLS_DEBUG_C) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3886 | /* Debug only */ |
| 3887 | { |
| 3888 | unsigned offset; |
| 3889 | for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ ) |
| 3890 | { |
| 3891 | hs_buf = &hs->buffering.hs[offset]; |
| 3892 | if( hs_buf->is_valid == 1 ) |
| 3893 | { |
| 3894 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.", |
| 3895 | hs->in_msg_seq + offset, |
Hanno Becker | a591c48 | 2018-08-28 17:20:00 +0100 | [diff] [blame] | 3896 | hs_buf->is_complete ? "fully" : "partially" ) ); |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3897 | } |
| 3898 | } |
| 3899 | } |
Hanno Becker | b8f5014 | 2018-08-28 10:01:34 +0100 | [diff] [blame] | 3900 | #endif /* MBEDTLS_DEBUG_C */ |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 3901 | |
| 3902 | /* Check if we have buffered and/or fully reassembled the |
| 3903 | * next handshake message. */ |
| 3904 | hs_buf = &hs->buffering.hs[0]; |
| 3905 | if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) ) |
| 3906 | { |
| 3907 | /* Synthesize a record containing the buffered HS message. */ |
| 3908 | size_t msg_len = ( hs_buf->data[1] << 16 ) | |
| 3909 | ( hs_buf->data[2] << 8 ) | |
| 3910 | hs_buf->data[3]; |
| 3911 | |
| 3912 | /* Double-check that we haven't accidentally buffered |
| 3913 | * a message that doesn't fit into the input buffer. */ |
| 3914 | if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN ) |
| 3915 | { |
| 3916 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 3917 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 3918 | } |
| 3919 | |
| 3920 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) ); |
| 3921 | MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)", |
| 3922 | hs_buf->data, msg_len + 12 ); |
| 3923 | |
| 3924 | ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3925 | ssl->in_hslen = msg_len + 12; |
| 3926 | ssl->in_msglen = msg_len + 12; |
| 3927 | memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen ); |
| 3928 | |
| 3929 | ret = 0; |
| 3930 | goto exit; |
| 3931 | } |
| 3932 | else |
| 3933 | { |
| 3934 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered", |
| 3935 | hs->in_msg_seq ) ); |
| 3936 | } |
| 3937 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3938 | ret = -1; |
| 3939 | |
| 3940 | exit: |
| 3941 | |
| 3942 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) ); |
| 3943 | return( ret ); |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3944 | } |
| 3945 | |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3946 | static int ssl_buffer_make_space( mbedtls_ssl_context *ssl, |
| 3947 | size_t desired ) |
| 3948 | { |
| 3949 | int offset; |
| 3950 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Hanno Becker | 6e12c1e | 2018-08-24 14:39:15 +0100 | [diff] [blame] | 3951 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available", |
| 3952 | (unsigned) desired ) ); |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3953 | |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 3954 | /* Get rid of future records epoch first, if such exist. */ |
| 3955 | ssl_free_buffered_record( ssl ); |
| 3956 | |
| 3957 | /* Check if we have enough space available now. */ |
| 3958 | if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
| 3959 | hs->buffering.total_bytes_buffered ) ) |
| 3960 | { |
Hanno Becker | 6e12c1e | 2018-08-24 14:39:15 +0100 | [diff] [blame] | 3961 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) ); |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 3962 | return( 0 ); |
| 3963 | } |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3964 | |
Hanno Becker | 4f432ad | 2018-08-28 10:02:32 +0100 | [diff] [blame] | 3965 | /* We don't have enough space to buffer the next expected handshake |
| 3966 | * message. Remove buffers used for future messages to gain space, |
| 3967 | * starting with the most distant one. */ |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3968 | for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1; |
| 3969 | offset >= 0; offset-- ) |
| 3970 | { |
| 3971 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message", |
| 3972 | offset ) ); |
| 3973 | |
Hanno Becker | b309b92 | 2018-08-23 13:18:05 +0100 | [diff] [blame] | 3974 | ssl_buffering_free_slot( ssl, (uint8_t) offset ); |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3975 | |
| 3976 | /* Check if we have enough space available now. */ |
| 3977 | if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
| 3978 | hs->buffering.total_bytes_buffered ) ) |
| 3979 | { |
Hanno Becker | 6e12c1e | 2018-08-24 14:39:15 +0100 | [diff] [blame] | 3980 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) ); |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 3981 | return( 0 ); |
| 3982 | } |
| 3983 | } |
| 3984 | |
| 3985 | return( -1 ); |
| 3986 | } |
| 3987 | |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 3988 | static int ssl_buffer_message( mbedtls_ssl_context *ssl ) |
| 3989 | { |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 3990 | int ret = 0; |
| 3991 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 3992 | |
| 3993 | if( hs == NULL ) |
| 3994 | return( 0 ); |
| 3995 | |
| 3996 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) ); |
| 3997 | |
| 3998 | switch( ssl->in_msgtype ) |
| 3999 | { |
| 4000 | case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC: |
| 4001 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) ); |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4002 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 4003 | hs->buffering.seen_ccs = 1; |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4004 | break; |
| 4005 | |
| 4006 | case MBEDTLS_SSL_MSG_HANDSHAKE: |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4007 | { |
| 4008 | unsigned recv_msg_seq_offset; |
| 4009 | unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; |
| 4010 | mbedtls_ssl_hs_buffer *hs_buf; |
| 4011 | size_t msg_len = ssl->in_hslen - 12; |
| 4012 | |
| 4013 | /* We should never receive an old handshake |
| 4014 | * message - double-check nonetheless. */ |
| 4015 | if( recv_msg_seq < ssl->handshake->in_msg_seq ) |
| 4016 | { |
| 4017 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4018 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4019 | } |
| 4020 | |
| 4021 | recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq; |
| 4022 | if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS ) |
| 4023 | { |
| 4024 | /* Silently ignore -- message too far in the future */ |
| 4025 | MBEDTLS_SSL_DEBUG_MSG( 2, |
| 4026 | ( "Ignore future HS message with sequence number %u, " |
| 4027 | "buffering window %u - %u", |
| 4028 | recv_msg_seq, ssl->handshake->in_msg_seq, |
| 4029 | ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) ); |
| 4030 | |
| 4031 | goto exit; |
| 4032 | } |
| 4033 | |
| 4034 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ", |
| 4035 | recv_msg_seq, recv_msg_seq_offset ) ); |
| 4036 | |
| 4037 | hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ]; |
| 4038 | |
| 4039 | /* Check if the buffering for this seq nr has already commenced. */ |
Hanno Becker | 4422bbb | 2018-08-20 09:40:19 +0100 | [diff] [blame] | 4040 | if( !hs_buf->is_valid ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4041 | { |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 4042 | size_t reassembly_buf_sz; |
| 4043 | |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4044 | hs_buf->is_fragmented = |
| 4045 | ( ssl_hs_is_proper_fragment( ssl ) == 1 ); |
| 4046 | |
| 4047 | /* We copy the message back into the input buffer |
| 4048 | * after reassembly, so check that it's not too large. |
| 4049 | * This is an implementation-specific limitation |
| 4050 | * and not one from the standard, hence it is not |
| 4051 | * checked in ssl_check_hs_header(). */ |
Hanno Becker | 96a6c69 | 2018-08-21 15:56:03 +0100 | [diff] [blame] | 4052 | if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4053 | { |
| 4054 | /* Ignore message */ |
| 4055 | goto exit; |
| 4056 | } |
| 4057 | |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4058 | /* Check if we have enough space to buffer the message. */ |
| 4059 | if( hs->buffering.total_bytes_buffered > |
| 4060 | MBEDTLS_SSL_DTLS_MAX_BUFFERING ) |
| 4061 | { |
| 4062 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4063 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4064 | } |
| 4065 | |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 4066 | reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len, |
| 4067 | hs_buf->is_fragmented ); |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4068 | |
| 4069 | if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
| 4070 | hs->buffering.total_bytes_buffered ) ) |
| 4071 | { |
| 4072 | if( recv_msg_seq_offset > 0 ) |
| 4073 | { |
| 4074 | /* If we can't buffer a future message because |
| 4075 | * of space limitations -- ignore. */ |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4076 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET |
| 4077 | " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4078 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4079 | " bytes buffered) -- ignore\n", |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4080 | msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4081 | hs->buffering.total_bytes_buffered ) ); |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4082 | goto exit; |
| 4083 | } |
Hanno Becker | e180139 | 2018-08-21 16:51:05 +0100 | [diff] [blame] | 4084 | else |
| 4085 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4086 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET |
| 4087 | " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4088 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4089 | " bytes buffered) -- attempt to make space by freeing buffered future messages\n", |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4090 | msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4091 | hs->buffering.total_bytes_buffered ) ); |
Hanno Becker | e180139 | 2018-08-21 16:51:05 +0100 | [diff] [blame] | 4092 | } |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4093 | |
Hanno Becker | a02b0b4 | 2018-08-21 17:20:27 +0100 | [diff] [blame] | 4094 | if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 ) |
Hanno Becker | 55e9e2a | 2018-08-21 16:07:55 +0100 | [diff] [blame] | 4095 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4096 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET |
| 4097 | " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed" |
| 4098 | " the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4099 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4100 | " bytes buffered) -- fail\n", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4101 | msg_len, |
| 4102 | reassembly_buf_sz, |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4103 | (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4104 | hs->buffering.total_bytes_buffered ) ); |
Hanno Becker | 55e9e2a | 2018-08-21 16:07:55 +0100 | [diff] [blame] | 4105 | ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| 4106 | goto exit; |
| 4107 | } |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4108 | } |
| 4109 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4110 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4111 | msg_len ) ); |
| 4112 | |
Hanno Becker | 2a97b0e | 2018-08-21 15:47:49 +0100 | [diff] [blame] | 4113 | hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz ); |
| 4114 | if( hs_buf->data == NULL ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4115 | { |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4116 | ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4117 | goto exit; |
| 4118 | } |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4119 | hs_buf->data_len = reassembly_buf_sz; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4120 | |
| 4121 | /* Prepare final header: copy msg_type, length and message_seq, |
| 4122 | * then add standardised fragment_offset and fragment_length */ |
| 4123 | memcpy( hs_buf->data, ssl->in_msg, 6 ); |
| 4124 | memset( hs_buf->data + 6, 0, 3 ); |
| 4125 | memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ); |
| 4126 | |
| 4127 | hs_buf->is_valid = 1; |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 4128 | |
| 4129 | hs->buffering.total_bytes_buffered += reassembly_buf_sz; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4130 | } |
| 4131 | else |
| 4132 | { |
| 4133 | /* Make sure msg_type and length are consistent */ |
| 4134 | if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 ) |
| 4135 | { |
| 4136 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) ); |
| 4137 | /* Ignore */ |
| 4138 | goto exit; |
| 4139 | } |
| 4140 | } |
| 4141 | |
Hanno Becker | 4422bbb | 2018-08-20 09:40:19 +0100 | [diff] [blame] | 4142 | if( !hs_buf->is_complete ) |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4143 | { |
| 4144 | size_t frag_len, frag_off; |
| 4145 | unsigned char * const msg = hs_buf->data + 12; |
| 4146 | |
| 4147 | /* |
| 4148 | * Check and copy current fragment |
| 4149 | */ |
| 4150 | |
| 4151 | /* Validation of header fields already done in |
