TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9231340d7176e5f10db6b92b810d66394301b56e / . / library / ssl_msg.c
blob: 6151cbd8097b065ba0c6b2c481478cdeee7b666d [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4 *
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]5 * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]19 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]20 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]39#if defined(MBEDTLS_PLATFORM_C)
40#include "mbedtls/platform.h"
41#else
42#include <stdlib.h>
43#define mbedtls_calloc calloc
44#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]45#endif
46
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]47#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200[diff] [blame]48#include "mbedtls/ssl_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]49#include "mbedtls/debug.h"
50#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +0100[diff] [blame]52#include "mbedtls/version.h"
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]53
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]54#include <string.h>
55
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]56#if defined(MBEDTLS_USE_PSA_CRYPTO)
57#include "mbedtls/psa_util.h"
58#include "psa/crypto.h"
59#endif
60
Janos Follath23bdca02016-10-07 14:47:14 +0100[diff] [blame]61#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]62#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]63#endif
64
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]65static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]66
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]67/*
68 * Start a timer.
69 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]70 */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]71void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]72{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]73 if( ssl->f_set_timer == NULL )
74 return;
75
76 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
77 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]78}
79
80/*
81 * Return -1 is timer is expired, 0 if it isn't.
82 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]83int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]84{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]85 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]86 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]87
88 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]89 {
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]91 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]92 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]93
94 return( 0 );
95}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]96
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]97#if defined(MBEDTLS_SSL_RECORD_CHECKING)
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]98static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
99 unsigned char *buf,
100 size_t len,
101 mbedtls_record *rec );
102
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]103int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
104 unsigned char *buf,
105 size_t buflen )
106{
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]107 int ret = 0;
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
109 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
110
111 /* We don't support record checking in TLS because
112 * (a) there doesn't seem to be a usecase for it, and
113 * (b) In SSLv3 and TLS 1.0, CBC record decryption has state
114 * and we'd need to backup the transform here.
115 */
116 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
117 {
118 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
119 goto exit;
120 }
121#if defined(MBEDTLS_SSL_PROTO_DTLS)
122 else
123 {
irwir734f0cf2019-09-26 21:03:24 +0300[diff] [blame]124 mbedtls_record rec;
125
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]126 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
127 if( ret != 0 )
128 {
129 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
130 goto exit;
131 }
132
133 if( ssl->transform_in != NULL )
134 {
135 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
136 if( ret != 0 )
137 {
138 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
139 goto exit;
140 }
141 }
142 }
143#endif /* MBEDTLS_SSL_PROTO_DTLS */
144
145exit:
146 /* On success, we have decrypted the buffer in-place, so make
147 * sure we don't leak any plaintext data. */
148 mbedtls_platform_zeroize( buf, buflen );
149
150 /* For the purpose of this API, treat messages with unexpected CID
151 * as well as such from future epochs as unexpected. */
152 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
153 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
154 {
155 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
156 }
157
158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
159 return( ret );
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]160}
161#endif /* MBEDTLS_SSL_RECORD_CHECKING */
162
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]163#define SSL_DONT_FORCE_FLUSH 0
164#define SSL_FORCE_FLUSH 1
165
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]166#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]167
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]168/* Forward declarations for functions related to message buffering. */
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]169static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
170 uint8_t slot );
171static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
172static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
173static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
174static int ssl_buffer_message( mbedtls_ssl_context *ssl );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]175static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
176 mbedtls_record const *rec );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]177static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]178
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]179static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]180{
Hanno Becker89490712020-02-05 10:50:12 +0000[diff] [blame]181 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]182#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
183 size_t out_buf_len = ssl->out_buf_len;
184#else
185 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
186#endif
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]187
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]188 if( mtu != 0 && mtu < out_buf_len )
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]189 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]190
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]191 return( out_buf_len );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]192}
193
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]194static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
195{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]196 size_t const bytes_written = ssl->out_left;
197 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]198
199 /* Double-check that the write-index hasn't gone
200 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]201 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]202 {
203 /* Should never happen... */
204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
205 }
206
207 return( (int) ( mtu - bytes_written ) );
208}
209
210static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
211{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]212 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]213 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400[diff] [blame]214 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]215
216#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]217 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]218
219 if( max_len > mfl )
220 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100[diff] [blame]221
222 /* By the standard (RFC 6066 Sect. 4), the MFL extension
223 * only limits the maximum record payload size, so in theory
224 * we would be allowed to pack multiple records of payload size
225 * MFL into a single datagram. However, this would mean that there's
226 * no way to explicitly communicate MTU restrictions to the peer.
227 *
228 * The following reduction of max_len makes sure that we never
229 * write datagrams larger than MFL + Record Expansion Overhead.
230 */
231 if( max_len <= ssl->out_left )
232 return( 0 );
233
234 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]235#endif
236
237 ret = ssl_get_remaining_space_in_datagram( ssl );
238 if( ret < 0 )
239 return( ret );
240 remaining = (size_t) ret;
241
242 ret = mbedtls_ssl_get_record_expansion( ssl );
243 if( ret < 0 )
244 return( ret );
245 expansion = (size_t) ret;
246
247 if( remaining <= expansion )
248 return( 0 );
249
250 remaining -= expansion;
251 if( remaining >= max_len )
252 remaining = max_len;
253
254 return( (int) remaining );
255}
256
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]257/*
258 * Double the retransmit timeout value, within the allowed range,
259 * returning -1 if the maximum value has already been reached.
260 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]261static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]262{
263 uint32_t new_timeout;
264
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]265 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]266 return( -1 );
267
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]268 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
269 * in the following way: after the initial transmission and a first
270 * retransmission, back off to a temporary estimated MTU of 508 bytes.
271 * This value is guaranteed to be deliverable (if not guaranteed to be
272 * delivered) of any compliant IPv4 (and IPv6) network, and should work
273 * on most non-IP stacks too. */
274 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]275 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]276 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]277 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
278 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]279
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]280 new_timeout = 2 * ssl->handshake->retransmit_timeout;
281
282 /* Avoid arithmetic overflow and range overflow */
283 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]284 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]285 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]286 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]287 }
288
289 ssl->handshake->retransmit_timeout = new_timeout;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]291 ssl->handshake->retransmit_timeout ) );
292
293 return( 0 );
294}
295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]296static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]297{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]298 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]300 ssl->handshake->retransmit_timeout ) );
301}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]302#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]304#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
305int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]306 const unsigned char *key_enc, const unsigned char *key_dec,
307 size_t keylen,
308 const unsigned char *iv_enc, const unsigned char *iv_dec,
309 size_t ivlen,
310 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]311 size_t maclen ) = NULL;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]312int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
313int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
314int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
315int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
316int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
317#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]318
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]319/* The function below is only used in the Lucky 13 counter-measure in
Hanno Beckerb2ca87d2018-10-18 15:43:13 +0100[diff] [blame]320 * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]321#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]322 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
323 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
324 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
325/* This function makes sure every byte in the memory region is accessed
326 * (in ascending addresses order) */
327static void ssl_read_memory( unsigned char *p, size_t len )
328{
329 unsigned char acc = 0;
330 volatile unsigned char force;
331
332 for( ; len != 0; p++, len-- )
333 acc ^= *p;
334
335 force = acc;
336 (void) force;
337}
338#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
339
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]340/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]342 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]343
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]344#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \
345 defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]346/* This functions transforms a (D)TLS plaintext fragment and a record content
347 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
348 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
349 * a record's content type.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]350 *
351 * struct {
352 * opaque content[DTLSPlaintext.length];
353 * ContentType real_type;
354 * uint8 zeros[length_of_padding];
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]355 * } (D)TLSInnerPlaintext;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]356 *
357 * Input:
358 * - `content`: The beginning of the buffer holding the
359 * plaintext to be wrapped.
360 * - `*content_size`: The length of the plaintext in Bytes.
361 * - `max_len`: The number of Bytes available starting from
362 * `content`. This must be `>= *content_size`.
363 * - `rec_type`: The desired record content type.
364 *
365 * Output:
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]366 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
367 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]368 *
369 * Returns:
370 * - `0` on success.
371 * - A negative error code if `max_len` didn't offer enough space
372 * for the expansion.
373 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]374static int ssl_build_inner_plaintext( unsigned char *content,
375 size_t *content_size,
376 size_t remaining,
377 uint8_t rec_type )
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]378{
379 size_t len = *content_size;
Hanno Beckerb9ec44f2019-05-13 15:31:17 +0100[diff] [blame]380 size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
381 ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
382 MBEDTLS_SSL_CID_PADDING_GRANULARITY;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]383
384 /* Write real content type */
385 if( remaining == 0 )
386 return( -1 );
387 content[ len ] = rec_type;
388 len++;
389 remaining--;
390
391 if( remaining < pad )
392 return( -1 );
393 memset( content + len, 0, pad );
394 len += pad;
395 remaining -= pad;
396
397 *content_size = len;
398 return( 0 );
399}
400
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]401/* This function parses a (D)TLSInnerPlaintext structure.
402 * See ssl_build_inner_plaintext() for details. */
403static int ssl_parse_inner_plaintext( unsigned char const *content,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]404 size_t *content_size,
405 uint8_t *rec_type )
406{
407 size_t remaining = *content_size;
408
409 /* Determine length of padding by skipping zeroes from the back. */
410 do
411 {
412 if( remaining == 0 )
413 return( -1 );
414 remaining--;
415 } while( content[ remaining ] == 0 );
416
417 *content_size = remaining;
418 *rec_type = content[ remaining ];
419
420 return( 0 );
421}
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]422#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
423 MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]424
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]425/* `add_data` must have size 13 Bytes if the CID extension is disabled,
Hanno Beckerc4a190b2019-05-08 18:15:21 +0100[diff] [blame]426 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]427static void ssl_extract_add_data_from_record( unsigned char* add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]428 size_t *add_data_len,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]429 mbedtls_record *rec )
430{
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]431 /* Quoting RFC 5246 (TLS 1.2):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]432 *
433 * additional_data = seq_num + TLSCompressed.type +
434 * TLSCompressed.version + TLSCompressed.length;
435 *
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]436 * For the CID extension, this is extended as follows
437 * (quoting draft-ietf-tls-dtls-connection-id-05,
438 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]439 *
440 * additional_data = seq_num + DTLSPlaintext.type +
441 * DTLSPlaintext.version +
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]442 * cid +
443 * cid_length +
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]444 * length_of_DTLSInnerPlaintext;
445 */
446
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]447 memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );
448 add_data[8] = rec->type;
Hanno Beckeredb24f82019-05-20 15:01:46 +0100[diff] [blame]449 memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]450
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]451#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]452 if( rec->cid_len != 0 )
453 {
454 memcpy( add_data + 11, rec->cid, rec->cid_len );
455 add_data[11 + rec->cid_len + 0] = rec->cid_len;
456 add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
457 add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
458 *add_data_len = 13 + 1 + rec->cid_len;
459 }
460 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]461#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]462 {
463 add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
464 add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
465 *add_data_len = 13;
466 }
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]467}
468
Hanno Becker9d062f92020-02-07 10:26:36 +0000[diff] [blame]469#if defined(MBEDTLS_SSL_PROTO_SSL3)
470
471#define SSL3_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
472
473/*
474 * SSLv3.0 MAC functions
475 */
476static void ssl_mac( mbedtls_md_context_t *md_ctx,
477 const unsigned char *secret,
478 const unsigned char *buf, size_t len,
479 const unsigned char *ctr, int type,
480 unsigned char out[SSL3_MAC_MAX_BYTES] )
481{
482 unsigned char header[11];
483 unsigned char padding[48];
484 int padlen;
485 int md_size = mbedtls_md_get_size( md_ctx->md_info );
486 int md_type = mbedtls_md_get_type( md_ctx->md_info );
487
488 /* Only MD5 and SHA-1 supported */
489 if( md_type == MBEDTLS_MD_MD5 )
490 padlen = 48;
491 else
492 padlen = 40;
493
494 memcpy( header, ctr, 8 );
495 header[ 8] = (unsigned char) type;
496 header[ 9] = (unsigned char)( len >> 8 );
497 header[10] = (unsigned char)( len );
498
499 memset( padding, 0x36, padlen );
500 mbedtls_md_starts( md_ctx );
501 mbedtls_md_update( md_ctx, secret, md_size );
502 mbedtls_md_update( md_ctx, padding, padlen );
503 mbedtls_md_update( md_ctx, header, 11 );
504 mbedtls_md_update( md_ctx, buf, len );
505 mbedtls_md_finish( md_ctx, out );
506
507 memset( padding, 0x5C, padlen );
508 mbedtls_md_starts( md_ctx );
509 mbedtls_md_update( md_ctx, secret, md_size );
510 mbedtls_md_update( md_ctx, padding, padlen );
511 mbedtls_md_update( md_ctx, out, md_size );
512 mbedtls_md_finish( md_ctx, out );
513}
514#endif /* MBEDTLS_SSL_PROTO_SSL3 */
515
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]516int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
517 mbedtls_ssl_transform *transform,
518 mbedtls_record *rec,
519 int (*f_rng)(void *, unsigned char *, size_t),
520 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]523 int auth_done = 0;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]524 unsigned char * data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]525 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]526 size_t add_data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]527 size_t post_avail;
528
529 /* The SSL context is only used for debugging purposes! */
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]530#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]531 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]532 ((void) ssl);
533#endif
534
535 /* The PRNG is used for dynamic IV generation that's used
536 * for CBC transformations in TLS 1.1 and TLS 1.2. */
537#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
538 ( defined(MBEDTLS_AES_C) || \
539 defined(MBEDTLS_ARIA_C) || \
540 defined(MBEDTLS_CAMELLIA_C) ) && \
541 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
542 ((void) f_rng);
543 ((void) p_rng);
544#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]548 if( transform == NULL )
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]549 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
551 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
552 }
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]553 if( rec == NULL
554 || rec->buf == NULL
555 || rec->buf_len < rec->data_offset
556 || rec->buf_len - rec->data_offset < rec->data_len
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]557#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]558 || rec->cid_len != 0
559#endif
560 )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]561 {
562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]564 }
565
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]566 data = rec->buf + rec->data_offset;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]567 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]568 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]569 data, rec->data_len );
570
571 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
572
573 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
574 {
575 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
576 (unsigned) rec->data_len,
577 MBEDTLS_SSL_OUT_CONTENT_LEN ) );
578 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
579 }
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +0100[diff] [blame]580
Hanno Becker92313402020-05-20 13:58:58 +0100[diff] [blame^]581 /* The following two code paths implement the (D)TLSInnerPlaintext
582 * structure present in TLS 1.3 and DTLS 1.2 + CID.
583 *
584 * See ssl_build_inner_plaintext() for more information.
585 *
586 * Note that this changes `rec->data_len`, and hence
587 * `post_avail` needs to be recalculated afterwards.
588 *
589 * Note also that the two code paths cannot occur simultaneously
590 * since they apply to different versions of the protocol. There
591 * is hence no risk of double-addition of the inner plaintext.
592 */
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]593#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
594 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
595 {
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]596 if( ssl_build_inner_plaintext( data,
597 &rec->data_len,
598 post_avail,
599 rec->type ) != 0 )
600 {
601 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
602 }
603
604 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
605 }
606#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
607
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]608#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]609 /*
610 * Add CID information
611 */
612 rec->cid_len = transform->out_cid_len;
613 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
614 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]615
616 if( rec->cid_len != 0 )
617 {
618 /*
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]619 * Wrap plaintext into DTLSInnerPlaintext structure.
