blob: 911a80c64bfedb73b5b09346744dc5f2320f33f1 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002 * TLS shared functions
Paul Bakker5121ce52009-01-03 21:22:43 +00003 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +000018 */
19/*
Paul Bakker5121ce52009-01-03 21:22:43 +000020 * http://www.ietf.org/rfc/rfc2246.txt
21 * http://www.ietf.org/rfc/rfc4346.txt
22 */
23
Gilles Peskinedb09ef62020-06-03 01:43:33 +020024#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020026#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000027
SimonBd5800b72016-04-26 07:43:27 +010028#if defined(MBEDTLS_PLATFORM_C)
29#include "mbedtls/platform.h"
30#else
31#include <stdlib.h>
32#define mbedtls_calloc calloc
33#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +010034#endif
35
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000036#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +000037#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +000038#include "mbedtls/debug.h"
39#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050040#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +010041#include "mbedtls/version.h"
Paul Bakker0be444a2013-08-27 21:55:01 +020042
Rich Evans00ab4702015-02-06 13:43:58 +000043#include <string.h>
44
Andrzej Kurekd6db9be2019-01-10 05:27:10 -050045#if defined(MBEDTLS_USE_PSA_CRYPTO)
46#include "mbedtls/psa_util.h"
47#include "psa/crypto.h"
48#endif
49
Janos Follath23bdca02016-10-07 14:47:14 +010050#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000051#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020052#endif
53
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +020054#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +010055
Hanno Beckera0e20d02019-05-15 14:03:01 +010056#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf8542cf2019-04-09 15:22:03 +010057/* Top-level Connection ID API */
58
Hanno Becker8367ccc2019-05-14 11:30:10 +010059int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
60 size_t len,
61 int ignore_other_cid )
Hanno Beckerad4a1372019-05-03 13:06:44 +010062{
63 if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
64 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
65
Hanno Becker611ac772019-05-14 11:45:26 +010066 if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
67 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
68 {
69 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
70 }
71
72 conf->ignore_unexpected_cid = ignore_other_cid;
Hanno Beckerad4a1372019-05-03 13:06:44 +010073 conf->cid_len = len;
74 return( 0 );
75}
76
Hanno Beckerf8542cf2019-04-09 15:22:03 +010077int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
78 int enable,
79 unsigned char const *own_cid,
80 size_t own_cid_len )
81{
Hanno Becker76a79ab2019-05-03 14:38:32 +010082 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
83 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
84
Hanno Beckerca092242019-04-25 16:01:49 +010085 ssl->negotiate_cid = enable;
86 if( enable == MBEDTLS_SSL_CID_DISABLED )
87 {
88 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
89 return( 0 );
90 }
91 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
Hanno Beckerad4a1372019-05-03 13:06:44 +010092 MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
Hanno Beckerca092242019-04-25 16:01:49 +010093
Hanno Beckerad4a1372019-05-03 13:06:44 +010094 if( own_cid_len != ssl->conf->cid_len )
Hanno Beckerca092242019-04-25 16:01:49 +010095 {
Hanno Beckerad4a1372019-05-03 13:06:44 +010096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
97 (unsigned) own_cid_len,
98 (unsigned) ssl->conf->cid_len ) );
Hanno Beckerca092242019-04-25 16:01:49 +010099 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
100 }
101
102 memcpy( ssl->own_cid, own_cid, own_cid_len );
Hanno Beckerb7ee0cf2019-04-30 14:07:31 +0100103 /* Truncation is not an issue here because
104 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
105 ssl->own_cid_len = (uint8_t) own_cid_len;
Hanno Beckerca092242019-04-25 16:01:49 +0100106
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100107 return( 0 );
108}
109
110int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
111 int *enabled,
112 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
113 size_t *peer_cid_len )
114{
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100115 *enabled = MBEDTLS_SSL_CID_DISABLED;
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100116
Hanno Becker76a79ab2019-05-03 14:38:32 +0100117 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
118 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
119 {
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100120 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Becker76a79ab2019-05-03 14:38:32 +0100121 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100122
Hanno Beckerc5f24222019-05-03 12:54:52 +0100123 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
124 * were used, but client and server requested the empty CID.