| 4152 | * mbedtls_ssl_prepare_handshake_record(). */ |
| 4153 | frag_off = ssl_get_hs_frag_off( ssl ); |
| 4154 | frag_len = ssl_get_hs_frag_len( ssl ); |
| 4155 | |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4156 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET |
| 4157 | ", length = %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4158 | frag_off, frag_len ) ); |
| 4159 | memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); |
| 4160 | |
| 4161 | if( hs_buf->is_fragmented ) |
| 4162 | { |
| 4163 | unsigned char * const bitmask = msg + msg_len; |
| 4164 | ssl_bitmask_set( bitmask, frag_off, frag_len ); |
| 4165 | hs_buf->is_complete = ( ssl_bitmask_check( bitmask, |
| 4166 | msg_len ) == 0 ); |
| 4167 | } |
| 4168 | else |
| 4169 | { |
| 4170 | hs_buf->is_complete = 1; |
| 4171 | } |
| 4172 | |
| 4173 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete", |
| 4174 | hs_buf->is_complete ? "" : "not yet " ) ); |
| 4175 | } |
| 4176 | |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4177 | break; |
Hanno Becker | 37f9532 | 2018-08-16 13:55:32 +0100 | [diff] [blame] | 4178 | } |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4179 | |
| 4180 | default: |
Hanno Becker | 360bef3 | 2018-08-28 10:04:33 +0100 | [diff] [blame] | 4181 | /* We don't buffer other types of messages. */ |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4182 | break; |
| 4183 | } |
| 4184 | |
| 4185 | exit: |
| 4186 | |
| 4187 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) ); |
| 4188 | return( ret ); |
Hanno Becker | 40f5084 | 2018-08-15 14:48:01 +0100 | [diff] [blame] | 4189 | } |
| 4190 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4191 | |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4192 | static int ssl_consume_current_message( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4193 | { |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4194 | /* |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4195 | * Consume last content-layer message and potentially |
| 4196 | * update in_msglen which keeps track of the contents' |
| 4197 | * consumption state. |
| 4198 | * |
| 4199 | * (1) Handshake messages: |
| 4200 | * Remove last handshake message, move content |
| 4201 | * and adapt in_msglen. |
| 4202 | * |
| 4203 | * (2) Alert messages: |
| 4204 | * Consume whole record content, in_msglen = 0. |
| 4205 | * |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4206 | * (3) Change cipher spec: |
| 4207 | * Consume whole record content, in_msglen = 0. |
| 4208 | * |
| 4209 | * (4) Application data: |
| 4210 | * Don't do anything - the record layer provides |
| 4211 | * the application data as a stream transport |
| 4212 | * and consumes through mbedtls_ssl_read only. |
| 4213 | * |
| 4214 | */ |
| 4215 | |
| 4216 | /* Case (1): Handshake messages */ |
| 4217 | if( ssl->in_hslen != 0 ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4218 | { |
Hanno Becker | bb9dd0c | 2017-06-08 11:55:34 +0100 | [diff] [blame] | 4219 | /* Hard assertion to be sure that no application data |
| 4220 | * is in flight, as corrupting ssl->in_msglen during |
| 4221 | * ssl->in_offt != NULL is fatal. */ |
| 4222 | if( ssl->in_offt != NULL ) |
| 4223 | { |
| 4224 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4225 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4226 | } |
| 4227 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4228 | /* |
| 4229 | * Get next Handshake message in the current record |
| 4230 | */ |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4231 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4232 | /* Notes: |
Hanno Becker | e72489d | 2017-10-23 13:23:50 +0100 | [diff] [blame] | 4233 | * (1) in_hslen is not necessarily the size of the |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4234 | * current handshake content: If DTLS handshake |
| 4235 | * fragmentation is used, that's the fragment |
| 4236 | * size instead. Using the total handshake message |
Hanno Becker | e72489d | 2017-10-23 13:23:50 +0100 | [diff] [blame] | 4237 | * size here is faulty and should be changed at |
| 4238 | * some point. |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4239 | * (2) While it doesn't seem to cause problems, one |
| 4240 | * has to be very careful not to assume that in_hslen |
| 4241 | * is always <= in_msglen in a sensible communication. |
| 4242 | * Again, it's wrong for DTLS handshake fragmentation. |
| 4243 | * The following check is therefore mandatory, and |
| 4244 | * should not be treated as a silently corrected assertion. |
Hanno Becker | bb9dd0c | 2017-06-08 11:55:34 +0100 | [diff] [blame] | 4245 | * Additionally, ssl->in_hslen might be arbitrarily out of |
| 4246 | * bounds after handling a DTLS message with an unexpected |
| 4247 | * sequence number, see mbedtls_ssl_prepare_handshake_record. |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4248 | */ |
| 4249 | if( ssl->in_hslen < ssl->in_msglen ) |
| 4250 | { |
| 4251 | ssl->in_msglen -= ssl->in_hslen; |
| 4252 | memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, |
| 4253 | ssl->in_msglen ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4254 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4255 | MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", |
| 4256 | ssl->in_msg, ssl->in_msglen ); |
| 4257 | } |
| 4258 | else |
| 4259 | { |
| 4260 | ssl->in_msglen = 0; |
| 4261 | } |
Manuel Pégourié-Gonnard | 4a17536 | 2014-09-09 17:45:31 +0200 | [diff] [blame] | 4262 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4263 | ssl->in_hslen = 0; |
| 4264 | } |
| 4265 | /* Case (4): Application data */ |
| 4266 | else if( ssl->in_offt != NULL ) |
| 4267 | { |
| 4268 | return( 0 ); |
| 4269 | } |
| 4270 | /* Everything else (CCS & Alerts) */ |
| 4271 | else |
| 4272 | { |
| 4273 | ssl->in_msglen = 0; |
| 4274 | } |
| 4275 | |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4276 | return( 0 ); |
| 4277 | } |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4278 | |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 4279 | static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl ) |
| 4280 | { |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4281 | if( ssl->in_msglen > 0 ) |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 4282 | return( 1 ); |
| 4283 | |
| 4284 | return( 0 ); |
| 4285 | } |
| 4286 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4287 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4288 | |
| 4289 | static void ssl_free_buffered_record( mbedtls_ssl_context *ssl ) |
| 4290 | { |
| 4291 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 4292 | if( hs == NULL ) |
| 4293 | return; |
| 4294 | |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4295 | if( hs->buffering.future_record.data != NULL ) |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4296 | { |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4297 | hs->buffering.total_bytes_buffered -= |
| 4298 | hs->buffering.future_record.len; |
| 4299 | |
| 4300 | mbedtls_free( hs->buffering.future_record.data ); |
| 4301 | hs->buffering.future_record.data = NULL; |
| 4302 | } |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4303 | } |
| 4304 | |
| 4305 | static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ) |
| 4306 | { |
| 4307 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 4308 | unsigned char * rec; |
| 4309 | size_t rec_len; |
| 4310 | unsigned rec_epoch; |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 4311 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 4312 | size_t in_buf_len = ssl->in_buf_len; |
| 4313 | #else |
| 4314 | size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; |
| 4315 | #endif |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4316 | if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4317 | return( 0 ); |
| 4318 | |
| 4319 | if( hs == NULL ) |
| 4320 | return( 0 ); |
| 4321 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4322 | rec = hs->buffering.future_record.data; |
| 4323 | rec_len = hs->buffering.future_record.len; |
| 4324 | rec_epoch = hs->buffering.future_record.epoch; |
| 4325 | |
| 4326 | if( rec == NULL ) |
| 4327 | return( 0 ); |
| 4328 | |
Hanno Becker | 4cb782d | 2018-08-20 11:19:05 +0100 | [diff] [blame] | 4329 | /* Only consider loading future records if the |
| 4330 | * input buffer is empty. */ |
Hanno Becker | ef7afdf | 2018-08-28 17:16:31 +0100 | [diff] [blame] | 4331 | if( ssl_next_record_is_in_datagram( ssl ) == 1 ) |
Hanno Becker | 4cb782d | 2018-08-20 11:19:05 +0100 | [diff] [blame] | 4332 | return( 0 ); |
| 4333 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4334 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) ); |
| 4335 | |
| 4336 | if( rec_epoch != ssl->in_epoch ) |
| 4337 | { |
| 4338 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) ); |
| 4339 | goto exit; |
| 4340 | } |
| 4341 | |
| 4342 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) ); |
| 4343 | |
| 4344 | /* Double-check that the record is not too large */ |
Darryl Green | b33cc76 | 2019-11-28 14:29:44 +0000 | [diff] [blame] | 4345 | if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) ) |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4346 | { |
| 4347 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4348 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4349 | } |
| 4350 | |
| 4351 | memcpy( ssl->in_hdr, rec, rec_len ); |
| 4352 | ssl->in_left = rec_len; |
| 4353 | ssl->next_record_offset = 0; |
| 4354 | |
| 4355 | ssl_free_buffered_record( ssl ); |
| 4356 | |
| 4357 | exit: |
| 4358 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) ); |
| 4359 | return( 0 ); |
| 4360 | } |
| 4361 | |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4362 | static int ssl_buffer_future_record( mbedtls_ssl_context *ssl, |
| 4363 | mbedtls_record const *rec ) |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4364 | { |
| 4365 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4366 | |
| 4367 | /* Don't buffer future records outside handshakes. */ |
| 4368 | if( hs == NULL ) |
| 4369 | return( 0 ); |
| 4370 | |
| 4371 | /* Only buffer handshake records (we are only interested |
| 4372 | * in Finished messages). */ |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4373 | if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE ) |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4374 | return( 0 ); |
| 4375 | |
| 4376 | /* Don't buffer more than one future epoch record. */ |
| 4377 | if( hs->buffering.future_record.data != NULL ) |
| 4378 | return( 0 ); |
| 4379 | |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4380 | /* Don't buffer record if there's not enough buffering space remaining. */ |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4381 | if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - |
Hanno Becker | 01315ea | 2018-08-21 17:22:17 +0100 | [diff] [blame] | 4382 | hs->buffering.total_bytes_buffered ) ) |
| 4383 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4384 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET |
| 4385 | " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET |
| 4386 | " (already %" MBEDTLS_PRINTF_SIZET |
| 4387 | " bytes buffered) -- ignore\n", |
Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 4388 | rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4389 | hs->buffering.total_bytes_buffered ) ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4390 | return( 0 ); |
| 4391 | } |
| 4392 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4393 | /* Buffer record */ |
| 4394 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u", |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4395 | ssl->in_epoch + 1U ) ); |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4396 | MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len ); |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4397 | |
| 4398 | /* ssl_parse_record_header() only considers records |
| 4399 | * of the next epoch as candidates for buffering. */ |
| 4400 | hs->buffering.future_record.epoch = ssl->in_epoch + 1; |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4401 | hs->buffering.future_record.len = rec->buf_len; |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4402 | |
| 4403 | hs->buffering.future_record.data = |
| 4404 | mbedtls_calloc( 1, hs->buffering.future_record.len ); |
| 4405 | if( hs->buffering.future_record.data == NULL ) |
| 4406 | { |
| 4407 | /* If we run out of RAM trying to buffer a |
| 4408 | * record from the next epoch, just ignore. */ |
| 4409 | return( 0 ); |
| 4410 | } |
| 4411 | |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4412 | memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len ); |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4413 | |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4414 | hs->buffering.total_bytes_buffered += rec->buf_len; |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4415 | return( 0 ); |
| 4416 | } |
| 4417 | |
| 4418 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4419 | |