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]620 * See ssl_build_inner_plaintext() for more information.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]621 *
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]622 * Note that this changes `rec->data_len`, and hence
623 * `post_avail` needs to be recalculated afterwards.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]624 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]625 if( ssl_build_inner_plaintext( data,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]626 &rec->data_len,
627 post_avail,
628 rec->type ) != 0 )
629 {
630 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
631 }
632
633 rec->type = MBEDTLS_SSL_MSG_CID;
634 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]635#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]636
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]637 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
638
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]640 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641 */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]642#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643 if( mode == MBEDTLS_MODE_STREAM ||
644 ( mode == MBEDTLS_MODE_CBC
645#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]646 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]647#endif
648 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]650 if( post_avail < transform->maclen )
651 {
652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
653 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
654 }
655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]657 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]658 {
Hanno Becker9d062f92020-02-07 10:26:36 +0000[diff] [blame]659 unsigned char mac[SSL3_MAC_MAX_BYTES];
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]660 ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
661 data, rec->data_len, rec->ctr, rec->type, mac );
662 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]663 }
664 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]665#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
667 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]668 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]669 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]670 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
671
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]672 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]673
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]674 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]675 add_data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]676 mbedtls_md_hmac_update( &transform->md_ctx_enc,
677 data, rec->data_len );
678 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
679 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
680
681 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]682 }
683 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]684#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]685 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
687 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]688 }
689
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]690 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
691 transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]692
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]693 rec->data_len += transform->maclen;
694 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]695 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]696 }
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]697#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]698
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]699 /*
700 * Encrypt
701 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
703 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]705 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]706 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]708 "including %d bytes of padding",
709 rec->data_len, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]711 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
712 transform->iv_enc, transform->ivlen,
713 data, rec->data_len,
714 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]715 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]716 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]717 return( ret );
718 }
719
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]720 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]721 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
723 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]724 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]726 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]728
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]729#if defined(MBEDTLS_GCM_C) || \
730 defined(MBEDTLS_CCM_C) || \
731 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]732 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]733 mode == MBEDTLS_MODE_CCM ||
734 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]735 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]736 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]737 unsigned char iv[12];
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]738 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]739
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]740 /* Check that there's space for both the authentication tag
741 * and the explicit IV before and after the record content. */
742 if( post_avail < transform->taglen ||
743 rec->data_offset < explicit_iv_len )
744 {
745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
746 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
747 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]748
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]749 /*
750 * Generate IV
751 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]752 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
753 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]754 /* GCM and CCM: fixed || explicit (=seqnum) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]755 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]756 memcpy( iv + transform->fixed_ivlen, rec->ctr,
757 explicit_iv_len );
758 /* Prefix record content with explicit IV. */
759 memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]760 }
761 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
762 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]763 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]764 unsigned char i;
765
766 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
767
768 for( i = 0; i < 8; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]769 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]770 }
771 else
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]772 {
773 /* Reminder if we ever add an AEAD mode with a different size */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
775 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]776 }
777
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]778 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]779
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]780 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
781 iv, transform->ivlen );
782 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]783 data - explicit_iv_len, explicit_iv_len );
784 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]785 add_data, add_data_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]786 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]787 "including 0 bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]788 rec->data_len ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]789
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]790 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]791 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]792 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]793
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]794 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]795 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]796 add_data, add_data_len, /* add data */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]797 data, rec->data_len, /* source */
798 data, &rec->data_len, /* destination */
799 data + rec->data_len, transform->taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]800 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]801 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]802 return( ret );
803 }
804
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]805 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
806 data + rec->data_len, transform->taglen );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]807
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]808 rec->data_len += transform->taglen + explicit_iv_len;
809 rec->data_offset -= explicit_iv_len;
810 post_avail -= transform->taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]811 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]812 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]813 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]814#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
815#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]816 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]817 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]819 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]820 size_t padlen, i;
821 size_t olen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]822
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]823 /* Currently we're always using minimal padding
824 * (up to 255 bytes would be allowed). */
825 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
826 if( padlen == transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]827 padlen = 0;
828
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]829 /* Check there's enough space in the buffer for the padding. */
830 if( post_avail < padlen + 1 )
831 {
832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
833 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
834 }
835
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836 for( i = 0; i <= padlen; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]837 data[rec->data_len + i] = (unsigned char) padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]839 rec->data_len += padlen + 1;
840 post_avail -= padlen + 1;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]841
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]842#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]843 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]844 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
845 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]846 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]847 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]848 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]849 if( f_rng == NULL )
850 {
851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
852 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
853 }
854
855 if( rec->data_offset < transform->ivlen )
856 {
857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
858 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
859 }
860
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]861 /*
862 * Generate IV
863 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]864 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]865 if( ret != 0 )
866 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]867
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]868 memcpy( data - transform->ivlen, transform->iv_enc,
869 transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]870
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]871 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]872#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]875 "including %d bytes of IV and %d bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]876 rec->data_len, transform->ivlen,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]877 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]878
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]879 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
880 transform->iv_enc,
881 transform->ivlen,
882 data, rec->data_len,
883 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]884 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]885 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]886 return( ret );
887 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]888
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]889 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]890 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
892 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]893 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]894
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]895#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]896 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]897 {
898 /*
899 * Save IV in SSL3 and TLS1
900 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]901 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
902 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]903 }
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]904 else
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]905#endif
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]906 {
907 data -= transform->ivlen;
908 rec->data_offset -= transform->ivlen;
909 rec->data_len += transform->ivlen;
910 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]911
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]912#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]913 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]914 {
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]915 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
916
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]917 /*
918 * MAC(MAC_write_key, seq_num +
919 * TLSCipherText.type +
920 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]921 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]922 * IV + // except for TLS 1.0
923 * ENC(content + padding + padding_length));
924 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]925
926 if( post_avail < transform->maclen)
927 {
928 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
929 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
930 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]931
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]932 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]933
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]935 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]936 add_data_len );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]937
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]938 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]939 add_data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]940 mbedtls_md_hmac_update( &transform->md_ctx_enc,
941 data, rec->data_len );
942 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
943 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]944
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]945 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]946
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]947 rec->data_len += transform->maclen;
948 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]949 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]950 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]951#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]952 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]953 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]955 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]956 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]957 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
958 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]959 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]960
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]961 /* Make extra sure authentication was performed, exactly once */
962 if( auth_done != 1 )
963 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
965 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]966 }
967
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]968 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]969
970 return( 0 );
971}
972
Hanno Becker605949f2019-07-12 08:23:59 +0100[diff] [blame]973int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]974 mbedtls_ssl_transform *transform,
975 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976{
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]977 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978 mbedtls_cipher_mode_t mode;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]979 int ret, auth_done = 0;
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]980#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]981 size_t padlen = 0, correct = 1;
982#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]983 unsigned char* data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]984 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]985 size_t add_data_len;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]986
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]987#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]988 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]989 ((void) ssl);
990#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]992 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]993 if( rec == NULL ||
994 rec->buf == NULL ||
995 rec->buf_len < rec->data_offset ||
996 rec->buf_len - rec->data_offset < rec->data_len )
997 {
998 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]999 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1000 }
1001
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1002 data = rec->buf + rec->data_offset;
1003 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1005#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1006 /*
1007 * Match record's CID with incoming CID.
1008 */
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1009 if( rec->cid_len != transform->in_cid_len ||
1010 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1011 {
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]1012 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1013 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1014#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1015
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1016#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1017 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1018 {
1019 padlen = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1020 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1021 transform->iv_dec,
1022 transform->ivlen,
1023 data, rec->data_len,
1024 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1025 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1027 return( ret );
1028 }
1029
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1030 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1031 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1033 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1034 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1036 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1038#if defined(MBEDTLS_GCM_C) || \
1039 defined(MBEDTLS_CCM_C) || \
1040 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1042 mode == MBEDTLS_MODE_CCM ||
1043 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1044 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1045 unsigned char iv[12];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1046 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1047
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1048 /*
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1049 * Prepare IV from explicit and implicit data.
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1050 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1051
1052 /* Check that there's enough space for the explicit IV
1053 * (at the beginning of the record) and the MAC (at the
1054 * end of the record). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1055 if( rec->data_len < explicit_iv_len + transform->taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1056 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1058 "+ taglen (%d)", rec->data_len,
1059 explicit_iv_len, transform->taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1060 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1061 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1062
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1063#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1064 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1065 {
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1066 /* GCM and CCM: fixed || explicit */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1067
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1068 /* Fixed */
1069 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1070 /* Explicit */
1071 memcpy( iv + transform->fixed_ivlen, data, 8 );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1072 }
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1073 else
1074#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1075#if defined(MBEDTLS_CHACHAPOLY_C)
1076 if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1077 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1078 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1079 unsigned char i;
1080
1081 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1082
1083 for( i = 0; i < 8; i++ )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1084 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1085 }
1086 else
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1087#endif /* MBEDTLS_CHACHAPOLY_C */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1088 {
1089 /* Reminder if we ever add an AEAD mode with a different size */
1090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1091 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1092 }
1093
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1094 /* Group changes to data, data_len, and add_data, because
1095 * add_data depends on data_len. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1096 data += explicit_iv_len;
1097 rec->data_offset += explicit_iv_len;
1098 rec->data_len -= explicit_iv_len + transform->taglen;
1099
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1100 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1101 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1102 add_data, add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1103
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1104 /* Because of the check above, we know that there are
1105 * explicit_iv_len Bytes preceeding data, and taglen
1106 * bytes following data + data_len. This justifies
Hanno Becker20016652019-07-10 11:44:13 +0100[diff] [blame]1107 * the debug message and the invocation of
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1108 * mbedtls_cipher_auth_decrypt() below. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1109
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1110 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1111 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1112 transform->taglen );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1113
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1114 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1115 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1116 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1117 if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
1118 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1119 add_data, add_data_len,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1120 data, rec->data_len,
1121 data, &olen,
1122 data + rec->data_len,
1123 transform->taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1124 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1125 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1126
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1127 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1128 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1129
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1130 return( ret );
1131 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1132 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1133
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1134 /* Double-check that AEAD decryption doesn't change content length. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1135 if( olen != rec->data_len )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1136 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1138 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1139 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1140 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1141 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1142#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1143#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1144 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1145 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146 {
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1147 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1148
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1150 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1151 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1152#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1153 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1154 {
1155 /* The ciphertext is prefixed with the CBC IV. */
1156 minlen += transform->ivlen;
1157 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1158#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1159
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1160 /* Size considerations:
1161 *
1162 * - The CBC cipher text must not be empty and hence
1163 * at least of size transform->ivlen.
1164 *
1165 * Together with the potential IV-prefix, this explains
1166 * the first of the two checks below.
1167 *
1168 * - The record must contain a MAC, either in plain or
1169 * encrypted, depending on whether Encrypt-then-MAC
1170 * is used or not.
1171 * - If it is, the message contains the IV-prefix,
1172 * the CBC ciphertext, and the MAC.
1173 * - If it is not, the padded plaintext, and hence
1174 * the CBC ciphertext, has at least length maclen + 1
1175 * because there is at least the padding length byte.
1176 *
1177 * As the CBC ciphertext is not empty, both cases give the
1178 * lower bound minlen + maclen + 1 on the record size, which
1179 * we test for in the second check below.
1180 */
1181 if( rec->data_len < minlen + transform->ivlen ||
1182 rec->data_len < minlen + transform->maclen + 1 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1183 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1185 "+ 1 ) ( + expl IV )", rec->data_len,
1186 transform->ivlen,
1187 transform->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1188 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1189 }
1190
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1191 /*
1192 * Authenticate before decrypt if enabled
1193 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1194#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1195 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1196 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1197 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1199 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1200
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1201 /* Update data_len in tandem with add_data.
1202 *
1203 * The subtraction is safe because of the previous check
1204 * data_len >= minlen + maclen + 1.
1205 *
1206 * Afterwards, we know that data + data_len is followed by at
1207 * least maclen Bytes, which justifies the call to
1208 * mbedtls_ssl_safer_memcmp() below.
1209 *
1210 * Further, we still know that data_len > minlen */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1211 rec->data_len -= transform->maclen;
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1212 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1213
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1214 /* Calculate expected MAC. */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1215 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1216 add_data_len );
1217 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1218 add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1219 mbedtls_md_hmac_update( &transform->md_ctx_dec,
1220 data, rec->data_len );
1221 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1222 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1223
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1224 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1225 transform->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1226 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1227 transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1228
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1229 /* Compare expected MAC with MAC at the end of the record. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1230 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1231 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1232 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1234 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1235 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1236 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1237 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1238#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1239
1240 /*
1241 * Check length sanity
1242 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1243
1244 /* We know from above that data_len > minlen >= 0,
1245 * so the following check in particular implies that
1246 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1247 if( rec->data_len % transform->ivlen != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1248 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1250 rec->data_len, transform->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1252 }
1253
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1254#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1255 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1256 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1257 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1258 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1259 {
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1260 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1261 memcpy( transform->iv_dec, data, transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1262
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1263 data += transform->ivlen;
1264 rec->data_offset += transform->ivlen;
1265 rec->data_len -= transform->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1266 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1267#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1268
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1269 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1270
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1271 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1272 transform->iv_dec, transform->ivlen,
1273 data, rec->data_len, data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1274 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1275 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1276 return( ret );
1277 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1278
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1279 /* Double-check that length hasn't changed during decryption. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1280 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1281 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1282 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1283 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1284 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1285
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1286#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1287 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1288 {
1289 /*
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1290 * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
1291 * records is equivalent to CBC decryption of the concatenation
1292 * of the records; in other words, IVs are maintained across
1293 * record decryptions.
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1294 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1295 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
1296 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1298#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1300 /* Safe since data_len >= minlen + maclen + 1, so after having
1301 * subtracted at most minlen and maclen up to this point,
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1302 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1303 * >= ivlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1304 padlen = data[rec->data_len - 1];
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1305
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1306 if( auth_done == 1 )
1307 {
1308 correct *= ( rec->data_len >= padlen + 1 );
1309 padlen *= ( rec->data_len >= padlen + 1 );
1310 }
1311 else
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1312 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1314 if( rec->data_len < transform->maclen + padlen + 1 )
1315 {
1316 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1317 rec->data_len,
1318 transform->maclen,
1319 padlen + 1 ) );
1320 }
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1321#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1322
1323 correct *= ( rec->data_len >= transform->maclen + padlen + 1 );
1324 padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1325 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1327 padlen++;
1328
1329 /* Regardless of the validity of the padding,
1330 * we have data_len >= padlen here. */
1331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1332#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1333 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1335 if( padlen > transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337#if defined(MBEDTLS_SSL_DEBUG_ALL)
1338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1339 "should be no more than %d",
1340 padlen, transform->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1341#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1342 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343 }
1344 }
1345 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1347#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1348 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1349 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1351 /* The padding check involves a series of up to 256
1352 * consecutive memory reads at the end of the record
1353 * plaintext buffer. In order to hide the length and
1354 * validity of the padding, always perform exactly
1355 * `min(256,plaintext_len)` reads (but take into account
1356 * only the last `padlen` bytes for the padding check). */
1357 size_t pad_count = 0;
1358 size_t real_count = 0;
1359 volatile unsigned char* const check = data;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1360
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1361 /* Index of first padding byte; it has been ensured above
1362 * that the subtraction is safe. */
1363 size_t const padding_idx = rec->data_len - padlen;
1364 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1365 size_t const start_idx = rec->data_len - num_checks;
1366 size_t idx;
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]1367
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1368 for( idx = start_idx; idx < rec->data_len; idx++ )
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]1369 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1370 real_count |= ( idx >= padding_idx );
1371 pad_count += real_count * ( check[idx] == padlen - 1 );
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]1372 }
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1373 correct &= ( pad_count == padlen );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1374
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1375#if defined(MBEDTLS_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1376 if( padlen > 0 && correct == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1378#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1379 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1380 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1381 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1382#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1383 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1384 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1386 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1387 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1388
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1389 /* If the padding was found to be invalid, padlen == 0
1390 * and the subtraction is safe. If the padding was found valid,
1391 * padlen hasn't been changed and the previous assertion
1392 * data_len >= padlen still holds. */
1393 rec->data_len -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1394 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1395 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1396#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1397 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1398 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1400 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1401 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1403#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1404 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1405 data, rec->data_len );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1406#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407
1408 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1409 * Authenticate if not done yet.
1410 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1411 */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1412#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1413 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1414 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1415 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]1416
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1417 /* If the initial value of padlen was such that
1418 * data_len < maclen + padlen + 1, then padlen
1419 * got reset to 1, and the initial check
1420 * data_len >= minlen + maclen + 1
1421 * guarantees that at this point we still
1422 * have at least data_len >= maclen.
