TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b37fae122c4069a6494fd980f2d2cbda77dce902 / . / library / ssl_msg.c
blob: 896436902103fa8e1cb6d7501edc8468456d3ddb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]5 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]19 */
20/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21 * http://www.ietf.org/rfc/rfc2246.txt
22 * http://www.ietf.org/rfc/rfc4346.txt
23 */
24
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]25#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]26
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]27#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]28
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]29#if defined(MBEDTLS_PLATFORM_C)
30#include "mbedtls/platform.h"
31#else
32#include <stdlib.h>
33#define mbedtls_calloc calloc
34#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#endif
36
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]38#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]39#include "mbedtls/debug.h"
40#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]41#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +0100[diff] [blame]42#include "mbedtls/version.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]43#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]44#include "mbedtls/constant_time.h"
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]45
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]46#include <string.h>
47
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]48#if defined(MBEDTLS_USE_PSA_CRYPTO)
49#include "mbedtls/psa_util.h"
50#include "psa/crypto.h"
51#endif
52
Janos Follath23bdca02016-10-07 14:47:14 +0100[diff] [blame]53#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]55#endif
56
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]57static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]58
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]59/*
60 * Start a timer.
61 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]62 */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]63void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]64{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]65 if( ssl->f_set_timer == NULL )
66 return;
67
68 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
69 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]70}
71
72/*
73 * Return -1 is timer is expired, 0 if it isn't.
74 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]75int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]76{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]77 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]78 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]79
80 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]81 {
82 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]83 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]84 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]85
86 return( 0 );
87}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]88
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]89static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
90 unsigned char *buf,
91 size_t len,
92 mbedtls_record *rec );
93
94int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
95 unsigned char *buf,
96 size_t buflen )
97{
98 int ret = 0;
99 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
100 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
101
102 /* We don't support record checking in TLS because
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]103 * there doesn't seem to be a usecase for it.
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]104 */
105 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
106 {
107 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
108 goto exit;
109 }
110#if defined(MBEDTLS_SSL_PROTO_DTLS)
111 else
112 {
113 mbedtls_record rec;
114
115 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
116 if( ret != 0 )
117 {
118 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
119 goto exit;
120 }
121
122 if( ssl->transform_in != NULL )
123 {
124 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
125 if( ret != 0 )
126 {
127 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
128 goto exit;
129 }
130 }
131 }
132#endif /* MBEDTLS_SSL_PROTO_DTLS */
133
134exit:
135 /* On success, we have decrypted the buffer in-place, so make
136 * sure we don't leak any plaintext data. */
137 mbedtls_platform_zeroize( buf, buflen );
138
139 /* For the purpose of this API, treat messages with unexpected CID
140 * as well as such from future epochs as unexpected. */
141 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
142 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
143 {
144 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
145 }
146
147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
148 return( ret );
149}
150
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]151#define SSL_DONT_FORCE_FLUSH 0
152#define SSL_FORCE_FLUSH 1
153
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]154#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]155
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]156/* Forward declarations for functions related to message buffering. */
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]157static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
158 uint8_t slot );
159static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
160static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
161static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
162static int ssl_buffer_message( mbedtls_ssl_context *ssl );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]163static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
164 mbedtls_record const *rec );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]165static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]166
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]167static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]168{
Hanno Becker89490712020-02-05 10:50:12 +0000[diff] [blame]169 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]170#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
171 size_t out_buf_len = ssl->out_buf_len;
172#else
173 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
174#endif
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]175
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]176 if( mtu != 0 && mtu < out_buf_len )
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]177 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]178
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]179 return( out_buf_len );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]180}
181
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]182static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
183{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]184 size_t const bytes_written = ssl->out_left;
185 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]186
187 /* Double-check that the write-index hasn't gone
188 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]189 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]190 {
191 /* Should never happen... */
192 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
193 }
194
195 return( (int) ( mtu - bytes_written ) );
196}
197
198static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
199{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]200 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]201 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400[diff] [blame]202 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]203
204#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]205 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]206
207 if( max_len > mfl )
208 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100[diff] [blame]209
210 /* By the standard (RFC 6066 Sect. 4), the MFL extension
211 * only limits the maximum record payload size, so in theory
212 * we would be allowed to pack multiple records of payload size
213 * MFL into a single datagram. However, this would mean that there's
214 * no way to explicitly communicate MTU restrictions to the peer.
215 *
216 * The following reduction of max_len makes sure that we never
217 * write datagrams larger than MFL + Record Expansion Overhead.
218 */
219 if( max_len <= ssl->out_left )
220 return( 0 );
221
222 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]223#endif
224
225 ret = ssl_get_remaining_space_in_datagram( ssl );
226 if( ret < 0 )
227 return( ret );
228 remaining = (size_t) ret;
229
230 ret = mbedtls_ssl_get_record_expansion( ssl );
231 if( ret < 0 )
232 return( ret );
233 expansion = (size_t) ret;
234
235 if( remaining <= expansion )
236 return( 0 );
237
238 remaining -= expansion;
239 if( remaining >= max_len )
240 remaining = max_len;
241
242 return( (int) remaining );
243}
244
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]245/*
246 * Double the retransmit timeout value, within the allowed range,
247 * returning -1 if the maximum value has already been reached.
248 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]249static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]250{
251 uint32_t new_timeout;
252
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]253 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]254 return( -1 );
255
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]256 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
257 * in the following way: after the initial transmission and a first
258 * retransmission, back off to a temporary estimated MTU of 508 bytes.
259 * This value is guaranteed to be deliverable (if not guaranteed to be
260 * delivered) of any compliant IPv4 (and IPv6) network, and should work
261 * on most non-IP stacks too. */
262 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]263 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]264 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]265 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
266 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]267
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]268 new_timeout = 2 * ssl->handshake->retransmit_timeout;
269
270 /* Avoid arithmetic overflow and range overflow */
271 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]272 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]273 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]274 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]275 }
276
277 ssl->handshake->retransmit_timeout = new_timeout;
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]278 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
279 (unsigned long) ssl->handshake->retransmit_timeout ) );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]280
281 return( 0 );
282}
283
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]284static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]285{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]286 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]287 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
288 (unsigned long) ssl->handshake->retransmit_timeout ) );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]289}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]290#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]291
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]292/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]293 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]294 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]295
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]296#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Becker13996922020-05-28 16:15:19 +0100[diff] [blame]297
298static size_t ssl_compute_padding_length( size_t len,
299 size_t granularity )
300{
301 return( ( granularity - ( len + 1 ) % granularity ) % granularity );
302}
303
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]304/* This functions transforms a (D)TLS plaintext fragment and a record content
305 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
306 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
307 * a record's content type.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]308 *
309 * struct {
310 * opaque content[DTLSPlaintext.length];
311 * ContentType real_type;
312 * uint8 zeros[length_of_padding];
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]313 * } (D)TLSInnerPlaintext;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]314 *
315 * Input:
316 * - `content`: The beginning of the buffer holding the
317 * plaintext to be wrapped.
318 * - `*content_size`: The length of the plaintext in Bytes.
319 * - `max_len`: The number of Bytes available starting from
320 * `content`. This must be `>= *content_size`.
321 * - `rec_type`: The desired record content type.
322 *
323 * Output:
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]324 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
325 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]326 *
327 * Returns:
328 * - `0` on success.
329 * - A negative error code if `max_len` didn't offer enough space
330 * for the expansion.
331 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]332static int ssl_build_inner_plaintext( unsigned char *content,
333 size_t *content_size,
334 size_t remaining,
Hanno Becker13996922020-05-28 16:15:19 +0100[diff] [blame]335 uint8_t rec_type,
336 size_t pad )
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]337{
338 size_t len = *content_size;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]339
340 /* Write real content type */
341 if( remaining == 0 )
342 return( -1 );
343 content[ len ] = rec_type;
344 len++;
345 remaining--;
346
347 if( remaining < pad )
348 return( -1 );
349 memset( content + len, 0, pad );
350 len += pad;
351 remaining -= pad;
352
353 *content_size = len;
354 return( 0 );
355}
356
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]357/* This function parses a (D)TLSInnerPlaintext structure.
358 * See ssl_build_inner_plaintext() for details. */
359static int ssl_parse_inner_plaintext( unsigned char const *content,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]360 size_t *content_size,
361 uint8_t *rec_type )
362{
363 size_t remaining = *content_size;
364
365 /* Determine length of padding by skipping zeroes from the back. */
366 do
367 {
368 if( remaining == 0 )
369 return( -1 );
370 remaining--;
371 } while( content[ remaining ] == 0 );
372
373 *content_size = remaining;
374 *rec_type = content[ remaining ];
375
376 return( 0 );
377}
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]378#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]379
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]380/* `add_data` must have size 13 Bytes if the CID extension is disabled,
Hanno Beckerc4a190b2019-05-08 18:15:21 +0100[diff] [blame]381 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]382static void ssl_extract_add_data_from_record( unsigned char* add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]383 size_t *add_data_len,
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]384 mbedtls_record *rec,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]385 unsigned minor_ver,
386 size_t taglen )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]387{
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]388 /* Quoting RFC 5246 (TLS 1.2):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]389 *
390 * additional_data = seq_num + TLSCompressed.type +
391 * TLSCompressed.version + TLSCompressed.length;
392 *
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]393 * For the CID extension, this is extended as follows
394 * (quoting draft-ietf-tls-dtls-connection-id-05,
395 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]396 *
397 * additional_data = seq_num + DTLSPlaintext.type +
398 * DTLSPlaintext.version +
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]399 * cid +
400 * cid_length +
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]401 * length_of_DTLSInnerPlaintext;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]402 *
403 * For TLS 1.3, the record sequence number is dropped from the AAD
404 * and encoded within the nonce of the AEAD operation instead.
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]405 * Moreover, the additional data involves the length of the TLS
406 * ciphertext, not the TLS plaintext as in earlier versions.
407 * Quoting RFC 8446 (TLS 1.3):
408 *
409 * additional_data = TLSCiphertext.opaque_type ||
410 * TLSCiphertext.legacy_record_version ||
411 * TLSCiphertext.length
412 *
413 * We pass the tag length to this function in order to compute the
414 * ciphertext length from the inner plaintext length rec->data_len via
415 *
416 * TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
417 *
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]418 */
419
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]420 unsigned char *cur = add_data;
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]421 size_t ad_len_field = rec->data_len;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]422
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]423#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]424 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
425 {
426 /* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
427 * which differs from the length of the TLSInnerPlaintext
428 * by the length of the authentication tag. */
429 ad_len_field += taglen;
430 }
431 else
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]432#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]433 {
434 ((void) minor_ver);
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]435 ((void) taglen);
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]436 memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
437 cur += sizeof( rec->ctr );
438 }
439
440 *cur = rec->type;
441 cur++;
442
443 memcpy( cur, rec->ver, sizeof( rec->ver ) );
444 cur += sizeof( rec->ver );
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]445
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]446#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]447 if( rec->cid_len != 0 )
448 {
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]449 memcpy( cur, rec->cid, rec->cid_len );
450 cur += rec->cid_len;
451
452 *cur = rec->cid_len;
453 cur++;
454
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]455 MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]456 cur += 2;
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]457 }
458 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]459#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]460 {
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]461 MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]462 cur += 2;
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]463 }
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]464
465 *add_data_len = cur - add_data;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]466}
467
Hanno Becker67a37db2020-05-28 16:27:07 +0100[diff] [blame]468#if defined(MBEDTLS_GCM_C) || \
469 defined(MBEDTLS_CCM_C) || \
470 defined(MBEDTLS_CHACHAPOLY_C)
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]471static int ssl_transform_aead_dynamic_iv_is_explicit(
472 mbedtls_ssl_transform const *transform )
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]473{
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]474 return( transform->ivlen != transform->fixed_ivlen );
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]475}
476
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]477/* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
478 *
479 * Concretely, this occurs in two variants:
480 *
481 * a) Fixed and dynamic IV lengths add up to total IV length, giving
482 * IV = fixed_iv || dynamic_iv
483 *
Hanno Becker15952812020-06-04 13:31:46 +0100[diff] [blame]484 * This variant is used in TLS 1.2 when used with GCM or CCM.
485 *
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]486 * b) Fixed IV lengths matches total IV length, giving
487 * IV = fixed_iv XOR ( 0 || dynamic_iv )
Hanno Becker15952812020-06-04 13:31:46 +0100[diff] [blame]488 *
489 * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
490 *
491 * See also the documentation of mbedtls_ssl_transform.
Hanno Beckerf486e282020-06-04 13:33:08 +0100[diff] [blame]492 *
493 * This function has the precondition that
494 *
495 * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
496 *
497 * which has to be ensured by the caller. If this precondition
498 * violated, the behavior of this function is undefined.
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]499 */
500static void ssl_build_record_nonce( unsigned char *dst_iv,
501 size_t dst_iv_len,
502 unsigned char const *fixed_iv,
503 size_t fixed_iv_len,
504 unsigned char const *dynamic_iv,
505 size_t dynamic_iv_len )
506{
507 size_t i;
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]508
509 /* Start with Fixed IV || 0 */
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]510 memset( dst_iv, 0, dst_iv_len );
511 memcpy( dst_iv, fixed_iv, fixed_iv_len );
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]512
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]513 dst_iv += dst_iv_len - dynamic_iv_len;
514 for( i = 0; i < dynamic_iv_len; i++ )
515 dst_iv[i] ^= dynamic_iv[i];
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]516}
Hanno Becker67a37db2020-05-28 16:27:07 +0100[diff] [blame]517#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]518
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]519int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
520 mbedtls_ssl_transform *transform,
521 mbedtls_record *rec,
522 int (*f_rng)(void *, unsigned char *, size_t),
523 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]526 int auth_done = 0;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]527 unsigned char * data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]528 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]529 size_t add_data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]530 size_t post_avail;
531
532 /* The SSL context is only used for debugging purposes! */
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]533#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]534 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]535 ((void) ssl);
536#endif
537
538 /* The PRNG is used for dynamic IV generation that's used
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]539 * for CBC transformations in TLS 1.2. */
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200[diff] [blame]540#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]541 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]542 ((void) f_rng);
543 ((void) p_rng);
544#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]548 if( transform == NULL )
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]549 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
551 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
552 }
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]553 if( rec == NULL
554 || rec->buf == NULL
555 || rec->buf_len < rec->data_offset
556 || rec->buf_len - rec->data_offset < rec->data_len
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]557#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]558 || rec->cid_len != 0
559#endif
560 )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]561 {
562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]564 }
565
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]566 data = rec->buf + rec->data_offset;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]567 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]568 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]569 data, rec->data_len );
570
571 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
572
573 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
574 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]575 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET
576 " too large, maximum %" MBEDTLS_PRINTF_SIZET,
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]577 rec->data_len,
578 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]579 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
580 }
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +0100[diff] [blame]581
Hanno Becker92313402020-05-20 13:58:58 +0100[diff] [blame]582 /* The following two code paths implement the (D)TLSInnerPlaintext
583 * structure present in TLS 1.3 and DTLS 1.2 + CID.
584 *
585 * See ssl_build_inner_plaintext() for more information.
586 *
587 * Note that this changes `rec->data_len`, and hence
588 * `post_avail` needs to be recalculated afterwards.
589 *
590 * Note also that the two code paths cannot occur simultaneously
591 * since they apply to different versions of the protocol. There
592 * is hence no risk of double-addition of the inner plaintext.
593 */
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]594#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]595 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
596 {
Hanno Becker13996922020-05-28 16:15:19 +0100[diff] [blame]597 size_t padding =
598 ssl_compute_padding_length( rec->data_len,
TRodziewicze8dd7092021-05-12 14:19:11 +0200[diff] [blame]599 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY );
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]600 if( ssl_build_inner_plaintext( data,
Hanno Becker13996922020-05-28 16:15:19 +0100[diff] [blame]601 &rec->data_len,
602 post_avail,
603 rec->type,
604 padding ) != 0 )
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]605 {
606 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
607 }
608
609 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
610 }
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]611#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]612
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]613#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]614 /*
615 * Add CID information
616 */
617 rec->cid_len = transform->out_cid_len;
618 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
619 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]620
621 if( rec->cid_len != 0 )
622 {
Hanno Becker13996922020-05-28 16:15:19 +0100[diff] [blame]623 size_t padding =
624 ssl_compute_padding_length( rec->data_len,
TRodziewicze8dd7092021-05-12 14:19:11 +0200[diff] [blame]625 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]626 /*
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]627 * Wrap plaintext into DTLSInnerPlaintext structure.