Hanno Becker | e74d556 | 2018-08-15 14:26:08 +0100 | [diff] [blame] | 4420 | static int ssl_get_next_record( mbedtls_ssl_context *ssl ) |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4421 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4422 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 4423 | mbedtls_record rec; |
Hanno Becker | 1097b34 | 2018-08-15 14:09:41 +0100 | [diff] [blame] | 4424 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4425 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4426 | /* We might have buffered a future record; if so, |
| 4427 | * and if the epoch matches now, load it. |
| 4428 | * On success, this call will set ssl->in_left to |
| 4429 | * the length of the buffered record, so that |
| 4430 | * the calls to ssl_fetch_input() below will |
| 4431 | * essentially be no-ops. */ |
| 4432 | ret = ssl_load_buffered_record( ssl ); |
| 4433 | if( ret != 0 ) |
| 4434 | return( ret ); |
| 4435 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4436 | |
Hanno Becker | ca59c2b | 2019-05-08 12:03:28 +0100 | [diff] [blame] | 4437 | /* Ensure that we have enough space available for the default form |
| 4438 | * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS, |
| 4439 | * with no space for CIDs counted in). */ |
| 4440 | ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) ); |
| 4441 | if( ret != 0 ) |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4442 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4443 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4444 | return( ret ); |
| 4445 | } |
| 4446 | |
Hanno Becker | e5e7e78 | 2019-07-11 12:29:35 +0100 | [diff] [blame] | 4447 | ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec ); |
| 4448 | if( ret != 0 ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4449 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4450 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4451 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4452 | { |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4453 | if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) |
| 4454 | { |
Hanno Becker | 519f15d | 2019-07-11 12:43:20 +0100 | [diff] [blame] | 4455 | ret = ssl_buffer_future_record( ssl, &rec ); |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 4456 | if( ret != 0 ) |
| 4457 | return( ret ); |
| 4458 | |
| 4459 | /* Fall through to handling of unexpected records */ |
| 4460 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; |
| 4461 | } |
| 4462 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 4463 | if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) |
| 4464 | { |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4465 | #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) |
Hanno Becker | d8bf8ce | 2019-07-12 09:23:47 +0100 | [diff] [blame] | 4466 | /* Reset in pointers to default state for TLS/DTLS records, |
| 4467 | * assuming no CID and no offset between record content and |
| 4468 | * record plaintext. */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4469 | mbedtls_ssl_update_in_pointers( ssl ); |
Hanno Becker | d8bf8ce | 2019-07-12 09:23:47 +0100 | [diff] [blame] | 4470 | |
Hanno Becker | 7ae20e0 | 2019-07-12 08:33:49 +0100 | [diff] [blame] | 4471 | /* Setup internal message pointers from record structure. */ |
| 4472 | ssl->in_msgtype = rec.type; |
| 4473 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 4474 | ssl->in_len = ssl->in_cid + rec.cid_len; |
| 4475 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 4476 | ssl->in_iv = ssl->in_msg = ssl->in_len + 2; |
| 4477 | ssl->in_msglen = rec.data_len; |
| 4478 | |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4479 | ret = ssl_check_client_reconnect( ssl ); |
Manuel Pégourié-Gonnard | 243d70f | 2020-03-31 12:07:47 +0200 | [diff] [blame] | 4480 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret ); |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4481 | if( ret != 0 ) |
| 4482 | return( ret ); |
| 4483 | #endif |
| 4484 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 4485 | /* Skip unexpected record (but not whole datagram) */ |
Hanno Becker | 4acada3 | 2019-07-11 12:48:53 +0100 | [diff] [blame] | 4486 | ssl->next_record_offset = rec.buf_len; |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4487 | |
Manuel Pégourié-Gonnard | e2e25e7 | 2015-12-03 16:13:17 +0100 | [diff] [blame] | 4488 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " |
| 4489 | "(header)" ) ); |
| 4490 | } |
| 4491 | else |
| 4492 | { |
| 4493 | /* Skip invalid record and the rest of the datagram */ |
| 4494 | ssl->next_record_offset = 0; |
| 4495 | ssl->in_left = 0; |
| 4496 | |
| 4497 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " |
| 4498 | "(header)" ) ); |
| 4499 | } |
| 4500 | |
| 4501 | /* Get next record */ |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 4502 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4503 | } |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4504 | else |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4505 | #endif |
Hanno Becker | 2fddd37 | 2019-07-10 14:37:41 +0100 | [diff] [blame] | 4506 | { |
| 4507 | return( ret ); |
| 4508 | } |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4509 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4510 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4511 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4512 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 4513 | { |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4514 | /* Remember offset of next record within datagram. */ |
Hanno Becker | f50da50 | 2019-07-11 12:50:10 +0100 | [diff] [blame] | 4515 | ssl->next_record_offset = rec.buf_len; |
Hanno Becker | e65ce78 | 2017-05-22 14:47:48 +0100 | [diff] [blame] | 4516 | if( ssl->next_record_offset < ssl->in_left ) |
| 4517 | { |
| 4518 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) ); |
| 4519 | } |
| 4520 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4521 | else |
| 4522 | #endif |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4523 | { |
Hanno Becker | 955a5c9 | 2019-07-10 17:12:07 +0100 | [diff] [blame] | 4524 | /* |
| 4525 | * Fetch record contents from underlying transport. |
| 4526 | */ |
Hanno Becker | a317566 | 2019-07-11 12:50:29 +0100 | [diff] [blame] | 4527 | ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len ); |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4528 | if( ret != 0 ) |
| 4529 | { |
| 4530 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| 4531 | return( ret ); |
| 4532 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4533 | |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4534 | ssl->in_left = 0; |
Hanno Becker | a881479 | 2019-07-10 15:01:45 +0100 | [diff] [blame] | 4535 | } |
| 4536 | |
| 4537 | /* |
| 4538 | * Decrypt record contents. |
| 4539 | */ |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4540 | |
Hanno Becker | fdf6604 | 2019-07-11 13:07:45 +0100 | [diff] [blame] | 4541 | if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4542 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4543 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4544 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4545 | { |
| 4546 | /* Silently discard invalid records */ |
Hanno Becker | 82e2a39 | 2019-05-03 16:36:59 +0100 | [diff] [blame] | 4547 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4548 | { |
Manuel Pégourié-Gonnard | 0a88574 | 2015-08-04 12:08:35 +0200 | [diff] [blame] | 4549 | /* Except when waiting for Finished as a bad mac here |
| 4550 | * probably means something went wrong in the handshake |
| 4551 | * (eg wrong psk used, mitm downgrade attempt, etc.) */ |
| 4552 | if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || |
| 4553 | ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) |
| 4554 | { |
| 4555 | #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) |
| 4556 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
| 4557 | { |
| 4558 | mbedtls_ssl_send_alert_message( ssl, |
| 4559 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4560 | MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); |
| 4561 | } |
| 4562 | #endif |
| 4563 | return( ret ); |
| 4564 | } |
| 4565 | |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4566 | if( ssl->conf->badmac_limit != 0 && |
| 4567 | ++ssl->badmac_seen >= ssl->conf->badmac_limit ) |
Manuel Pégourié-Gonnard | b0643d1 | 2014-10-14 18:30:36 +0200 | [diff] [blame] | 4568 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4569 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); |
| 4570 | return( MBEDTLS_ERR_SSL_INVALID_MAC ); |
Manuel Pégourié-Gonnard | b0643d1 | 2014-10-14 18:30:36 +0200 | [diff] [blame] | 4571 | } |
Manuel Pégourié-Gonnard | b0643d1 | 2014-10-14 18:30:36 +0200 | [diff] [blame] | 4572 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 4573 | /* As above, invalid records cause |
| 4574 | * dismissal of the whole datagram. */ |
| 4575 | |
| 4576 | ssl->next_record_offset = 0; |
| 4577 | ssl->in_left = 0; |
| 4578 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4579 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 4580 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4581 | } |
| 4582 | |
| 4583 | return( ret ); |
| 4584 | } |
| 4585 | else |
| 4586 | #endif |
| 4587 | { |
| 4588 | /* Error out (and send alert) on invalid records */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4589 | #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) |
| 4590 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4591 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4592 | mbedtls_ssl_send_alert_message( ssl, |
| 4593 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4594 | MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); |
Manuel Pégourié-Gonnard | 63eca93 | 2014-09-08 16:39:08 +0200 | [diff] [blame] | 4595 | } |
| 4596 | #endif |
| 4597 | return( ret ); |
| 4598 | } |
| 4599 | } |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4600 | |
Hanno Becker | 44d89b2 | 2019-07-12 09:40:44 +0100 | [diff] [blame] | 4601 | |
| 4602 | /* Reset in pointers to default state for TLS/DTLS records, |
| 4603 | * assuming no CID and no offset between record content and |
| 4604 | * record plaintext. */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4605 | mbedtls_ssl_update_in_pointers( ssl ); |
Hanno Becker | 44d89b2 | 2019-07-12 09:40:44 +0100 | [diff] [blame] | 4606 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 4607 | ssl->in_len = ssl->in_cid + rec.cid_len; |
| 4608 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
irwir | 89af51f | 2019-09-26 21:04:56 +0300 | [diff] [blame] | 4609 | ssl->in_iv = ssl->in_len + 2; |
Hanno Becker | 44d89b2 | 2019-07-12 09:40:44 +0100 | [diff] [blame] | 4610 | |
Hanno Becker | 8685c82 | 2019-07-12 09:37:30 +0100 | [diff] [blame] | 4611 | /* The record content type may change during decryption, |
| 4612 | * so re-read it. */ |
| 4613 | ssl->in_msgtype = rec.type; |
| 4614 | /* Also update the input buffer, because unfortunately |
| 4615 | * the server-side ssl_parse_client_hello() reparses the |
| 4616 | * record header when receiving a ClientHello initiating |
| 4617 | * a renegotiation. */ |
| 4618 | ssl->in_hdr[0] = rec.type; |
| 4619 | ssl->in_msg = rec.buf + rec.data_offset; |
| 4620 | ssl->in_msglen = rec.data_len; |
Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 4621 | MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->in_len, 0 ); |
Hanno Becker | 8685c82 | 2019-07-12 09:37:30 +0100 | [diff] [blame] | 4622 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4623 | return( 0 ); |
| 4624 | } |
| 4625 | |
| 4626 | int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) |
| 4627 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4628 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4629 | |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 4630 | /* |
Manuel Pégourié-Gonnard | 167a376 | 2014-09-08 16:14:10 +0200 | [diff] [blame] | 4631 | * Handle particular types of records |
| 4632 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4633 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4634 | { |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4635 | if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 ) |
| 4636 | { |
Manuel Pégourié-Gonnard | a59543a | 2014-02-18 11:33:49 +0100 | [diff] [blame] | 4637 | return( ret ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4638 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4639 | } |
| 4640 | |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4641 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4642 | { |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4643 | if( ssl->in_msglen != 1 ) |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4644 | { |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4645 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET, |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4646 | ssl->in_msglen ) ); |
| 4647 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4648 | } |
| 4649 | |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4650 | if( ssl->in_msg[0] != 1 ) |
| 4651 | { |
| 4652 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x", |
| 4653 | ssl->in_msg[0] ) ); |