1423 *
1424 * If the initial value of padlen was such that
1425 * data_len >= maclen + padlen + 1, then we have
1426 * subtracted either padlen + 1 (if the padding was correct)
1427 * or 0 (if the padding was incorrect) since then,
1428 * hence data_len >= maclen in any case.
1429 */
1430 rec->data_len -= transform->maclen;
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1431 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1433#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1434 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1435 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1436 ssl_mac( &transform->md_ctx_dec,
1437 transform->mac_dec,
1438 data, rec->data_len,
1439 rec->ctr, rec->type,
1440 mac_expect );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1441 }
1442 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1443#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1444#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1445 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1446 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1447 {
1448 /*
1449 * Process MAC and always update for padlen afterwards to make
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1450 * total time independent of padlen.
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1451 *
1452 * Known timing attacks:
1453 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1454 *
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1455 * To compensate for different timings for the MAC calculation
1456 * depending on how much padding was removed (which is determined
1457 * by padlen), process extra_run more blocks through the hash
1458 * function.
1459 *
1460 * The formula in the paper is
1461 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
1462 * where L1 is the size of the header plus the decrypted message
1463 * plus CBC padding and L2 is the size of the header plus the
1464 * decrypted message. This is for an underlying hash function
1465 * with 64-byte blocks.
1466 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
1467 * correctly. We round down instead of up, so -56 is the correct
1468 * value for our calculations instead of -55.
1469 *
Gilles Peskine1bd9d582018-06-04 11:58:44 +0200[diff] [blame]1470 * Repeat the formula rather than defining a block_size variable.
1471 * This avoids requiring division by a variable at runtime
1472 * (which would be marginally less efficient and would require
1473 * linking an extra division function in some builds).
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1474 */
1475 size_t j, extra_run = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1476 unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1477
1478 /*
1479 * The next two sizes are the minimum and maximum values of
1480 * in_msglen over all padlen values.
1481 *
1482 * They're independent of padlen, since we previously did
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1483 * data_len -= padlen.
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1484 *
1485 * Note that max_len + maclen is never more than the buffer
1486 * length, as we previously did in_msglen -= maclen too.
1487 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1488 const size_t max_len = rec->data_len + padlen;
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1489 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1490
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1491 memset( tmp, 0, sizeof( tmp ) );
1492
1493 switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1494 {
Gilles Peskined0e55a42018-06-04 12:03:30 +0200[diff] [blame]1495#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
1496 defined(MBEDTLS_SHA256_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1497 case MBEDTLS_MD_MD5:
1498 case MBEDTLS_MD_SHA1:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1499 case MBEDTLS_MD_SHA256:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1500 /* 8 bytes of message size, 64-byte compression blocks */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1501 extra_run =
1502 ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
1503 ( add_data_len + rec->data_len + 8 ) / 64;
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1504 break;
1505#endif
Gilles Peskinea7fe25d2018-06-04 12:01:18 +0200[diff] [blame]1506#if defined(MBEDTLS_SHA512_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1507 case MBEDTLS_MD_SHA384:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1508 /* 16 bytes of message size, 128-byte compression blocks */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1509 extra_run =
1510 ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
1511 ( add_data_len + rec->data_len + 16 ) / 128;
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1512 break;
1513#endif
1514 default:
Gilles Peskine5c389842018-06-04 12:02:43 +0200[diff] [blame]1515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1516 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1517 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1518
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1519 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1520
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1521 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1522 add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1523 mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
1524 rec->data_len );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1525 /* Make sure we access everything even when padlen > 0. This
1526 * makes the synchronisation requirements for just-in-time
1527 * Prime+Probe attacks much tighter and hopefully impractical. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1528 ssl_read_memory( data + rec->data_len, padlen );
1529 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1530
1531 /* Call mbedtls_md_process at least once due to cache attacks
1532 * that observe whether md_process() was called of not */
Manuel Pégourié-Gonnard47fede02015-04-29 01:35:48 +0200[diff] [blame]1533 for( j = 0; j < extra_run + 1; j++ )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1534 mbedtls_md_process( &transform->md_ctx_dec, tmp );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1535
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1536 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1537
1538 /* Make sure we access all the memory that could contain the MAC,
1539 * before we check it in the next code block. This makes the
1540 * synchronisation requirements for just-in-time Prime+Probe
1541 * attacks much tighter and hopefully impractical. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1542 ssl_read_memory( data + min_len,
1543 max_len - min_len + transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1544 }
1545 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1546#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1547 MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1548 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1550 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1551 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1552
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1553#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1554 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
1555 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1556#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1557
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1558 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1559 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1560 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1561#if defined(MBEDTLS_SSL_DEBUG_ALL)
1562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1563#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1564 correct = 0;
1565 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1566 auth_done++;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1567 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +0100[diff] [blame]1568
1569 /*
1570 * Finally check the correct flag
1571 */
1572 if( correct == 0 )
1573 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1574#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1575
1576 /* Make extra sure authentication was performed, exactly once */
1577 if( auth_done != 1 )
1578 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1580 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1581 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1582
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]1583#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1584 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1585 {
1586 /* Remove inner padding and infer true content type. */
1587 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1588 &rec->type );
1589
1590 if( ret != 0 )
1591 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1592 }
1593#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1594
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1595#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1596 if( rec->cid_len != 0 )
1597 {
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]1598 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1599 &rec->type );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1600 if( ret != 0 )
1601 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1602 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1603#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1604
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1605 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1606
1607 return( 0 );
1608}
1609
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1610#undef MAC_NONE
1611#undef MAC_PLAINTEXT
1612#undef MAC_CIPHERTEXT
1613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1614#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1615/*
1616 * Compression/decompression functions
1617 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1618static int ssl_compress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1619{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1620 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1621 unsigned char *msg_post = ssl->out_msg;
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]1622 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1623 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1624 unsigned char *msg_pre = ssl->compress_buf;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1625#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1626 size_t out_buf_len = ssl->out_buf_len;
1627#else
1628 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1629#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1630
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1631 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1632
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]1633 if( len_pre == 0 )
1634 return( 0 );
1635
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1636 memcpy( msg_pre, ssl->out_msg, len_pre );
1637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1639 ssl->out_msglen ) );
1640
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1641 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1642 ssl->out_msg, ssl->out_msglen );
1643
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1644 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1645 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1646 ssl->transform_out->ctx_deflate.next_out = msg_post;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1647 ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1648
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1649 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1650 if( ret != Z_OK )
1651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1653 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1654 }
1655
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1656 ssl->out_msglen = out_buf_len -
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]1657 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1659 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1660 ssl->out_msglen ) );
1661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1662 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1663 ssl->out_msg, ssl->out_msglen );
1664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1666
1667 return( 0 );
1668}
1669
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1670static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1671{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1672 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1673 unsigned char *msg_post = ssl->in_msg;
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]1674 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1675 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1676 unsigned char *msg_pre = ssl->compress_buf;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1677#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1678 size_t in_buf_len = ssl->in_buf_len;
1679#else
1680 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1681#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1684
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]1685 if( len_pre == 0 )
1686 return( 0 );
1687
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1688 memcpy( msg_pre, ssl->in_msg, len_pre );
1689
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1690 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1691 ssl->in_msglen ) );
1692
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1693 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1694 ssl->in_msg, ssl->in_msglen );
1695
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1696 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1697 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1698 ssl->transform_in->ctx_inflate.next_out = msg_post;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1699 ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1700
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1701 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1702 if( ret != Z_OK )
1703 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1705 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1706 }
1707
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1708 ssl->in_msglen = in_buf_len -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]1709 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1711 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1712 ssl->in_msglen ) );
1713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1714 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1715 ssl->in_msg, ssl->in_msglen );
1716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1718
1719 return( 0 );
1720}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1721#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1722
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1724 * Fill the input message buffer by appending data to it.
1725 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1726 *
1727 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1728 * available (from this read and/or a previous one). Otherwise, an error code
1729 * is returned (possibly EOF or WANT_READ).
1730 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1731 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1732 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1733 * since we always read a whole datagram at once.
1734 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]1735 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1736 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1738int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1739{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1740 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1741 size_t len;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1742#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1743 size_t in_buf_len = ssl->in_buf_len;
1744#else
1745 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1746#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1750 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1751 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1752 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1753 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1755 }
1756
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1757 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1758 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1759 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1760 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1761 }
1762
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1763#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1764 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1765 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1766 uint32_t timeout;
1767
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]1768 /* Just to be sure */
1769 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
1770 {
1771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
1772 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
1773 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1774 }
1775
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1776 /*
1777 * The point is, we need to always read a full datagram at once, so we
1778 * sometimes read more then requested, and handle the additional data.
1779 * It could be the rest of the current record (while fetching the
1780 * header) and/or some other records in the same datagram.
1781 */
1782
1783 /*
1784 * Move to the next record in the already read datagram if applicable
1785 */
1786 if( ssl->next_record_offset != 0 )
1787 {
1788 if( ssl->in_left < ssl->next_record_offset )
1789 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1790 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1791 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1792 }
1793
1794 ssl->in_left -= ssl->next_record_offset;
1795
1796 if( ssl->in_left != 0 )
1797 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1798 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1799 ssl->next_record_offset ) );
1800 memmove( ssl->in_hdr,
1801 ssl->in_hdr + ssl->next_record_offset,
1802 ssl->in_left );
1803 }
1804
1805 ssl->next_record_offset = 0;
1806 }
1807
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1810
1811 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1812 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1813 */
1814 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1815 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1816 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1817 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1818 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1819
1820 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1821 * A record can't be split across datagrams. If we need to read but
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1822 * are not at the beginning of a new record, the caller did something
1823 * wrong.
1824 */
1825 if( ssl->in_left != 0 )
1826 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1828 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1829 }
1830
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1831 /*
1832 * Don't even try to read if time's out already.
1833 * This avoids by-passing the timer when repeatedly receiving messages
1834 * that will end up being dropped.
1835 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1836 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1837 {
1838 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1839 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1840 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1841 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1842 {
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1843 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1844
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1846 timeout = ssl->handshake->retransmit_timeout;
1847 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1848 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1849
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1850 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1851
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1852 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1853 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
1854 timeout );
1855 else
1856 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
1857
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1859
1860 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1861 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1862 }
1863
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1864 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1865 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1866 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]1867 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1869 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1870 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1871 if( ssl_double_retransmit_timeout( ssl ) != 0 )
1872 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1873 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1874 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1875 }
1876
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1877 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1878 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1880 return( ret );
1881 }
1882
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1883 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1884 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1886 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1887 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1888 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1889 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1890 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1891 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
1892 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1893 return( ret );
1894 }
1895
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1896 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1897 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1898#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1899 }
1900
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 if( ret < 0 )
1902 return( ret );
1903
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1904 ssl->in_left = ret;
1905 }
1906 else
1907#endif
1908 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1909 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1910 ssl->in_left, nb_want ) );
1911
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1912 while( ssl->in_left < nb_want )
1913 {
1914 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1915
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1916 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1917 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1918 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1919 {
1920 if( ssl->f_recv_timeout != NULL )
1921 {
1922 ret = ssl->f_recv_timeout( ssl->p_bio,
1923 ssl->in_hdr + ssl->in_left, len,
1924 ssl->conf->read_timeout );
1925 }
1926 else
1927 {
1928 ret = ssl->f_recv( ssl->p_bio,
1929 ssl->in_hdr + ssl->in_left, len );
1930 }
1931 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1932
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1933 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1934 ssl->in_left, nb_want ) );
1935 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1936
1937 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1939
1940 if( ret < 0 )
1941 return( ret );
1942
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]1943 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1944 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1945 MBEDTLS_SSL_DEBUG_MSG( 1,
1946 ( "f_recv returned %d bytes but only %lu were requested",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]1947 ret, (unsigned long)len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1948 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1949 }
1950
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1951 ssl->in_left += ret;
1952 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 }
1954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1955 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956
1957 return( 0 );
1958}
1959
1960/*
1961 * Flush any data not yet written
1962 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1965 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]1966 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1968 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1970 if( ssl->f_send == NULL )
1971 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1973 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1975 }
1976
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1977 /* Avoid incrementing counter if data is flushed */
1978 if( ssl->out_left == 0 )
1979 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1981 return( 0 );
1982 }
1983
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984 while( ssl->out_left > 0 )
1985 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1986 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]1987 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1988
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]1989 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1990 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1991
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1992 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1993
1994 if( ret <= 0 )
1995 return( ret );
1996
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]1997 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]1998 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1999 MBEDTLS_SSL_DEBUG_MSG( 1,
2000 ( "f_send returned %d bytes but only %lu bytes were sent",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]2001 ret, (unsigned long)ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]2002 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2003 }
2004
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005 ssl->out_left -= ret;
2006 }
2007
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2008#if defined(MBEDTLS_SSL_PROTO_DTLS)
2009 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2010 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2011 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2012 }
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2013 else
2014#endif
2015 {
2016 ssl->out_hdr = ssl->out_buf + 8;
2017 }
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2018 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2020 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021
2022 return( 0 );
2023}
2024
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2025/*
2026 * Functions to handle the DTLS retransmission state machine
2027 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2028#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2029/*
2030 * Append current handshake message to current outgoing flight
2031 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2032static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2033{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]2035 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2036 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2037 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2038
2039 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]2040 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2041 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]2042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2043 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]2044 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2045 }
2046
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]2047 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2048 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]2049 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2050 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]2051 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2052 }
2053
2054 /* Copy current handshake message with headers */
2055 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2056 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2057 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2058 msg->next = NULL;
2059
2060 /* Append to the current flight */
2061 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2062 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2063 else
2064 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2065 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2066 while( cur->next != NULL )
2067 cur = cur->next;
2068 cur->next = msg;
2069 }
2070
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]2071 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2072 return( 0 );
2073}
2074
2075/*
2076 * Free the current flight of handshake messages
2077 */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2078void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2079{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2080 mbedtls_ssl_flight_item *cur = flight;
2081 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2082
2083 while( cur != NULL )
2084 {
2085 next = cur->next;
2086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2087 mbedtls_free( cur->p );
2088 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2089
2090 cur = next;
2091 }
2092}
2093
2094/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2095 * Swap transform_out and out_ctr with the alternative ones
2096 */
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2097static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2098{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2099 mbedtls_ssl_transform *tmp_transform;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2100 unsigned char tmp_out_ctr[8];
2101
2102 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2103 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2104 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2105 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2106 }
2107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2108 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2109
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2110 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2111 tmp_transform = ssl->transform_out;
2112 ssl->transform_out = ssl->handshake->alt_transform_out;
2113 ssl->handshake->alt_transform_out = tmp_transform;
2114
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2115 /* Swap epoch + sequence_number */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]2116 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
2117 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2118 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2119
2120 /* Adjust to the newly activated transform */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2121 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2123#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2124 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2125 {
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2126 int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND );
2127 if( ret != 0 )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2128 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2129 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
2130 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2131 }
2132 }
2133#endif
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2134
2135 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2136}
2137
2138/*
2139 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2140 */
2141int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2142{
2143 int ret = 0;
2144
2145 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2146
2147 ret = mbedtls_ssl_flight_transmit( ssl );
2148
2149 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2150
2151 return( ret );
2152}
2153
2154/*
2155 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2156 *
2157 * Need to remember the current message in case flush_output returns
2158 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2159 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2160 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2161int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2162{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2163 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2165
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2166 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2167 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2168 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2169
2170 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2171 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2172 ret = ssl_swap_epochs( ssl );
2173 if( ret != 0 )
2174 return( ret );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2175
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2176 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2177 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2178
2179 while( ssl->handshake->cur_msg != NULL )
2180 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2181 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2182 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2183
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2184 int const is_finished =
2185 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2186 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2187
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2188 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2189 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2190
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2191 /* Swap epochs before sending Finished: we can't do it after
2192 * sending ChangeCipherSpec, in case write returns WANT_READ.