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]628 * See ssl_build_inner_plaintext() for more information.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]629 *
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]630 * Note that this changes `rec->data_len`, and hence
631 * `post_avail` needs to be recalculated afterwards.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]632 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]633 if( ssl_build_inner_plaintext( data,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]634 &rec->data_len,
635 post_avail,
Hanno Becker13996922020-05-28 16:15:19 +0100[diff] [blame]636 rec->type,
637 padding ) != 0 )
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]638 {
639 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
640 }
641
642 rec->type = MBEDTLS_SSL_MSG_CID;
643 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]644#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]645
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]646 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
647
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]649 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]650 */
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000[diff] [blame]651#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652 if( mode == MBEDTLS_MODE_STREAM ||
653 ( mode == MBEDTLS_MODE_CBC
654#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]655 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]656#endif
657 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]659 if( post_avail < transform->maclen )
660 {
661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
662 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
663 }
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]665 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]667
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]668 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]669 transform->minor_ver,
670 transform->taglen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]671
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]672 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
673 add_data_len );
674 if( ret != 0 )
675 goto hmac_failed_etm_disabled;
676 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, data, rec->data_len );
677 if( ret != 0 )
678 goto hmac_failed_etm_disabled;
679 ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
680 if( ret != 0 )
681 goto hmac_failed_etm_disabled;
682 ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
683 if( ret != 0 )
684 goto hmac_failed_etm_disabled;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]685
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]686 memcpy( data + rec->data_len, mac, transform->maclen );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]687#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]688
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]689 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
690 transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]691
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]692 rec->data_len += transform->maclen;
693 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]694 auth_done++;
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]695
696 hmac_failed_etm_disabled:
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]697 mbedtls_platform_zeroize( mac, transform->maclen );
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]698 if( ret != 0 )
699 {
700 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac_xxx", ret );
701 return( ret );
702 }
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]703 }
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000[diff] [blame]704#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]706 /*
707 * Encrypt
708 */
Hanno Beckerd086bf02021-03-22 13:01:27 +0000[diff] [blame]709#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]712 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]713 size_t olen;
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]714#if defined(MBEDTLS_USE_PSA_CRYPTO)
715 psa_status_t status;
716 size_t part_len;
717 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
718
719#endif /* MBEDTLS_USE_PSA_CRYPTO */
720
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]721 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]722 "including %d bytes of padding",
723 rec->data_len, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]725#if defined(MBEDTLS_USE_PSA_CRYPTO)
726 status = psa_cipher_encrypt_setup( &cipher_op,
727 transform->psa_key_enc, transform->psa_alg );
728
729 if( status != PSA_SUCCESS )
730 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
731
732 status = psa_cipher_set_iv( &cipher_op, transform->iv_enc, transform->ivlen );
733
734 if( status != PSA_SUCCESS )
735 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
736
737 status = psa_cipher_update( &cipher_op,
738 data, rec->data_len,
739 data, rec->data_len, &olen );
740
741 if( status != PSA_SUCCESS )
742 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
743
744 status = psa_cipher_finish( &cipher_op,
745 data + olen, rec->data_len - olen,
746 &part_len );
747
748 if( status != PSA_SUCCESS )
749 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
750
751 olen += part_len;
752#else
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]753 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
754 transform->iv_enc, transform->ivlen,
755 data, rec->data_len,
756 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]757 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]759 return( ret );
760 }
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]761#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]762
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]763 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]764 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
766 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]767 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]768 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]769 else
Hanno Beckerd086bf02021-03-22 13:01:27 +0000[diff] [blame]770#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]771
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]772#if defined(MBEDTLS_GCM_C) || \
773 defined(MBEDTLS_CCM_C) || \
774 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]775 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]776 mode == MBEDTLS_MODE_CCM ||
777 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]778 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]779 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]780 unsigned char iv[12];
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]781 unsigned char *dynamic_iv;
782 size_t dynamic_iv_len;
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]783 int dynamic_iv_is_explicit =
784 ssl_transform_aead_dynamic_iv_is_explicit( transform );
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]785#if defined(MBEDTLS_USE_PSA_CRYPTO)
786 psa_status_t status;
787 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
788#endif /* MBEDTLS_USE_PSA_CRYPTO */
789
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]790
Hanno Beckerbd5ed1d2020-05-21 15:26:39 +0100[diff] [blame]791 /* Check that there's space for the authentication tag. */
792 if( post_avail < transform->taglen )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]793 {
794 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
795 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
796 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]797
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]798 /*
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]799 * Build nonce for AEAD encryption.
800 *
801 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
802 * part of the IV is prepended to the ciphertext and
803 * can be chosen freely - in particular, it need not
804 * agree with the record sequence number.
805 * However, since ChaChaPoly as well as all AEAD modes
806 * in TLS 1.3 use the record sequence number as the
807 * dynamic part of the nonce, we uniformly use the
808 * record sequence number here in all cases.
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]809 */
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]810 dynamic_iv = rec->ctr;
811 dynamic_iv_len = sizeof( rec->ctr );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]812
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]813 ssl_build_record_nonce( iv, sizeof( iv ),
814 transform->iv_enc,
815 transform->fixed_ivlen,
816 dynamic_iv,
817 dynamic_iv_len );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]818
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]819 /*
820 * Build additional data for AEAD encryption.
821 * This depends on the TLS version.
822 */
823 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]824 transform->minor_ver,
825 transform->taglen );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]826
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]827 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
Hanno Becker7cca3582020-06-04 13:27:22 +0100[diff] [blame]828 iv, transform->ivlen );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]829 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
Hanno Becker16bf0e22020-06-04 13:27:34 +0100[diff] [blame]830 dynamic_iv,
831 dynamic_iv_is_explicit ? dynamic_iv_len : 0 );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]832 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]833 add_data, add_data_len );
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]834 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]835 "including 0 bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]836 rec->data_len ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]837
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]838 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]839 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]840 */
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]841#if defined(MBEDTLS_USE_PSA_CRYPTO)
842 status = psa_aead_encrypt( transform->psa_key_enc,
843 transform->psa_alg,
844 iv, transform->ivlen,
845 add_data, add_data_len,
846 data, rec->data_len,
847 data, rec->buf_len - (data - rec->buf),
848 &rec->data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]849
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]850 if( status != PSA_SUCCESS )
851 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
852#else
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]853 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]854 iv, transform->ivlen,
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]855 add_data, add_data_len,
856 data, rec->data_len, /* src */
857 data, rec->buf_len - (data - rec->buf), /* dst */
858 &rec->data_len,
859 transform->taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]860 {
TRodziewicz18efb732021-04-29 23:12:19 +0200[diff] [blame]861 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt_ext", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]862 return( ret );
863 }
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]864#endif /* MBEDTLS_USE_PSA_CRYPTO */
865
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]866 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]867 data + rec->data_len - transform->taglen,
868 transform->taglen );
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]869 /* Account for authentication tag. */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]870 post_avail -= transform->taglen;
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]871
872 /*
873 * Prefix record content with dynamic IV in case it is explicit.
874 */
Hanno Becker1cda2662020-06-04 13:28:28 +0100[diff] [blame]875 if( dynamic_iv_is_explicit != 0 )
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]876 {
877 if( rec->data_offset < dynamic_iv_len )
878 {
879 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
880 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
881 }
882
883 memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len );
884 rec->data_offset -= dynamic_iv_len;
885 rec->data_len += dynamic_iv_len;
886 }
887
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]888 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]889 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890 else
Hanno Beckerc3f7b0b2020-05-28 16:27:16 +0100[diff] [blame]891#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200[diff] [blame]892#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]893 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]894 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]895 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]896 size_t padlen, i;
897 size_t olen;
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]898#if defined(MBEDTLS_USE_PSA_CRYPTO)
899 psa_status_t status;
900 size_t part_len;
901 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
902#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]903
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]904 /* Currently we're always using minimal padding
905 * (up to 255 bytes would be allowed). */
906 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
907 if( padlen == transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]908 padlen = 0;
909
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]910 /* Check there's enough space in the buffer for the padding. */
911 if( post_avail < padlen + 1 )
912 {
913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
914 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
915 }
916
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]917 for( i = 0; i <= padlen; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]918 data[rec->data_len + i] = (unsigned char) padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]920 rec->data_len += padlen + 1;
921 post_avail -= padlen + 1;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]922
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]923#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]924 /*
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]925 * Prepend per-record IV for block cipher in TLS v1.2 as per
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]926 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]927 */
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]928 if( f_rng == NULL )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]929 {
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
931 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]932 }
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]933
934 if( rec->data_offset < transform->ivlen )
935 {
936 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
937 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
938 }
939
940 /*
941 * Generate IV
942 */
943 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
944 if( ret != 0 )
945 return( ret );
946
947 memcpy( data - transform->ivlen, transform->iv_enc, transform->ivlen );
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]948#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]949
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]950 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
951 "including %" MBEDTLS_PRINTF_SIZET
952 " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]953 rec->data_len, transform->ivlen,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]954 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]956#if defined(MBEDTLS_USE_PSA_CRYPTO)
957 status = psa_cipher_encrypt_setup( &cipher_op,
958 transform->psa_key_enc, transform->psa_alg );
959
960 if( status != PSA_SUCCESS )
961 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
962
963 status = psa_cipher_set_iv( &cipher_op, transform->iv_enc, transform->ivlen );
964
965 if( status != PSA_SUCCESS )
966 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
967
968 status = psa_cipher_update( &cipher_op,
969 data, rec->data_len,
970 data, rec->data_len, &olen );
971
972 if( status != PSA_SUCCESS )
973 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
974
975 status = psa_cipher_finish( &cipher_op,
976 data + olen, rec->data_len - olen,
977 &part_len );
978
979 if( status != PSA_SUCCESS )
980 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
981
982 olen += part_len;
983#else
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]984 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
985 transform->iv_enc,
986 transform->ivlen,
987 data, rec->data_len,
988 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]989 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]991 return( ret );
992 }
Przemyslaw Stekielb37fae12022-01-13 14:28:44 +0100[diff] [blame^]993#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]994
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]995 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]996 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
998 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]999 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1000
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1001 data -= transform->ivlen;
1002 rec->data_offset -= transform->ivlen;
1003 rec->data_len += transform->ivlen;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1006 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1007 {
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]1008 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1009
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1010 /*
1011 * MAC(MAC_write_key, seq_num +
1012 * TLSCipherText.type +
1013 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1014 * length_of( (IV +) ENC(...) ) +
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]1015 * IV +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1016 * ENC(content + padding + padding_length));
1017 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]1018
1019 if( post_avail < transform->maclen)
1020 {
1021 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1022 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1023 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1024
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]1025 ssl_extract_add_data_from_record( add_data, &add_data_len,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]1026 rec, transform->minor_ver,
1027 transform->taglen );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]1028
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]1030 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1031 add_data_len );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1032
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1033 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
1034 add_data_len );
1035 if( ret != 0 )
1036 goto hmac_failed_etm_enabled;
1037 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc,
1038 data, rec->data_len );
1039 if( ret != 0 )
1040 goto hmac_failed_etm_enabled;
1041 ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
1042 if( ret != 0 )
1043 goto hmac_failed_etm_enabled;
1044 ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
1045 if( ret != 0 )
1046 goto hmac_failed_etm_enabled;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1047
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]1048 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1049
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]1050 rec->data_len += transform->maclen;
1051 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1052 auth_done++;
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1053
1054 hmac_failed_etm_enabled:
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]1055 mbedtls_platform_zeroize( mac, transform->maclen );
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1056 if( ret != 0 )
1057 {
1058 MBEDTLS_SSL_DEBUG_RET( 1, "HMAC calculation failed", ret );
1059 return( ret );
1060 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1061 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1064 else
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200[diff] [blame]1065#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1066 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1068 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1069 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1071 /* Make extra sure authentication was performed, exactly once */
1072 if( auth_done != 1 )
1073 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1074 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1075 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1076 }
1077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079
1080 return( 0 );
1081}
1082
Hanno Becker605949f2019-07-12 08:23:59 +0100[diff] [blame]1083int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]1084 mbedtls_ssl_transform *transform,
1085 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086{
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1087 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1088 mbedtls_cipher_mode_t mode;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1089 int ret, auth_done = 0;
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000[diff] [blame]1090#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]1091 size_t padlen = 0, correct = 1;
1092#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1093 unsigned char* data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]1094 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1095 size_t add_data_len;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1096
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]1097#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]1098 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1099 ((void) ssl);
1100#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1103 if( rec == NULL ||
1104 rec->buf == NULL ||
1105 rec->buf_len < rec->data_offset ||
1106 rec->buf_len - rec->data_offset < rec->data_len )
1107 {
1108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1109 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1110 }
1111
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1112 data = rec->buf + rec->data_offset;
1113 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1115#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1116 /*
1117 * Match record's CID with incoming CID.
1118 */
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1119 if( rec->cid_len != transform->in_cid_len ||
1120 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1121 {
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]1122 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1123 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1124#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1125
Hanno Beckerd086bf02021-03-22 13:01:27 +0000[diff] [blame]1126#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1127 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1128 {
1129 padlen = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1130 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1131 transform->iv_dec,
1132 transform->ivlen,
1133 data, rec->data_len,
1134 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1135 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1137 return( ret );
1138 }
1139
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1140 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1141 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1143 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1144 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1146 else
Hanno Beckerd086bf02021-03-22 13:01:27 +0000[diff] [blame]1147#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1148#if defined(MBEDTLS_GCM_C) || \
1149 defined(MBEDTLS_CCM_C) || \
1150 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1151 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1152 mode == MBEDTLS_MODE_CCM ||
1153 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1154 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1155 unsigned char iv[12];
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1156 unsigned char *dynamic_iv;
1157 size_t dynamic_iv_len;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1158
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1159 /*
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1160 * Extract dynamic part of nonce for AEAD decryption.
1161 *
1162 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
1163 * part of the IV is prepended to the ciphertext and
1164 * can be chosen freely - in particular, it need not
1165 * agree with the record sequence number.
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1166 */
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1167 dynamic_iv_len = sizeof( rec->ctr );
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]1168 if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 )
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1169 {
1170 if( rec->data_len < dynamic_iv_len )
1171 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1173 " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1174 rec->data_len,
1175 dynamic_iv_len ) );
1176 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1177 }
1178 dynamic_iv = data;
1179
1180 data += dynamic_iv_len;
1181 rec->data_offset += dynamic_iv_len;
1182 rec->data_len -= dynamic_iv_len;
1183 }
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]1184 else
1185 {
1186 dynamic_iv = rec->ctr;
1187 }
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1188
1189 /* Check that there's space for the authentication tag. */
1190 if( rec->data_len < transform->taglen )
1191 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1193 ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
Christian von Arnim883d3042020-12-01 11:58:29 +0100[diff] [blame]1194 rec->data_len,
1195 transform->taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1197 }
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1198 rec->data_len -= transform->taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1199
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1200 /*
1201 * Prepare nonce from dynamic and static parts.
1202 */
Hanno Becker17263802020-05-28 07:05:48 +0100[diff] [blame]1203 ssl_build_record_nonce( iv, sizeof( iv ),
1204 transform->iv_dec,
1205 transform->fixed_ivlen,
1206 dynamic_iv,
1207 dynamic_iv_len );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1208
Hanno Beckerdf8be222020-05-21 15:30:57 +0100[diff] [blame]1209 /*
1210 * Build additional data for AEAD encryption.
1211 * This depends on the TLS version.
1212 */
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]1213 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]1214 transform->minor_ver,
1215 transform->taglen );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1216 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1217 add_data, add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1218
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1219 /* Because of the check above, we know that there are
1220 * explicit_iv_len Bytes preceeding data, and taglen
1221 * bytes following data + data_len. This justifies
Hanno Becker20016652019-07-10 11:44:13 +0100[diff] [blame]1222 * the debug message and the invocation of
TRodziewicz18efb732021-04-29 23:12:19 +0200[diff] [blame]1223 * mbedtls_cipher_auth_decrypt_ext() below. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1224
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1225 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1226 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1227 transform->taglen );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1228
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1229 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1230 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1231 */
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]1232 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1233 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1234 add_data, add_data_len,
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]1235 data, rec->data_len + transform->taglen, /* src */
1236 data, rec->buf_len - (data - rec->buf), &olen, /* dst */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1237 transform->taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1238 {
TRodziewicz18efb732021-04-29 23:12:19 +0200[diff] [blame]1239 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt_ext", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1241 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1242 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1243
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1244 return( ret );
1245 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1246 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1247
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1248 /* Double-check that AEAD decryption doesn't change content length. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1249 if( olen != rec->data_len )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1250 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1252 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1253 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1254 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1255 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1256#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200[diff] [blame]1257#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1258 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259 {
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1260 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1261
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1263 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1264 */
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1265#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]1266 /* The ciphertext is prefixed with the CBC IV. */
1267 minlen += transform->ivlen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1268#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1269
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1270 /* Size considerations:
1271 *
1272 * - The CBC cipher text must not be empty and hence
1273 * at least of size transform->ivlen.
1274 *
1275 * Together with the potential IV-prefix, this explains
1276 * the first of the two checks below.
1277 *
1278 * - The record must contain a MAC, either in plain or
1279 * encrypted, depending on whether Encrypt-then-MAC
1280 * is used or not.
1281 * - If it is, the message contains the IV-prefix,
1282 * the CBC ciphertext, and the MAC.
1283 * - If it is not, the padded plaintext, and hence
1284 * the CBC ciphertext, has at least length maclen + 1
1285 * because there is at least the padding length byte.
1286 *
1287 * As the CBC ciphertext is not empty, both cases give the
1288 * lower bound minlen + maclen + 1 on the record size, which
1289 * we test for in the second check below.
1290 */
1291 if( rec->data_len < minlen + transform->ivlen ||
1292 rec->data_len < minlen + transform->maclen + 1 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1293 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1295 ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
1296 "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1297 "+ 1 ) ( + expl IV )", rec->data_len,
1298 transform->ivlen,
1299 transform->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1300 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1301 }
1302
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1303 /*
1304 * Authenticate before decrypt if enabled
1305 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1307 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1308 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1309 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1312
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1313 /* Update data_len in tandem with add_data.
1314 *
1315 * The subtraction is safe because of the previous check
1316 * data_len >= minlen + maclen + 1.
1317 *
1318 * Afterwards, we know that data + data_len is followed by at
1319 * least maclen Bytes, which justifies the call to
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1320 * mbedtls_ct_memcmp() below.