| 4654 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 4655 | } |
| 4656 | |
| 4657 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4658 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 4659 | ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && |
| 4660 | ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) |
| 4661 | { |
| 4662 | if( ssl->handshake == NULL ) |
| 4663 | { |
| 4664 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) ); |
| 4665 | return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); |
| 4666 | } |
| 4667 | |
| 4668 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) ); |
| 4669 | return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); |
| 4670 | } |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4671 | #endif |
Ronald Cron | 7e38cba | 2021-11-24 12:43:39 +0100 | [diff] [blame] | 4672 | |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 4673 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
Ronald Cron | 7e38cba | 2021-11-24 12:43:39 +0100 | [diff] [blame] | 4674 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) |
| 4675 | { |
| 4676 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
| 4677 | MBEDTLS_SSL_DEBUG_MSG( 1, |
| 4678 | ( "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode" ) ); |
| 4679 | return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); |
| 4680 | #else |
| 4681 | MBEDTLS_SSL_DEBUG_MSG( 1, |
| 4682 | ( "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" ) ); |
| 4683 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 4684 | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
| 4685 | } |
Ronald Cron | 6f135e1 | 2021-12-08 16:57:54 +0100 | [diff] [blame] | 4686 | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4687 | } |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 4688 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4689 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4690 | { |
Angus Gratton | 1a7a17e | 2018-06-20 15:43:50 +1000 | [diff] [blame] | 4691 | if( ssl->in_msglen != 2 ) |
| 4692 | { |
| 4693 | /* Note: Standard allows for more than one 2 byte alert |
| 4694 | to be packed in a single message, but Mbed TLS doesn't |
| 4695 | currently support this. */ |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 4696 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET, |
Angus Gratton | 1a7a17e | 2018-06-20 15:43:50 +1000 | [diff] [blame] | 4697 | ssl->in_msglen ) ); |
| 4698 | return( MBEDTLS_ERR_SSL_INVALID_RECORD ); |
| 4699 | } |
| 4700 | |
Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 4701 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4702 | ssl->in_msg[0], ssl->in_msg[1] ) ); |
| 4703 | |
| 4704 | /* |
Simon Butcher | 459a950 | 2015-10-27 16:09:03 +0000 | [diff] [blame] | 4705 | * Ignore non-fatal alerts, except close_notify and no_renegotiation |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4706 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4707 | if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4708 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4709 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", |
Paul Bakker | 2770fbd | 2012-07-03 13:30:23 +0000 | [diff] [blame] | 4710 | ssl->in_msg[1] ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4711 | return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4712 | } |
| 4713 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4714 | if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && |
| 4715 | ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4716 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4717 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); |
| 4718 | return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4719 | } |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 4720 | |
| 4721 | #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) |
| 4722 | if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && |
| 4723 | ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) |
| 4724 | { |
Mateusz Starzyk | f5c5351 | 2021-04-15 13:28:52 +0200 | [diff] [blame] | 4725 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a no renegotiation alert" ) ); |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 4726 | /* Will be handled when trying to parse ServerHello */ |
| 4727 | return( 0 ); |
| 4728 | } |
| 4729 | #endif |
Manuel Pégourié-Gonnard | fbdf06c | 2015-10-23 11:13:28 +0200 | [diff] [blame] | 4730 | /* Silently ignore: fetch new message */ |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4731 | return MBEDTLS_ERR_SSL_NON_FATAL; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4732 | } |
| 4733 | |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4734 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4735 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4736 | { |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4737 | /* Drop unexpected ApplicationData records, |
| 4738 | * except at the beginning of renegotiations */ |
| 4739 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && |
| 4740 | ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER |
| 4741 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 4742 | && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 4743 | ssl->state == MBEDTLS_SSL_SERVER_HELLO ) |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4744 | #endif |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4745 | ) |
| 4746 | { |
| 4747 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); |
| 4748 | return( MBEDTLS_ERR_SSL_NON_FATAL ); |
| 4749 | } |
| 4750 | |
| 4751 | if( ssl->handshake != NULL && |
| 4752 | ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
| 4753 | { |
Hanno Becker | ce5f5fd | 2020-02-05 10:47:44 +0000 | [diff] [blame] | 4754 | mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); |
Hanno Becker | 37ae952 | 2019-05-03 16:54:26 +0100 | [diff] [blame] | 4755 | } |
| 4756 | } |
Hanno Becker | 4a4af9f | 2019-05-08 16:26:21 +0100 | [diff] [blame] | 4757 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Hanno Becker | c76c619 | 2017-06-06 10:03:17 +0100 | [diff] [blame] | 4758 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4759 | return( 0 ); |
| 4760 | } |
| 4761 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4762 | int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) |
Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 4763 | { |
irwir | 6c0da64 | 2019-09-26 21:07:41 +0300 | [diff] [blame] | 4764 | return( mbedtls_ssl_send_alert_message( ssl, |
| 4765 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4766 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ); |
Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 4767 | } |
| 4768 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4769 | int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4770 | unsigned char level, |
| 4771 | unsigned char message ) |
| 4772 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4773 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4774 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 4775 | if( ssl == NULL || ssl->conf == NULL ) |
| 4776 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 4777 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4778 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); |
Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 4779 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message )); |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4780 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4781 | ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4782 | ssl->out_msglen = 2; |
| 4783 | ssl->out_msg[0] = level; |
| 4784 | ssl->out_msg[1] = message; |
| 4785 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 4786 | if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4787 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4788 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4789 | return( ret ); |
| 4790 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4791 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); |
Paul Bakker | 0a92518 | 2012-04-16 06:46:41 +0000 | [diff] [blame] | 4792 | |
| 4793 | return( 0 ); |
| 4794 | } |
| 4795 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4796 | int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4797 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4798 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4799 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4800 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4801 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4802 | ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4803 | ssl->out_msglen = 1; |
| 4804 | ssl->out_msg[0] = 1; |
| 4805 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4806 | ssl->state++; |
| 4807 | |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 4808 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4809 | { |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 4810 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4811 | return( ret ); |
| 4812 | } |
| 4813 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4814 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4815 | |
| 4816 | return( 0 ); |
| 4817 | } |
| 4818 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4819 | int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4820 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4821 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4822 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4823 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4824 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 4825 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4826 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4827 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4828 | return( ret ); |
| 4829 | } |
| 4830 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4831 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4832 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4833 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); |
Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 4834 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 4835 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4836 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4837 | } |
| 4838 | |
Hanno Becker | e678eaa | 2018-08-21 14:57:46 +0100 | [diff] [blame] | 4839 | /* CCS records are only accepted if they have length 1 and content '1', |
| 4840 | * so we don't need to check this here. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4841 | |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4842 | /* |
| 4843 | * Switch to our negotiated transform and session parameters for inbound |
| 4844 | * data. |
| 4845 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4846 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4847 | ssl->transform_in = ssl->transform_negotiate; |
| 4848 | ssl->session_in = ssl->session_negotiate; |
| 4849 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4850 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 4851 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4852 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4853 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 7e8e6a6 | 2020-02-05 10:45:48 +0000 | [diff] [blame] | 4854 | mbedtls_ssl_dtls_replay_reset( ssl ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4855 | #endif |
| 4856 | |
| 4857 | /* Increment epoch */ |
| 4858 | if( ++ssl->in_epoch == 0 ) |
| 4859 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4860 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); |
Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 4861 | /* This is highly unlikely to happen for legitimate reasons, so |
| 4862 | treat it as an attack and don't send an alert. */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4863 | return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4864 | } |
| 4865 | } |
| 4866 | else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4867 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Jerry Yu | fd320e9 | 2021-10-08 21:52:41 +0800 | [diff] [blame] | 4868 | memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4869 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4870 | mbedtls_ssl_update_in_pointers( ssl ); |
Manuel Pégourié-Gonnard | 246c13a | 2014-09-24 13:56:09 +0200 | [diff] [blame] | 4871 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4872 | ssl->state++; |
| 4873 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4874 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4875 | |
| 4876 | return( 0 ); |
| 4877 | } |
| 4878 | |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4879 | /* Once ssl->out_hdr as the address of the beginning of the |
| 4880 | * next outgoing record is set, deduce the other pointers. |
| 4881 | * |
| 4882 | * Note: For TLS, we save the implicit record sequence number |
| 4883 | * (entering MAC computation) in the 8 bytes before ssl->out_hdr, |
| 4884 | * and the caller has to make sure there's space for this. |
| 4885 | */ |
| 4886 | |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4887 | static size_t ssl_transform_get_explicit_iv_len( |