2193 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2194 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2195 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2196 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2197 ret = ssl_swap_epochs( ssl );
2198 if( ret != 0 )
2199 return( ret );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2200 }
2201
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2202 ret = ssl_get_remaining_payload_in_datagram( ssl );
2203 if( ret < 0 )
2204 return( ret );
2205 max_frag_len = (size_t) ret;
2206
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2207 /* CCS is copied as is, while HS messages may need fragmentation */
2208 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2209 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2210 if( max_frag_len == 0 )
2211 {
2212 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2213 return( ret );
2214
2215 continue;
2216 }
2217
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2218 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2219 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2220 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2221
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2222 /* Update position inside current message */
2223 ssl->handshake->cur_msg_p += cur->len;
2224 }
2225 else
2226 {
2227 const unsigned char * const p = ssl->handshake->cur_msg_p;
2228 const size_t hs_len = cur->len - 12;
2229 const size_t frag_off = p - ( cur->p + 12 );
2230 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2231 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2232
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2233 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +0200[diff] [blame]2234 {
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2235 if( is_finished )
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2236 {
2237 ret = ssl_swap_epochs( ssl );
2238 if( ret != 0 )
2239 return( ret );
2240 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2241
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2242 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2243 return( ret );
2244
2245 continue;
2246 }
2247 max_hs_frag_len = max_frag_len - 12;
2248
2249 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2250 max_hs_frag_len : rem_len;
2251
2252 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2253 {
2254 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2255 (unsigned) cur_hs_frag_len,
2256 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2257 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]2258
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2259 /* Messages are stored with handshake headers as if not fragmented,
2260 * copy beginning of headers then fill fragmentation fields.
2261 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2262 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2263
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2264 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
2265 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
2266 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
2267
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2268 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
2269 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
2270 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2271
2272 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2273
Hanno Becker3f7b9732018-08-28 09:53:25 +0100[diff] [blame]2274 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2275 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2276 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2277 ssl->out_msgtype = cur->type;
2278
2279 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2280 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2281 }
2282
2283 /* If done with the current message move to the next one if any */
2284 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2285 {
2286 if( cur->next != NULL )
2287 {
2288 ssl->handshake->cur_msg = cur->next;
2289 ssl->handshake->cur_msg_p = cur->next->p + 12;
2290 }
2291 else
2292 {
2293 ssl->handshake->cur_msg = NULL;
2294 ssl->handshake->cur_msg_p = NULL;
2295 }
2296 }
2297
2298 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2299 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2300 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2301 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2302 return( ret );
2303 }
2304 }
2305
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2306 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2307 return( ret );
2308
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2309 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2311 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +0200[diff] [blame]2312 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2313 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2314 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2315 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2316 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2317
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2318 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2319
2320 return( 0 );
2321}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2322
2323/*
2324 * To be called when the last message of an incoming flight is received.
2325 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2326void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2327{
2328 /* We won't need to resend that one any more */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2329 mbedtls_ssl_flight_free( ssl->handshake->flight );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2330 ssl->handshake->flight = NULL;
2331 ssl->handshake->cur_msg = NULL;
2332
2333 /* The next incoming flight will start with this msg_seq */
2334 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2335
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2336 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]2337 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2338
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2339 /* Clear future message buffering structure. */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2340 mbedtls_ssl_buffering_free( ssl );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2341
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2342 /* Cancel timer */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2343 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2345 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2346 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2347 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2348 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2349 }
2350 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2351 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2352}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2353
2354/*
2355 * To be called when the last message of an outgoing flight is send.
2356 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2357void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2358{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2359 ssl_reset_retransmit_timeout( ssl );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2360 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2362 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2363 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2364 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2365 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2366 }
2367 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2368 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2369}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2370#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2371
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2372/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2373 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2374 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2375
2376/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2377 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2378 *
2379 * - fill in handshake headers
2380 * - update handshake checksum
2381 * - DTLS: save message for resending
2382 * - then pass to the record layer
2383 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2384 * DTLS: except for HelloRequest, messages are only queued, and will only be
2385 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2386 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2387 * Inputs:
2388 * - ssl->out_msglen: 4 + actual handshake message len
2389 * (4 is the size of handshake headers for TLS)
2390 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2391 * - ssl->out_msg + 4: the handshake message body
2392 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +0200[diff] [blame]2393 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2394 * - ssl->out_msglen: the length of the record contents
2395 * (including handshake headers but excluding record headers)
2396 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2397 */
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2398int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2399{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2400 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2401 const size_t hs_len = ssl->out_msglen - 4;
2402 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2403
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2404 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2405
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2406 /*
2407 * Sanity checks
2408 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2409 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2410 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2411 {
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2412 /* In SSLv3, the client might send a NoCertificate alert. */
2413#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
2414 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
2415 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
2416 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
2417#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
2418 {
2419 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2420 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2421 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2422 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2423
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2424 /* Whenever we send anything different from a
2425 * HelloRequest we should be in a handshake - double check. */
2426 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2427 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2428 ssl->handshake == NULL )
2429 {
2430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2431 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2432 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2434#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2435 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2436 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2437 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2438 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2440 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2441 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2442#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2443
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]2444 /* Double-check that we did not exceed the bounds
2445 * of the outgoing record buffer.
2446 * This should never fail as the various message
2447 * writing functions must obey the bounds of the
2448 * outgoing record buffer, but better be safe.
2449 *
2450 * Note: We deliberately do not check for the MTU or MFL here.
2451 */
2452 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2453 {
2454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
2455 "size %u, maximum %u",
2456 (unsigned) ssl->out_msglen,
2457 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
2458 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2459 }
2460
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2461 /*
2462 * Fill handshake headers
2463 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2464 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2465 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2466 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
2467 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
2468 ssl->out_msg[3] = (unsigned char)( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2469
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2470 /*
2471 * DTLS has additional fields in the Handshake layer,
2472 * between the length field and the actual payload:
2473 * uint16 message_seq;
2474 * uint24 fragment_offset;
2475 * uint24 fragment_length;
2476 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2477#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2478 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2479 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2480 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2481 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2482 {
2483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
2484 "size %u, maximum %u",
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2485 (unsigned) ( hs_len ),
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2486 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2487 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2488 }
2489
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2490 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2491 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2492
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2493 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2494 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2495 {
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +0200[diff] [blame]2496 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
2497 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
2498 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2499 }
2500 else
2501 {
2502 ssl->out_msg[4] = 0;
2503 ssl->out_msg[5] = 0;
2504 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2505
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2506 /* Handshake hashes are computed without fragmentation,
2507 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2508 memset( ssl->out_msg + 6, 0x00, 3 );
2509 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2510 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2511#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2512
Hanno Becker0207e532018-08-28 10:28:28 +0100[diff] [blame]2513 /* Update running hashes of handshake messages seen */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2514 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2515 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516 }
2517
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2518 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2519#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2520 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2521 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2522 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2523 {
2524 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2525 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2526 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2527 return( ret );
2528 }
2529 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2530 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2531#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2532 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2533 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2534 {
2535 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2536 return( ret );
2537 }
2538 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2539
2540 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2541
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2542 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2543}
2544
2545/*
2546 * Record layer functions
2547 */
2548
2549/*
2550 * Write current record.
2551 *
2552 * Uses:
2553 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2554 * - ssl->out_msglen: length of the record content (excl headers)
2555 * - ssl->out_msg: record content
2556 */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2557int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2558{
2559 int ret, done = 0;
2560 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2561 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2562
2563 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2565#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2566 if( ssl->transform_out != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2567 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2568 {
2569 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2570 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2571 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2572 return( ret );
2573 }
2574
2575 len = ssl->out_msglen;
2576 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577#endif /*MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2579#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2580 if( mbedtls_ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2581 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2582 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2584 ret = mbedtls_ssl_hw_record_write( ssl );
2585 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2586 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2587 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
2588 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2589 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]2590
2591 if( ret == 0 )
2592 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2593 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2594#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2595 if( !done )
2596 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2597 unsigned i;
2598 size_t protected_record_size;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2599#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2600 size_t out_buf_len = ssl->out_buf_len;
2601#else
2602 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2603#endif
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2604 /* Skip writing the record content type to after the encryption,
2605 * as it may change when using the CID extension. */
2606
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2607 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2608 ssl->conf->transport, ssl->out_hdr + 1 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2609
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]2610 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2611 ssl->out_len[0] = (unsigned char)( len >> 8 );
2612 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2613
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2614 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2615 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2616 mbedtls_record rec;
2617
2618 rec.buf = ssl->out_iv;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2619 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2620 rec.data_len = ssl->out_msglen;
2621 rec.data_offset = ssl->out_msg - rec.buf;
2622
2623 memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
2624 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2625 ssl->conf->transport, rec.ver );
2626 rec.type = ssl->out_msgtype;
2627
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2628#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]2629 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2630 rec.cid_len = 0;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2631#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2632
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]2633 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2634 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2635 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2636 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2637 return( ret );
2638 }
2639
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2640 if( rec.data_offset != 0 )
2641 {
2642 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2643 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2644 }
2645
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2646 /* Update the record content type and CID. */
2647 ssl->out_msgtype = rec.type;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2648#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]2649 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2650#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker78f839d2019-03-14 12:56:23 +0000[diff] [blame]2651 ssl->out_msglen = len = rec.data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2652 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
2653 ssl->out_len[1] = (unsigned char)( rec.data_len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2654 }
2655
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]2656 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2657
2658#if defined(MBEDTLS_SSL_PROTO_DTLS)
2659 /* In case of DTLS, double-check that we don't exceed
2660 * the remaining space in the datagram. */
2661 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2662 {
Hanno Becker554b0af2018-08-22 20:33:41 +0100[diff] [blame]2663 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2664 if( ret < 0 )
2665 return( ret );
2666
2667 if( protected_record_size > (size_t) ret )
2668 {
2669 /* Should never happen */
2670 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2671 }
2672 }
2673#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2674
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2675 /* Now write the potentially updated record content type. */
2676 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2679 "version = [%d:%d], msglen = %d",
2680 ssl->out_hdr[0], ssl->out_hdr[1],
2681 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2683 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2684 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2685
2686 ssl->out_left += protected_record_size;
2687 ssl->out_hdr += protected_record_size;
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2688 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2689
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2690 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2691 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2692 break;
2693
2694 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2695 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2696 {
2697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2698 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2699 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2700 }
2701
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2702#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +0100[diff] [blame]2703 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2704 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2705 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +0100[diff] [blame]2706 size_t remaining;
2707 ret = ssl_get_remaining_payload_in_datagram( ssl );
2708 if( ret < 0 )
2709 {
2710 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2711 ret );
2712 return( ret );
2713 }
2714
2715 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2716 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2717 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2718 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2719 }
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2720 else
2721 {
Hanno Becker513815a2018-08-20 11:56:09 +0100[diff] [blame]2722 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2723 }
2724 }
2725#endif /* MBEDTLS_SSL_PROTO_DTLS */
2726
2727 if( ( flush == SSL_FORCE_FLUSH ) &&
2728 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2729 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2730 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2731 return( ret );
2732 }
2733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2734 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2735
2736 return( 0 );
2737}
2738
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2739#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2740
2741static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2742{
2743 if( ssl->in_msglen < ssl->in_hslen ||
2744 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
2745 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2746 {
2747 return( 1 );
2748 }
2749 return( 0 );
2750}
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2751
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2752static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2753{
2754 return( ( ssl->in_msg[9] << 16 ) |
2755 ( ssl->in_msg[10] << 8 ) |
2756 ssl->in_msg[11] );
2757}
2758
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2759static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2760{
2761 return( ( ssl->in_msg[6] << 16 ) |
2762 ( ssl->in_msg[7] << 8 ) |
2763 ssl->in_msg[8] );
2764}
2765
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2766static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2767{
2768 uint32_t msg_len, frag_off, frag_len;
2769
2770 msg_len = ssl_get_hs_total_len( ssl );
2771 frag_off = ssl_get_hs_frag_off( ssl );
2772 frag_len = ssl_get_hs_frag_len( ssl );
2773
2774 if( frag_off > msg_len )
2775 return( -1 );
2776
2777 if( frag_len > msg_len - frag_off )
2778 return( -1 );
2779
2780 if( frag_len + 12 > ssl->in_msglen )
2781 return( -1 );
2782
2783 return( 0 );
2784}
2785
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2786/*
2787 * Mark bits in bitmask (used for DTLS HS reassembly)
2788 */
2789static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2790{
2791 unsigned int start_bits, end_bits;
2792
2793 start_bits = 8 - ( offset % 8 );
2794 if( start_bits != 8 )
2795 {
2796 size_t first_byte_idx = offset / 8;
2797
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +0200[diff] [blame]2798 /* Special case */
2799 if( len <= start_bits )
2800 {
2801 for( ; len != 0; len-- )
2802 mask[first_byte_idx] |= 1 << ( start_bits - len );
2803
2804 /* Avoid potential issues with offset or len becoming invalid */
2805 return;
2806 }
2807
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2808 offset += start_bits; /* Now offset % 8 == 0 */
2809 len -= start_bits;
2810
2811 for( ; start_bits != 0; start_bits-- )
2812 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
2813 }
2814
2815 end_bits = len % 8;
2816 if( end_bits != 0 )
2817 {
2818 size_t last_byte_idx = ( offset + len ) / 8;
2819
2820 len -= end_bits; /* Now len % 8 == 0 */
2821
2822 for( ; end_bits != 0; end_bits-- )
2823 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
2824 }
2825
2826 memset( mask + offset / 8, 0xFF, len / 8 );
2827}
2828
2829/*
2830 * Check that bitmask is full
2831 */
2832static int ssl_bitmask_check( unsigned char *mask, size_t len )
2833{
2834 size_t i;
2835
2836 for( i = 0; i < len / 8; i++ )
2837 if( mask[i] != 0xFF )
2838 return( -1 );
2839
2840 for( i = 0; i < len % 8; i++ )
2841 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2842 return( -1 );
2843
2844 return( 0 );
2845}
2846
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2847/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +0100[diff] [blame]2848static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2849 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2850{
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2851 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2852
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2853 alloc_len = 12; /* Handshake header */
2854 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2855
Hanno Beckerd07df862018-08-16 09:14:58 +0100[diff] [blame]2856 if( add_bitmap )
2857 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2858
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2859 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2860}
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2862#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2863
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2864static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2865{
2866 return( ( ssl->in_msg[1] << 16 ) |
2867 ( ssl->in_msg[2] << 8 ) |
2868 ssl->in_msg[3] );
2869}
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2870
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2871int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2872{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2873 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2874 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2876 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2877 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2878 }
2879
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2880 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2881
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2882 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2883 " %d, type = %d, hslen = %d",
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2884 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2885
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2886#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2887 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2888 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2889 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2890 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2891
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2892 if( ssl_check_hs_header( ssl ) != 0 )
2893 {
2894 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
2895 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2896 }
2897
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2898 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]2899 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
2900 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
2901 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
2902 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2903 {
Hanno Becker9e1ec222018-08-15 15:54:43 +0100[diff] [blame]2904 if( recv_msg_seq > ssl->handshake->in_msg_seq )
2905 {
2906 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
2907 recv_msg_seq,
2908 ssl->handshake->in_msg_seq ) );
2909 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2910 }
2911
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +0200[diff] [blame]2912 /* Retransmit only on last message from previous flight, to avoid
2913 * too many retransmissions.
2914 * Besides, No sane server ever retransmits HelloVerifyRequest */
2915 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2916 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2917 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2918 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2919 "message_seq = %d, start_of_flight = %d",
2920 recv_msg_seq,
2921 ssl->handshake->in_flight_start_seq ) );
2922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2923 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2924 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2925 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2926 return( ret );
2927 }
2928 }
2929 else
2930 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2931 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2932 "message_seq = %d, expected = %d",
2933 recv_msg_seq,
2934 ssl->handshake->in_msg_seq ) );
2935 }
2936
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]2937 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2938 }
2939 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2940
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2941 /* Message reassembly is handled alongside buffering of future
2942 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +0100[diff] [blame]2943 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2944 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2945 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2946 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2947 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2948 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2949 }
2950 }
2951 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2952#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2953 /* With TLS we don't handle fragmentation (for now) */
2954 if( ssl->in_msglen < ssl->in_hslen )
2955 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2956 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
2957 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2958 }
2959
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2960 return( 0 );
2961}
2962
2963void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
2964{
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2965 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2966
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2967 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]2968 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2969 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]2970 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2971
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2972 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2973#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2974 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2975 ssl->handshake != NULL )
2976 {
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2977 unsigned offset;
2978 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2979
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2980 /* Increment handshake sequence number */
2981 hs->in_msg_seq++;
2982
2983 /*
2984 * Clear up handshake buffering and reassembly structure.