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1321 *
1322 * Further, we still know that data_len > minlen */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1323 rec->data_len -= transform->maclen;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]1324 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]1325 transform->minor_ver,
1326 transform->taglen );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1327
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1328 /* Calculate expected MAC. */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1329 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1330 add_data_len );
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1331 ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1332 add_data_len );
1333 if( ret != 0 )
1334 goto hmac_failed_etm_enabled;
1335 ret = mbedtls_md_hmac_update( &transform->md_ctx_dec,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1336 data, rec->data_len );
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1337 if( ret != 0 )
1338 goto hmac_failed_etm_enabled;
1339 ret = mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1340 if( ret != 0 )
1341 goto hmac_failed_etm_enabled;
1342 ret = mbedtls_md_hmac_reset( &transform->md_ctx_dec );
1343 if( ret != 0 )
1344 goto hmac_failed_etm_enabled;
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1345
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1346 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1347 transform->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1348 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1349 transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1350
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1351 /* Compare expected MAC with MAC at the end of the record. */
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1352 if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect,
gabor-mezei-arm46025642021-07-19 15:19:19 +0200[diff] [blame]1353 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1354 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]1356 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
1357 goto hmac_failed_etm_enabled;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1358 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1359 auth_done++;
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]1360
1361 hmac_failed_etm_enabled:
1362 mbedtls_platform_zeroize( mac_expect, transform->maclen );
1363 if( ret != 0 )
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1364 {
1365 if( ret != MBEDTLS_ERR_SSL_INVALID_MAC )
1366 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hmac_xxx", ret );
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]1367 return( ret );
Gilles Peskineecf6beb2021-12-10 21:35:10 +0100[diff] [blame]1368 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1369 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1371
1372 /*
1373 * Check length sanity
1374 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1375
1376 /* We know from above that data_len > minlen >= 0,
1377 * so the following check in particular implies that
1378 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1379 if( rec->data_len % transform->ivlen != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1380 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1382 ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1383 rec->data_len, transform->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1384 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1385 }
1386
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1387#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1388 /*
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1389 * Initialize for prepended IV for block cipher in TLS v1.2
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1390 */
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]1391 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
1392 memcpy( transform->iv_dec, data, transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1393
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]1394 data += transform->ivlen;
1395 rec->data_offset += transform->ivlen;
1396 rec->data_len -= transform->ivlen;
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1397#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1398
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1399 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1400
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1401 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1402 transform->iv_dec, transform->ivlen,
1403 data, rec->data_len, data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1405 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1406 return( ret );
1407 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1408
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1409 /* Double-check that length hasn't changed during decryption. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1410 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1411 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1413 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1414 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1415
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1416 /* Safe since data_len >= minlen + maclen + 1, so after having
1417 * subtracted at most minlen and maclen up to this point,
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1418 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1419 * >= ivlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1420 padlen = data[rec->data_len - 1];
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1421
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1422 if( auth_done == 1 )
1423 {
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1424 const size_t mask = mbedtls_ct_size_mask_ge(
Manuel Pégourié-Gonnard2ddec432020-08-24 12:49:23 +0200[diff] [blame]1425 rec->data_len,
1426 padlen + 1 );
1427 correct &= mask;
1428 padlen &= mask;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1429 }
1430 else
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1431 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1433 if( rec->data_len < transform->maclen + padlen + 1 )
1434 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1436 ") < maclen (%" MBEDTLS_PRINTF_SIZET
1437 ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1438 rec->data_len,
1439 transform->maclen,
1440 padlen + 1 ) );
1441 }
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1442#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1443
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1444 const size_t mask = mbedtls_ct_size_mask_ge(
Manuel Pégourié-Gonnard2ddec432020-08-24 12:49:23 +0200[diff] [blame]1445 rec->data_len,
1446 transform->maclen + padlen + 1 );
1447 correct &= mask;
1448 padlen &= mask;
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1449 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1451 padlen++;
1452
1453 /* Regardless of the validity of the padding,
1454 * we have data_len >= padlen here. */
1455
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1456#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1457 /* The padding check involves a series of up to 256
1458 * consecutive memory reads at the end of the record
1459 * plaintext buffer. In order to hide the length and
1460 * validity of the padding, always perform exactly
1461 * `min(256,plaintext_len)` reads (but take into account
1462 * only the last `padlen` bytes for the padding check). */
1463 size_t pad_count = 0;
1464 volatile unsigned char* const check = data;
1465
1466 /* Index of first padding byte; it has been ensured above
1467 * that the subtraction is safe. */
1468 size_t const padding_idx = rec->data_len - padlen;
1469 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1470 size_t const start_idx = rec->data_len - num_checks;
1471 size_t idx;
1472
1473 for( idx = start_idx; idx < rec->data_len; idx++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474 {
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1475 /* pad_count += (idx >= padding_idx) &&
1476 * (check[idx] == padlen - 1);
1477 */
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1478 const size_t mask = mbedtls_ct_size_mask_ge( idx, padding_idx );
1479 const size_t equal = mbedtls_ct_size_bool_eq( check[idx],
gabor-mezei-arm9fa43ce2021-09-28 16:14:47 +0200[diff] [blame]1480 padlen - 1 );
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1481 pad_count += mask & equal;
1482 }
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1483 correct &= mbedtls_ct_size_bool_eq( pad_count, padlen );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1485#if defined(MBEDTLS_SSL_DEBUG_ALL)
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1486 if( padlen > 0 && correct == 0 )
1487 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1488#endif
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1489 padlen &= mbedtls_ct_size_mask( correct );
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1490
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1491#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1492
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1493 /* If the padding was found to be invalid, padlen == 0
1494 * and the subtraction is safe. If the padding was found valid,
1495 * padlen hasn't been changed and the previous assertion
1496 * data_len >= padlen still holds. */
1497 rec->data_len -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1498 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1499 else
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200[diff] [blame]1500#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1501 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1502 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1503 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1504 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1506#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1507 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1508 data, rec->data_len );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1509#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510
1511 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1512 * Authenticate if not done yet.
1513 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1514 */
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000[diff] [blame]1515#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1516 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1517 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1518 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard3c31afa2020-08-13 12:08:54 +0200[diff] [blame]1519 unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]1520
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1521 /* If the initial value of padlen was such that
1522 * data_len < maclen + padlen + 1, then padlen
1523 * got reset to 1, and the initial check
1524 * data_len >= minlen + maclen + 1
1525 * guarantees that at this point we still
1526 * have at least data_len >= maclen.
1527 *
1528 * If the initial value of padlen was such that
1529 * data_len >= maclen + padlen + 1, then we have
1530 * subtracted either padlen + 1 (if the padding was correct)
1531 * or 0 (if the padding was incorrect) since then,
1532 * hence data_len >= maclen in any case.
1533 */
1534 rec->data_len -= transform->maclen;
Hanno Becker1cb6c2a2020-05-21 15:25:21 +0100[diff] [blame]1535 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
Hanno Becker79e2d1b2021-03-22 11:42:19 +0000[diff] [blame]1536 transform->minor_ver,
1537 transform->taglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1539#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1540 /*
1541 * The next two sizes are the minimum and maximum values of
1542 * data_len over all padlen values.
1543 *
1544 * They're independent of padlen, since we previously did
1545 * data_len -= padlen.
1546 *
1547 * Note that max_len + maclen is never more than the buffer
1548 * length, as we previously did in_msglen -= maclen too.
1549 */
1550 const size_t max_len = rec->data_len + padlen;
1551 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1552
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1553 ret = mbedtls_ct_hmac( &transform->md_ctx_dec,
gabor-mezei-arm9fa43ce2021-09-28 16:14:47 +0200[diff] [blame]1554 add_data, add_data_len,
1555 data, rec->data_len, min_len, max_len,
1556 mac_expect );
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1557 if( ret != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1558 {
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1559 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ct_hmac", ret );
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]1560 goto hmac_failed_etm_disabled;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1561 }
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1562
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1563 mbedtls_ct_memcpy_offset( mac_peer, data,
gabor-mezei-arm9fa43ce2021-09-28 16:14:47 +0200[diff] [blame]1564 rec->data_len,
1565 min_len, max_len,
1566 transform->maclen );
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]1567#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1569#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1570 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
Manuel Pégourié-Gonnard3c31afa2020-08-13 12:08:54 +0200[diff] [blame]1571 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1572#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1573
Gabor Mezei90437e32021-10-20 11:59:27 +0200[diff] [blame]1574 if( mbedtls_ct_memcmp( mac_peer, mac_expect,
gabor-mezei-arm46025642021-07-19 15:19:19 +0200[diff] [blame]1575 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1576 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577#if defined(MBEDTLS_SSL_DEBUG_ALL)
1578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1579#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1580 correct = 0;
1581 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1582 auth_done++;
Gilles Peskined5ba50e2021-12-10 21:33:21 +0100[diff] [blame]1583
1584 hmac_failed_etm_disabled:
1585 mbedtls_platform_zeroize( mac_peer, transform->maclen );
1586 mbedtls_platform_zeroize( mac_expect, transform->maclen );
1587 if( ret != 0 )
1588 return( ret );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1589 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +0100[diff] [blame]1590
1591 /*
1592 * Finally check the correct flag
1593 */
1594 if( correct == 0 )
1595 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000[diff] [blame]1596#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1597
1598 /* Make extra sure authentication was performed, exactly once */
1599 if( auth_done != 1 )
1600 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1602 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1603 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1604
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]1605#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]1606 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1607 {
1608 /* Remove inner padding and infer true content type. */
1609 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1610 &rec->type );
1611
1612 if( ret != 0 )
1613 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1614 }
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]1615#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame]1616
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1617#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1618 if( rec->cid_len != 0 )
1619 {
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]1620 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1621 &rec->type );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1622 if( ret != 0 )
1623 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1624 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1625#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1627 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1628
1629 return( 0 );
1630}
1631
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1632#undef MAC_NONE
1633#undef MAC_PLAINTEXT
1634#undef MAC_CIPHERTEXT
1635
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1636/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1637 * Fill the input message buffer by appending data to it.
1638 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1639 *
1640 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1641 * available (from this read and/or a previous one). Otherwise, an error code
1642 * is returned (possibly EOF or WANT_READ).
1643 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1644 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1645 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1646 * since we always read a whole datagram at once.
1647 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]1648 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1649 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1650 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1651int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1652{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1653 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1654 size_t len;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1655#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1656 size_t in_buf_len = ssl->in_buf_len;
1657#else
1658 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1659#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1660
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1661 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1662
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1663 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1664 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1666 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1667 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1668 }
1669
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1670 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1671 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1673 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1674 }
1675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1677 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1679 uint32_t timeout;
1680
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1681 /*
1682 * The point is, we need to always read a full datagram at once, so we
1683 * sometimes read more then requested, and handle the additional data.
1684 * It could be the rest of the current record (while fetching the
1685 * header) and/or some other records in the same datagram.
1686 */
1687
1688 /*
1689 * Move to the next record in the already read datagram if applicable
1690 */
1691 if( ssl->next_record_offset != 0 )
1692 {
1693 if( ssl->in_left < ssl->next_record_offset )
1694 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1695 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1696 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1697 }
1698
1699 ssl->in_left -= ssl->next_record_offset;
1700
1701 if( ssl->in_left != 0 )
1702 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %"
1704 MBEDTLS_PRINTF_SIZET,
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1705 ssl->next_record_offset ) );
1706 memmove( ssl->in_hdr,
1707 ssl->in_hdr + ssl->next_record_offset,
1708 ssl->in_left );
1709 }
1710
1711 ssl->next_record_offset = 0;
1712 }
1713
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
1715 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1716 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1717
1718 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1719 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1720 */
1721 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1722 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1723 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1724 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1725 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1726
1727 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1728 * A record can't be split across datagrams. If we need to read but
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1729 * are not at the beginning of a new record, the caller did something
1730 * wrong.
1731 */
1732 if( ssl->in_left != 0 )
1733 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1734 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1735 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1736 }
1737
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1738 /*
1739 * Don't even try to read if time's out already.
1740 * This avoids by-passing the timer when repeatedly receiving messages
1741 * that will end up being dropped.
1742 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1743 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1744 {
1745 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1746 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1747 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1748 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1749 {
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1750 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1751
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1752 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1753 timeout = ssl->handshake->retransmit_timeout;
1754 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1755 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1756
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]1757 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1758
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1759 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1760 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
1761 timeout );
1762 else
1763 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
1764
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1765 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1766
1767 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1768 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1769 }
1770
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1771 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1772 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1773 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]1774 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1776 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1777 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1778 if( ssl_double_retransmit_timeout( ssl ) != 0 )
1779 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1780 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1781 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1782 }
1783
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1784 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1785 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1786 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1787 return( ret );
1788 }
1789
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1790 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1791 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1792#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1793 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1794 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1795 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1796 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1797 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1798 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
1799 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1800 return( ret );
1801 }
1802
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1803 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1804 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1805#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1806 }
1807
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808 if( ret < 0 )
1809 return( ret );
1810
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1811 ssl->in_left = ret;
1812 }
1813 else
1814#endif
1815 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1816 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
1817 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1818 ssl->in_left, nb_want ) );
1819
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1820 while( ssl->in_left < nb_want )
1821 {
1822 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1823
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1824 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1825 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1826 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1827 {
1828 if( ssl->f_recv_timeout != NULL )
1829 {
1830 ret = ssl->f_recv_timeout( ssl->p_bio,
1831 ssl->in_hdr + ssl->in_left, len,
1832 ssl->conf->read_timeout );
1833 }
1834 else
1835 {
1836 ret = ssl->f_recv( ssl->p_bio,
1837 ssl->in_hdr + ssl->in_left, len );
1838 }
1839 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1840
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1841 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
1842 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1843 ssl->in_left, nb_want ) );
1844 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1845
1846 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1848
1849 if( ret < 0 )
1850 return( ret );
1851
makise-homuraaf9513b2020-08-24 18:26:27 +0300[diff] [blame]1852 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1853 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1854 MBEDTLS_SSL_DEBUG_MSG( 1,
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1855 ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested",
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]1856 ret, len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1857 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1858 }
1859
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1860 ssl->in_left += ret;
1861 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862 }
1863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
1866 return( 0 );
1867}
1868
1869/*
1870 * Flush any data not yet written
1871 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1872int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1874 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]1875 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1879 if( ssl->f_send == NULL )
1880 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1882 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1883 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1884 }
1885
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1886 /* Avoid incrementing counter if data is flushed */
1887 if( ssl->out_left == 0 )
1888 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1890 return( 0 );
1891 }
1892
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893 while( ssl->out_left > 0 )
1894 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1895 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET
1896 ", out_left: %" MBEDTLS_PRINTF_SIZET,
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]1897 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]1899 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1900 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1902 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903
1904 if( ret <= 0 )
1905 return( ret );
1906
makise-homuraaf9513b2020-08-24 18:26:27 +0300[diff] [blame]1907 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]1908 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1909 MBEDTLS_SSL_DEBUG_MSG( 1,
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1910 ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent",
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]1911 ret, ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]1912 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1913 }
1914
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915 ssl->out_left -= ret;
1916 }
1917
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]1918#if defined(MBEDTLS_SSL_PROTO_DTLS)
1919 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1920 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]1921 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1922 }
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]1923 else
1924#endif
1925 {
1926 ssl->out_hdr = ssl->out_buf + 8;
1927 }
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]1928 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1929
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1930 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931
1932 return( 0 );
1933}
1934
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1935/*
1936 * Functions to handle the DTLS retransmission state machine
1937 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1939/*
1940 * Append current handshake message to current outgoing flight
1941 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1942static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1943{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1944 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]1945 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
1946 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
1947 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1948
1949 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1950 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1951 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1953 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1954 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1955 }
1956
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1957 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1958 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
1960 ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1961 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1962 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1963 }
1964
1965 /* Copy current handshake message with headers */
1966 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
1967 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1968 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1969 msg->next = NULL;
1970
1971 /* Append to the current flight */
1972 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1973 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1974 else
1975 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1976 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1977 while( cur->next != NULL )
1978 cur = cur->next;
1979 cur->next = msg;
1980 }
1981
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]1982 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1983 return( 0 );
1984}
1985
1986/*
1987 * Free the current flight of handshake messages
1988 */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]1989void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1990{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1991 mbedtls_ssl_flight_item *cur = flight;
1992 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]1993
1994 while( cur != NULL )
1995 {
1996 next = cur->next;
1997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1998 mbedtls_free( cur->p );
1999 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2000
2001 cur = next;
2002 }
2003}
2004
2005/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2006 * Swap transform_out and out_ctr with the alternative ones
2007 */
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2008static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2009{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2010 mbedtls_ssl_transform *tmp_transform;
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]2011 unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2012
2013 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2014 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2016 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2017 }
2018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2019 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2020
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2021 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2022 tmp_transform = ssl->transform_out;
2023 ssl->transform_out = ssl->handshake->alt_transform_out;
2024 ssl->handshake->alt_transform_out = tmp_transform;
2025
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2026 /* Swap epoch + sequence_number */
Jerry Yud96a5c22021-09-29 17:46:51 +0800[diff] [blame]2027 memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( tmp_out_ctr ) );
2028 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr,
2029 sizeof( ssl->cur_out_ctr ) );
2030 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,
2031 sizeof( ssl->handshake->alt_out_ctr ) );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2032
2033 /* Adjust to the newly activated transform */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2034 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2035
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2036 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2037}
2038
2039/*
2040 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2041 */
2042int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2043{
2044 int ret = 0;
2045
2046 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2047
2048 ret = mbedtls_ssl_flight_transmit( ssl );
2049
2050 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2051
2052 return( ret );
2053}
2054
2055/*
2056 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2057 *
2058 * Need to remember the current message in case flush_output returns
2059 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2060 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2061 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2062int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2063{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2064 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2065 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2067 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2068 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2069 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2070
2071 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2072 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2073 ret = ssl_swap_epochs( ssl );
2074 if( ret != 0 )
2075 return( ret );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2076
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2077 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2078 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2079
2080 while( ssl->handshake->cur_msg != NULL )
2081 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2082 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2083 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2084
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2085 int const is_finished =
2086 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2087 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2088
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2089 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2090 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2091
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2092 /* Swap epochs before sending Finished: we can't do it after
2093 * sending ChangeCipherSpec, in case write returns WANT_READ.