| 4888 | mbedtls_ssl_transform const *transform ) |
| 4889 | { |
TRodziewicz | ef73f01 | 2021-05-13 14:53:36 +0200 | [diff] [blame] | 4890 | if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4891 | return( 0 ); |
| 4892 | |
| 4893 | return( transform->ivlen - transform->fixed_ivlen ); |
| 4894 | } |
| 4895 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4896 | void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, |
| 4897 | mbedtls_ssl_transform *transform ) |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4898 | { |
| 4899 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4900 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4901 | { |
| 4902 | ssl->out_ctr = ssl->out_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4903 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 4904 | ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4905 | ssl->out_len = ssl->out_cid; |
| 4906 | if( transform != NULL ) |
| 4907 | ssl->out_len += transform->out_cid_len; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4908 | #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 4909 | ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4910 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4911 | ssl->out_iv = ssl->out_len + 2; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4912 | } |
| 4913 | else |
| 4914 | #endif |
| 4915 | { |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4916 | ssl->out_len = ssl->out_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4917 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 4c3eb7c | 2019-05-08 16:43:21 +0100 | [diff] [blame] | 4918 | ssl->out_cid = ssl->out_len; |
| 4919 | #endif |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4920 | ssl->out_iv = ssl->out_hdr + 5; |
| 4921 | } |
| 4922 | |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4923 | ssl->out_msg = ssl->out_iv; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4924 | /* Adjust out_msg to make space for explicit IV, if used. */ |
Hanno Becker | c0eefa8 | 2020-05-28 07:17:36 +0100 | [diff] [blame] | 4925 | if( transform != NULL ) |
| 4926 | ssl->out_msg += ssl_transform_get_explicit_iv_len( transform ); |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4927 | } |
| 4928 | |
| 4929 | /* Once ssl->in_hdr as the address of the beginning of the |
| 4930 | * next incoming record is set, deduce the other pointers. |
| 4931 | * |
| 4932 | * Note: For TLS, we save the implicit record sequence number |
| 4933 | * (entering MAC computation) in the 8 bytes before ssl->in_hdr, |
| 4934 | * and the caller has to make sure there's space for this. |
| 4935 | */ |
| 4936 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4937 | void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ) |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4938 | { |
Hanno Becker | 79594fd | 2019-05-08 09:38:41 +0100 | [diff] [blame] | 4939 | /* This function sets the pointers to match the case |
| 4940 | * of unprotected TLS/DTLS records, with both ssl->in_iv |
| 4941 | * and ssl->in_msg pointing to the beginning of the record |
| 4942 | * content. |
| 4943 | * |
| 4944 | * When decrypting a protected record, ssl->in_msg |
| 4945 | * will be shifted to point to the beginning of the |
| 4946 | * record plaintext. |
| 4947 | */ |
| 4948 | |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4949 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4950 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4951 | { |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4952 | /* This sets the header pointers to match records |
| 4953 | * without CID. When we receive a record containing |
| 4954 | * a CID, the fields are shifted accordingly in |
| 4955 | * ssl_parse_record_header(). */ |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4956 | ssl->in_ctr = ssl->in_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4957 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 4958 | ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4959 | ssl->in_len = ssl->in_cid; /* Default: no CID */ |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4960 | #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 4961 | ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4962 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | f9c6a4b | 2019-05-03 14:34:53 +0100 | [diff] [blame] | 4963 | ssl->in_iv = ssl->in_len + 2; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4964 | } |
| 4965 | else |
| 4966 | #endif |
| 4967 | { |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 4968 | ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4969 | ssl->in_len = ssl->in_hdr + 3; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 4970 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 4c3eb7c | 2019-05-08 16:43:21 +0100 | [diff] [blame] | 4971 | ssl->in_cid = ssl->in_len; |
| 4972 | #endif |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4973 | ssl->in_iv = ssl->in_hdr + 5; |
| 4974 | } |
| 4975 | |
Hanno Becker | 79594fd | 2019-05-08 09:38:41 +0100 | [diff] [blame] | 4976 | /* This will be adjusted at record decryption time. */ |
| 4977 | ssl->in_msg = ssl->in_iv; |
Hanno Becker | 5aa4e2c | 2018-08-06 09:26:08 +0100 | [diff] [blame] | 4978 | } |
| 4979 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4980 | /* |
Manuel Pégourié-Gonnard | 41d479e | 2015-04-29 00:48:22 +0200 | [diff] [blame] | 4981 | * Setup an SSL context |
| 4982 | */ |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4983 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 4984 | void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ) |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4985 | { |
| 4986 | /* Set the incoming and outgoing record pointers. */ |
| 4987 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4988 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 4989 | { |
| 4990 | ssl->out_hdr = ssl->out_buf; |
| 4991 | ssl->in_hdr = ssl->in_buf; |
| 4992 | } |
| 4993 | else |
| 4994 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 4995 | { |
Hanno Becker | 12078f4 | 2021-03-02 15:28:41 +0000 | [diff] [blame] | 4996 | ssl->out_ctr = ssl->out_buf; |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 4997 | ssl->out_hdr = ssl->out_buf + 8; |
| 4998 | ssl->in_hdr = ssl->in_buf + 8; |
| 4999 | } |
| 5000 | |
| 5001 | /* Derive other internal pointers. */ |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 5002 | mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ ); |
| 5003 | mbedtls_ssl_update_in_pointers ( ssl ); |
Hanno Becker | 2a43f6f | 2018-08-10 11:12:52 +0100 | [diff] [blame] | 5004 | } |
| 5005 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5006 | /* |
| 5007 | * SSL get accessors |
| 5008 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5009 | size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5010 | { |
| 5011 | return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); |
| 5012 | } |
| 5013 | |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5014 | int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl ) |
| 5015 | { |
| 5016 | /* |
| 5017 | * Case A: We're currently holding back |
| 5018 | * a message for further processing. |
| 5019 | */ |
| 5020 | |
| 5021 | if( ssl->keep_current_message == 1 ) |
| 5022 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 5023 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5024 | return( 1 ); |
| 5025 | } |
| 5026 | |
| 5027 | /* |
| 5028 | * Case B: Further records are pending in the current datagram. |
| 5029 | */ |
| 5030 | |
| 5031 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5032 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 5033 | ssl->in_left > ssl->next_record_offset ) |
| 5034 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 5035 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5036 | return( 1 ); |
| 5037 | } |
| 5038 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 5039 | |
| 5040 | /* |
| 5041 | * Case C: A handshake message is being processed. |
| 5042 | */ |
| 5043 | |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5044 | if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen ) |
| 5045 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 5046 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5047 | return( 1 ); |
| 5048 | } |
| 5049 | |
| 5050 | /* |
| 5051 | * Case D: An application data message is being processed |
| 5052 | */ |
| 5053 | if( ssl->in_offt != NULL ) |
| 5054 | { |
Hanno Becker | a6fb089 | 2017-10-23 13:17:48 +0100 | [diff] [blame] | 5055 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) ); |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5056 | return( 1 ); |
| 5057 | } |
| 5058 | |
| 5059 | /* |
| 5060 | * In all other cases, the rest of the message can be dropped. |
Hanno Becker | c573ac3 | 2018-08-28 17:15:25 +0100 | [diff] [blame] | 5061 | * As in ssl_get_next_record, this needs to be adapted if |
Hanno Becker | 8b170a0 | 2017-10-10 11:51:19 +0100 | [diff] [blame] | 5062 | * we implement support for multiple alerts in single records. |
| 5063 | */ |
| 5064 | |
| 5065 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) ); |
| 5066 | return( 0 ); |
| 5067 | } |
| 5068 | |
Paul Bakker | 43ca69c | 2011-01-15 17:35:19 +0000 | [diff] [blame] | 5069 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5070 | int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5071 | { |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5072 | size_t transform_expansion = 0; |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5073 | const mbedtls_ssl_transform *transform = ssl->transform_out; |
Hanno Becker | 5b559ac | 2018-08-03 09:40:07 +0100 | [diff] [blame] | 5074 | unsigned block_size; |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5075 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 5076 | psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT; |
| 5077 | psa_key_type_t key_type; |
| 5078 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5079 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 5080 | size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl ); |
| 5081 | |
Hanno Becker | 7864090 | 2018-08-13 16:35:15 +0100 | [diff] [blame] | 5082 | if( transform == NULL ) |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 5083 | return( (int) out_hdr_len ); |
Hanno Becker | 7864090 | 2018-08-13 16:35:15 +0100 | [diff] [blame] | 5084 | |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5085 | |
| 5086 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | be47ecf | 2022-01-31 13:53:11 +0100 | [diff] [blame] | 5087 | if ( transform->psa_alg == PSA_ALG_GCM || |
| 5088 | transform->psa_alg == PSA_ALG_CCM || |
| 5089 | transform->psa_alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 8 ) || |
| 5090 | transform->psa_alg == PSA_ALG_CHACHA20_POLY1305 || |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5091 | transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5092 | { |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5093 | transform_expansion = transform->minlen; |
| 5094 | } |
Przemyslaw Stekiel | 399ed51 | 2022-01-31 08:38:00 +0100 | [diff] [blame] | 5095 | else if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5096 | { |
| 5097 | (void) psa_get_key_attributes( transform->psa_key_enc, &attr ); |
| 5098 | key_type = psa_get_key_type( &attr ); |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5099 | |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5100 | block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ); |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5101 | |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5102 | /* Expansion due to the addition of the MAC. */ |
| 5103 | transform_expansion += transform->maclen; |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5104 | |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5105 | /* Expansion due to the addition of CBC padding; |
| 5106 | * Theoretically up to 256 bytes, but we never use |
| 5107 | * more than the block size of the underlying cipher. */ |
| 5108 | transform_expansion += block_size; |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5109 | |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5110 | /* For TLS 1.2 or higher, an explicit IV is added |
| 5111 | * after the record header. */ |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5112 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5113 | transform_expansion += block_size; |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5114 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5115 | } |
| 5116 | else |
| 5117 | { |
Przemyslaw Stekiel | 6b2eedd | 2022-02-03 09:54:34 +0100 | [diff] [blame^] | 5118 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported psa_alg spotted in mbedtls_ssl_get_record_expansion()" ) ); |
Przemyslaw Stekiel | 1d71447 | 2022-01-24 23:46:50 +0100 | [diff] [blame] | 5119 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5120 | } |
| 5121 | #else |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5122 | switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5123 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5124 | case MBEDTLS_MODE_GCM: |