2985 */
2986
2987 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]2988 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2989
2990 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]2991 for( offset = 0, hs_buf = &hs->buffering.hs[0];
2992 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2993 offset++, hs_buf++ )
2994 {
2995 *hs_buf = *(hs_buf + 1);
2996 }
2997
2998 /* Create a fresh last entry */
2999 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3000 }
3001#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3002}
3003
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3004/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3005 * DTLS anti-replay: RFC 6347 4.1.2.6
3006 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3007 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3008 * Bit n is set iff record number in_window_top - n has been seen.
3009 *
3010 * Usually, in_window_top is the last record number seen and the lsb of
3011 * in_window is set. The only exception is the initial state (record number 0
3012 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3013 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3014#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]3015void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3016{
3017 ssl->in_window_top = 0;
3018 ssl->in_window = 0;
3019}
3020
3021static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3022{
3023 return( ( (uint64_t) buf[0] << 40 ) |
3024 ( (uint64_t) buf[1] << 32 ) |
3025 ( (uint64_t) buf[2] << 24 ) |
3026 ( (uint64_t) buf[3] << 16 ) |
3027 ( (uint64_t) buf[4] << 8 ) |
3028 ( (uint64_t) buf[5] ) );
3029}
3030
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3031static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
3032{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3033 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3034 unsigned char *original_in_ctr;
3035
3036 // save original in_ctr
3037 original_in_ctr = ssl->in_ctr;
3038
3039 // use counter from record
3040 ssl->in_ctr = record_in_ctr;
3041
3042 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3043
3044 // restore the counter
3045 ssl->in_ctr = original_in_ctr;
3046
3047 return ret;
3048}
3049
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3050/*
3051 * Return 0 if sequence number is acceptable, -1 otherwise
3052 */
Hanno Becker0183d692019-07-12 08:50:37 +0100[diff] [blame]3053int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3054{
3055 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3056 uint64_t bit;
3057
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3058 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3059 return( 0 );
3060
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3061 if( rec_seqnum > ssl->in_window_top )
3062 return( 0 );
3063
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3064 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3065
3066 if( bit >= 64 )
3067 return( -1 );
3068
3069 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3070 return( -1 );
3071
3072 return( 0 );
3073}
3074
3075/*
3076 * Update replay window on new validated record
3077 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3078void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3079{
3080 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3081
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3082 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3083 return;
3084
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3085 if( rec_seqnum > ssl->in_window_top )
3086 {
3087 /* Update window_top and the contents of the window */
3088 uint64_t shift = rec_seqnum - ssl->in_window_top;
3089
3090 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3091 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3092 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3093 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3094 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3095 ssl->in_window |= 1;
3096 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3097
3098 ssl->in_window_top = rec_seqnum;
3099 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3100 else
3101 {
3102 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3103 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3104
3105 if( bit < 64 ) /* Always true, but be extra sure */
3106 ssl->in_window |= (uint64_t) 1 << bit;
3107 }
3108}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3109#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3110
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3111#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3112/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3113 * Without any SSL context, check if a datagram looks like a ClientHello with
3114 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +0100[diff] [blame]3115 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3116 *
3117 * - if cookie is valid, return 0
3118 * - if ClientHello looks superficially valid but cookie is not,
3119 * fill obuf and set olen, then
3120 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3121 * - otherwise return a specific error code
3122 */
3123static int ssl_check_dtls_clihlo_cookie(
3124 mbedtls_ssl_cookie_write_t *f_cookie_write,
3125 mbedtls_ssl_cookie_check_t *f_cookie_check,
3126 void *p_cookie,
3127 const unsigned char *cli_id, size_t cli_id_len,
3128 const unsigned char *in, size_t in_len,
3129 unsigned char *obuf, size_t buf_len, size_t *olen )
3130{
3131 size_t sid_len, cookie_len;
3132 unsigned char *p;
3133
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3134 /*
3135 * Structure of ClientHello with record and handshake headers,
3136 * and expected values. We don't need to check a lot, more checks will be
3137 * done when actually parsing the ClientHello - skipping those checks
3138 * avoids code duplication and does not make cookie forging any easier.
3139 *
3140 * 0-0 ContentType type; copied, must be handshake
3141 * 1-2 ProtocolVersion version; copied
3142 * 3-4 uint16 epoch; copied, must be 0
3143 * 5-10 uint48 sequence_number; copied
3144 * 11-12 uint16 length; (ignored)
3145 *
3146 * 13-13 HandshakeType msg_type; (ignored)
3147 * 14-16 uint24 length; (ignored)
3148 * 17-18 uint16 message_seq; copied
3149 * 19-21 uint24 fragment_offset; copied, must be 0
3150 * 22-24 uint24 fragment_length; (ignored)
3151 *
3152 * 25-26 ProtocolVersion client_version; (ignored)
3153 * 27-58 Random random; (ignored)
3154 * 59-xx SessionID session_id; 1 byte len + sid_len content
3155 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3156 * ...
3157 *
3158 * Minimum length is 61 bytes.
3159 */
3160 if( in_len < 61 ||
3161 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3162 in[3] != 0 || in[4] != 0 ||
3163 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3164 {
3165 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3166 }
3167
3168 sid_len = in[59];
3169 if( sid_len > in_len - 61 )
3170 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3171
3172 cookie_len = in[60 + sid_len];
3173 if( cookie_len > in_len - 60 )
3174 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3175
3176 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3177 cli_id, cli_id_len ) == 0 )
3178 {
3179 /* Valid cookie */
3180 return( 0 );
3181 }
3182
3183 /*
3184 * If we get here, we've got an invalid cookie, let's prepare HVR.
3185 *
3186 * 0-0 ContentType type; copied
3187 * 1-2 ProtocolVersion version; copied
3188 * 3-4 uint16 epoch; copied
3189 * 5-10 uint48 sequence_number; copied
3190 * 11-12 uint16 length; olen - 13
3191 *
3192 * 13-13 HandshakeType msg_type; hello_verify_request
3193 * 14-16 uint24 length; olen - 25
3194 * 17-18 uint16 message_seq; copied
3195 * 19-21 uint24 fragment_offset; copied
3196 * 22-24 uint24 fragment_length; olen - 25
3197 *
3198 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3199 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3200 *
3201 * Minimum length is 28.
3202 */
3203 if( buf_len < 28 )
3204 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3205
3206 /* Copy most fields and adapt others */
3207 memcpy( obuf, in, 25 );
3208 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3209 obuf[25] = 0xfe;
3210 obuf[26] = 0xff;
3211
3212 /* Generate and write actual cookie */
3213 p = obuf + 28;
3214 if( f_cookie_write( p_cookie,
3215 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3216 {
3217 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3218 }
3219
3220 *olen = p - obuf;
3221
3222 /* Go back and fill length fields */
3223 obuf[27] = (unsigned char)( *olen - 28 );
3224
3225 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
3226 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
3227 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
3228
3229 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
3230 obuf[12] = (unsigned char)( ( *olen - 13 ) );
3231
3232 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3233}
3234
3235/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3236 * Handle possible client reconnect with the same UDP quadruplet
3237 * (RFC 6347 Section 4.2.8).
3238 *
3239 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3240 * that looks like a ClientHello.
3241 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3242 * - if the input looks like a ClientHello without cookies,
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3243 * send back HelloVerifyRequest, then return 0
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3244 * - if the input looks like a ClientHello with a valid cookie,
3245 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]3246 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3247 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3248 *
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3249 * This function is called (through ssl_check_client_reconnect()) when an
3250 * unexpected record is found in ssl_get_next_record(), which will discard the
3251 * record if we return 0, and bubble up the return value otherwise (this
3252 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3253 * errors, and is the right thing to do in both cases).
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3254 */
3255static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3256{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3257 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3258 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3259
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3260 if( ssl->conf->f_cookie_write == NULL ||
3261 ssl->conf->f_cookie_check == NULL )
3262 {
3263 /* If we can't use cookies to verify reachability of the peer,
3264 * drop the record. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3265 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3266 "can't check reconnect validity" ) );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3267 return( 0 );
3268 }
3269
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3270 ret = ssl_check_dtls_clihlo_cookie(
3271 ssl->conf->f_cookie_write,
3272 ssl->conf->f_cookie_check,
3273 ssl->conf->p_cookie,
3274 ssl->cli_id, ssl->cli_id_len,
3275 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3276 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3277
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3278 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3279
3280 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3281 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3282 int send_ret;
3283 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3284 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3285 ssl->out_buf, len );
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]3286 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3287 * If the error is permanent we'll catch it later,
3288 * if it's not, then hopefully it'll work next time. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3289 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3290 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3291 (void) send_ret;
3292
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3293 return( 0 );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3294 }
3295
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3296 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3297 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
Hanno Becker43aefe22020-02-05 10:44:56 +0000[diff] [blame]3299 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3300 {
3301 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3302 return( ret );
3303 }
3304
3305 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3306 }
3307
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3308 return( ret );
3309}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3310#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3311
Hanno Beckerf661c9c2019-05-03 13:25:54 +0100[diff] [blame]3312static int ssl_check_record_type( uint8_t record_type )
3313{
3314 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3315 record_type != MBEDTLS_SSL_MSG_ALERT &&
3316 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3317 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3318 {
3319 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3320 }
3321
3322 return( 0 );
3323}
3324
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3325/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3326 * ContentType type;
3327 * ProtocolVersion version;
3328 * uint16 epoch; // DTLS only
3329 * uint48 sequence_number; // DTLS only
3330 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3331 *
3332 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3333 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3334 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3335 *
3336 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3337 * 1. proceed with the record if this function returns 0
3338 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3339 * 3. return CLIENT_RECONNECT if this function return that value
3340 * 4. drop the whole datagram if this function returns anything else.
3341 * Point 2 is needed when the peer is resending, and we have already received
3342 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3343 */
Hanno Becker331de3d2019-07-12 11:10:16 +0100[diff] [blame]3344static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3345 unsigned char *buf,
3346 size_t len,
3347 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3348{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3349 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3350
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3351 size_t const rec_hdr_type_offset = 0;
3352 size_t const rec_hdr_type_len = 1;
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3353
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3354 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3355 rec_hdr_type_len;
3356 size_t const rec_hdr_version_len = 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3357
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3358 size_t const rec_hdr_ctr_len = 8;
3359#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3360 uint32_t rec_epoch;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3361 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3362 rec_hdr_version_len;
3363
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3364#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3365 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3366 rec_hdr_ctr_len;
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3367 size_t rec_hdr_cid_len = 0;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3368#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3369#endif /* MBEDTLS_SSL_PROTO_DTLS */
3370
3371 size_t rec_hdr_len_offset; /* To be determined */
3372 size_t const rec_hdr_len_len = 2;
3373
3374 /*
3375 * Check minimum lengths for record header.
3376 */
3377
3378#if defined(MBEDTLS_SSL_PROTO_DTLS)
3379 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3380 {
3381 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3382 }
3383 else
3384#endif /* MBEDTLS_SSL_PROTO_DTLS */
3385 {
3386 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3387 }
3388
3389 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3390 {
3391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3392 (unsigned) len,
3393 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3394 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3395 }
3396
3397 /*
3398 * Parse and validate record content type
3399 */
3400
3401 rec->type = buf[ rec_hdr_type_offset ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3402
3403 /* Check record content type */
3404#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3405 rec->cid_len = 0;
3406
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3407 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3408 ssl->conf->cid_len != 0 &&
3409 rec->type == MBEDTLS_SSL_MSG_CID )
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3410 {
3411 /* Shift pointers to account for record header including CID
3412 * struct {
3413 * ContentType special_type = tls12_cid;
3414 * ProtocolVersion version;
3415 * uint16 epoch;
3416 * uint48 sequence_number;
Hanno Becker8e55b0f2019-05-23 17:03:19 +0100[diff] [blame]3417 * opaque cid[cid_length]; // Additional field compared to
3418 * // default DTLS record format
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3419 * uint16 length;
3420 * opaque enc_content[DTLSCiphertext.length];
3421 * } DTLSCiphertext;
3422 */
3423
3424 /* So far, we only support static CID lengths
3425 * fixed in the configuration. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3426 rec_hdr_cid_len = ssl->conf->cid_len;
3427 rec_hdr_len_offset += rec_hdr_cid_len;
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3428
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3429 if( len < rec_hdr_len_offset + rec_hdr_len_len )
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3430 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3432 (unsigned) len,
3433 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
Hanno Becker59be60e2019-07-10 14:53:43 +0100[diff] [blame]3434 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3435 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3436
Manuel Pégourié-Gonnard7e821b52019-08-02 10:17:15 +0200[diff] [blame]3437 /* configured CID len is guaranteed at most 255, see
3438 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3439 rec->cid_len = (uint8_t) rec_hdr_cid_len;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3440 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3441 }
3442 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3443#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3444 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3445 if( ssl_check_record_type( rec->type ) )
3446 {
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]3447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3448 (unsigned) rec->type ) );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3449 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3450 }
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3451 }
3452
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3453 /*
3454 * Parse and validate record version
3455 */
3456
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3457 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3458 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3459 mbedtls_ssl_read_version( &major_ver, &minor_ver,
3460 ssl->conf->transport,
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3461 &rec->ver[0] );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3462
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3463 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3464 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3466 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3467 }
3468
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3469 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3470 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3472 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3473 }
3474
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3475 /*
3476 * Parse/Copy record sequence number.
3477 */
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3478
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3479#if defined(MBEDTLS_SSL_PROTO_DTLS)
3480 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3481 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3482 /* Copy explicit record sequence number from input buffer. */
3483 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3484 rec_hdr_ctr_len );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3485 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3486 else
3487#endif /* MBEDTLS_SSL_PROTO_DTLS */
3488 {
3489 /* Copy implicit record sequence number from SSL context structure. */
3490 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3491 }
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3492
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3493 /*
3494 * Parse record length.
3495 */
3496
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3497 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
Hanno Becker9eca2762019-07-25 10:16:37 +0100[diff] [blame]3498 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3499 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3500 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3501
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3502 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
Hanno Becker92d30f52019-05-23 17:03:44 +0100[diff] [blame]3503 "version = [%d:%d], msglen = %d",
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3504 rec->type,
3505 major_ver, minor_ver, rec->data_len ) );
3506
3507 rec->buf = buf;
3508 rec->buf_len = rec->data_offset + rec->data_len;
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3509
Hanno Beckerd417cc92019-07-26 08:20:27 +0100[diff] [blame]3510 if( rec->data_len == 0 )
3511 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3512
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3513 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]3514 * DTLS-related tests.
3515 * Check epoch before checking length constraint because
3516 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3517 * message gets duplicated before the corresponding Finished message,
3518 * the second ChangeCipherSpec should be discarded because it belongs
3519 * to an old epoch, but not because its length is shorter than
3520 * the minimum record length for packets using the new record transform.
3521 * Note that these two kinds of failures are handled differently,
3522 * as an unexpected record is silently skipped but an invalid
3523 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3524 */
3525#if defined(MBEDTLS_SSL_PROTO_DTLS)
3526 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3527 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3528 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3529
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3530 /* Check that the datagram is large enough to contain a record
3531 * of the advertised length. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3532 if( len < rec->data_offset + rec->data_len )
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3533 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3534 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3535 (unsigned) len,
3536 (unsigned)( rec->data_offset + rec->data_len ) ) );
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3537 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3538 }
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3539
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3540 /* Records from other, non-matching epochs are silently discarded.