2094 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2095 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2096 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2097 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2098 ret = ssl_swap_epochs( ssl );
2099 if( ret != 0 )
2100 return( ret );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2101 }
2102
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2103 ret = ssl_get_remaining_payload_in_datagram( ssl );
2104 if( ret < 0 )
2105 return( ret );
2106 max_frag_len = (size_t) ret;
2107
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2108 /* CCS is copied as is, while HS messages may need fragmentation */
2109 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2110 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2111 if( max_frag_len == 0 )
2112 {
2113 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2114 return( ret );
2115
2116 continue;
2117 }
2118
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2119 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2120 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2121 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2122
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2123 /* Update position inside current message */
2124 ssl->handshake->cur_msg_p += cur->len;
2125 }
2126 else
2127 {
2128 const unsigned char * const p = ssl->handshake->cur_msg_p;
2129 const size_t hs_len = cur->len - 12;
2130 const size_t frag_off = p - ( cur->p + 12 );
2131 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2132 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2133
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2134 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +0200[diff] [blame]2135 {
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2136 if( is_finished )
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2137 {
2138 ret = ssl_swap_epochs( ssl );
2139 if( ret != 0 )
2140 return( ret );
2141 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2142
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2143 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2144 return( ret );
2145
2146 continue;
2147 }
2148 max_hs_frag_len = max_frag_len - 12;
2149
2150 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2151 max_hs_frag_len : rem_len;
2152
2153 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2154 {
2155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2156 (unsigned) cur_hs_frag_len,
2157 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2158 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]2159
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2160 /* Messages are stored with handshake headers as if not fragmented,
2161 * copy beginning of headers then fill fragmentation fields.
2162 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2163 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2164
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]2165 ssl->out_msg[6] = MBEDTLS_BYTE_2( frag_off );
2166 ssl->out_msg[7] = MBEDTLS_BYTE_1( frag_off );
2167 ssl->out_msg[8] = MBEDTLS_BYTE_0( frag_off );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2168
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]2169 ssl->out_msg[ 9] = MBEDTLS_BYTE_2( cur_hs_frag_len );
2170 ssl->out_msg[10] = MBEDTLS_BYTE_1( cur_hs_frag_len );
2171 ssl->out_msg[11] = MBEDTLS_BYTE_0( cur_hs_frag_len );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2172
2173 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2174
Hanno Becker3f7b9732018-08-28 09:53:25 +0100[diff] [blame]2175 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2176 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2177 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2178 ssl->out_msgtype = cur->type;
2179
2180 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2181 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2182 }
2183
2184 /* If done with the current message move to the next one if any */
2185 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2186 {
2187 if( cur->next != NULL )
2188 {
2189 ssl->handshake->cur_msg = cur->next;
2190 ssl->handshake->cur_msg_p = cur->next->p + 12;
2191 }
2192 else
2193 {
2194 ssl->handshake->cur_msg = NULL;
2195 ssl->handshake->cur_msg_p = NULL;
2196 }
2197 }
2198
2199 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2200 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2201 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2202 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2203 return( ret );
2204 }
2205 }
2206
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2207 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2208 return( ret );
2209
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2210 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2212 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +0200[diff] [blame]2213 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2214 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2215 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2216 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2217 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2218
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2219 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2220
2221 return( 0 );
2222}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2223
2224/*
2225 * To be called when the last message of an incoming flight is received.
2226 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2227void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2228{
2229 /* We won't need to resend that one any more */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2230 mbedtls_ssl_flight_free( ssl->handshake->flight );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2231 ssl->handshake->flight = NULL;
2232 ssl->handshake->cur_msg = NULL;
2233
2234 /* The next incoming flight will start with this msg_seq */
2235 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2236
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2237 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]2238 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2239
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2240 /* Clear future message buffering structure. */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2241 mbedtls_ssl_buffering_free( ssl );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2242
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2243 /* Cancel timer */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2244 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2245
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2246 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2247 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2248 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2249 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2250 }
2251 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2252 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2253}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2254
2255/*
2256 * To be called when the last message of an outgoing flight is send.
2257 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2258void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2259{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2260 ssl_reset_retransmit_timeout( ssl );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2261 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2263 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2264 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2265 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2266 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2267 }
2268 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2270}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2272
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2273/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2274 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2276
2277/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2278 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2279 *
2280 * - fill in handshake headers
2281 * - update handshake checksum
2282 * - DTLS: save message for resending
2283 * - then pass to the record layer
2284 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2285 * DTLS: except for HelloRequest, messages are only queued, and will only be
2286 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2287 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2288 * Inputs:
2289 * - ssl->out_msglen: 4 + actual handshake message len
2290 * (4 is the size of handshake headers for TLS)
2291 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2292 * - ssl->out_msg + 4: the handshake message body
2293 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +0200[diff] [blame]2294 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2295 * - ssl->out_msglen: the length of the record contents
2296 * (including handshake headers but excluding record headers)
2297 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2298 */
Hanno Beckerf3cce8b2021-08-07 14:29:49 +0100[diff] [blame]2299int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
2300 int update_checksum )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2301{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2303 const size_t hs_len = ssl->out_msglen - 4;
2304 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2305
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2307
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2308 /*
2309 * Sanity checks
2310 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2311 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2312 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2313 {
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2315 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2316 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2317
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2318 /* Whenever we send anything different from a
2319 * HelloRequest we should be in a handshake - double check. */
2320 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2321 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2322 ssl->handshake == NULL )
2323 {
2324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2325 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2326 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2328#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2329 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2330 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2331 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2332 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2333 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2334 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2335 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2336#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2337
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]2338 /* Double-check that we did not exceed the bounds
2339 * of the outgoing record buffer.
2340 * This should never fail as the various message
2341 * writing functions must obey the bounds of the
2342 * outgoing record buffer, but better be safe.
2343 *
2344 * Note: We deliberately do not check for the MTU or MFL here.
2345 */
2346 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2347 {
2348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2349 "size %" MBEDTLS_PRINTF_SIZET
2350 ", maximum %" MBEDTLS_PRINTF_SIZET,
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]2351 ssl->out_msglen,
2352 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]2353 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2354 }
2355
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2356 /*
2357 * Fill handshake headers
2358 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2359 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2360 {
Joe Subbianifbeb6922021-07-16 14:27:50 +0100[diff] [blame]2361 ssl->out_msg[1] = MBEDTLS_BYTE_2( hs_len );
2362 ssl->out_msg[2] = MBEDTLS_BYTE_1( hs_len );
2363 ssl->out_msg[3] = MBEDTLS_BYTE_0( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2364
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2365 /*
2366 * DTLS has additional fields in the Handshake layer,
2367 * between the length field and the actual payload:
2368 * uint16 message_seq;
2369 * uint24 fragment_offset;
2370 * uint24 fragment_length;
2371 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2372#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2373 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2374 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2375 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2376 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2377 {
2378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2379 "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET,
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]2380 hs_len,
2381 (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2382 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2383 }
2384
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2385 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2386 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2387
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2388 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2389 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2390 {
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]2391 MBEDTLS_PUT_UINT16_BE( ssl->handshake->out_msg_seq, ssl->out_msg, 4 );
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +0200[diff] [blame]2392 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2393 }
2394 else
2395 {
2396 ssl->out_msg[4] = 0;
2397 ssl->out_msg[5] = 0;
2398 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2399
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2400 /* Handshake hashes are computed without fragmentation,
2401 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2402 memset( ssl->out_msg + 6, 0x00, 3 );
2403 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2404 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2405#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2406
Hanno Becker0207e532018-08-28 10:28:28 +0100[diff] [blame]2407 /* Update running hashes of handshake messages seen */
Hanno Beckerf3cce8b2021-08-07 14:29:49 +0100[diff] [blame]2408 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0 )
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2409 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2410 }
2411
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2412 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2413#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2414 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2415 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2416 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2417 {
2418 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2419 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2420 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2421 return( ret );
2422 }
2423 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2424 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2425#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2426 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2427 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2428 {
2429 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2430 return( ret );
2431 }
2432 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2433
2434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2435
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2436 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2437}
2438
2439/*
2440 * Record layer functions
2441 */
2442
2443/*
2444 * Write current record.
2445 *
2446 * Uses:
2447 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2448 * - ssl->out_msglen: length of the record content (excl headers)
2449 * - ssl->out_msg: record content
2450 */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2451int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2452{
2453 int ret, done = 0;
2454 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2455 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2456
2457 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2458
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2459 if( !done )
2460 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2461 unsigned i;
2462 size_t protected_record_size;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2463#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2464 size_t out_buf_len = ssl->out_buf_len;
2465#else
2466 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2467#endif
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2468 /* Skip writing the record content type to after the encryption,
2469 * as it may change when using the CID extension. */
Jerry Yu47413c22021-10-29 17:19:41 +0800[diff] [blame]2470 int minor_ver = ssl->minor_ver;
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]2471#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu1ca80f72021-11-08 10:30:54 +0800[diff] [blame]2472 /* TLS 1.3 still uses the TLS 1.2 version identifier
2473 * for backwards compatibility. */
Jerry Yu47413c22021-10-29 17:19:41 +0800[diff] [blame]2474 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
2475 minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]2476#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu47413c22021-10-29 17:19:41 +0800[diff] [blame]2477 mbedtls_ssl_write_version( ssl->major_ver, minor_ver,
2478 ssl->conf->transport, ssl->out_hdr + 1 );
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2479
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]2480 memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]2481 MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2482
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2483 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2484 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2485 mbedtls_record rec;
2486
2487 rec.buf = ssl->out_iv;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2488 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2489 rec.data_len = ssl->out_msglen;
2490 rec.data_offset = ssl->out_msg - rec.buf;
2491
Jerry Yud96a5c22021-09-29 17:46:51 +0800[diff] [blame]2492 memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) );
Jerry Yu47413c22021-10-29 17:19:41 +0800[diff] [blame]2493 mbedtls_ssl_write_version( ssl->major_ver, minor_ver,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2494 ssl->conf->transport, rec.ver );
2495 rec.type = ssl->out_msgtype;
2496
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2497#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]2498 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2499 rec.cid_len = 0;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2500#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2501
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]2502 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2503 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2504 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2505 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2506 return( ret );
2507 }
2508
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2509 if( rec.data_offset != 0 )
2510 {
2511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2512 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2513 }
2514
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2515 /* Update the record content type and CID. */
2516 ssl->out_msgtype = rec.type;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2517#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]2518 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2519#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker78f839d2019-03-14 12:56:23 +0000[diff] [blame]2520 ssl->out_msglen = len = rec.data_len;
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]2521 MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->out_len, 0 );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2522 }
2523
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]2524 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2525
2526#if defined(MBEDTLS_SSL_PROTO_DTLS)
2527 /* In case of DTLS, double-check that we don't exceed
2528 * the remaining space in the datagram. */
2529 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2530 {
Hanno Becker554b0af2018-08-22 20:33:41 +0100[diff] [blame]2531 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2532 if( ret < 0 )
2533 return( ret );
2534
2535 if( protected_record_size > (size_t) ret )
2536 {
2537 /* Should never happen */
2538 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2539 }
2540 }
2541#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2542
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2543 /* Now write the potentially updated record content type. */
2544 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2545
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]2546 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, "
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2547 "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2548 ssl->out_hdr[0], ssl->out_hdr[1],
2549 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2551 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2552 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2553
2554 ssl->out_left += protected_record_size;
2555 ssl->out_hdr += protected_record_size;
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2556 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2557
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2558 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2559 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2560 break;
2561
2562 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2563 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2564 {
2565 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2566 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2567 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2568 }
2569
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2570#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +0100[diff] [blame]2571 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2572 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2573 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +0100[diff] [blame]2574 size_t remaining;
2575 ret = ssl_get_remaining_payload_in_datagram( ssl );
2576 if( ret < 0 )
2577 {
2578 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2579 ret );
2580 return( ret );
2581 }
2582
2583 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2584 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2585 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2586 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2587 }
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2588 else
2589 {
Hanno Becker513815a2018-08-20 11:56:09 +0100[diff] [blame]2590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2591 }
2592 }
2593#endif /* MBEDTLS_SSL_PROTO_DTLS */
2594
2595 if( ( flush == SSL_FORCE_FLUSH ) &&
2596 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2597 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2598 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2599 return( ret );
2600 }
2601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2602 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2603
2604 return( 0 );
2605}
2606
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2607#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2608
2609static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2610{
2611 if( ssl->in_msglen < ssl->in_hslen ||
2612 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
2613 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2614 {
2615 return( 1 );
2616 }
2617 return( 0 );
2618}
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2619
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2620static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2621{
2622 return( ( ssl->in_msg[9] << 16 ) |
2623 ( ssl->in_msg[10] << 8 ) |
2624 ssl->in_msg[11] );
2625}
2626
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2627static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2628{
2629 return( ( ssl->in_msg[6] << 16 ) |
2630 ( ssl->in_msg[7] << 8 ) |
2631 ssl->in_msg[8] );
2632}
2633
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2634static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2635{
2636 uint32_t msg_len, frag_off, frag_len;
2637
2638 msg_len = ssl_get_hs_total_len( ssl );
2639 frag_off = ssl_get_hs_frag_off( ssl );
2640 frag_len = ssl_get_hs_frag_len( ssl );
2641
2642 if( frag_off > msg_len )
2643 return( -1 );
2644
2645 if( frag_len > msg_len - frag_off )
2646 return( -1 );
2647
2648 if( frag_len + 12 > ssl->in_msglen )
2649 return( -1 );
2650
2651 return( 0 );
2652}
2653
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2654/*
2655 * Mark bits in bitmask (used for DTLS HS reassembly)
2656 */
2657static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2658{
2659 unsigned int start_bits, end_bits;
2660
2661 start_bits = 8 - ( offset % 8 );
2662 if( start_bits != 8 )
2663 {
2664 size_t first_byte_idx = offset / 8;
2665
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +0200[diff] [blame]2666 /* Special case */
2667 if( len <= start_bits )
2668 {
2669 for( ; len != 0; len-- )
2670 mask[first_byte_idx] |= 1 << ( start_bits - len );
2671
2672 /* Avoid potential issues with offset or len becoming invalid */
2673 return;
2674 }
2675
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2676 offset += start_bits; /* Now offset % 8 == 0 */
2677 len -= start_bits;
2678
2679 for( ; start_bits != 0; start_bits-- )
2680 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
2681 }
2682
2683 end_bits = len % 8;
2684 if( end_bits != 0 )
2685 {
2686 size_t last_byte_idx = ( offset + len ) / 8;
2687
2688 len -= end_bits; /* Now len % 8 == 0 */
2689
2690 for( ; end_bits != 0; end_bits-- )
2691 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
2692 }
2693
2694 memset( mask + offset / 8, 0xFF, len / 8 );
2695}
2696
2697/*
2698 * Check that bitmask is full
2699 */
2700static int ssl_bitmask_check( unsigned char *mask, size_t len )
2701{
2702 size_t i;
2703
2704 for( i = 0; i < len / 8; i++ )
2705 if( mask[i] != 0xFF )
2706 return( -1 );
2707
2708 for( i = 0; i < len % 8; i++ )
2709 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2710 return( -1 );
2711
2712 return( 0 );
2713}
2714
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2715/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +0100[diff] [blame]2716static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2717 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2718{
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2719 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2720
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2721 alloc_len = 12; /* Handshake header */
2722 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2723
Hanno Beckerd07df862018-08-16 09:14:58 +0100[diff] [blame]2724 if( add_bitmap )
2725 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2726
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2727 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2728}
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2730#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2731
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2732static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2733{
2734 return( ( ssl->in_msg[1] << 16 ) |
2735 ( ssl->in_msg[2] << 8 ) |
2736 ssl->in_msg[3] );
2737}
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2738
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2739int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2740{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2741 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2742 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET,
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2744 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2745 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2746 }
2747
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2748 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2749
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2750 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2751 " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET,
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2752 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2754#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2755 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2756 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2757 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2758 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2759
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2760 if( ssl_check_hs_header( ssl ) != 0 )
2761 {
2762 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
2763 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2764 }
2765
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2766 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]2767 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
2768 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
2769 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
2770 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2771 {
Hanno Becker9e1ec222018-08-15 15:54:43 +0100[diff] [blame]2772 if( recv_msg_seq > ssl->handshake->in_msg_seq )
2773 {
2774 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
2775 recv_msg_seq,
2776 ssl->handshake->in_msg_seq ) );
2777 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2778 }
2779
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +0200[diff] [blame]2780 /* Retransmit only on last message from previous flight, to avoid
2781 * too many retransmissions.
2782 * Besides, No sane server ever retransmits HelloVerifyRequest */
2783 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2784 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2785 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2786 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]2787 "message_seq = %u, start_of_flight = %u",
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2788 recv_msg_seq,
2789 ssl->handshake->in_flight_start_seq ) );
2790
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2791 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2792 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2793 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2794 return( ret );
2795 }
2796 }
2797 else
2798 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]2800 "message_seq = %u, expected = %u",
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2801 recv_msg_seq,
2802 ssl->handshake->in_msg_seq ) );
2803 }
2804
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]2805 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2806 }
2807 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2808
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2809 /* Message reassembly is handled alongside buffering of future
2810 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +0100[diff] [blame]2811 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2812 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2813 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2814 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2815 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2816 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2817 }
2818 }
2819 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2820#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2821 /* With TLS we don't handle fragmentation (for now) */
2822 if( ssl->in_msglen < ssl->in_hslen )
2823 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
2825 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2826 }
2827
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2828 return( 0 );
2829}
2830
2831void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
2832{
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2833 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2834
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2835 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]2836 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2837 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]2838 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2839
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2840 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2841#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2842 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2843 ssl->handshake != NULL )
2844 {
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2845 unsigned offset;
2846 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2847
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2848 /* Increment handshake sequence number */
2849 hs->in_msg_seq++;
2850
2851 /*
2852 * Clear up handshake buffering and reassembly structure.