| 5125 | case MBEDTLS_MODE_CCM: |
Hanno Becker | 5b559ac | 2018-08-03 09:40:07 +0100 | [diff] [blame] | 5126 | case MBEDTLS_MODE_CHACHAPOLY: |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5127 | case MBEDTLS_MODE_STREAM: |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5128 | transform_expansion = transform->minlen; |
| 5129 | break; |
| 5130 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5131 | case MBEDTLS_MODE_CBC: |
Hanno Becker | 5b559ac | 2018-08-03 09:40:07 +0100 | [diff] [blame] | 5132 | |
| 5133 | block_size = mbedtls_cipher_get_block_size( |
| 5134 | &transform->cipher_ctx_enc ); |
| 5135 | |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5136 | /* Expansion due to the addition of the MAC. */ |
| 5137 | transform_expansion += transform->maclen; |
| 5138 | |
| 5139 | /* Expansion due to the addition of CBC padding; |
| 5140 | * Theoretically up to 256 bytes, but we never use |
| 5141 | * more than the block size of the underlying cipher. */ |
| 5142 | transform_expansion += block_size; |
| 5143 | |
TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 5144 | /* For TLS 1.2 or higher, an explicit IV is added |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5145 | * after the record header. */ |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5146 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 5147 | transform_expansion += block_size; |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5148 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Hanno Becker | 3136ede | 2018-08-17 15:28:19 +0100 | [diff] [blame] | 5149 | |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5150 | break; |
| 5151 | |
| 5152 | default: |
Manuel Pégourié-Gonnard | cb0d212 | 2015-07-22 11:52:11 +0200 | [diff] [blame] | 5153 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5154 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5155 | } |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5156 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5157 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 5158 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 5159 | if( transform->out_cid_len != 0 ) |
| 5160 | transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 5161 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 5162 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 5163 | return( (int)( out_hdr_len + transform_expansion ) ); |
Manuel Pégourié-Gonnard | 9b35f18 | 2014-10-14 17:47:31 +0200 | [diff] [blame] | 5164 | } |
| 5165 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5166 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 214eed3 | 2013-10-30 13:06:54 +0100 | [diff] [blame] | 5167 | /* |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5168 | * Check record counters and renegotiate if they're above the limit. |
| 5169 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5170 | static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5171 | { |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 5172 | size_t ep_len = mbedtls_ssl_ep_len( ssl ); |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 5173 | int in_ctr_cmp; |
| 5174 | int out_ctr_cmp; |
| 5175 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5176 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || |
| 5177 | ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5178 | ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5179 | { |
| 5180 | return( 0 ); |
| 5181 | } |
| 5182 | |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 5183 | in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, |
Jerry Yu | d9a94fe | 2021-09-28 18:58:59 +0800 | [diff] [blame] | 5184 | &ssl->conf->renego_period[ep_len], |
Jerry Yu | ae0b2e2 | 2021-10-08 15:21:19 +0800 | [diff] [blame] | 5185 | MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len ); |
Jerry Yu | d9a94fe | 2021-09-28 18:58:59 +0800 | [diff] [blame] | 5186 | out_ctr_cmp = memcmp( &ssl->cur_out_ctr[ep_len], |
| 5187 | &ssl->conf->renego_period[ep_len], |
| 5188 | sizeof( ssl->cur_out_ctr ) - ep_len ); |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 5189 | |
| 5190 | if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5191 | { |
| 5192 | return( 0 ); |
| 5193 | } |
| 5194 | |
Manuel Pégourié-Gonnard | cb0d212 | 2015-07-22 11:52:11 +0200 | [diff] [blame] | 5195 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5196 | return( mbedtls_ssl_renegotiate( ssl ) ); |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5197 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5198 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5199 | |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5200 | /* This function is called from mbedtls_ssl_read() when a handshake message is |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5201 | * received after the initial handshake. In this context, handshake messages |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5202 | * may only be sent for the purpose of initiating renegotiations. |
| 5203 | * |
| 5204 | * This function is introduced as a separate helper since the handling |
| 5205 | * of post-handshake handshake messages changes significantly in TLS 1.3, |
| 5206 | * and having a helper function allows to distinguish between TLS <= 1.2 and |
| 5207 | * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read(). |
| 5208 | */ |
Hanno Becker | cad3dba | 2020-11-24 06:57:13 +0000 | [diff] [blame] | 5209 | static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5210 | { |
Hanno Becker | fae12cf | 2021-04-21 07:20:20 +0100 | [diff] [blame] | 5211 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5212 | |
| 5213 | /* |
| 5214 | * - For client-side, expect SERVER_HELLO_REQUEST. |
| 5215 | * - For server-side, expect CLIENT_HELLO. |
| 5216 | * - Fail (TLS) or silently drop record (DTLS) in other cases. |
| 5217 | */ |
| 5218 | |
| 5219 | #if defined(MBEDTLS_SSL_CLI_C) |
| 5220 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && |
| 5221 | ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || |
| 5222 | ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) |
| 5223 | { |
| 5224 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); |
| 5225 | |
| 5226 | /* With DTLS, drop the packet (probably from last handshake) */ |
| 5227 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5228 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 5229 | { |
| 5230 | return( 0 ); |
| 5231 | } |
| 5232 | #endif |
| 5233 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| 5234 | } |
| 5235 | #endif /* MBEDTLS_SSL_CLI_C */ |
| 5236 | |
| 5237 | #if defined(MBEDTLS_SSL_SRV_C) |
| 5238 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
| 5239 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| 5240 | { |
| 5241 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); |
| 5242 | |
| 5243 | /* With DTLS, drop the packet (probably from last handshake) */ |
| 5244 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5245 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 5246 | { |
| 5247 | return( 0 ); |
| 5248 | } |
| 5249 | #endif |
| 5250 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| 5251 | } |
| 5252 | #endif /* MBEDTLS_SSL_SRV_C */ |
| 5253 | |
| 5254 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 5255 | /* Determine whether renegotiation attempt should be accepted */ |
| 5256 | if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || |
| 5257 | ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 5258 | ssl->conf->allow_legacy_renegotiation == |
| 5259 | MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) |
| 5260 | { |
| 5261 | /* |
| 5262 | * Accept renegotiation request |
| 5263 | */ |
| 5264 | |
| 5265 | /* DTLS clients need to know renego is server-initiated */ |
| 5266 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5267 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 5268 | ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) |
| 5269 | { |
| 5270 | ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; |
| 5271 | } |
| 5272 | #endif |
| 5273 | ret = mbedtls_ssl_start_renegotiation( ssl ); |
| 5274 | if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && |
| 5275 | ret != 0 ) |
| 5276 | { |
| 5277 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", |
| 5278 | ret ); |
| 5279 | return( ret ); |
| 5280 | } |
| 5281 | } |
| 5282 | else |
| 5283 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| 5284 | { |
| 5285 | /* |
| 5286 | * Refuse renegotiation |
| 5287 | */ |
| 5288 | |
| 5289 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); |
| 5290 | |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5291 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 5292 | if( ( ret = mbedtls_ssl_send_alert_message( ssl, |
| 5293 | MBEDTLS_SSL_ALERT_LEVEL_WARNING, |
| 5294 | MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5295 | { |
TRodziewicz | 345165c | 2021-07-06 13:42:11 +0200 | [diff] [blame] | 5296 | return( ret ); |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5297 | } |
TRodziewicz | 0f82ec6 | 2021-05-12 17:49:18 +0200 | [diff] [blame] | 5298 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5299 | } |
| 5300 | |
| 5301 | return( 0 ); |
| 5302 | } |
| 5303 | |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5304 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5305 | * Receive application data decrypted from the SSL layer |
| 5306 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5307 | int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5308 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 5309 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 5310 | size_t n; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5311 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 5312 | if( ssl == NULL || ssl->conf == NULL ) |
| 5313 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 5314 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5315 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5316 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5317 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5318 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 5319 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5320 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 5321 | return( ret ); |
| 5322 | |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5323 | if( ssl->handshake != NULL && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5324 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5325 | { |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 5326 | if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5327 | return( ret ); |
| 5328 | } |
Manuel Pégourié-Gonnard | abf1624 | 2014-09-23 09:42:16 +0200 | [diff] [blame] | 5329 | } |
| 5330 | #endif |
| 5331 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5332 | /* |
| 5333 | * Check if renegotiation is necessary and/or handshake is |
| 5334 | * in process. If yes, perform/continue, and fall through |
| 5335 | * if an unexpected packet is received while the client |
| 5336 | * is waiting for the ServerHello. |
| 5337 | * |
| 5338 | * (There is no equivalent to the last condition on |
| 5339 | * the server-side as it is not treated as within |
| 5340 | * a handshake while waiting for the ClientHello |
| 5341 | * after a renegotiation request.) |
| 5342 | */ |
| 5343 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5344 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5345 | ret = ssl_check_ctr_renegotiate( ssl ); |
| 5346 | if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && |
| 5347 | ret != 0 ) |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5348 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5349 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); |
Manuel Pégourié-Gonnard | b445805 | 2014-11-04 21:04:22 +0100 | [diff] [blame] | 5350 | return( ret ); |
| 5351 | } |
| 5352 | #endif |
| 5353 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5354 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5355 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5356 | ret = mbedtls_ssl_handshake( ssl ); |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5357 | if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && |
| 5358 | ret != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5359 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5360 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5361 | return( ret ); |
| 5362 | } |
| 5363 | } |
| 5364 | |
Hanno Becker | e41158b | 2017-10-23 13:30:32 +0100 | [diff] [blame] | 5365 | /* Loop as long as no application data record is available */ |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5366 | while( ssl->in_offt == NULL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5367 | { |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 5368 | /* Start timer if not already running */ |
Manuel Pégourié-Gonnard | 545102e | 2015-05-13 17:28:43 +0200 | [diff] [blame] | 5369 | if( ssl->f_get_timer != NULL && |
| 5370 | ssl->f_get_timer( ssl->p_timer ) == -1 ) |