3541 * (The case of same-port Client reconnects must be considered in
3542 * the caller). */
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3543 if( rec_epoch != ssl->in_epoch )
3544 {
3545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3546 "expected %d, received %d",
3547 ssl->in_epoch, rec_epoch ) );
3548
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3549 /* Records from the next epoch are considered for buffering
3550 * (concretely: early Finished messages). */
3551 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3552 {
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3553 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3554 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3555 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]3556
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3557 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3558 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3559#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3560 /* For records from the correct epoch, check whether their
3561 * sequence number has been seen before. */
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3562 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3563 &rec->ctr[0] ) != 0 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3564 {
3565 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3566 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3567 }
3568#endif
3569 }
3570#endif /* MBEDTLS_SSL_PROTO_DTLS */
3571
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3572 return( 0 );
3573}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3574
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3575
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3576#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3577static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3578{
3579 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3580
3581 /*
3582 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3583 * access the first byte of record content (handshake type), as we
3584 * have an active transform (possibly iv_len != 0), so use the
3585 * fact that the record header len is 13 instead.
3586 */
3587 if( rec_epoch == 0 &&
3588 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3589 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3590 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3591 ssl->in_left > 13 &&
3592 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3593 {
3594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3595 "from the same port" ) );
3596 return( ssl_handle_possible_reconnect( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3597 }
3598
3599 return( 0 );
3600}
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3601#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3602
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3603/*
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]3604 * If applicable, decrypt record content
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3605 */
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3606static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3607 mbedtls_record *rec )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3608{
3609 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]3610
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3611 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3612 rec->buf, rec->buf_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3614#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3615 if( mbedtls_ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3616 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3617 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3618
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3619 ret = mbedtls_ssl_hw_record_read( ssl );
3620 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3621 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3622 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
3623 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3624 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]3625
3626 if( ret == 0 )
3627 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3628 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3629#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3630 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3631 {
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3632 unsigned char const old_msg_type = rec->type;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3633
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]3634 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3635 rec ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3636 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3637 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3638
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3639#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3640 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3641 ssl->conf->ignore_unexpected_cid
3642 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3643 {
Hanno Beckere8d6afd2019-05-24 10:11:06 +0100[diff] [blame]3644 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3645 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3646 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3647#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3648
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3649 return( ret );
3650 }
3651
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3652 if( old_msg_type != rec->type )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3653 {
3654 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3655 old_msg_type, rec->type ) );
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3656 }
3657
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3658 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3659 rec->buf + rec->data_offset, rec->data_len );
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3660
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3661#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3662 /* We have already checked the record content type
3663 * in ssl_parse_record_header(), failing or silently
3664 * dropping the record in the case of an unknown type.
3665 *
3666 * Since with the use of CIDs, the record content type
3667 * might change during decryption, re-check the record
3668 * content type, but treat a failure as fatal this time. */
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3669 if( ssl_check_record_type( rec->type ) )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3670 {
3671 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3672 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3673 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3674#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3675
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3676 if( rec->data_len == 0 )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3677 {
3678#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3679 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3680 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3681 {
3682 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3683 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3684 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3685 }
3686#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3687
3688 ssl->nb_zero++;
3689
3690 /*
3691 * Three or more empty messages may be a DoS attack
3692 * (excessive CPU consumption).
3693 */
3694 if( ssl->nb_zero > 3 )
3695 {
3696 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
Hanno Becker6e7700d2019-05-08 10:38:32 +0100[diff] [blame]3697 "messages, possible DoS attack" ) );
3698 /* Treat the records as if they were not properly authenticated,
3699 * thereby failing the connection if we see more than allowed
3700 * by the configured bad MAC threshold. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3701 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3702 }
3703 }
3704 else
3705 ssl->nb_zero = 0;
3706
3707#if defined(MBEDTLS_SSL_PROTO_DTLS)
3708 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3709 {
3710 ; /* in_ctr read from peer, not maintained internally */
3711 }
3712 else
3713#endif
3714 {
3715 unsigned i;
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3716 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3717 if( ++ssl->in_ctr[i - 1] != 0 )
3718 break;
3719
3720 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3721 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3722 {
3723 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3724 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3725 }
3726 }
3727
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3728 }
3729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3730#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3731 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3732 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3733 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3734 }
3735#endif
3736
Hanno Beckerd96e10b2019-07-09 17:30:02 +0100[diff] [blame]3737 /* Check actual (decrypted) record content length against
3738 * configured maximum. */
3739 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
3740 {
3741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3742 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3743 }
3744
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3745 return( 0 );
3746}
3747
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3748/*
3749 * Read a record.
3750 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]3751 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3752 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3753 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3754 */
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]3755
3756/* Helper functions for mbedtls_ssl_read_record(). */
3757static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3758static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3759static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +0100[diff] [blame]3760
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3761int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3762 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3763{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3764 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3765
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3766 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3767
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3768 if( ssl->keep_current_message == 0 )
3769 {
3770 do {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3771
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3772 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3773 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3774 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3775
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3776 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3777 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3778#if defined(MBEDTLS_SSL_PROTO_DTLS)
3779 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3780
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3781 /* We only check for buffered messages if the
3782 * current datagram is fully consumed. */
3783 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3784 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3785 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3786 if( ssl_load_buffered_message( ssl ) == 0 )
3787 have_buffered = 1;
3788 }
3789
3790 if( have_buffered == 0 )
3791#endif /* MBEDTLS_SSL_PROTO_DTLS */
3792 {
3793 ret = ssl_get_next_record( ssl );
3794 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
3795 continue;
3796
3797 if( ret != 0 )
3798 {
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]3799 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3800 return( ret );
3801 }
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3802 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3803 }
3804
3805 ret = mbedtls_ssl_handle_message_type( ssl );
3806
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3807#if defined(MBEDTLS_SSL_PROTO_DTLS)
3808 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
3809 {
3810 /* Buffer future message */
3811 ret = ssl_buffer_message( ssl );
3812 if( ret != 0 )
3813 return( ret );
3814
3815 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3816 }
3817#endif /* MBEDTLS_SSL_PROTO_DTLS */
3818
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3819 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
3820 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3821
3822 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3823 {
Hanno Becker05c4fc82017-11-09 14:34:06 +0000[diff] [blame]3824 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3825 return( ret );
3826 }
3827
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3828 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3829 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3830 {
3831 mbedtls_ssl_update_handshake_status( ssl );
3832 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3833 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3834 else
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3835 {
Hanno Becker02f59072018-08-15 14:00:24 +0100[diff] [blame]3836 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3837 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3838 }
3839
3840 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3841
3842 return( 0 );
3843}
3844
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3845#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3846static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3847{
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3848 if( ssl->in_left > ssl->next_record_offset )
3849 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3850
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3851 return( 0 );
3852}
3853
3854static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
3855{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3856 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3857 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3858 int ret = 0;
3859
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3860 if( hs == NULL )
3861 return( -1 );
3862
Hanno Beckere00ae372018-08-20 09:39:42 +0100[diff] [blame]3863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
3864
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3865 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
3866 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3867 {
3868 /* Check if we have seen a ChangeCipherSpec before.
3869 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]3870 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3871 {
3872 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
3873 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +0100[diff] [blame]3874 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3875 }
3876
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]3877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3878 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
3879 ssl->in_msglen = 1;
3880 ssl->in_msg[0] = 1;
3881
3882 /* As long as they are equal, the exact value doesn't matter. */
3883 ssl->in_left = 0;
3884 ssl->next_record_offset = 0;
3885
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3886 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3887 goto exit;
3888 }
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3889
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3890#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3891 /* Debug only */
3892 {
3893 unsigned offset;
3894 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
3895 {
3896 hs_buf = &hs->buffering.hs[offset];
3897 if( hs_buf->is_valid == 1 )
3898 {
3899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
3900 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +0100[diff] [blame]3901 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3902 }
3903 }
3904 }
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3905#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3906
3907 /* Check if we have buffered and/or fully reassembled the
3908 * next handshake message. */
3909 hs_buf = &hs->buffering.hs[0];
3910 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
3911 {
3912 /* Synthesize a record containing the buffered HS message. */
3913 size_t msg_len = ( hs_buf->data[1] << 16 ) |
3914 ( hs_buf->data[2] << 8 ) |
3915 hs_buf->data[3];
3916
3917 /* Double-check that we haven't accidentally buffered
3918 * a message that doesn't fit into the input buffer. */
3919 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
3920 {
3921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3922 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3923 }
3924
3925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
3926 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
3927 hs_buf->data, msg_len + 12 );
3928
3929 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3930 ssl->in_hslen = msg_len + 12;
3931 ssl->in_msglen = msg_len + 12;
3932 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
3933
3934 ret = 0;
3935 goto exit;
3936 }
3937 else
3938 {
3939 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
3940 hs->in_msg_seq ) );
3941 }
3942
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3943 ret = -1;
3944
3945exit:
3946
3947 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
3948 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3949}
3950
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3951static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
3952 size_t desired )
3953{
3954 int offset;
3955 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
3957 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3958
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3959 /* Get rid of future records epoch first, if such exist. */
3960 ssl_free_buffered_record( ssl );
3961
3962 /* Check if we have enough space available now. */
3963 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3964 hs->buffering.total_bytes_buffered ) )
3965 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3966 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3967 return( 0 );
3968 }
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3969
Hanno Becker4f432ad2018-08-28 10:02:32 +0100[diff] [blame]3970 /* We don't have enough space to buffer the next expected handshake
3971 * message. Remove buffers used for future messages to gain space,
3972 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3973 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
3974 offset >= 0; offset-- )
3975 {
3976 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
3977 offset ) );
3978
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]3979 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3980
3981 /* Check if we have enough space available now. */
3982 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3983 hs->buffering.total_bytes_buffered ) )
3984 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3985 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3986 return( 0 );
3987 }
3988 }
3989
3990 return( -1 );
3991}
3992
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3993static int ssl_buffer_message( mbedtls_ssl_context *ssl )
3994{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3995 int ret = 0;
3996 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3997
3998 if( hs == NULL )
3999 return( 0 );
4000
4001 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4002
4003 switch( ssl->in_msgtype )
4004 {
4005 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4006 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4007
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4008 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4009 break;
4010
4011 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4012 {
4013 unsigned recv_msg_seq_offset;
4014 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4015 mbedtls_ssl_hs_buffer *hs_buf;
4016 size_t msg_len = ssl->in_hslen - 12;
4017
4018 /* We should never receive an old handshake
4019 * message - double-check nonetheless. */
4020 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4021 {
4022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4023 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4024 }
4025
4026 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4027 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4028 {
4029 /* Silently ignore -- message too far in the future */
4030 MBEDTLS_SSL_DEBUG_MSG( 2,
4031 ( "Ignore future HS message with sequence number %u, "
4032 "buffering window %u - %u",
4033 recv_msg_seq, ssl->handshake->in_msg_seq,
4034 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4035
4036 goto exit;
4037 }
4038
4039 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4040 recv_msg_seq, recv_msg_seq_offset ) );
4041
4042 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4043
4044 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4045 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4046 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4047 size_t reassembly_buf_sz;
4048
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4049 hs_buf->is_fragmented =
4050 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4051
4052 /* We copy the message back into the input buffer
4053 * after reassembly, so check that it's not too large.
4054 * This is an implementation-specific limitation
4055 * and not one from the standard, hence it is not
4056 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +0100[diff] [blame]4057 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4058 {
4059 /* Ignore message */
4060 goto exit;
4061 }
4062
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4063 /* Check if we have enough space to buffer the message. */
4064 if( hs->buffering.total_bytes_buffered >
4065 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4066 {
4067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4068 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4069 }
4070
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4071 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4072 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4073
4074 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4075 hs->buffering.total_bytes_buffered ) )
4076 {
4077 if( recv_msg_seq_offset > 0 )
4078 {
4079 /* If we can't buffer a future message because
4080 * of space limitations -- ignore. */
4081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4082 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4083 (unsigned) hs->buffering.total_bytes_buffered ) );
4084 goto exit;
4085 }
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]4086 else
4087 {
4088 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4089 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4090 (unsigned) hs->buffering.total_bytes_buffered ) );
4091 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4092
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4093 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4094 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4096 (unsigned) msg_len,
4097 (unsigned) reassembly_buf_sz,
4098 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4099 (unsigned) hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4100 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4101 goto exit;
4102 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4103 }
4104
4105 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4106 msg_len ) );
4107
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4108 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4109 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4110 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4111 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4112 goto exit;
4113 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4114 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4115
4116 /* Prepare final header: copy msg_type, length and message_seq,
4117 * then add standardised fragment_offset and fragment_length */
4118 memcpy( hs_buf->data, ssl->in_msg, 6 );
4119 memset( hs_buf->data + 6, 0, 3 );
4120 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4121
4122 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4123
4124 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4125 }
4126 else
4127 {
4128 /* Make sure msg_type and length are consistent */
4129 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4130 {
4131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4132 /* Ignore */
4133 goto exit;
4134 }
4135 }
4136
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4137 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4138 {
4139 size_t frag_len, frag_off;
4140 unsigned char * const msg = hs_buf->data + 12;
4141
4142 /*
4143 * Check and copy current fragment
4144 */
4145
4146 /* Validation of header fields already done in
4147 * mbedtls_ssl_prepare_handshake_record(). */
4148 frag_off = ssl_get_hs_frag_off( ssl );
4149 frag_len = ssl_get_hs_frag_len( ssl );
4150
4151 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
4152 frag_off, frag_len ) );
4153 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4154
4155 if( hs_buf->is_fragmented )
4156 {
4157 unsigned char * const bitmask = msg + msg_len;
4158 ssl_bitmask_set( bitmask, frag_off, frag_len );
4159 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4160 msg_len ) == 0 );
4161 }
4162 else
4163 {
4164 hs_buf->is_complete = 1;
4165 }
4166
4167 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4168 hs_buf->is_complete ? "" : "not yet " ) );
4169 }
4170
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4171 break;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4172 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4173
4174 default:
Hanno Becker360bef32018-08-28 10:04:33 +0100[diff] [blame]4175 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4176 break;
4177 }
4178
4179exit:
4180
4181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4182 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4183}
4184#endif /* MBEDTLS_SSL_PROTO_DTLS */
4185
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4186static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4187{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4188 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4189 * Consume last content-layer message and potentially
4190 * update in_msglen which keeps track of the contents'
4191 * consumption state.
4192 *
4193 * (1) Handshake messages:
4194 * Remove last handshake message, move content
4195 * and adapt in_msglen.
4196 *
4197 * (2) Alert messages:
4198 * Consume whole record content, in_msglen = 0.
4199 *
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4200 * (3) Change cipher spec:
4201 * Consume whole record content, in_msglen = 0.
4202 *
4203 * (4) Application data:
4204 * Don't do anything - the record layer provides
4205 * the application data as a stream transport
4206 * and consumes through mbedtls_ssl_read only.
4207 *
4208 */
4209
4210 /* Case (1): Handshake messages */
4211 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4212 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4213 /* Hard assertion to be sure that no application data
4214 * is in flight, as corrupting ssl->in_msglen during
4215 * ssl->in_offt != NULL is fatal. */
4216 if( ssl->in_offt != NULL )
4217 {
4218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4219 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4220 }
4221
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4222 /*
4223 * Get next Handshake message in the current record
4224 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4225
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4226 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4227 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4228 * current handshake content: If DTLS handshake
4229 * fragmentation is used, that's the fragment
4230 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4231 * size here is faulty and should be changed at
4232 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4233 * (2) While it doesn't seem to cause problems, one
4234 * has to be very careful not to assume that in_hslen
4235 * is always <= in_msglen in a sensible communication.
4236 * Again, it's wrong for DTLS handshake fragmentation.