2853 */
2854
2855 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]2856 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2857
2858 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]2859 for( offset = 0, hs_buf = &hs->buffering.hs[0];
2860 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2861 offset++, hs_buf++ )
2862 {
2863 *hs_buf = *(hs_buf + 1);
2864 }
2865
2866 /* Create a fresh last entry */
2867 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2868 }
2869#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2870}
2871
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]2872/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2873 * DTLS anti-replay: RFC 6347 4.1.2.6
2874 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]2875 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
2876 * Bit n is set iff record number in_window_top - n has been seen.
2877 *
2878 * Usually, in_window_top is the last record number seen and the lsb of
2879 * in_window is set. The only exception is the initial state (record number 0
2880 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2881 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2882#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]2883void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2884{
2885 ssl->in_window_top = 0;
2886 ssl->in_window = 0;
2887}
2888
2889static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
2890{
2891 return( ( (uint64_t) buf[0] << 40 ) |
2892 ( (uint64_t) buf[1] << 32 ) |
2893 ( (uint64_t) buf[2] << 24 ) |
2894 ( (uint64_t) buf[3] << 16 ) |
2895 ( (uint64_t) buf[4] << 8 ) |
2896 ( (uint64_t) buf[5] ) );
2897}
2898
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]2899static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
2900{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2901 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]2902 unsigned char *original_in_ctr;
2903
2904 // save original in_ctr
2905 original_in_ctr = ssl->in_ctr;
2906
2907 // use counter from record
2908 ssl->in_ctr = record_in_ctr;
2909
2910 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
2911
2912 // restore the counter
2913 ssl->in_ctr = original_in_ctr;
2914
2915 return ret;
2916}
2917
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2918/*
2919 * Return 0 if sequence number is acceptable, -1 otherwise
2920 */
Hanno Becker0183d692019-07-12 08:50:37 +0100[diff] [blame]2921int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2922{
2923 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
2924 uint64_t bit;
2925
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2926 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]2927 return( 0 );
2928
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2929 if( rec_seqnum > ssl->in_window_top )
2930 return( 0 );
2931
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]2932 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2933
2934 if( bit >= 64 )
2935 return( -1 );
2936
2937 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
2938 return( -1 );
2939
2940 return( 0 );
2941}
2942
2943/*
2944 * Update replay window on new validated record
2945 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2946void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2947{
2948 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
2949
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2950 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]2951 return;
2952
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2953 if( rec_seqnum > ssl->in_window_top )
2954 {
2955 /* Update window_top and the contents of the window */
2956 uint64_t shift = rec_seqnum - ssl->in_window_top;
2957
2958 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]2959 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2960 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]2961 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2962 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]2963 ssl->in_window |= 1;
2964 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2965
2966 ssl->in_window_top = rec_seqnum;
2967 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2968 else
2969 {
2970 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]2971 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2972
2973 if( bit < 64 ) /* Always true, but be extra sure */
2974 ssl->in_window |= (uint64_t) 1 << bit;
2975 }
2976}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2977#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]2978
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]2979#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]2980/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]2981 * Without any SSL context, check if a datagram looks like a ClientHello with
2982 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +0100[diff] [blame]2983 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]2984 *
2985 * - if cookie is valid, return 0
2986 * - if ClientHello looks superficially valid but cookie is not,
2987 * fill obuf and set olen, then
2988 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
2989 * - otherwise return a specific error code
2990 */
2991static int ssl_check_dtls_clihlo_cookie(
2992 mbedtls_ssl_cookie_write_t *f_cookie_write,
2993 mbedtls_ssl_cookie_check_t *f_cookie_check,
2994 void *p_cookie,
2995 const unsigned char *cli_id, size_t cli_id_len,
2996 const unsigned char *in, size_t in_len,
2997 unsigned char *obuf, size_t buf_len, size_t *olen )
2998{
2999 size_t sid_len, cookie_len;
3000 unsigned char *p;
3001
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3002 /*
3003 * Structure of ClientHello with record and handshake headers,
3004 * and expected values. We don't need to check a lot, more checks will be
3005 * done when actually parsing the ClientHello - skipping those checks
3006 * avoids code duplication and does not make cookie forging any easier.
3007 *
3008 * 0-0 ContentType type; copied, must be handshake
3009 * 1-2 ProtocolVersion version; copied
3010 * 3-4 uint16 epoch; copied, must be 0
3011 * 5-10 uint48 sequence_number; copied
3012 * 11-12 uint16 length; (ignored)
3013 *
3014 * 13-13 HandshakeType msg_type; (ignored)
3015 * 14-16 uint24 length; (ignored)
3016 * 17-18 uint16 message_seq; copied
3017 * 19-21 uint24 fragment_offset; copied, must be 0
3018 * 22-24 uint24 fragment_length; (ignored)
3019 *
3020 * 25-26 ProtocolVersion client_version; (ignored)
3021 * 27-58 Random random; (ignored)
3022 * 59-xx SessionID session_id; 1 byte len + sid_len content
3023 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3024 * ...
3025 *
3026 * Minimum length is 61 bytes.
3027 */
3028 if( in_len < 61 ||
3029 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3030 in[3] != 0 || in[4] != 0 ||
3031 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3032 {
Hanno Becker90d59dd2021-06-24 11:17:13 +0100[diff] [blame]3033 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3034 }
3035
3036 sid_len = in[59];
3037 if( sid_len > in_len - 61 )
Hanno Becker90d59dd2021-06-24 11:17:13 +0100[diff] [blame]3038 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3039
3040 cookie_len = in[60 + sid_len];
3041 if( cookie_len > in_len - 60 )
Hanno Becker90d59dd2021-06-24 11:17:13 +0100[diff] [blame]3042 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3043
3044 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3045 cli_id, cli_id_len ) == 0 )
3046 {
3047 /* Valid cookie */
3048 return( 0 );
3049 }
3050
3051 /*
3052 * If we get here, we've got an invalid cookie, let's prepare HVR.
3053 *
3054 * 0-0 ContentType type; copied
3055 * 1-2 ProtocolVersion version; copied
3056 * 3-4 uint16 epoch; copied
3057 * 5-10 uint48 sequence_number; copied
3058 * 11-12 uint16 length; olen - 13
3059 *
3060 * 13-13 HandshakeType msg_type; hello_verify_request
3061 * 14-16 uint24 length; olen - 25
3062 * 17-18 uint16 message_seq; copied
3063 * 19-21 uint24 fragment_offset; copied
3064 * 22-24 uint24 fragment_length; olen - 25
3065 *
3066 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3067 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3068 *
3069 * Minimum length is 28.
3070 */
3071 if( buf_len < 28 )
3072 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3073
3074 /* Copy most fields and adapt others */
3075 memcpy( obuf, in, 25 );
3076 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3077 obuf[25] = 0xfe;
3078 obuf[26] = 0xff;
3079
3080 /* Generate and write actual cookie */
3081 p = obuf + 28;
3082 if( f_cookie_write( p_cookie,
3083 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3084 {
3085 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3086 }
3087
3088 *olen = p - obuf;
3089
3090 /* Go back and fill length fields */
3091 obuf[27] = (unsigned char)( *olen - 28 );
3092
Joe Subbianifbeb6922021-07-16 14:27:50 +0100[diff] [blame]3093 obuf[14] = obuf[22] = MBEDTLS_BYTE_2( *olen - 25 );
3094 obuf[15] = obuf[23] = MBEDTLS_BYTE_1( *olen - 25 );
3095 obuf[16] = obuf[24] = MBEDTLS_BYTE_0( *olen - 25 );
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3096
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]3097 MBEDTLS_PUT_UINT16_BE( *olen - 13, obuf, 11 );
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3098
3099 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3100}
3101
3102/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3103 * Handle possible client reconnect with the same UDP quadruplet
3104 * (RFC 6347 Section 4.2.8).
3105 *
3106 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3107 * that looks like a ClientHello.
3108 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3109 * - if the input looks like a ClientHello without cookies,
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3110 * send back HelloVerifyRequest, then return 0
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3111 * - if the input looks like a ClientHello with a valid cookie,
3112 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]3113 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3114 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3115 *
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3116 * This function is called (through ssl_check_client_reconnect()) when an
3117 * unexpected record is found in ssl_get_next_record(), which will discard the
3118 * record if we return 0, and bubble up the return value otherwise (this
3119 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3120 * errors, and is the right thing to do in both cases).
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3121 */
3122static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3123{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3124 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3125 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3126
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3127 if( ssl->conf->f_cookie_write == NULL ||
3128 ssl->conf->f_cookie_check == NULL )
3129 {
3130 /* If we can't use cookies to verify reachability of the peer,
3131 * drop the record. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3133 "can't check reconnect validity" ) );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3134 return( 0 );
3135 }
3136
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3137 ret = ssl_check_dtls_clihlo_cookie(
3138 ssl->conf->f_cookie_write,
3139 ssl->conf->f_cookie_check,
3140 ssl->conf->p_cookie,
3141 ssl->cli_id, ssl->cli_id_len,
3142 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3143 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3144
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3145 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3146
3147 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3148 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3149 int send_ret;
3150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3151 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3152 ssl->out_buf, len );
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]3153 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3154 * If the error is permanent we'll catch it later,
3155 * if it's not, then hopefully it'll work next time. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3156 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3157 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3158 (void) send_ret;
3159
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3160 return( 0 );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3161 }
3162
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3163 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3164 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3165 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
Hanno Becker43aefe22020-02-05 10:44:56 +0000[diff] [blame]3166 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3167 {
3168 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3169 return( ret );
3170 }
3171
3172 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3173 }
3174
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3175 return( ret );
3176}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3177#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3178
Hanno Beckerf661c9c2019-05-03 13:25:54 +0100[diff] [blame]3179static int ssl_check_record_type( uint8_t record_type )
3180{
3181 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3182 record_type != MBEDTLS_SSL_MSG_ALERT &&
3183 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3184 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3185 {
3186 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3187 }
3188
3189 return( 0 );
3190}
3191
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3192/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3193 * ContentType type;
3194 * ProtocolVersion version;
3195 * uint16 epoch; // DTLS only
3196 * uint48 sequence_number; // DTLS only
3197 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3198 *
3199 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3200 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3201 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3202 *
3203 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3204 * 1. proceed with the record if this function returns 0
3205 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3206 * 3. return CLIENT_RECONNECT if this function return that value
3207 * 4. drop the whole datagram if this function returns anything else.
3208 * Point 2 is needed when the peer is resending, and we have already received
3209 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3210 */
Hanno Becker331de3d2019-07-12 11:10:16 +0100[diff] [blame]3211static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3212 unsigned char *buf,
3213 size_t len,
3214 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3215{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3216 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3217
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3218 size_t const rec_hdr_type_offset = 0;
3219 size_t const rec_hdr_type_len = 1;
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3220
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3221 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3222 rec_hdr_type_len;
3223 size_t const rec_hdr_version_len = 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3224
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3225 size_t const rec_hdr_ctr_len = 8;
3226#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3227 uint32_t rec_epoch;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3228 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3229 rec_hdr_version_len;
3230
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3231#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3232 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3233 rec_hdr_ctr_len;
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3234 size_t rec_hdr_cid_len = 0;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3235#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3236#endif /* MBEDTLS_SSL_PROTO_DTLS */
3237
3238 size_t rec_hdr_len_offset; /* To be determined */
3239 size_t const rec_hdr_len_len = 2;
3240
3241 /*
3242 * Check minimum lengths for record header.
3243 */
3244
3245#if defined(MBEDTLS_SSL_PROTO_DTLS)
3246 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3247 {
3248 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3249 }
3250 else
3251#endif /* MBEDTLS_SSL_PROTO_DTLS */
3252 {
3253 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3254 }
3255
3256 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3257 {
3258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3259 (unsigned) len,
3260 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3261 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3262 }
3263
3264 /*
3265 * Parse and validate record content type
3266 */
3267
3268 rec->type = buf[ rec_hdr_type_offset ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3269
3270 /* Check record content type */
3271#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3272 rec->cid_len = 0;
3273
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3274 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3275 ssl->conf->cid_len != 0 &&
3276 rec->type == MBEDTLS_SSL_MSG_CID )
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3277 {
3278 /* Shift pointers to account for record header including CID
3279 * struct {
3280 * ContentType special_type = tls12_cid;
3281 * ProtocolVersion version;
3282 * uint16 epoch;
3283 * uint48 sequence_number;
Hanno Becker8e55b0f2019-05-23 17:03:19 +0100[diff] [blame]3284 * opaque cid[cid_length]; // Additional field compared to
3285 * // default DTLS record format
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3286 * uint16 length;
3287 * opaque enc_content[DTLSCiphertext.length];
3288 * } DTLSCiphertext;
3289 */
3290
3291 /* So far, we only support static CID lengths
3292 * fixed in the configuration. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3293 rec_hdr_cid_len = ssl->conf->cid_len;
3294 rec_hdr_len_offset += rec_hdr_cid_len;
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3295
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3296 if( len < rec_hdr_len_offset + rec_hdr_len_len )
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3297 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3299 (unsigned) len,
3300 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
Hanno Becker59be60e2019-07-10 14:53:43 +0100[diff] [blame]3301 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3302 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3303
Manuel Pégourié-Gonnard7e821b52019-08-02 10:17:15 +0200[diff] [blame]3304 /* configured CID len is guaranteed at most 255, see
3305 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3306 rec->cid_len = (uint8_t) rec_hdr_cid_len;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3307 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3308 }
3309 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3310#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3311 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3312 if( ssl_check_record_type( rec->type ) )
3313 {
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]3314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3315 (unsigned) rec->type ) );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3316 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3317 }
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3318 }
3319
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3320 /*
3321 * Parse and validate record version
3322 */
3323
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3324 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3325 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3326 mbedtls_ssl_read_version( &major_ver, &minor_ver,
3327 ssl->conf->transport,
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3328 &rec->ver[0] );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3329
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3330 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3331 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3333 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3334 }
3335
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3336 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3337 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3339 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3340 }
3341
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3342 /*
3343 * Parse/Copy record sequence number.
3344 */
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3345
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3346#if defined(MBEDTLS_SSL_PROTO_DTLS)
3347 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3348 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3349 /* Copy explicit record sequence number from input buffer. */
3350 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3351 rec_hdr_ctr_len );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3352 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3353 else
3354#endif /* MBEDTLS_SSL_PROTO_DTLS */
3355 {
3356 /* Copy implicit record sequence number from SSL context structure. */
3357 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3358 }
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3359
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3360 /*
3361 * Parse record length.
3362 */
3363
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3364 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
Hanno Becker9eca2762019-07-25 10:16:37 +0100[diff] [blame]3365 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3366 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3367 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3368
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]3369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, "
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]3370 "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET,
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3371 rec->type,
3372 major_ver, minor_ver, rec->data_len ) );
3373
3374 rec->buf = buf;
3375 rec->buf_len = rec->data_offset + rec->data_len;
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3376
Hanno Beckerd417cc92019-07-26 08:20:27 +0100[diff] [blame]3377 if( rec->data_len == 0 )
3378 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3379
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3380 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]3381 * DTLS-related tests.
3382 * Check epoch before checking length constraint because
3383 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3384 * message gets duplicated before the corresponding Finished message,
3385 * the second ChangeCipherSpec should be discarded because it belongs
3386 * to an old epoch, but not because its length is shorter than
3387 * the minimum record length for packets using the new record transform.
3388 * Note that these two kinds of failures are handled differently,
3389 * as an unexpected record is silently skipped but an invalid
3390 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3391 */
3392#if defined(MBEDTLS_SSL_PROTO_DTLS)
3393 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3394 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3395 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3396
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3397 /* Check that the datagram is large enough to contain a record
3398 * of the advertised length. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3399 if( len < rec->data_offset + rec->data_len )
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3400 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3402 (unsigned) len,
3403 (unsigned)( rec->data_offset + rec->data_len ) ) );
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3404 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3405 }
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3406
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3407 /* Records from other, non-matching epochs are silently discarded.
3408 * (The case of same-port Client reconnects must be considered in
3409 * the caller). */
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3410 if( rec_epoch != ssl->in_epoch )
3411 {
3412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]3413 "expected %u, received %lu",
3414 ssl->in_epoch, (unsigned long) rec_epoch ) );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3415
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3416 /* Records from the next epoch are considered for buffering
3417 * (concretely: early Finished messages). */
3418 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3419 {
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3421 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3422 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]3423
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3424 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3425 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3426#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3427 /* For records from the correct epoch, check whether their
3428 * sequence number has been seen before. */
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3429 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3430 &rec->ctr[0] ) != 0 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3431 {
3432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3433 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3434 }
3435#endif
3436 }
3437#endif /* MBEDTLS_SSL_PROTO_DTLS */
3438
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3439 return( 0 );
3440}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3441
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3442
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3443#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3444static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3445{
3446 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3447
3448 /*
3449 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3450 * access the first byte of record content (handshake type), as we
3451 * have an active transform (possibly iv_len != 0), so use the
3452 * fact that the record header len is 13 instead.
3453 */
3454 if( rec_epoch == 0 &&
3455 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3456 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3457 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3458 ssl->in_left > 13 &&
3459 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3460 {
3461 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3462 "from the same port" ) );
3463 return( ssl_handle_possible_reconnect( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3464 }
3465
3466 return( 0 );
3467}
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3468#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3469
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3470/*
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]3471 * If applicable, decrypt record content
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3472 */
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3473static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3474 mbedtls_record *rec )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3475{
3476 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]3477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3478 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3479 rec->buf, rec->buf_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3480
Ronald Cron7e38cba2021-11-24 12:43:39 +0100[diff] [blame]3481 /*
3482 * In TLS 1.3, always treat ChangeCipherSpec records
3483 * as unencrypted. The only thing we do with them is
3484 * check the length and content and ignore them.