| 5371 | { |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 5372 | mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout ); |
Manuel Pégourié-Gonnard | 545102e | 2015-05-13 17:28:43 +0200 | [diff] [blame] | 5373 | } |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 5374 | |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 5375 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5376 | { |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5377 | if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) |
| 5378 | return( 0 ); |
Paul Bakker | 831a755 | 2011-05-18 13:32:51 +0000 | [diff] [blame] | 5379 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5380 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| 5381 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5382 | } |
| 5383 | |
| 5384 | if( ssl->in_msglen == 0 && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5385 | ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5386 | { |
| 5387 | /* |
| 5388 | * OpenSSL sends empty messages to randomize the IV |
| 5389 | */ |
Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 5390 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5391 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5392 | if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) |
Paul Bakker | 831a755 | 2011-05-18 13:32:51 +0000 | [diff] [blame] | 5393 | return( 0 ); |
| 5394 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5395 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5396 | return( ret ); |
| 5397 | } |
| 5398 | } |
| 5399 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5400 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5401 | { |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5402 | ret = ssl_handle_hs_message_post_handshake( ssl ); |
| 5403 | if( ret != 0) |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5404 | { |
Hanno Becker | b03f88f | 2020-11-24 06:41:37 +0000 | [diff] [blame] | 5405 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_handle_hs_message_post_handshake", |
| 5406 | ret ); |
| 5407 | return( ret ); |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5408 | } |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5409 | |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5410 | /* At this point, we don't know whether the renegotiation triggered |
| 5411 | * by the post-handshake message has been completed or not. The cases |
| 5412 | * to consider are the following: |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5413 | * 1) The renegotiation is complete. In this case, no new record |
| 5414 | * has been read yet. |
| 5415 | * 2) The renegotiation is incomplete because the client received |
| 5416 | * an application data record while awaiting the ServerHello. |
| 5417 | * 3) The renegotiation is incomplete because the client received |
| 5418 | * a non-handshake, non-application data message while awaiting |
| 5419 | * the ServerHello. |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5420 | * |
| 5421 | * In each of these cases, looping will be the proper action: |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5422 | * - For 1), the next iteration will read a new record and check |
| 5423 | * if it's application data. |
| 5424 | * - For 2), the loop condition isn't satisfied as application data |
| 5425 | * is present, hence continue is the same as break |
| 5426 | * - For 3), the loop condition is satisfied and read_record |
| 5427 | * will re-deliver the message that was held back by the client |
| 5428 | * when expecting the ServerHello. |
| 5429 | */ |
Hanno Becker | f26cc72 | 2021-04-21 07:30:13 +0100 | [diff] [blame] | 5430 | |
Hanno Becker | 90333da | 2017-10-10 11:27:13 +0100 | [diff] [blame] | 5431 | continue; |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5432 | } |
Hanno Becker | 21df7f9 | 2017-10-17 11:03:26 +0100 | [diff] [blame] | 5433 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5434 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) |
Manuel Pégourié-Gonnard | 6d8404d | 2013-10-30 16:41:45 +0100 | [diff] [blame] | 5435 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5436 | if( ssl->conf->renego_max_records >= 0 ) |
Manuel Pégourié-Gonnard | a9964db | 2014-07-03 19:29:16 +0200 | [diff] [blame] | 5437 | { |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5438 | if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) |
Manuel Pégourié-Gonnard | df3acd8 | 2014-10-15 15:07:45 +0200 | [diff] [blame] | 5439 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5440 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " |
Manuel Pégourié-Gonnard | df3acd8 | 2014-10-15 15:07:45 +0200 | [diff] [blame] | 5441 | "but not honored by client" ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5442 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
Manuel Pégourié-Gonnard | df3acd8 | 2014-10-15 15:07:45 +0200 | [diff] [blame] | 5443 | } |
Manuel Pégourié-Gonnard | a9964db | 2014-07-03 19:29:16 +0200 | [diff] [blame] | 5444 | } |
Manuel Pégourié-Gonnard | 6d8404d | 2013-10-30 16:41:45 +0100 | [diff] [blame] | 5445 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5446 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5447 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5448 | /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ |
| 5449 | if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5450 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5451 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); |
Manuel Pégourié-Gonnard | 8836994 | 2015-05-06 16:19:31 +0100 | [diff] [blame] | 5452 | return( MBEDTLS_ERR_SSL_WANT_READ ); |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 5453 | } |
| 5454 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5455 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5456 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5457 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); |
| 5458 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5459 | } |
| 5460 | |
| 5461 | ssl->in_offt = ssl->in_msg; |
Manuel Pégourié-Gonnard | 6b65141 | 2014-10-01 18:29:03 +0200 | [diff] [blame] | 5462 | |
Manuel Pégourié-Gonnard | ba958b8 | 2014-10-09 16:13:44 +0200 | [diff] [blame] | 5463 | /* We're going to return something now, cancel timer, |
| 5464 | * except if handshake (renegotiation) is in progress */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5465 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 5466 | mbedtls_ssl_set_timer( ssl, 0 ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5467 | |
Manuel Pégourié-Gonnard | 286a136 | 2015-05-13 16:22:05 +0200 | [diff] [blame] | 5468 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5469 | /* If we requested renego but received AppData, resend HelloRequest. |
| 5470 | * Do it now, after setting in_offt, to avoid taking this branch |
| 5471 | * again if ssl_write_hello_request() returns WANT_WRITE */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5472 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5473 | if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5474 | ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5475 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 5476 | if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5477 | { |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 5478 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request", |
| 5479 | ret ); |
Manuel Pégourié-Gonnard | 26a4cf6 | 2014-10-15 13:52:48 +0200 | [diff] [blame] | 5480 | return( ret ); |
| 5481 | } |
| 5482 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5483 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5484 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5485 | } |
| 5486 | |
| 5487 | n = ( len < ssl->in_msglen ) |
| 5488 | ? len : ssl->in_msglen; |
| 5489 | |
| 5490 | memcpy( buf, ssl->in_offt, n ); |
| 5491 | ssl->in_msglen -= n; |
| 5492 | |
gabor-mezei-arm | a321413 | 2020-07-15 10:55:00 +0200 | [diff] [blame] | 5493 | /* Zeroising the plaintext buffer to erase unused application data |
| 5494 | from the memory. */ |
| 5495 | mbedtls_platform_zeroize( ssl->in_offt, n ); |
| 5496 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5497 | if( ssl->in_msglen == 0 ) |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5498 | { |
| 5499 | /* all bytes consumed */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5500 | ssl->in_offt = NULL; |
Hanno Becker | bdf3905 | 2017-06-09 10:42:03 +0100 | [diff] [blame] | 5501 | ssl->keep_current_message = 0; |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5502 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5503 | else |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5504 | { |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5505 | /* more data available */ |
| 5506 | ssl->in_offt += n; |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 5507 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5508 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5509 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5510 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 5511 | return( (int) n ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5512 | } |
| 5513 | |
| 5514 | /* |
Andres Amaya Garcia | 5b92352 | 2017-09-28 14:41:17 +0100 | [diff] [blame] | 5515 | * Send application data to be encrypted by the SSL layer, taking care of max |
| 5516 | * fragment length and buffer size. |
| 5517 | * |
| 5518 | * According to RFC 5246 Section 6.2.1: |
| 5519 | * |
| 5520 | * Zero-length fragments of Application data MAY be sent as they are |
| 5521 | * potentially useful as a traffic analysis countermeasure. |
| 5522 | * |
| 5523 | * Therefore, it is possible that the input message length is 0 and the |
| 5524 | * corresponding return code is 0 on success. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5525 | */ |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5526 | static int ssl_write_real( mbedtls_ssl_context *ssl, |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5527 | const unsigned char *buf, size_t len ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5528 | { |
Manuel Pégourié-Gonnard | 9468ff1 | 2017-09-21 13:49:50 +0200 | [diff] [blame] | 5529 | int ret = mbedtls_ssl_get_max_out_record_payload( ssl ); |
| 5530 | const size_t max_len = (size_t) ret; |
| 5531 | |
| 5532 | if( ret < 0 ) |
| 5533 | { |
| 5534 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret ); |
| 5535 | return( ret ); |
| 5536 | } |
| 5537 | |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5538 | if( len > max_len ) |
| 5539 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5540 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 5541 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5542 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5543 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " |
Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 5544 | "maximum fragment length: %" MBEDTLS_PRINTF_SIZET |
| 5545 | " > %" MBEDTLS_PRINTF_SIZET, |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5546 | len, max_len ) ); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5547 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5548 | } |
| 5549 | else |
| 5550 | #endif |
| 5551 | len = max_len; |
| 5552 | } |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5553 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5554 | if( ssl->out_left != 0 ) |
| 5555 | { |
Andres Amaya Garcia | 5b92352 | 2017-09-28 14:41:17 +0100 | [diff] [blame] | 5556 | /* |
| 5557 | * The user has previously tried to send the data and |
| 5558 | * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially |
| 5559 | * written. In this case, we expect the high-level write function |
| 5560 | * (e.g. mbedtls_ssl_write()) to be called with the same parameters |
| 5561 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5562 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5563 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5564 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5565 | return( ret ); |
| 5566 | } |
| 5567 | } |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5568 | else |
Paul Bakker | 1fd00bf | 2011-03-14 20:50:15 +0000 | [diff] [blame] | 5569 | { |
Andres Amaya Garcia | 5b92352 | 2017-09-28 14:41:17 +0100 | [diff] [blame] | 5570 | /* |
| 5571 | * The user is trying to send a message the first time, so we need to |
| 5572 | * copy the data into the internal buffers and setup the data structure |
| 5573 | * to keep track of partial writes |
| 5574 | */ |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5575 | ssl->out_msglen = len; |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5576 | ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5577 | memcpy( ssl->out_msg, buf, len ); |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5578 | |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 5579 | if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5580 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5581 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5582 | return( ret ); |
| 5583 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5584 | } |
| 5585 | |