4237 * The following check is therefore mandatory, and
4238 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4239 * Additionally, ssl->in_hslen might be arbitrarily out of
4240 * bounds after handling a DTLS message with an unexpected
4241 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4242 */
4243 if( ssl->in_hslen < ssl->in_msglen )
4244 {
4245 ssl->in_msglen -= ssl->in_hslen;
4246 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4247 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4248
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4249 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4250 ssl->in_msg, ssl->in_msglen );
4251 }
4252 else
4253 {
4254 ssl->in_msglen = 0;
4255 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +0200[diff] [blame]4256
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4257 ssl->in_hslen = 0;
4258 }
4259 /* Case (4): Application data */
4260 else if( ssl->in_offt != NULL )
4261 {
4262 return( 0 );
4263 }
4264 /* Everything else (CCS & Alerts) */
4265 else
4266 {
4267 ssl->in_msglen = 0;
4268 }
4269
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4270 return( 0 );
4271}
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4272
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4273static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4274{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4275 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4276 return( 1 );
4277
4278 return( 0 );
4279}
4280
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4281#if defined(MBEDTLS_SSL_PROTO_DTLS)
4282
4283static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4284{
4285 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4286 if( hs == NULL )
4287 return;
4288
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4289 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4290 {
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4291 hs->buffering.total_bytes_buffered -=
4292 hs->buffering.future_record.len;
4293
4294 mbedtls_free( hs->buffering.future_record.data );
4295 hs->buffering.future_record.data = NULL;
4296 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4297}
4298
4299static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4300{
4301 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4302 unsigned char * rec;
4303 size_t rec_len;
4304 unsigned rec_epoch;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4305#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4306 size_t in_buf_len = ssl->in_buf_len;
4307#else
4308 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4309#endif
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4310 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4311 return( 0 );
4312
4313 if( hs == NULL )
4314 return( 0 );
4315
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4316 rec = hs->buffering.future_record.data;
4317 rec_len = hs->buffering.future_record.len;
4318 rec_epoch = hs->buffering.future_record.epoch;
4319
4320 if( rec == NULL )
4321 return( 0 );
4322
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4323 /* Only consider loading future records if the
4324 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4325 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4326 return( 0 );
4327
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4328 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4329
4330 if( rec_epoch != ssl->in_epoch )
4331 {
4332 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4333 goto exit;
4334 }
4335
4336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4337
4338 /* Double-check that the record is not too large */
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4339 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4340 {
4341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4342 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4343 }
4344
4345 memcpy( ssl->in_hdr, rec, rec_len );
4346 ssl->in_left = rec_len;
4347 ssl->next_record_offset = 0;
4348
4349 ssl_free_buffered_record( ssl );
4350
4351exit:
4352 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4353 return( 0 );
4354}
4355
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4356static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4357 mbedtls_record const *rec )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4358{
4359 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4360
4361 /* Don't buffer future records outside handshakes. */
4362 if( hs == NULL )
4363 return( 0 );
4364
4365 /* Only buffer handshake records (we are only interested
4366 * in Finished messages). */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4367 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4368 return( 0 );
4369
4370 /* Don't buffer more than one future epoch record. */
4371 if( hs->buffering.future_record.data != NULL )
4372 return( 0 );
4373
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4374 /* Don't buffer record if there's not enough buffering space remaining. */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4375 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4376 hs->buffering.total_bytes_buffered ) )
4377 {
4378 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4379 (unsigned) rec->buf_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4380 (unsigned) hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4381 return( 0 );
4382 }
4383
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4384 /* Buffer record */
4385 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
4386 ssl->in_epoch + 1 ) );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4387 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4388
4389 /* ssl_parse_record_header() only considers records
4390 * of the next epoch as candidates for buffering. */
4391 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4392 hs->buffering.future_record.len = rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4393
4394 hs->buffering.future_record.data =
4395 mbedtls_calloc( 1, hs->buffering.future_record.len );
4396 if( hs->buffering.future_record.data == NULL )
4397 {
4398 /* If we run out of RAM trying to buffer a
4399 * record from the next epoch, just ignore. */
4400 return( 0 );
4401 }
4402
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4403 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4404
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4405 hs->buffering.total_bytes_buffered += rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4406 return( 0 );
4407}
4408
4409#endif /* MBEDTLS_SSL_PROTO_DTLS */
4410
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4411static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4412{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4413 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4414 mbedtls_record rec;
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4415
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4416#if defined(MBEDTLS_SSL_PROTO_DTLS)
4417 /* We might have buffered a future record; if so,
4418 * and if the epoch matches now, load it.
4419 * On success, this call will set ssl->in_left to
4420 * the length of the buffered record, so that
4421 * the calls to ssl_fetch_input() below will
4422 * essentially be no-ops. */
4423 ret = ssl_load_buffered_record( ssl );
4424 if( ret != 0 )
4425 return( ret );
4426#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4427
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]4428 /* Ensure that we have enough space available for the default form
4429 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4430 * with no space for CIDs counted in). */
4431 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4432 if( ret != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4433 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4434 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4435 return( ret );
4436 }
4437
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4438 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4439 if( ret != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4440 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4441#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4442 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4443 {
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4444 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4445 {
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4446 ret = ssl_buffer_future_record( ssl, &rec );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4447 if( ret != 0 )
4448 return( ret );
4449
4450 /* Fall through to handling of unexpected records */
4451 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4452 }
4453
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4454 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4455 {
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4456#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4457 /* Reset in pointers to default state for TLS/DTLS records,
4458 * assuming no CID and no offset between record content and
4459 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4460 mbedtls_ssl_update_in_pointers( ssl );
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4461
Hanno Becker7ae20e02019-07-12 08:33:49 +0100[diff] [blame]4462 /* Setup internal message pointers from record structure. */
4463 ssl->in_msgtype = rec.type;
4464#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4465 ssl->in_len = ssl->in_cid + rec.cid_len;
4466#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4467 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4468 ssl->in_msglen = rec.data_len;
4469
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4470 ret = ssl_check_client_reconnect( ssl );
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]4471 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4472 if( ret != 0 )
4473 return( ret );
4474#endif
4475
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4476 /* Skip unexpected record (but not whole datagram) */
Hanno Becker4acada32019-07-11 12:48:53 +0100[diff] [blame]4477 ssl->next_record_offset = rec.buf_len;
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4478
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4479 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4480 "(header)" ) );
4481 }
4482 else
4483 {
4484 /* Skip invalid record and the rest of the datagram */
4485 ssl->next_record_offset = 0;
4486 ssl->in_left = 0;
4487
4488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4489 "(header)" ) );
4490 }
4491
4492 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4493 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4494 }
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4495 else
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4496#endif
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4497 {
4498 return( ret );
4499 }
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4500 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4502#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4503 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4504 {
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4505 /* Remember offset of next record within datagram. */
Hanno Beckerf50da502019-07-11 12:50:10 +0100[diff] [blame]4506 ssl->next_record_offset = rec.buf_len;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4507 if( ssl->next_record_offset < ssl->in_left )
4508 {
4509 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4510 }
4511 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4512 else
4513#endif
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4514 {
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]4515 /*
4516 * Fetch record contents from underlying transport.
4517 */
Hanno Beckera3175662019-07-11 12:50:29 +0100[diff] [blame]4518 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4519 if( ret != 0 )
4520 {
4521 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4522 return( ret );
4523 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4524
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4525 ssl->in_left = 0;
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4526 }
4527
4528 /*
4529 * Decrypt record contents.
4530 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4531
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]4532 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4533 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4534#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4535 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4536 {
4537 /* Silently discard invalid records */
Hanno Becker82e2a392019-05-03 16:36:59 +0100[diff] [blame]4538 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4539 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4540 /* Except when waiting for Finished as a bad mac here
4541 * probably means something went wrong in the handshake
4542 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4543 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4544 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4545 {
4546#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4547 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4548 {
4549 mbedtls_ssl_send_alert_message( ssl,
4550 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4551 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4552 }
4553#endif
4554 return( ret );
4555 }
4556
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4557#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4558 if( ssl->conf->badmac_limit != 0 &&
4559 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4560 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4562 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4563 }
4564#endif
4565
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4566 /* As above, invalid records cause
4567 * dismissal of the whole datagram. */
4568
4569 ssl->next_record_offset = 0;
4570 ssl->in_left = 0;
4571
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4573 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4574 }
4575
4576 return( ret );
4577 }
4578 else
4579#endif
4580 {
4581 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4582#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4583 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4584 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4585 mbedtls_ssl_send_alert_message( ssl,
4586 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4587 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4588 }
4589#endif
4590 return( ret );
4591 }
4592 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4593
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4594
4595 /* Reset in pointers to default state for TLS/DTLS records,
4596 * assuming no CID and no offset between record content and
4597 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4598 mbedtls_ssl_update_in_pointers( ssl );
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4599#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4600 ssl->in_len = ssl->in_cid + rec.cid_len;
4601#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
irwir89af51f2019-09-26 21:04:56 +0300[diff] [blame]4602 ssl->in_iv = ssl->in_len + 2;
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4603
Hanno Becker8685c822019-07-12 09:37:30 +0100[diff] [blame]4604 /* The record content type may change during decryption,
4605 * so re-read it. */
4606 ssl->in_msgtype = rec.type;
4607 /* Also update the input buffer, because unfortunately
4608 * the server-side ssl_parse_client_hello() reparses the
4609 * record header when receiving a ClientHello initiating
4610 * a renegotiation. */
4611 ssl->in_hdr[0] = rec.type;
4612 ssl->in_msg = rec.buf + rec.data_offset;
4613 ssl->in_msglen = rec.data_len;
4614 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
4615 ssl->in_len[1] = (unsigned char)( rec.data_len );
4616
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]4617#if defined(MBEDTLS_ZLIB_SUPPORT)
4618 if( ssl->transform_in != NULL &&
4619 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
4620 {
4621 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4622 {
4623 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
4624 return( ret );
4625 }
4626
4627 /* Check actual (decompress) record content length against
4628 * configured maximum. */
4629 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4630 {
4631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4632 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4633 }
4634 }
4635#endif /* MBEDTLS_ZLIB_SUPPORT */
4636
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4637 return( 0 );
4638}
4639
4640int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4641{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4642 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4643
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]4644 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4645 * Handle particular types of records
4646 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4647 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4648 {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4649 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4650 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4651 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4652 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4653 }
4654
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4655 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4656 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4657 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4658 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4659 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
4660 ssl->in_msglen ) );
4661 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4662 }
4663
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4664 if( ssl->in_msg[0] != 1 )
4665 {
4666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4667 ssl->in_msg[0] ) );
4668 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4669 }
4670
4671#if defined(MBEDTLS_SSL_PROTO_DTLS)
4672 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4673 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4674 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4675 {
4676 if( ssl->handshake == NULL )
4677 {
4678 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4679 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4680 }
4681
4682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4683 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4684 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4685#endif
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4686 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4687
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4688 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4689 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]4690 if( ssl->in_msglen != 2 )
4691 {
4692 /* Note: Standard allows for more than one 2 byte alert
4693 to be packed in a single message, but Mbed TLS doesn't
4694 currently support this. */
4695 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
4696 ssl->in_msglen ) );
4697 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4698 }
4699
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4700 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4701 ssl->in_msg[0], ssl->in_msg[1] ) );
4702
4703 /*
Simon Butcher459a9502015-10-27 16:09:03 +0000[diff] [blame]4704 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4705 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4706 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4707 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4709 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4710 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4711 }
4712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4713 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4714 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4715 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4717 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4718 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4719
4720#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4721 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4722 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4723 {
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4724 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4725 /* Will be handled when trying to parse ServerHello */
4726 return( 0 );
4727 }
4728#endif
4729
4730#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
4731 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
4732 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4733 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4734 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
4735 {
4736 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
4737 /* Will be handled in mbedtls_ssl_parse_certificate() */
4738 return( 0 );
4739 }
4740#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
4741
4742 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4743 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4744 }
4745
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4746#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4747 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4748 {
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4749 /* Drop unexpected ApplicationData records,
4750 * except at the beginning of renegotiations */
4751 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4752 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4753#if defined(MBEDTLS_SSL_RENEGOTIATION)
4754 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4755 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4756#endif
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4757 )
4758 {
4759 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4760 return( MBEDTLS_ERR_SSL_NON_FATAL );
4761 }
4762
4763 if( ssl->handshake != NULL &&
4764 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
4765 {
Hanno Beckerce5f5fd2020-02-05 10:47:44 +0000[diff] [blame]4766 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4767 }
4768 }
Hanno Becker4a4af9f2019-05-08 16:26:21 +0100[diff] [blame]4769#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4770
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4771 return( 0 );
4772}
4773
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4774int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4775{
irwir6c0da642019-09-26 21:07:41 +0300[diff] [blame]4776 return( mbedtls_ssl_send_alert_message( ssl,
4777 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4778 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4779}
4780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4781int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4782 unsigned char level,
4783 unsigned char message )
4784{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4785 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4786
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]4787 if( ssl == NULL || ssl->conf == NULL )
4788 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4789
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4790 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4791 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4793 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4794 ssl->out_msglen = 2;
4795 ssl->out_msg[0] = level;
4796 ssl->out_msg[1] = message;
4797
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]4798 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4799 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4800 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4801 return( ret );
4802 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4803 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4804
4805 return( 0 );
4806}
4807
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4808int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4809{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4810 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4811
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4814 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4815 ssl->out_msglen = 1;
4816 ssl->out_msg[0] = 1;
4817
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4818 ssl->state++;
4819
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4820 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4821 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4822 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4823 return( ret );
4824 }
4825
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4826 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4827
4828 return( 0 );
4829}
4830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4831int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4832{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4833 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4834
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4835 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4836
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4837 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4838 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4839 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4840 return( ret );
4841 }
4842
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4843 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4844 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4845 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4846 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4847 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4848 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4849 }
4850
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4851 /* CCS records are only accepted if they have length 1 and content '1',
4852 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4853
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4854 /*
4855 * Switch to our negotiated transform and session parameters for inbound
4856 * data.
4857 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4858 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4859 ssl->transform_in = ssl->transform_negotiate;
4860 ssl->session_in = ssl->session_negotiate;
4861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4862#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4863 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4864 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4865#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]4866 mbedtls_ssl_dtls_replay_reset( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4867#endif
4868
4869 /* Increment epoch */
4870 if( ++ssl->in_epoch == 0 )
4871 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4872 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4873 /* This is highly unlikely to happen for legitimate reasons, so
4874 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4875 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4876 }
4877 }
4878 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4879#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4880 memset( ssl->in_ctr, 0, 8 );
4881
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4882 mbedtls_ssl_update_in_pointers( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4883
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4884#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4885 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4886 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4887 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4888 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4889 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4890 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4891 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4892 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4893 }
4894 }
4895#endif
4896
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4897 ssl->state++;
4898
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4900
4901 return( 0 );
4902}
4903
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4904/* Once ssl->out_hdr as the address of the beginning of the
4905 * next outgoing record is set, deduce the other pointers.
4906 *
4907 * Note: For TLS, we save the implicit record sequence number
4908 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
4909 * and the caller has to make sure there's space for this.
4910 */
4911
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4912void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
4913 mbedtls_ssl_transform *transform )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4914{
4915#if defined(MBEDTLS_SSL_PROTO_DTLS)
4916 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4917 {
4918 ssl->out_ctr = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4919#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4920 ssl->out_cid = ssl->out_ctr + 8;
4921 ssl->out_len = ssl->out_cid;
4922 if( transform != NULL )
4923 ssl->out_len += transform->out_cid_len;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4924#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4925 ssl->out_len = ssl->out_ctr + 8;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4926#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4927 ssl->out_iv = ssl->out_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4928 }
4929 else
4930#endif
4931 {
4932 ssl->out_ctr = ssl->out_hdr - 8;
4933 ssl->out_len = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4934#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4935 ssl->out_cid = ssl->out_len;
4936#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4937 ssl->out_iv = ssl->out_hdr + 5;
4938 }
4939
4940 /* Adjust out_msg to make space for explicit IV, if used. */
4941 if( transform != NULL &&
4942 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
4943 {
4944 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
4945 }
4946 else
4947 ssl->out_msg = ssl->out_iv;
4948}
4949
4950/* Once ssl->in_hdr as the address of the beginning of the
4951 * next incoming record is set, deduce the other pointers.
4952 *
4953 * Note: For TLS, we save the implicit record sequence number
4954 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
4955 * and the caller has to make sure there's space for this.
4956 */
4957
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4958void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4959{
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4960 /* This function sets the pointers to match the case
4961 * of unprotected TLS/DTLS records, with both ssl->in_iv
4962 * and ssl->in_msg pointing to the beginning of the record
4963 * content.
4964 *
4965 * When decrypting a protected record, ssl->in_msg
4966 * will be shifted to point to the beginning of the
4967 * record plaintext.