3485 */
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]3486#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron7e38cba2021-11-24 12:43:39 +0100[diff] [blame]3487 if( ssl->transform_in != NULL &&
3488 ssl->transform_in->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
3489 {
3490 if( rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3491 done = 1;
3492 }
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]3493#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Ronald Cron7e38cba2021-11-24 12:43:39 +0100[diff] [blame]3494
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3495 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3496 {
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3497 unsigned char const old_msg_type = rec->type;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3498
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]3499 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3500 rec ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3501 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3502 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3503
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3504#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3505 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3506 ssl->conf->ignore_unexpected_cid
3507 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3508 {
Hanno Beckere8d6afd2019-05-24 10:11:06 +0100[diff] [blame]3509 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3510 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3511 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3512#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3513
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3514 return( ret );
3515 }
3516
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3517 if( old_msg_type != rec->type )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3518 {
3519 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3520 old_msg_type, rec->type ) );
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3521 }
3522
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3523 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3524 rec->buf + rec->data_offset, rec->data_len );
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3525
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3526#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3527 /* We have already checked the record content type
3528 * in ssl_parse_record_header(), failing or silently
3529 * dropping the record in the case of an unknown type.
3530 *
3531 * Since with the use of CIDs, the record content type
3532 * might change during decryption, re-check the record
3533 * content type, but treat a failure as fatal this time. */
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3534 if( ssl_check_record_type( rec->type ) )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3535 {
3536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3537 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3538 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3539#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3540
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3541 if( rec->data_len == 0 )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3542 {
3543#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3544 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3545 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3546 {
3547 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3549 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3550 }
3551#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3552
3553 ssl->nb_zero++;
3554
3555 /*
3556 * Three or more empty messages may be a DoS attack
3557 * (excessive CPU consumption).
3558 */
3559 if( ssl->nb_zero > 3 )
3560 {
3561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
Hanno Becker6e7700d2019-05-08 10:38:32 +0100[diff] [blame]3562 "messages, possible DoS attack" ) );
3563 /* Treat the records as if they were not properly authenticated,
3564 * thereby failing the connection if we see more than allowed
3565 * by the configured bad MAC threshold. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3566 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3567 }
3568 }
3569 else
3570 ssl->nb_zero = 0;
3571
3572#if defined(MBEDTLS_SSL_PROTO_DTLS)
3573 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3574 {
3575 ; /* in_ctr read from peer, not maintained internally */
3576 }
3577 else
3578#endif
3579 {
3580 unsigned i;
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]3581 for( i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
3582 i > mbedtls_ssl_ep_len( ssl ); i-- )
3583 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3584 if( ++ssl->in_ctr[i - 1] != 0 )
3585 break;
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]3586 }
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3587
3588 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3589 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3590 {
3591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3592 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3593 }
3594 }
3595
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3596 }
3597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3598#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3599 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3600 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3601 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3602 }
3603#endif
3604
Hanno Beckerd96e10b2019-07-09 17:30:02 +0100[diff] [blame]3605 /* Check actual (decrypted) record content length against
3606 * configured maximum. */
3607 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
3608 {
3609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3610 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3611 }
3612
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3613 return( 0 );
3614}
3615
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3616/*
3617 * Read a record.
3618 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]3619 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3620 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3621 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3622 */
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]3623
3624/* Helper functions for mbedtls_ssl_read_record(). */
3625static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3626static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3627static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +0100[diff] [blame]3628
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3629int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3630 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3631{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3632 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3633
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3634 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3635
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3636 if( ssl->keep_current_message == 0 )
3637 {
3638 do {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3639
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3640 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3641 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3642 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3643
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3644 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3645 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3646#if defined(MBEDTLS_SSL_PROTO_DTLS)
3647 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3648
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3649 /* We only check for buffered messages if the
3650 * current datagram is fully consumed. */
3651 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3652 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3653 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3654 if( ssl_load_buffered_message( ssl ) == 0 )
3655 have_buffered = 1;
3656 }
3657
3658 if( have_buffered == 0 )
3659#endif /* MBEDTLS_SSL_PROTO_DTLS */
3660 {
3661 ret = ssl_get_next_record( ssl );
3662 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
3663 continue;
3664
3665 if( ret != 0 )
3666 {
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]3667 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3668 return( ret );
3669 }
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3670 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3671 }
3672
3673 ret = mbedtls_ssl_handle_message_type( ssl );
3674
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3675#if defined(MBEDTLS_SSL_PROTO_DTLS)
3676 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
3677 {
3678 /* Buffer future message */
3679 ret = ssl_buffer_message( ssl );
3680 if( ret != 0 )
3681 return( ret );
3682
3683 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3684 }
3685#endif /* MBEDTLS_SSL_PROTO_DTLS */
3686
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3687 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
3688 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3689
3690 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3691 {
Hanno Becker05c4fc82017-11-09 14:34:06 +0000[diff] [blame]3692 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3693 return( ret );
3694 }
3695
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3696 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3697 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3698 {
3699 mbedtls_ssl_update_handshake_status( ssl );
3700 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3701 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3702 else
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3703 {
Hanno Becker02f59072018-08-15 14:00:24 +0100[diff] [blame]3704 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3705 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3706 }
3707
3708 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3709
3710 return( 0 );
3711}
3712
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3713#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3714static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3715{
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3716 if( ssl->in_left > ssl->next_record_offset )
3717 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3718
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3719 return( 0 );
3720}
3721
3722static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
3723{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3724 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3725 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3726 int ret = 0;
3727
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3728 if( hs == NULL )
3729 return( -1 );
3730
Hanno Beckere00ae372018-08-20 09:39:42 +0100[diff] [blame]3731 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
3732
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3733 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
3734 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3735 {
3736 /* Check if we have seen a ChangeCipherSpec before.
3737 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]3738 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3739 {
3740 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
3741 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +0100[diff] [blame]3742 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3743 }
3744
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]3745 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3746 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
3747 ssl->in_msglen = 1;
3748 ssl->in_msg[0] = 1;
3749
3750 /* As long as they are equal, the exact value doesn't matter. */
3751 ssl->in_left = 0;
3752 ssl->next_record_offset = 0;
3753
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3754 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3755 goto exit;
3756 }
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3757
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3758#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3759 /* Debug only */
3760 {
3761 unsigned offset;
3762 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
3763 {
3764 hs_buf = &hs->buffering.hs[offset];
3765 if( hs_buf->is_valid == 1 )
3766 {
3767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
3768 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +0100[diff] [blame]3769 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3770 }
3771 }
3772 }
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3773#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3774
3775 /* Check if we have buffered and/or fully reassembled the
3776 * next handshake message. */
3777 hs_buf = &hs->buffering.hs[0];
3778 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
3779 {
3780 /* Synthesize a record containing the buffered HS message. */
3781 size_t msg_len = ( hs_buf->data[1] << 16 ) |
3782 ( hs_buf->data[2] << 8 ) |
3783 hs_buf->data[3];
3784
3785 /* Double-check that we haven't accidentally buffered
3786 * a message that doesn't fit into the input buffer. */
3787 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
3788 {
3789 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3790 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3791 }
3792
3793 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
3794 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
3795 hs_buf->data, msg_len + 12 );
3796
3797 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3798 ssl->in_hslen = msg_len + 12;
3799 ssl->in_msglen = msg_len + 12;
3800 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
3801
3802 ret = 0;
3803 goto exit;
3804 }
3805 else
3806 {
3807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
3808 hs->in_msg_seq ) );
3809 }
3810
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3811 ret = -1;
3812
3813exit:
3814
3815 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
3816 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3817}
3818
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3819static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
3820 size_t desired )
3821{
3822 int offset;
3823 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
3825 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3826
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3827 /* Get rid of future records epoch first, if such exist. */
3828 ssl_free_buffered_record( ssl );
3829
3830 /* Check if we have enough space available now. */
3831 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3832 hs->buffering.total_bytes_buffered ) )
3833 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3834 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3835 return( 0 );
3836 }
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3837
Hanno Becker4f432ad2018-08-28 10:02:32 +0100[diff] [blame]3838 /* We don't have enough space to buffer the next expected handshake
3839 * message. Remove buffers used for future messages to gain space,
3840 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3841 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
3842 offset >= 0; offset-- )
3843 {
3844 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
3845 offset ) );
3846
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]3847 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3848
3849 /* Check if we have enough space available now. */
3850 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3851 hs->buffering.total_bytes_buffered ) )
3852 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3853 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3854 return( 0 );
3855 }
3856 }
3857
3858 return( -1 );
3859}
3860
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3861static int ssl_buffer_message( mbedtls_ssl_context *ssl )
3862{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3863 int ret = 0;
3864 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3865
3866 if( hs == NULL )
3867 return( 0 );
3868
3869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
3870
3871 switch( ssl->in_msgtype )
3872 {
3873 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
3874 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]3875
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3876 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3877 break;
3878
3879 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3880 {
3881 unsigned recv_msg_seq_offset;
3882 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
3883 mbedtls_ssl_hs_buffer *hs_buf;
3884 size_t msg_len = ssl->in_hslen - 12;
3885
3886 /* We should never receive an old handshake
3887 * message - double-check nonetheless. */
3888 if( recv_msg_seq < ssl->handshake->in_msg_seq )
3889 {
3890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3891 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3892 }
3893
3894 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
3895 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
3896 {
3897 /* Silently ignore -- message too far in the future */
3898 MBEDTLS_SSL_DEBUG_MSG( 2,
3899 ( "Ignore future HS message with sequence number %u, "
3900 "buffering window %u - %u",
3901 recv_msg_seq, ssl->handshake->in_msg_seq,
3902 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
3903
3904 goto exit;
3905 }
3906
3907 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
3908 recv_msg_seq, recv_msg_seq_offset ) );
3909
3910 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
3911
3912 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]3913 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3914 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3915 size_t reassembly_buf_sz;
3916
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3917 hs_buf->is_fragmented =
3918 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
3919
3920 /* We copy the message back into the input buffer
3921 * after reassembly, so check that it's not too large.
3922 * This is an implementation-specific limitation
3923 * and not one from the standard, hence it is not
3924 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +0100[diff] [blame]3925 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3926 {
3927 /* Ignore message */
3928 goto exit;
3929 }
3930
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3931 /* Check if we have enough space to buffer the message. */
3932 if( hs->buffering.total_bytes_buffered >
3933 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
3934 {
3935 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3936 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3937 }
3938
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3939 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
3940 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3941
3942 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3943 hs->buffering.total_bytes_buffered ) )
3944 {
3945 if( recv_msg_seq_offset > 0 )
3946 {
3947 /* If we can't buffer a future message because
3948 * of space limitations -- ignore. */
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]3949 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
3950 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
3951 " (already %" MBEDTLS_PRINTF_SIZET
3952 " bytes buffered) -- ignore\n",
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]3953 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]3954 hs->buffering.total_bytes_buffered ) );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3955 goto exit;
3956 }
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]3957 else
3958 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]3959 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
3960 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
3961 " (already %" MBEDTLS_PRINTF_SIZET
3962 " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]3963 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]3964 hs->buffering.total_bytes_buffered ) );
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]3965 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3966
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3967 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]3968 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]3969 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET
3970 " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed"
3971 " the compile-time limit %" MBEDTLS_PRINTF_SIZET
3972 " (already %" MBEDTLS_PRINTF_SIZET
3973 " bytes buffered) -- fail\n",
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]3974 msg_len,
3975 reassembly_buf_sz,
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]3976 (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]3977 hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]3978 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3979 goto exit;
3980 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3981 }
3982
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]3983 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET,
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3984 msg_len ) );
3985
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3986 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
3987 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3988 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3989 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3990 goto exit;
3991 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]3992 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3993
3994 /* Prepare final header: copy msg_type, length and message_seq,
3995 * then add standardised fragment_offset and fragment_length */
3996 memcpy( hs_buf->data, ssl->in_msg, 6 );
3997 memset( hs_buf->data + 6, 0, 3 );
3998 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
3999
4000 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4001
4002 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4003 }
4004 else
4005 {
4006 /* Make sure msg_type and length are consistent */
4007 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4008 {
4009 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4010 /* Ignore */
4011 goto exit;
4012 }
4013 }
4014
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4015 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4016 {
4017 size_t frag_len, frag_off;
4018 unsigned char * const msg = hs_buf->data + 12;
4019
4020 /*
4021 * Check and copy current fragment
4022 */
4023
4024 /* Validation of header fields already done in
4025 * mbedtls_ssl_prepare_handshake_record(). */
4026 frag_off = ssl_get_hs_frag_off( ssl );
4027 frag_len = ssl_get_hs_frag_len( ssl );
4028
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]4029 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
4030 ", length = %" MBEDTLS_PRINTF_SIZET,
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4031 frag_off, frag_len ) );
4032 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4033
4034 if( hs_buf->is_fragmented )
4035 {
4036 unsigned char * const bitmask = msg + msg_len;
4037 ssl_bitmask_set( bitmask, frag_off, frag_len );
4038 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4039 msg_len ) == 0 );
4040 }
4041 else
4042 {
4043 hs_buf->is_complete = 1;
4044 }
4045
4046 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4047 hs_buf->is_complete ? "" : "not yet " ) );
4048 }
4049
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4050 break;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4051 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4052
4053 default:
Hanno Becker360bef32018-08-28 10:04:33 +0100[diff] [blame]4054 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4055 break;
4056 }
4057
4058exit:
4059
4060 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4061 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4062}
4063#endif /* MBEDTLS_SSL_PROTO_DTLS */
4064
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4065static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4066{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4067 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4068 * Consume last content-layer message and potentially
4069 * update in_msglen which keeps track of the contents'
4070 * consumption state.
4071 *
4072 * (1) Handshake messages:
4073 * Remove last handshake message, move content
4074 * and adapt in_msglen.
4075 *
4076 * (2) Alert messages:
4077 * Consume whole record content, in_msglen = 0.
4078 *
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4079 * (3) Change cipher spec:
4080 * Consume whole record content, in_msglen = 0.
4081 *
4082 * (4) Application data:
4083 * Don't do anything - the record layer provides
4084 * the application data as a stream transport
4085 * and consumes through mbedtls_ssl_read only.
4086 *
4087 */
4088
4089 /* Case (1): Handshake messages */
4090 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4091 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4092 /* Hard assertion to be sure that no application data
4093 * is in flight, as corrupting ssl->in_msglen during
4094 * ssl->in_offt != NULL is fatal. */
4095 if( ssl->in_offt != NULL )
4096 {
4097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4098 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4099 }
4100
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4101 /*
4102 * Get next Handshake message in the current record
4103 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4104
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4105 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4106 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4107 * current handshake content: If DTLS handshake
4108 * fragmentation is used, that's the fragment
4109 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4110 * size here is faulty and should be changed at
4111 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4112 * (2) While it doesn't seem to cause problems, one
4113 * has to be very careful not to assume that in_hslen
4114 * is always <= in_msglen in a sensible communication.
4115 * Again, it's wrong for DTLS handshake fragmentation.
4116 * The following check is therefore mandatory, and
4117 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4118 * Additionally, ssl->in_hslen might be arbitrarily out of
4119 * bounds after handling a DTLS message with an unexpected
4120 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4121 */
4122 if( ssl->in_hslen < ssl->in_msglen )
4123 {
4124 ssl->in_msglen -= ssl->in_hslen;
4125 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4126 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4127
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4128 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4129 ssl->in_msg, ssl->in_msglen );
4130 }
4131 else
4132 {
4133 ssl->in_msglen = 0;
4134 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +0200[diff] [blame]4135
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4136 ssl->in_hslen = 0;
4137 }
4138 /* Case (4): Application data */
4139 else if( ssl->in_offt != NULL )
4140 {
4141 return( 0 );
4142 }
4143 /* Everything else (CCS & Alerts) */
4144 else
4145 {
4146 ssl->in_msglen = 0;
4147 }
4148
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4149 return( 0 );
4150}
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4151
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4152static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4153{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4154 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4155 return( 1 );
4156
4157 return( 0 );
4158}
4159
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4160#if defined(MBEDTLS_SSL_PROTO_DTLS)
4161
4162static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4163{
4164 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4165 if( hs == NULL )
4166 return;
4167
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4168 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4169 {
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4170 hs->buffering.total_bytes_buffered -=
4171 hs->buffering.future_record.len;
4172
4173 mbedtls_free( hs->buffering.future_record.data );
4174 hs->buffering.future_record.data = NULL;
4175 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4176}
4177
4178static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4179{
4180 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4181 unsigned char * rec;
4182 size_t rec_len;
4183 unsigned rec_epoch;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4184#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4185 size_t in_buf_len = ssl->in_buf_len;
4186#else
4187 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4188#endif
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4189 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4190 return( 0 );
4191
4192 if( hs == NULL )
4193 return( 0 );
4194
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4195 rec = hs->buffering.future_record.data;
4196 rec_len = hs->buffering.future_record.len;
4197 rec_epoch = hs->buffering.future_record.epoch;
4198
4199 if( rec == NULL )
4200 return( 0 );
4201
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4202 /* Only consider loading future records if the
4203 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4204 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4205 return( 0 );
4206
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4207 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4208
4209 if( rec_epoch != ssl->in_epoch )
4210 {
4211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4212 goto exit;
4213 }
4214
4215 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4216
4217 /* Double-check that the record is not too large */
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4218 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4219 {
4220 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4221 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4222 }
4223
4224 memcpy( ssl->in_hdr, rec, rec_len );
4225 ssl->in_left = rec_len;
4226 ssl->next_record_offset = 0;
4227
4228 ssl_free_buffered_record( ssl );
4229
4230exit:
4231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4232 return( 0 );
4233}
4234
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4235static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4236 mbedtls_record const *rec )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4237{
4238 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4239
4240 /* Don't buffer future records outside handshakes. */
4241 if( hs == NULL )
4242 return( 0 );
4243
4244 /* Only buffer handshake records (we are only interested
4245 * in Finished messages). */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4246 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4247 return( 0 );
4248
4249 /* Don't buffer more than one future epoch record. */
4250 if( hs->buffering.future_record.data != NULL )
4251 return( 0 );
4252
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4253 /* Don't buffer record if there's not enough buffering space remaining. */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4254 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4255 hs->buffering.total_bytes_buffered ) )
4256 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]4257 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
4258 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4259 " (already %" MBEDTLS_PRINTF_SIZET
4260 " bytes buffered) -- ignore\n",
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]4261 rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]4262 hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4263 return( 0 );
4264 }
4265
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4266 /* Buffer record */
4267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]4268 ssl->in_epoch + 1U ) );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4269 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4270
4271 /* ssl_parse_record_header() only considers records
4272 * of the next epoch as candidates for buffering. */
4273 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4274 hs->buffering.future_record.len = rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4275
4276 hs->buffering.future_record.data =
4277 mbedtls_calloc( 1, hs->buffering.future_record.len );
4278 if( hs->buffering.future_record.data == NULL )
4279 {
4280 /* If we run out of RAM trying to buffer a
4281 * record from the next epoch, just ignore. */
4282 return( 0 );
4283 }
4284
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4285 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4286
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4287 hs->buffering.total_bytes_buffered += rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4288 return( 0 );
4289}
4290
4291#endif /* MBEDTLS_SSL_PROTO_DTLS */
4292
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4293static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4294{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4295 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4296 mbedtls_record rec;
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4297
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4298#if defined(MBEDTLS_SSL_PROTO_DTLS)
4299 /* We might have buffered a future record; if so,
4300 * and if the epoch matches now, load it.