Manuel Pégourié-Gonnard | 37e08e1 | 2014-10-13 17:55:52 +0200 | [diff] [blame] | 5586 | return( (int) len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5587 | } |
| 5588 | |
| 5589 | /* |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5590 | * Write application data (public-facing wrapper) |
| 5591 | */ |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5592 | int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5593 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 5594 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5595 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5596 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5597 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 5598 | if( ssl == NULL || ssl->conf == NULL ) |
| 5599 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 5600 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5601 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5602 | if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) |
| 5603 | { |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5604 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5605 | return( ret ); |
| 5606 | } |
| 5607 | #endif |
| 5608 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5609 | if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5610 | { |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5611 | if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5612 | { |
Manuel Pégourié-Gonnard | 151dc77 | 2015-05-14 13:55:51 +0200 | [diff] [blame] | 5613 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5614 | return( ret ); |
| 5615 | } |
| 5616 | } |
| 5617 | |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5618 | ret = ssl_write_real( ssl, buf, len ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5619 | |
Manuel Pégourié-Gonnard | 144bc22 | 2015-04-17 20:39:07 +0200 | [diff] [blame] | 5620 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 5621 | |
| 5622 | return( ret ); |
| 5623 | } |
| 5624 | |
| 5625 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5626 | * Notify the peer that the connection is being closed |
| 5627 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5628 | int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5629 | { |
Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 5630 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5631 | |
Manuel Pégourié-Gonnard | f81ee2e | 2015-09-01 17:43:40 +0200 | [diff] [blame] | 5632 | if( ssl == NULL || ssl->conf == NULL ) |
| 5633 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 5634 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5635 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5636 | |
Manuel Pégourié-Gonnard | a13500f | 2014-08-19 16:14:04 +0200 | [diff] [blame] | 5637 | if( ssl->out_left != 0 ) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5638 | return( mbedtls_ssl_flush_output( ssl ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5639 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5640 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5641 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5642 | if( ( ret = mbedtls_ssl_send_alert_message( ssl, |
| 5643 | MBEDTLS_SSL_ALERT_LEVEL_WARNING, |
| 5644 | MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5645 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5646 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5647 | return( ret ); |
| 5648 | } |
| 5649 | } |
| 5650 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5651 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5652 | |
Manuel Pégourié-Gonnard | a13500f | 2014-08-19 16:14:04 +0200 | [diff] [blame] | 5653 | return( 0 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 5654 | } |
| 5655 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5656 | void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5657 | { |
Paul Bakker | accaffe | 2014-06-26 13:37:14 +0200 | [diff] [blame] | 5658 | if( transform == NULL ) |
| 5659 | return; |
| 5660 | |
Przemyslaw Stekiel | 8f80fb9 | 2022-01-11 08:28:13 +0100 | [diff] [blame] | 5661 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemyslaw Stekiel | ce37d11 | 2022-01-13 14:53:52 +0100 | [diff] [blame] | 5662 | psa_destroy_key( transform->psa_key_enc ); |
| 5663 | psa_destroy_key( transform->psa_key_dec ); |
Przemyslaw Stekiel | 6be9cf5 | 2022-01-19 16:00:22 +0100 | [diff] [blame] | 5664 | #else |
| 5665 | mbedtls_cipher_free( &transform->cipher_ctx_enc ); |
| 5666 | mbedtls_cipher_free( &transform->cipher_ctx_dec ); |
| 5667 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Przemyslaw Stekiel | 8f80fb9 | 2022-01-11 08:28:13 +0100 | [diff] [blame] | 5668 | |
Hanno Becker | fd86ca8 | 2020-11-30 08:54:23 +0000 | [diff] [blame] | 5669 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5670 | mbedtls_md_free( &transform->md_ctx_enc ); |
| 5671 | mbedtls_md_free( &transform->md_ctx_dec ); |
Hanno Becker | d56ed24 | 2018-01-03 15:32:51 +0000 | [diff] [blame] | 5672 | #endif |
Paul Bakker | 61d113b | 2013-07-04 11:51:43 +0200 | [diff] [blame] | 5673 | |
Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 5674 | mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5675 | } |
| 5676 | |
Jerry Yu | c7875b5 | 2021-09-05 21:05:50 +0800 | [diff] [blame] | 5677 | void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, |
| 5678 | mbedtls_ssl_transform *transform ) |
| 5679 | { |
Jerry Yu | c7875b5 | 2021-09-05 21:05:50 +0800 | [diff] [blame] | 5680 | ssl->transform_in = transform; |
Jerry Yu | fd320e9 | 2021-10-08 21:52:41 +0800 | [diff] [blame] | 5681 | memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); |
Jerry Yu | c7875b5 | 2021-09-05 21:05:50 +0800 | [diff] [blame] | 5682 | } |
| 5683 | |
| 5684 | void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, |
| 5685 | mbedtls_ssl_transform *transform ) |
| 5686 | { |
| 5687 | ssl->transform_out = transform; |
Jerry Yu | fd320e9 | 2021-10-08 21:52:41 +0800 | [diff] [blame] | 5688 | memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); |
Jerry Yu | c7875b5 | 2021-09-05 21:05:50 +0800 | [diff] [blame] | 5689 | } |
| 5690 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5691 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5692 | |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 5693 | void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ) |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5694 | { |
| 5695 | unsigned offset; |
| 5696 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 5697 | |
| 5698 | if( hs == NULL ) |
| 5699 | return; |
| 5700 | |
Hanno Becker | 283f5ef | 2018-08-24 09:34:47 +0100 | [diff] [blame] | 5701 | ssl_free_buffered_record( ssl ); |
| 5702 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5703 | for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ ) |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5704 | ssl_buffering_free_slot( ssl, offset ); |
| 5705 | } |
| 5706 | |
| 5707 | static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl, |
| 5708 | uint8_t slot ) |
| 5709 | { |
| 5710 | mbedtls_ssl_handshake_params * const hs = ssl->handshake; |
| 5711 | mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot]; |
Hanno Becker | b309b92 | 2018-08-23 13:18:05 +0100 | [diff] [blame] | 5712 | |
| 5713 | if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS ) |
| 5714 | return; |
| 5715 | |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5716 | if( hs_buf->is_valid == 1 ) |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5717 | { |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5718 | hs->buffering.total_bytes_buffered -= hs_buf->data_len; |
Hanno Becker | 805f2e1 | 2018-10-12 16:31:41 +0100 | [diff] [blame] | 5719 | mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len ); |
Hanno Becker | e605b19 | 2018-08-21 15:59:07 +0100 | [diff] [blame] | 5720 | mbedtls_free( hs_buf->data ); |
| 5721 | memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) ); |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 5722 | } |
| 5723 | } |
| 5724 | |
| 5725 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 5726 | |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5727 | /* |
| 5728 | * Convert version numbers to/from wire format |
| 5729 | * and, for DTLS, to/from TLS equivalent. |
| 5730 | * |
| 5731 | * For TLS this is the identity. |
Brian J Murray | 1903fb3 | 2016-11-06 04:45:15 -0800 | [diff] [blame] | 5732 | * For DTLS, use 1's complement (v -> 255 - v, and then map as follows: |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5733 | * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) |
| 5734 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5735 | void mbedtls_ssl_write_version( int major, int minor, int transport, |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5736 | unsigned char ver[2] ) |
| 5737 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5738 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5739 | if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5740 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5741 | if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5742 | --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ |
| 5743 | |
| 5744 | ver[0] = (unsigned char)( 255 - ( major - 2 ) ); |
| 5745 | ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); |
| 5746 | } |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5747 | else |
| 5748 | #else |
| 5749 | ((void) transport); |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5750 | #endif |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5751 | { |
| 5752 | ver[0] = (unsigned char) major; |
| 5753 | ver[1] = (unsigned char) minor; |
| 5754 | } |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5755 | } |
| 5756 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5757 | void mbedtls_ssl_read_version( int *major, int *minor, int transport, |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5758 | const unsigned char ver[2] ) |
| 5759 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5760 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 5761 | if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5762 | { |
| 5763 | *major = 255 - ver[0] + 2; |
| 5764 | *minor = 255 - ver[1] + 1; |
| 5765 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5766 | if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5767 | ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ |
| 5768 | } |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5769 | else |
| 5770 | #else |
| 5771 | ((void) transport); |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5772 | #endif |
Manuel Pégourié-Gonnard | 34c1011 | 2014-03-25 13:36:22 +0100 | [diff] [blame] | 5773 | { |
| 5774 | *major = ver[0]; |
| 5775 | *minor = ver[1]; |
| 5776 | } |
Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 5777 | } |
| 5778 | |
Jerry Yu | e704781 | 2021-09-13 19:26:39 +0800 | [diff] [blame] | 5779 | /* |
Jerry Yu | 3bf1f97 | 2021-09-22 21:37:18 +0800 | [diff] [blame] | 5780 | * Send pending fatal alert. |
| 5781 | * 0, No alert message. |
| 5782 | * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it |
| 5783 | * returned, ssl->alert_reason otherwise. |
Jerry Yu | e704781 | 2021-09-13 19:26:39 +0800 | [diff] [blame] | 5784 | */ |
| 5785 | int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) |
| 5786 | { |
| 5787 | int ret; |
| 5788 | |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5789 | /* No pending alert, return success*/ |
| 5790 | if( ssl->send_alert == 0 ) |
| 5791 | return( 0 ); |
Jerry Yu | 394ece6 | 2021-09-14 22:17:21 +0800 | [diff] [blame] | 5792 | |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5793 | ret = mbedtls_ssl_send_alert_message( ssl, |
| 5794 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 5795 | ssl->alert_type ); |
| 5796 | |
Jerry Yu | 3bf1f97 | 2021-09-22 21:37:18 +0800 | [diff] [blame] | 5797 | /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE, |
| 5798 | * do not clear the alert to be able to send it later. |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5799 | */ |
| 5800 | if( ret != MBEDTLS_ERR_SSL_WANT_WRITE ) |
| 5801 | { |
| 5802 | ssl->send_alert = 0; |
Jerry Yu | e704781 | 2021-09-13 19:26:39 +0800 | [diff] [blame] | 5803 | } |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5804 | |
| 5805 | if( ret != 0 ) |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5806 | return( ret ); |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5807 | |
Jerry Yu | bbd5a3f | 2021-09-18 20:50:22 +0800 | [diff] [blame] | 5808 | return( ssl->alert_reason ); |
Jerry Yu | e704781 | 2021-09-13 19:26:39 +0800 | [diff] [blame] | 5809 | } |
| 5810 | |
Jerry Yu | 394ece6 | 2021-09-14 22:17:21 +0800 | [diff] [blame] | 5811 | /* |
| 5812 | * Set pending fatal alert flag. |
| 5813 | */ |
| 5814 | void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl, |
| 5815 | unsigned char alert_type, |
| 5816 | int alert_reason ) |
| 5817 | { |
| 5818 | ssl->send_alert = 1; |
| 5819 | ssl->alert_type = alert_type; |
| 5820 | ssl->alert_reason = alert_reason; |
| 5821 | } |
| 5822 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 5823 | #endif /* MBEDTLS_SSL_TLS_C */ |