4968 */
4969
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4970#if defined(MBEDTLS_SSL_PROTO_DTLS)
4971 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4972 {
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4973 /* This sets the header pointers to match records
4974 * without CID. When we receive a record containing
4975 * a CID, the fields are shifted accordingly in
4976 * ssl_parse_record_header(). */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4977 ssl->in_ctr = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4978#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4979 ssl->in_cid = ssl->in_ctr + 8;
4980 ssl->in_len = ssl->in_cid; /* Default: no CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4981#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4982 ssl->in_len = ssl->in_ctr + 8;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4983#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4984 ssl->in_iv = ssl->in_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4985 }
4986 else
4987#endif
4988 {
4989 ssl->in_ctr = ssl->in_hdr - 8;
4990 ssl->in_len = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4991#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4992 ssl->in_cid = ssl->in_len;
4993#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4994 ssl->in_iv = ssl->in_hdr + 5;
4995 }
4996
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4997 /* This will be adjusted at record decryption time. */
4998 ssl->in_msg = ssl->in_iv;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4999}
5000
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5001/*
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +0200[diff] [blame]5002 * Setup an SSL context
5003 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5004
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]5005void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5006{
5007 /* Set the incoming and outgoing record pointers. */
5008#if defined(MBEDTLS_SSL_PROTO_DTLS)
5009 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5010 {
5011 ssl->out_hdr = ssl->out_buf;
5012 ssl->in_hdr = ssl->in_buf;
5013 }
5014 else
5015#endif /* MBEDTLS_SSL_PROTO_DTLS */
5016 {
5017 ssl->out_hdr = ssl->out_buf + 8;
5018 ssl->in_hdr = ssl->in_buf + 8;
5019 }
5020
5021 /* Derive other internal pointers. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]5022 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
5023 mbedtls_ssl_update_in_pointers ( ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5024}
5025
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5026/*
5027 * SSL get accessors
5028 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5029size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5030{
5031 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
5032}
5033
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5034int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
5035{
5036 /*
5037 * Case A: We're currently holding back
5038 * a message for further processing.
5039 */
5040
5041 if( ssl->keep_current_message == 1 )
5042 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5043 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5044 return( 1 );
5045 }
5046
5047 /*
5048 * Case B: Further records are pending in the current datagram.
5049 */
5050
5051#if defined(MBEDTLS_SSL_PROTO_DTLS)
5052 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5053 ssl->in_left > ssl->next_record_offset )
5054 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5055 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5056 return( 1 );
5057 }
5058#endif /* MBEDTLS_SSL_PROTO_DTLS */
5059
5060 /*
5061 * Case C: A handshake message is being processed.
5062 */
5063
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5064 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
5065 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5066 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5067 return( 1 );
5068 }
5069
5070 /*
5071 * Case D: An application data message is being processed
5072 */
5073 if( ssl->in_offt != NULL )
5074 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5076 return( 1 );
5077 }
5078
5079 /*
5080 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]5081 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5082 * we implement support for multiple alerts in single records.
5083 */
5084
5085 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5086 return( 0 );
5087}
5088
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]5089
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5090int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5091{
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5092 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5093 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5094 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5095
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5096 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5097
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]5098 if( transform == NULL )
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5099 return( (int) out_hdr_len );
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]5100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5101#if defined(MBEDTLS_ZLIB_SUPPORT)
5102 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
5103 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5104#endif
5105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5106 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5107 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5108 case MBEDTLS_MODE_GCM:
5109 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5110 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5111 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5112 transform_expansion = transform->minlen;
5113 break;
5114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5115 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5116
5117 block_size = mbedtls_cipher_get_block_size(
5118 &transform->cipher_ctx_enc );
5119
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5120 /* Expansion due to the addition of the MAC. */
5121 transform_expansion += transform->maclen;
5122
5123 /* Expansion due to the addition of CBC padding;
5124 * Theoretically up to 256 bytes, but we never use
5125 * more than the block size of the underlying cipher. */
5126 transform_expansion += block_size;
5127
5128 /* For TLS 1.1 or higher, an explicit IV is added
5129 * after the record header. */
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5130#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
5131 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5132 transform_expansion += block_size;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5133#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5134
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5135 break;
5136
5137 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5139 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5140 }
5141
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5142#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]5143 if( transform->out_cid_len != 0 )
5144 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5145#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]5146
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5147 return( (int)( out_hdr_len + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5148}
5149
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5150#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]5151/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5152 * Check record counters and renegotiate if they're above the limit.
5153 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5154static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5155{
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]5156 size_t ep_len = mbedtls_ssl_ep_len( ssl );
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5157 int in_ctr_cmp;
5158 int out_ctr_cmp;
5159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5160 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5161 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5162 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5163 {
5164 return( 0 );
5165 }
5166
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5167 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5168 ssl->conf->renego_period + ep_len, 8 - ep_len );
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]5169 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5170 ssl->conf->renego_period + ep_len, 8 - ep_len );
5171
5172 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5173 {
5174 return( 0 );
5175 }
5176
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5177 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5178 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5179}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5180#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5181
5182/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5183 * Receive application data decrypted from the SSL layer
5184 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5185int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5186{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5188 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5189
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5190 if( ssl == NULL || ssl->conf == NULL )
5191 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5192
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5193 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5195#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5196 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5197 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5198 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5199 return( ret );
5200
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5201 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5202 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5203 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]5204 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5205 return( ret );
5206 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5207 }
5208#endif
5209
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5210 /*
5211 * Check if renegotiation is necessary and/or handshake is
5212 * in process. If yes, perform/continue, and fall through
5213 * if an unexpected packet is received while the client
5214 * is waiting for the ServerHello.
5215 *
5216 * (There is no equivalent to the last condition on
5217 * the server-side as it is not treated as within
5218 * a handshake while waiting for the ClientHello
5219 * after a renegotiation request.)
5220 */
5221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5222#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5223 ret = ssl_check_ctr_renegotiate( ssl );
5224 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5225 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5226 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5227 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5228 return( ret );
5229 }
5230#endif
5231
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5232 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5233 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5234 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5235 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5236 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5237 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5238 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5239 return( ret );
5240 }
5241 }
5242
Hanno Beckere41158b2017-10-23 13:30:32 +0100[diff] [blame]5243 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5244 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5245 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5246 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5247 if( ssl->f_get_timer != NULL &&
5248 ssl->f_get_timer( ssl->p_timer ) == -1 )
5249 {
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5250 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5251 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5252
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5253 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5254 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5255 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5256 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5257
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5258 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5259 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5260 }
5261
5262 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5263 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5264 {
5265 /*
5266 * OpenSSL sends empty messages to randomize the IV
5267 */
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5268 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5269 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5270 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5271 return( 0 );
5272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5273 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5274 return( ret );
5275 }
5276 }
5277
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5278 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5279 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5281
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5282 /*
5283 * - For client-side, expect SERVER_HELLO_REQUEST.
5284 * - For server-side, expect CLIENT_HELLO.
5285 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5286 */
5287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5288#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5289 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5290 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5291 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5292 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5294
5295 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5296#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5297 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5298 {
5299 continue;
5300 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5301#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5302 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5303 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5304#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5305
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5306#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5307 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5308 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5309 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5311
5312 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5313#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5314 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5315 {
5316 continue;
5317 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5318#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5319 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5320 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5321#endif /* MBEDTLS_SSL_SRV_C */
5322
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5323#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5324 /* Determine whether renegotiation attempt should be accepted */
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5325 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5326 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5327 ssl->conf->allow_legacy_renegotiation ==
5328 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5329 {
5330 /*
5331 * Accept renegotiation request
5332 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5333
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5334 /* DTLS clients need to know renego is server-initiated */
5335#if defined(MBEDTLS_SSL_PROTO_DTLS)
5336 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5337 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5338 {
5339 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5340 }
5341#endif
Hanno Becker40cdaa12020-02-05 10:48:27 +0000[diff] [blame]5342 ret = mbedtls_ssl_start_renegotiation( ssl );
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5343 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5344 ret != 0 )
5345 {
Hanno Becker40cdaa12020-02-05 10:48:27 +0000[diff] [blame]5346 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5347 ret );
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5348 return( ret );
5349 }
5350 }
5351 else
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5352#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5353 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5354 /*
5355 * Refuse renegotiation
5356 */
5357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5358 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5360#if defined(MBEDTLS_SSL_PROTO_SSL3)
5361 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5362 {
Gilles Peskine92e44262017-05-10 17:27:49 +0200[diff] [blame]5363 /* SSLv3 does not have a "no_renegotiation" warning, so
5364 we send a fatal alert and abort the connection. */
5365 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5366 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5367 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5368 }
5369 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5370#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5371#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5372 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5373 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5374 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5375 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5376 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5377 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5378 {
5379 return( ret );
5380 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5381 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]5382 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5383#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
5384 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]5385 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5387 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]5388 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5389 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5390
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5391 /* At this point, we don't know whether the renegotiation has been
5392 * completed or not. The cases to consider are the following:
5393 * 1) The renegotiation is complete. In this case, no new record
5394 * has been read yet.
5395 * 2) The renegotiation is incomplete because the client received
5396 * an application data record while awaiting the ServerHello.
5397 * 3) The renegotiation is incomplete because the client received
5398 * a non-handshake, non-application data message while awaiting
5399 * the ServerHello.
5400 * In each of these case, looping will be the proper action:
5401 * - For 1), the next iteration will read a new record and check
5402 * if it's application data.
5403 * - For 2), the loop condition isn't satisfied as application data
5404 * is present, hence continue is the same as break
5405 * - For 3), the loop condition is satisfied and read_record
5406 * will re-deliver the message that was held back by the client
5407 * when expecting the ServerHello.
5408 */
5409 continue;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5410 }
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5411#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5412 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5413 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5414 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5415 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5416 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5417 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5419 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5420 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5421 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5422 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5423 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5424#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5425
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5426 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5427 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5428 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]5430 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5431 }
5432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5433 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5434 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5436 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5437 }
5438
5439 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5440
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5441 /* We're going to return something now, cancel timer,
5442 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5443 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5444 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5445
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]5446#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5447 /* If we requested renego but received AppData, resend HelloRequest.
5448 * Do it now, after setting in_offt, to avoid taking this branch
5449 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5450#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5451 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5452 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5453 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5454 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5455 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5456 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5457 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5458 return( ret );
5459 }
5460 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5461#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5462#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5463 }
5464
5465 n = ( len < ssl->in_msglen )
5466 ? len : ssl->in_msglen;
5467
5468 memcpy( buf, ssl->in_offt, n );
5469 ssl->in_msglen -= n;
5470
5471 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5472 {
5473 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5474 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +0100[diff] [blame]5475 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5476 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5477 else
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5478 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5479 /* more data available */
5480 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5481 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5483 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5484
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5485 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5486}
5487
5488/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5489 * Send application data to be encrypted by the SSL layer, taking care of max
5490 * fragment length and buffer size.
5491 *
5492 * According to RFC 5246 Section 6.2.1:
5493 *
5494 * Zero-length fragments of Application data MAY be sent as they are
5495 * potentially useful as a traffic analysis countermeasure.
5496 *
5497 * Therefore, it is possible that the input message length is 0 and the
5498 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5499 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5500static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5501 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5502{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]5503 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5504 const size_t max_len = (size_t) ret;
5505
5506 if( ret < 0 )
5507 {
5508 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5509 return( ret );
5510 }
5511
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5512 if( len > max_len )
5513 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5514#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5515 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5516 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5517 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5518 "maximum fragment length: %d > %d",
5519 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5520 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5521 }
5522 else
5523#endif
5524 len = max_len;
5525 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5526
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5527 if( ssl->out_left != 0 )
5528 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5529 /*
5530 * The user has previously tried to send the data and
5531 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5532 * written. In this case, we expect the high-level write function
5533 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5534 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5535 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5536 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5537 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5538 return( ret );
5539 }
5540 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5541 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]5542 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5543 /*
5544 * The user is trying to send a message the first time, so we need to
5545 * copy the data into the internal buffers and setup the data structure
5546 * to keep track of partial writes
5547 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5548 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5549 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5550 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5551
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]5552 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5553 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5555 return( ret );
5556 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5557 }
5558
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5559 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5560}
5561
5562/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5563 * Write application data, doing 1/n-1 splitting if necessary.
5564 *
5565 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]5566 * then the caller will call us again with the same arguments, so
Hanno Becker2b187c42017-09-18 14:58:11 +0100[diff] [blame]5567 * remember whether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5568 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5569#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5570static int ssl_write_split( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5571 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5572{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5573 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5574
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]5575 if( ssl->conf->cbc_record_splitting ==
5576 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]5577 len <= 1 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5578 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
5579 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
5580 != MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5581 {
5582 return( ssl_write_real( ssl, buf, len ) );
5583 }
5584
5585 if( ssl->split_done == 0 )
5586 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5587 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5588 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5589 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5590 }
5591
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5592 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
5593 return( ret );
5594 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5595
5596 return( ret + 1 );
5597}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5598#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5599
5600/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5601 * Write application data (public-facing wrapper)
5602 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5603int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5604{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5605 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5606
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5608
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5609 if( ssl == NULL || ssl->conf == NULL )
5610 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5611
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5612#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5613 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5614 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5615 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5616 return( ret );
5617 }
5618#endif
5619
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5620 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5621 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5622 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5623 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +0200[diff] [blame]5624 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5625 return( ret );
5626 }
5627 }
5628
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5629#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5630 ret = ssl_write_split( ssl, buf, len );
5631#else
5632 ret = ssl_write_real( ssl, buf, len );
5633#endif
5634
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5635 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5636
5637 return( ret );
5638}
5639
5640/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5641 * Notify the peer that the connection is being closed
5642 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5643int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5644{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5646
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5647 if( ssl == NULL || ssl->conf == NULL )
5648 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5651
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5652 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5653 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5655 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5656 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5657 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5658 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5659 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5660 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5661 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5662 return( ret );
5663 }
5664 }
5665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5666 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5667
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5668 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5669}
5670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5671void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5672{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]5673 if( transform == NULL )
5674 return;
5675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5676#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5677 deflateEnd( &transform->ctx_deflate );
5678 inflateEnd( &transform->ctx_inflate );
5679#endif
5680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5681 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5682 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +0200[diff] [blame]5683
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5684#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5685 mbedtls_md_free( &transform->md_ctx_enc );
5686 mbedtls_md_free( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5687#endif
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]5688
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]5689 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5690}
5691
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5692#if defined(MBEDTLS_SSL_PROTO_DTLS)
5693
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]5694void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5695{
5696 unsigned offset;
5697 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5698
5699 if( hs == NULL )
5700 return;
5701
Hanno Becker283f5ef2018-08-24 09:34:47 +0100[diff] [blame]5702 ssl_free_buffered_record( ssl );
5703
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5704 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5705 ssl_buffering_free_slot( ssl, offset );
5706}
5707
5708static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5709 uint8_t slot )
5710{
5711 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5712 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]5713
5714 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
5715 return;
5716
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5717 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5718 {
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5719 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +0100[diff] [blame]5720 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5721 mbedtls_free( hs_buf->data );
5722 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5723 }
5724}
5725
5726#endif /* MBEDTLS_SSL_PROTO_DTLS */
5727
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5728/*
5729 * Convert version numbers to/from wire format
5730 * and, for DTLS, to/from TLS equivalent.
5731 *
5732 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]5733 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5734 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
5735 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
5736 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5737void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5738 unsigned char ver[2] )
5739{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5740#if defined(MBEDTLS_SSL_PROTO_DTLS)
5741 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5742 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5743 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5744 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5745
5746 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
5747 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
5748 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5749 else
5750#else
5751 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5752#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5753 {
5754 ver[0] = (unsigned char) major;
5755 ver[1] = (unsigned char) minor;
5756 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5757}
5758
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5759void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5760 const unsigned char ver[2] )
5761{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5762#if defined(MBEDTLS_SSL_PROTO_DTLS)
5763 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5764 {
5765 *major = 255 - ver[0] + 2;
5766 *minor = 255 - ver[1] + 1;
5767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5768 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5769 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5770 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5771 else
5772#else
5773 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5774#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5775 {
5776 *major = ver[0];
5777 *minor = ver[1];
5778 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5779}
5780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5781#endif /* MBEDTLS_SSL_TLS_C */