4301 * On success, this call will set ssl->in_left to
4302 * the length of the buffered record, so that
4303 * the calls to ssl_fetch_input() below will
4304 * essentially be no-ops. */
4305 ret = ssl_load_buffered_record( ssl );
4306 if( ret != 0 )
4307 return( ret );
4308#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4309
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]4310 /* Ensure that we have enough space available for the default form
4311 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4312 * with no space for CIDs counted in). */
4313 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4314 if( ret != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4315 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4316 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4317 return( ret );
4318 }
4319
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4320 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4321 if( ret != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4322 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4323#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4324 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4325 {
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4326 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4327 {
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4328 ret = ssl_buffer_future_record( ssl, &rec );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4329 if( ret != 0 )
4330 return( ret );
4331
4332 /* Fall through to handling of unexpected records */
4333 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4334 }
4335
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4336 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4337 {
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4338#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4339 /* Reset in pointers to default state for TLS/DTLS records,
4340 * assuming no CID and no offset between record content and
4341 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4342 mbedtls_ssl_update_in_pointers( ssl );
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4343
Hanno Becker7ae20e02019-07-12 08:33:49 +0100[diff] [blame]4344 /* Setup internal message pointers from record structure. */
4345 ssl->in_msgtype = rec.type;
4346#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4347 ssl->in_len = ssl->in_cid + rec.cid_len;
4348#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4349 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4350 ssl->in_msglen = rec.data_len;
4351
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4352 ret = ssl_check_client_reconnect( ssl );
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]4353 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4354 if( ret != 0 )
4355 return( ret );
4356#endif
4357
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4358 /* Skip unexpected record (but not whole datagram) */
Hanno Becker4acada32019-07-11 12:48:53 +0100[diff] [blame]4359 ssl->next_record_offset = rec.buf_len;
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4360
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4362 "(header)" ) );
4363 }
4364 else
4365 {
4366 /* Skip invalid record and the rest of the datagram */
4367 ssl->next_record_offset = 0;
4368 ssl->in_left = 0;
4369
4370 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4371 "(header)" ) );
4372 }
4373
4374 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4375 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4376 }
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4377 else
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4378#endif
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4379 {
4380 return( ret );
4381 }
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4382 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4383
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4384#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4385 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4386 {
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4387 /* Remember offset of next record within datagram. */
Hanno Beckerf50da502019-07-11 12:50:10 +0100[diff] [blame]4388 ssl->next_record_offset = rec.buf_len;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4389 if( ssl->next_record_offset < ssl->in_left )
4390 {
4391 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4392 }
4393 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4394 else
4395#endif
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4396 {
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]4397 /*
4398 * Fetch record contents from underlying transport.
4399 */
Hanno Beckera3175662019-07-11 12:50:29 +0100[diff] [blame]4400 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4401 if( ret != 0 )
4402 {
4403 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4404 return( ret );
4405 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4406
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4407 ssl->in_left = 0;
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4408 }
4409
4410 /*
4411 * Decrypt record contents.
4412 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4413
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]4414 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4415 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4416#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4417 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4418 {
4419 /* Silently discard invalid records */
Hanno Becker82e2a392019-05-03 16:36:59 +0100[diff] [blame]4420 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4421 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4422 /* Except when waiting for Finished as a bad mac here
4423 * probably means something went wrong in the handshake
4424 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4425 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4426 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4427 {
4428#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4429 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4430 {
4431 mbedtls_ssl_send_alert_message( ssl,
4432 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4433 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4434 }
4435#endif
4436 return( ret );
4437 }
4438
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4439 if( ssl->conf->badmac_limit != 0 &&
4440 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4441 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4443 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4444 }
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4445
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4446 /* As above, invalid records cause
4447 * dismissal of the whole datagram. */
4448
4449 ssl->next_record_offset = 0;
4450 ssl->in_left = 0;
4451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4453 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4454 }
4455
4456 return( ret );
4457 }
4458 else
4459#endif
4460 {
4461 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4462#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4463 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4464 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4465 mbedtls_ssl_send_alert_message( ssl,
4466 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4467 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4468 }
4469#endif
4470 return( ret );
4471 }
4472 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4473
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4474
4475 /* Reset in pointers to default state for TLS/DTLS records,
4476 * assuming no CID and no offset between record content and
4477 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4478 mbedtls_ssl_update_in_pointers( ssl );
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4479#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4480 ssl->in_len = ssl->in_cid + rec.cid_len;
4481#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
irwir89af51f2019-09-26 21:04:56 +0300[diff] [blame]4482 ssl->in_iv = ssl->in_len + 2;
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4483
Hanno Becker8685c822019-07-12 09:37:30 +0100[diff] [blame]4484 /* The record content type may change during decryption,
4485 * so re-read it. */
4486 ssl->in_msgtype = rec.type;
4487 /* Also update the input buffer, because unfortunately
4488 * the server-side ssl_parse_client_hello() reparses the
4489 * record header when receiving a ClientHello initiating
4490 * a renegotiation. */
4491 ssl->in_hdr[0] = rec.type;
4492 ssl->in_msg = rec.buf + rec.data_offset;
4493 ssl->in_msglen = rec.data_len;
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]4494 MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->in_len, 0 );
Hanno Becker8685c822019-07-12 09:37:30 +0100[diff] [blame]4495
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4496 return( 0 );
4497}
4498
4499int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4500{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4501 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4502
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]4503 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4504 * Handle particular types of records
4505 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4506 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4507 {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4508 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4509 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4510 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4511 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4512 }
4513
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4514 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4515 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4516 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4517 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]4518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4519 ssl->in_msglen ) );
4520 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4521 }
4522
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4523 if( ssl->in_msg[0] != 1 )
4524 {
4525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4526 ssl->in_msg[0] ) );
4527 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4528 }
4529
4530#if defined(MBEDTLS_SSL_PROTO_DTLS)
4531 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4532 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4533 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4534 {
4535 if( ssl->handshake == NULL )
4536 {
4537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4538 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4539 }
4540
4541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4542 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4543 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4544#endif
Ronald Cron7e38cba2021-11-24 12:43:39 +0100[diff] [blame]4545
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]4546#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron7e38cba2021-11-24 12:43:39 +0100[diff] [blame]4547 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
4548 {
4549#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
4550 MBEDTLS_SSL_DEBUG_MSG( 1,
4551 ( "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode" ) );
4552 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4553#else
4554 MBEDTLS_SSL_DEBUG_MSG( 1,
4555 ( "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" ) );
4556 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4557#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
4558 }
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]4559#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4560 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4561
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4562 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4563 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]4564 if( ssl->in_msglen != 2 )
4565 {
4566 /* Note: Standard allows for more than one 2 byte alert
4567 to be packed in a single message, but Mbed TLS doesn't
4568 currently support this. */
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]4569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]4570 ssl->in_msglen ) );
4571 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4572 }
4573
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]4574 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4575 ssl->in_msg[0], ssl->in_msg[1] ) );
4576
4577 /*
Simon Butcher459a9502015-10-27 16:09:03 +0000[diff] [blame]4578 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4579 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4580 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4581 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4583 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4584 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4585 }
4586
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4587 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4588 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4589 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4591 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4592 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4593
4594#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4595 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4596 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4597 {
Mateusz Starzykf5c53512021-04-15 13:28:52 +0200[diff] [blame]4598 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4599 /* Will be handled when trying to parse ServerHello */
4600 return( 0 );
4601 }
4602#endif
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4603 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4604 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4605 }
4606
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4607#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4608 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4609 {
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4610 /* Drop unexpected ApplicationData records,
4611 * except at the beginning of renegotiations */
4612 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4613 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4614#if defined(MBEDTLS_SSL_RENEGOTIATION)
4615 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4616 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4617#endif
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4618 )
4619 {
4620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4621 return( MBEDTLS_ERR_SSL_NON_FATAL );
4622 }
4623
4624 if( ssl->handshake != NULL &&
4625 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
4626 {
Hanno Beckerce5f5fd2020-02-05 10:47:44 +0000[diff] [blame]4627 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4628 }
4629 }
Hanno Becker4a4af9f2019-05-08 16:26:21 +0100[diff] [blame]4630#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4631
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4632 return( 0 );
4633}
4634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4635int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4636{
irwir6c0da642019-09-26 21:07:41 +0300[diff] [blame]4637 return( mbedtls_ssl_send_alert_message( ssl,
4638 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4639 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4640}
4641
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4642int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4643 unsigned char level,
4644 unsigned char message )
4645{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4646 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4647
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]4648 if( ssl == NULL || ssl->conf == NULL )
4649 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4651 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4652 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4654 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4655 ssl->out_msglen = 2;
4656 ssl->out_msg[0] = level;
4657 ssl->out_msg[1] = message;
4658
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]4659 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4660 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4661 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4662 return( ret );
4663 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4664 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4665
4666 return( 0 );
4667}
4668
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4669int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4670{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4671 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4673 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4675 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4676 ssl->out_msglen = 1;
4677 ssl->out_msg[0] = 1;
4678
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4679 ssl->state++;
4680
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4681 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4682 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4683 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4684 return( ret );
4685 }
4686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4687 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4688
4689 return( 0 );
4690}
4691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4692int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4693{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4694 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4696 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4697
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4698 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4699 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4700 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4701 return( ret );
4702 }
4703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4704 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4705 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4706 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4707 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4708 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4709 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4710 }
4711
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4712 /* CCS records are only accepted if they have length 1 and content '1',
4713 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4714
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4715 /*
4716 * Switch to our negotiated transform and session parameters for inbound
4717 * data.
4718 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4719 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4720 ssl->transform_in = ssl->transform_negotiate;
4721 ssl->session_in = ssl->session_negotiate;
4722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4723#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4724 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4725 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4726#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]4727 mbedtls_ssl_dtls_replay_reset( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4728#endif
4729
4730 /* Increment epoch */
4731 if( ++ssl->in_epoch == 0 )
4732 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4734 /* This is highly unlikely to happen for legitimate reasons, so
4735 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4736 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4737 }
4738 }
4739 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4740#endif /* MBEDTLS_SSL_PROTO_DTLS */
Jerry Yufd320e92021-10-08 21:52:41 +0800[diff] [blame]4741 memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4742
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4743 mbedtls_ssl_update_in_pointers( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4744
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4745 ssl->state++;
4746
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4748
4749 return( 0 );
4750}
4751
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4752/* Once ssl->out_hdr as the address of the beginning of the
4753 * next outgoing record is set, deduce the other pointers.
4754 *
4755 * Note: For TLS, we save the implicit record sequence number
4756 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
4757 * and the caller has to make sure there's space for this.
4758 */
4759
Hanno Beckerc0eefa82020-05-28 07:17:36 +0100[diff] [blame]4760static size_t ssl_transform_get_explicit_iv_len(
4761 mbedtls_ssl_transform const *transform )
4762{
TRodziewiczef73f012021-05-13 14:53:36 +0200[diff] [blame]4763 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerc0eefa82020-05-28 07:17:36 +0100[diff] [blame]4764 return( 0 );
4765
4766 return( transform->ivlen - transform->fixed_ivlen );
4767}
4768
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4769void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
4770 mbedtls_ssl_transform *transform )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4771{
4772#if defined(MBEDTLS_SSL_PROTO_DTLS)
4773 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4774 {
4775 ssl->out_ctr = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4776#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]4777 ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4778 ssl->out_len = ssl->out_cid;
4779 if( transform != NULL )
4780 ssl->out_len += transform->out_cid_len;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4781#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]4782 ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4783#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4784 ssl->out_iv = ssl->out_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4785 }
4786 else
4787#endif
4788 {
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4789 ssl->out_len = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4790#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4791 ssl->out_cid = ssl->out_len;
4792#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4793 ssl->out_iv = ssl->out_hdr + 5;
4794 }
4795
Hanno Beckerc0eefa82020-05-28 07:17:36 +0100[diff] [blame]4796 ssl->out_msg = ssl->out_iv;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4797 /* Adjust out_msg to make space for explicit IV, if used. */
Hanno Beckerc0eefa82020-05-28 07:17:36 +0100[diff] [blame]4798 if( transform != NULL )
4799 ssl->out_msg += ssl_transform_get_explicit_iv_len( transform );
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4800}
4801
4802/* Once ssl->in_hdr as the address of the beginning of the
4803 * next incoming record is set, deduce the other pointers.
4804 *
4805 * Note: For TLS, we save the implicit record sequence number
4806 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
4807 * and the caller has to make sure there's space for this.
4808 */
4809
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4810void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4811{
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4812 /* This function sets the pointers to match the case
4813 * of unprotected TLS/DTLS records, with both ssl->in_iv
4814 * and ssl->in_msg pointing to the beginning of the record
4815 * content.
4816 *
4817 * When decrypting a protected record, ssl->in_msg
4818 * will be shifted to point to the beginning of the
4819 * record plaintext.
4820 */
4821
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4822#if defined(MBEDTLS_SSL_PROTO_DTLS)
4823 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4824 {
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4825 /* This sets the header pointers to match records
4826 * without CID. When we receive a record containing
4827 * a CID, the fields are shifted accordingly in
4828 * ssl_parse_record_header(). */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4829 ssl->in_ctr = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4830#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]4831 ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4832 ssl->in_len = ssl->in_cid; /* Default: no CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4833#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]4834 ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4835#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4836 ssl->in_iv = ssl->in_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4837 }
4838 else
4839#endif
4840 {
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]4841 ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4842 ssl->in_len = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4843#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4844 ssl->in_cid = ssl->in_len;
4845#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4846 ssl->in_iv = ssl->in_hdr + 5;
4847 }
4848
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4849 /* This will be adjusted at record decryption time. */
4850 ssl->in_msg = ssl->in_iv;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4851}
4852
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4853/*
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +0200[diff] [blame]4854 * Setup an SSL context
4855 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]4856
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4857void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]4858{
4859 /* Set the incoming and outgoing record pointers. */
4860#if defined(MBEDTLS_SSL_PROTO_DTLS)
4861 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4862 {
4863 ssl->out_hdr = ssl->out_buf;
4864 ssl->in_hdr = ssl->in_buf;
4865 }
4866 else
4867#endif /* MBEDTLS_SSL_PROTO_DTLS */
4868 {
Hanno Becker12078f42021-03-02 15:28:41 +0000[diff] [blame]4869 ssl->out_ctr = ssl->out_buf;
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]4870 ssl->out_hdr = ssl->out_buf + 8;
4871 ssl->in_hdr = ssl->in_buf + 8;
4872 }
4873
4874 /* Derive other internal pointers. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4875 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
4876 mbedtls_ssl_update_in_pointers ( ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]4877}
4878
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4879/*
4880 * SSL get accessors
4881 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4882size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4883{
4884 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4885}
4886
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4887int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
4888{
4889 /*
4890 * Case A: We're currently holding back
4891 * a message for further processing.
4892 */
4893
4894 if( ssl->keep_current_message == 1 )
4895 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]4896 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4897 return( 1 );
4898 }
4899
4900 /*
4901 * Case B: Further records are pending in the current datagram.
4902 */
4903
4904#if defined(MBEDTLS_SSL_PROTO_DTLS)
4905 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4906 ssl->in_left > ssl->next_record_offset )
4907 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]4908 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4909 return( 1 );
4910 }
4911#endif /* MBEDTLS_SSL_PROTO_DTLS */
4912
4913 /*
4914 * Case C: A handshake message is being processed.
4915 */
4916
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4917 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
4918 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]4919 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4920 return( 1 );
4921 }
4922
4923 /*
4924 * Case D: An application data message is being processed
4925 */
4926 if( ssl->in_offt != NULL )
4927 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]4928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4929 return( 1 );
4930 }
4931
4932 /*
4933 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]4934 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]4935 * we implement support for multiple alerts in single records.
4936 */
4937
4938 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
4939 return( 0 );
4940}
4941
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]4942
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4943int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4944{
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]4945 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4946 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]4947 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4948
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]4949 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
4950
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]4951 if( transform == NULL )
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]4952 return( (int) out_hdr_len );
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]4953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4954 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4955 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4956 case MBEDTLS_MODE_GCM:
4957 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]4958 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4959 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4960 transform_expansion = transform->minlen;
4961 break;
4962
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4963 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]4964
4965 block_size = mbedtls_cipher_get_block_size(
4966 &transform->cipher_ctx_enc );
4967
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]4968 /* Expansion due to the addition of the MAC. */
4969 transform_expansion += transform->maclen;
4970
4971 /* Expansion due to the addition of CBC padding;
4972 * Theoretically up to 256 bytes, but we never use
4973 * more than the block size of the underlying cipher. */
4974 transform_expansion += block_size;
4975
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4976 /* For TLS 1.2 or higher, an explicit IV is added
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]4977 * after the record header. */
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]4978#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]4979 transform_expansion += block_size;
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]4980#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]4981
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4982 break;
4983
4984 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]4985 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4986 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4987 }
4988
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4989#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]4990 if( transform->out_cid_len != 0 )
4991 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4992#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]4993
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]4994 return( (int)( out_hdr_len + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]4995}
4996
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4997#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]4998/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]4999 * Check record counters and renegotiate if they're above the limit.
5000 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5001static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5002{
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]5003 size_t ep_len = mbedtls_ssl_ep_len( ssl );
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5004 int in_ctr_cmp;
5005 int out_ctr_cmp;
5006
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5007 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5008 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5009 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5010 {
5011 return( 0 );
5012 }
5013
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5014 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
Jerry Yud9a94fe2021-09-28 18:58:59 +0800[diff] [blame]5015 &ssl->conf->renego_period[ep_len],
Jerry Yuae0b2e22021-10-08 15:21:19 +0800[diff] [blame]5016 MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len );
Jerry Yud9a94fe2021-09-28 18:58:59 +0800[diff] [blame]5017 out_ctr_cmp = memcmp( &ssl->cur_out_ctr[ep_len],
5018 &ssl->conf->renego_period[ep_len],
5019 sizeof( ssl->cur_out_ctr ) - ep_len );
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5020
5021 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5022 {
5023 return( 0 );
5024 }
5025
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5026 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5027 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5028}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5029#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5030
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5031/* This function is called from mbedtls_ssl_read() when a handshake message is
Hanno Beckerf26cc722021-04-21 07:30:13 +0100[diff] [blame]5032 * received after the initial handshake. In this context, handshake messages
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5033 * may only be sent for the purpose of initiating renegotiations.
5034 *
5035 * This function is introduced as a separate helper since the handling
5036 * of post-handshake handshake messages changes significantly in TLS 1.3,
5037 * and having a helper function allows to distinguish between TLS <= 1.2 and
5038 * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
5039 */
Hanno Beckercad3dba2020-11-24 06:57:13 +0000[diff] [blame]5040static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5041{
Hanno Beckerfae12cf2021-04-21 07:20:20 +0100[diff] [blame]5042 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5043
5044 /*
5045 * - For client-side, expect SERVER_HELLO_REQUEST.
5046 * - For server-side, expect CLIENT_HELLO.
5047 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5048 */
5049
5050#if defined(MBEDTLS_SSL_CLI_C)
5051 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5052 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
5053 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
5054 {
5055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
5056
5057 /* With DTLS, drop the packet (probably from last handshake) */
5058#if defined(MBEDTLS_SSL_PROTO_DTLS)
5059 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5060 {
5061 return( 0 );
5062 }
5063#endif
5064 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5065 }
5066#endif /* MBEDTLS_SSL_CLI_C */
5067
5068#if defined(MBEDTLS_SSL_SRV_C)
5069 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5070 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
5071 {
5072 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
5073
5074 /* With DTLS, drop the packet (probably from last handshake) */
5075#if defined(MBEDTLS_SSL_PROTO_DTLS)
5076 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5077 {
5078 return( 0 );
5079 }
5080#endif
5081 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5082 }
5083#endif /* MBEDTLS_SSL_SRV_C */
5084
5085#if defined(MBEDTLS_SSL_RENEGOTIATION)
5086 /* Determine whether renegotiation attempt should be accepted */
5087 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5088 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5089 ssl->conf->allow_legacy_renegotiation ==
5090 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5091 {
5092 /*
5093 * Accept renegotiation request
5094 */
5095
5096 /* DTLS clients need to know renego is server-initiated */
5097#if defined(MBEDTLS_SSL_PROTO_DTLS)
5098 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5099 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5100 {
5101 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5102 }
5103#endif
5104 ret = mbedtls_ssl_start_renegotiation( ssl );
5105 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5106 ret != 0 )
5107 {
5108 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5109 ret );
5110 return( ret );
5111 }
5112 }
5113 else
5114#endif /* MBEDTLS_SSL_RENEGOTIATION */
5115 {
5116 /*
5117 * Refuse renegotiation
5118 */
5119
5120 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
5121
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]5122#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]5123 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5124 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5125 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5126 {
TRodziewicz345165c2021-07-06 13:42:11 +0200[diff] [blame]5127 return( ret );
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5128 }
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]5129#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5130 }
5131
5132 return( 0 );
5133}
5134
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5135/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5136 * Receive application data decrypted from the SSL layer
5137 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5138int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5139{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5140 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5141 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5142
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5143 if( ssl == NULL || ssl->conf == NULL )
5144 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5145
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5146 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5147
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5148#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5149 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5150 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5151 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5152 return( ret );
5153
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5154 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5155 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5156 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]5157 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5158 return( ret );
5159 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5160 }
5161#endif
5162
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5163 /*
5164 * Check if renegotiation is necessary and/or handshake is
5165 * in process. If yes, perform/continue, and fall through
5166 * if an unexpected packet is received while the client
5167 * is waiting for the ServerHello.
5168 *
5169 * (There is no equivalent to the last condition on
5170 * the server-side as it is not treated as within
5171 * a handshake while waiting for the ClientHello
5172 * after a renegotiation request.)
5173 */
5174
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5175#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5176 ret = ssl_check_ctr_renegotiate( ssl );
5177 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5178 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5179 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5180 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5181 return( ret );
5182 }
5183#endif
5184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5185 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5186 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5187 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5188 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5189 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5190 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5191 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5192 return( ret );
5193 }
5194 }
5195
Hanno Beckere41158b2017-10-23 13:30:32 +0100[diff] [blame]5196 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5197 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5198 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5199 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5200 if( ssl->f_get_timer != NULL &&
5201 ssl->f_get_timer( ssl->p_timer ) == -1 )
5202 {
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5203 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5204 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5205
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5206 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5207 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5208 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5209 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5210
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5211 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5212 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5213 }
5214
5215 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5216 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5217 {
5218 /*
5219 * OpenSSL sends empty messages to randomize the IV
5220 */
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5221 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5222 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5223 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5224 return( 0 );
5225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5226 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5227 return( ret );
5228 }
5229 }
5230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5231 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5232 {
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5233 ret = ssl_handle_hs_message_post_handshake( ssl );
5234 if( ret != 0)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5235 {
Hanno Beckerb03f88f2020-11-24 06:41:37 +0000[diff] [blame]5236 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_handle_hs_message_post_handshake",
5237 ret );
5238 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5239 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5240
Hanno Beckerf26cc722021-04-21 07:30:13 +0100[diff] [blame]5241 /* At this point, we don't know whether the renegotiation triggered
5242 * by the post-handshake message has been completed or not. The cases
5243 * to consider are the following:
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5244 * 1) The renegotiation is complete. In this case, no new record
5245 * has been read yet.
5246 * 2) The renegotiation is incomplete because the client received
5247 * an application data record while awaiting the ServerHello.
5248 * 3) The renegotiation is incomplete because the client received
5249 * a non-handshake, non-application data message while awaiting
5250 * the ServerHello.
Hanno Beckerf26cc722021-04-21 07:30:13 +0100[diff] [blame]5251 *
5252 * In each of these cases, looping will be the proper action:
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5253 * - For 1), the next iteration will read a new record and check
5254 * if it's application data.
5255 * - For 2), the loop condition isn't satisfied as application data
5256 * is present, hence continue is the same as break
5257 * - For 3), the loop condition is satisfied and read_record
5258 * will re-deliver the message that was held back by the client
5259 * when expecting the ServerHello.
5260 */
Hanno Beckerf26cc722021-04-21 07:30:13 +0100[diff] [blame]5261
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5262 continue;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5263 }
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5264#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5265 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5266 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5267 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5268 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5269 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5270 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5271 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5272 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5273 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5274 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5275 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5276 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5277#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5278
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5279 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5280 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5281 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5282 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]5283 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5284 }
5285
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5286 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5287 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5289 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5290 }
5291
5292 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5293
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5294 /* We're going to return something now, cancel timer,
5295 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5296 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5297 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5298
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]5299#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5300 /* If we requested renego but received AppData, resend HelloRequest.
5301 * Do it now, after setting in_offt, to avoid taking this branch
5302 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5303#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5304 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5305 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5306 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5307 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5308 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5309 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5310 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5311 return( ret );
5312 }
5313 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5314#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5315#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5316 }
5317
5318 n = ( len < ssl->in_msglen )
5319 ? len : ssl->in_msglen;
5320
5321 memcpy( buf, ssl->in_offt, n );
5322 ssl->in_msglen -= n;
5323
gabor-mezei-arma3214132020-07-15 10:55:00 +0200[diff] [blame]5324 /* Zeroising the plaintext buffer to erase unused application data
5325 from the memory. */
5326 mbedtls_platform_zeroize( ssl->in_offt, n );
5327
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5328 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5329 {
5330 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5331 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +0100[diff] [blame]5332 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5333 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5334 else
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5335 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5336 /* more data available */
5337 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5338 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5339
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5340 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5341
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5342 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5343}
5344
5345/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5346 * Send application data to be encrypted by the SSL layer, taking care of max
5347 * fragment length and buffer size.
5348 *
5349 * According to RFC 5246 Section 6.2.1:
5350 *
5351 * Zero-length fragments of Application data MAY be sent as they are
5352 * potentially useful as a traffic analysis countermeasure.
5353 *
5354 * Therefore, it is possible that the input message length is 0 and the
5355 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5356 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5357static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5358 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5359{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]5360 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5361 const size_t max_len = (size_t) ret;
5362
5363 if( ret < 0 )
5364 {
5365 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5366 return( ret );
5367 }
5368
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5369 if( len > max_len )
5370 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5371#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5372 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5373 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]5375 "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
5376 " > %" MBEDTLS_PRINTF_SIZET,
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5377 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5378 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5379 }
5380 else
5381#endif
5382 len = max_len;
5383 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5384
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5385 if( ssl->out_left != 0 )
5386 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5387 /*
5388 * The user has previously tried to send the data and
5389 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5390 * written. In this case, we expect the high-level write function
5391 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5392 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5393 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5394 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5395 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5396 return( ret );
5397 }
5398 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5399 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]5400 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5401 /*
5402 * The user is trying to send a message the first time, so we need to
5403 * copy the data into the internal buffers and setup the data structure
5404 * to keep track of partial writes
5405 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5406 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5407 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5408 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5409
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]5410 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5411 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5412 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5413 return( ret );
5414 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5415 }
5416
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5417 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5418}
5419
5420/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5421 * Write application data (public-facing wrapper)
5422 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5423int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5424{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5425 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5426
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5428
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5429 if( ssl == NULL || ssl->conf == NULL )
5430 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5431
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5432#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5433 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5434 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5435 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5436 return( ret );
5437 }
5438#endif
5439
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5440 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5441 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5442 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5443 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +0200[diff] [blame]5444 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5445 return( ret );
5446 }
5447 }
5448
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5449 ret = ssl_write_real( ssl, buf, len );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5450
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5451 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5452
5453 return( ret );
5454}
5455
5456/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5457 * Notify the peer that the connection is being closed
5458 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5459int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5460{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5461 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5462
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5463 if( ssl == NULL || ssl->conf == NULL )
5464 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5465
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5466 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5467
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5468 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5469 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5471 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5472 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5473 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5474 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5475 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5476 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5477 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5478 return( ret );
5479 }
5480 }
5481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5482 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5483
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5484 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5485}
5486
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5487void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5488{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]5489 if( transform == NULL )
5490 return;
5491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5492 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5493 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +0200[diff] [blame]5494
Przemyslaw Stekiel8f80fb92022-01-11 08:28:13 +0100[diff] [blame]5495#if defined(MBEDTLS_USE_PSA_CRYPTO)
Przemyslaw Stekielce37d112022-01-13 14:53:52 +0100[diff] [blame]5496 psa_destroy_key( transform->psa_key_enc );
5497 psa_destroy_key( transform->psa_key_dec );
Przemyslaw Stekiel8f80fb92022-01-11 08:28:13 +0100[diff] [blame]5498#endif
5499
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000[diff] [blame]5500#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5501 mbedtls_md_free( &transform->md_ctx_enc );
5502 mbedtls_md_free( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5503#endif
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]5504
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]5505 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5506}
5507
Jerry Yuc7875b52021-09-05 21:05:50 +0800[diff] [blame]5508void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
5509 mbedtls_ssl_transform *transform )
5510{
Jerry Yuc7875b52021-09-05 21:05:50 +0800[diff] [blame]5511 ssl->transform_in = transform;
Jerry Yufd320e92021-10-08 21:52:41 +0800[diff] [blame]5512 memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
Jerry Yuc7875b52021-09-05 21:05:50 +0800[diff] [blame]5513}
5514
5515void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
5516 mbedtls_ssl_transform *transform )
5517{
5518 ssl->transform_out = transform;
Jerry Yufd320e92021-10-08 21:52:41 +0800[diff] [blame]5519 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
Jerry Yuc7875b52021-09-05 21:05:50 +0800[diff] [blame]5520}
5521
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5522#if defined(MBEDTLS_SSL_PROTO_DTLS)
5523
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]5524void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5525{
5526 unsigned offset;
5527 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5528
5529 if( hs == NULL )
5530 return;
5531
Hanno Becker283f5ef2018-08-24 09:34:47 +0100[diff] [blame]5532 ssl_free_buffered_record( ssl );
5533
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5534 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5535 ssl_buffering_free_slot( ssl, offset );
5536}
5537
5538static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5539 uint8_t slot )
5540{
5541 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5542 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]5543
5544 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
5545 return;
5546
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5547 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5548 {
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5549 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +0100[diff] [blame]5550 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5551 mbedtls_free( hs_buf->data );
5552 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5553 }
5554}
5555
5556#endif /* MBEDTLS_SSL_PROTO_DTLS */
5557
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5558/*
5559 * Convert version numbers to/from wire format
5560 * and, for DTLS, to/from TLS equivalent.
5561 *
5562 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]5563 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5564 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
5565 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5566void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5567 unsigned char ver[2] )
5568{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5569#if defined(MBEDTLS_SSL_PROTO_DTLS)
5570 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5571 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5572 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5573 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5574
5575 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
5576 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
5577 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5578 else
5579#else
5580 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5581#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5582 {
5583 ver[0] = (unsigned char) major;
5584 ver[1] = (unsigned char) minor;
5585 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5586}
5587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5588void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5589 const unsigned char ver[2] )
5590{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5591#if defined(MBEDTLS_SSL_PROTO_DTLS)
5592 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5593 {
5594 *major = 255 - ver[0] + 2;
5595 *minor = 255 - ver[1] + 1;
5596
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5597 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5598 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5599 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5600 else
5601#else
5602 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5603#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5604 {
5605 *major = ver[0];
5606 *minor = ver[1];
5607 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5608}
5609
Jerry Yue7047812021-09-13 19:26:39 +0800[diff] [blame]5610/*
Jerry Yu3bf1f972021-09-22 21:37:18 +0800[diff] [blame]5611 * Send pending fatal alert.
5612 * 0, No alert message.
5613 * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it
5614 * returned, ssl->alert_reason otherwise.
Jerry Yue7047812021-09-13 19:26:39 +0800[diff] [blame]5615 */
5616int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl )
5617{
5618 int ret;
5619
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5620 /* No pending alert, return success*/
5621 if( ssl->send_alert == 0 )
5622 return( 0 );
Jerry Yu394ece62021-09-14 22:17:21 +0800[diff] [blame]5623
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5624 ret = mbedtls_ssl_send_alert_message( ssl,
5625 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5626 ssl->alert_type );
5627
Jerry Yu3bf1f972021-09-22 21:37:18 +0800[diff] [blame]5628 /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE,
5629 * do not clear the alert to be able to send it later.
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5630 */
5631 if( ret != MBEDTLS_ERR_SSL_WANT_WRITE )
5632 {
5633 ssl->send_alert = 0;
Jerry Yue7047812021-09-13 19:26:39 +0800[diff] [blame]5634 }
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5635
5636 if( ret != 0 )
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5637 return( ret );
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5638
Jerry Yubbd5a3f2021-09-18 20:50:22 +0800[diff] [blame]5639 return( ssl->alert_reason );
Jerry Yue7047812021-09-13 19:26:39 +0800[diff] [blame]5640}
5641
Jerry Yu394ece62021-09-14 22:17:21 +0800[diff] [blame]5642/*
5643 * Set pending fatal alert flag.
5644 */
5645void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
5646 unsigned char alert_type,
5647 int alert_reason )
5648{
5649 ssl->send_alert = 1;
5650 ssl->alert_type = alert_type;
5651 ssl->alert_reason = alert_reason;
5652}
5653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5654#endif /* MBEDTLS_SSL_TLS_C */