125 * This is indistinguishable from not using the CID extension
126 * in the first place. */
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100127 if( ssl->transform_in->in_cid_len == 0 &&
128 ssl->transform_in->out_cid_len == 0 )
129 {
130 return( 0 );
131 }
132
Hanno Becker615ef172019-05-22 16:50:35 +0100133 if( peer_cid_len != NULL )
134 {
135 *peer_cid_len = ssl->transform_in->out_cid_len;
136 if( peer_cid != NULL )
137 {
138 memcpy( peer_cid, ssl->transform_in->out_cid,
139 ssl->transform_in->out_cid_len );
140 }
141 }
Hanno Beckerb1f89cd2019-04-26 17:08:02 +0100142
143 *enabled = MBEDTLS_SSL_CID_ENABLED;
144
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100145 return( 0 );
146}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100147#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf8542cf2019-04-09 15:22:03 +0100148
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200149#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200150
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200151#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200152/*
153 * Convert max_fragment_length codes to length.
154 * RFC 6066 says:
155 * enum{
156 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
157 * } MaxFragmentLength;
158 * and we add 0 -> extension unused
159 */
Angus Grattond8213d02016-05-25 20:56:48 +1000160static unsigned int ssl_mfl_code_to_length( int mfl )
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200161{
Angus Grattond8213d02016-05-25 20:56:48 +1000162 switch( mfl )
163 {
164 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
165 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
166 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
167 return 512;
168 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
169 return 1024;
170 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
171 return 2048;
172 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
173 return 4096;
174 default:
175 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
176 }
177}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200178#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200179
Hanno Becker52055ae2019-02-06 14:30:46 +0000180int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
181 const mbedtls_ssl_session *src )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200182{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200183 mbedtls_ssl_session_free( dst );
184 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200186#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000187
188#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200189 if( src->peer_cert != NULL )
190 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000191 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200192
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200193 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200194 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200195 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200197 mbedtls_x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200199 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200200 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200201 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200202 mbedtls_free( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200203 dst->peer_cert = NULL;
204 return( ret );
205 }
206 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000207#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker9198ad12019-02-05 17:00:50 +0000208 if( src->peer_cert_digest != NULL )
209 {
Hanno Becker9198ad12019-02-05 17:00:50 +0000210 dst->peer_cert_digest =
Hanno Beckeraccc5992019-02-25 10:06:59 +0000211 mbedtls_calloc( 1, src->peer_cert_digest_len );
Hanno Becker9198ad12019-02-05 17:00:50 +0000212 if( dst->peer_cert_digest == NULL )
213 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
214
215 memcpy( dst->peer_cert_digest, src->peer_cert_digest,
216 src->peer_cert_digest_len );
217 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000218 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000219 }
220#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200222#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200223
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200224#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200225 if( src->ticket != NULL )
226 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200227 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200228 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200229 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200230
231 memcpy( dst->ticket, src->ticket, src->ticket_len );
232 }
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200233#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200234
235 return( 0 );
236}
237
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500238#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
239static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
240{
241 unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
242 if( resized_buffer == NULL )
243 return -1;
244
245 /* We want to copy len_new bytes when downsizing the buffer, and
246 * len_old bytes when upsizing, so we choose the smaller of two sizes,
247 * to fit one buffer into another. Size checks, ensuring that no data is
248 * lost, are done outside of this function. */
249 memcpy( resized_buffer, *buffer,
250 ( len_new < *len_old ) ? len_new : *len_old );
251 mbedtls_platform_zeroize( *buffer, *len_old );
252 mbedtls_free( *buffer );
253
254 *buffer = resized_buffer;
255 *len_old = len_new;
256
257 return 0;
258}
Andrzej Kurek4a063792020-10-21 15:08:44 +0200259
260static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
Andrzej Kurek069fa962021-01-07 08:02:15 -0500261 size_t in_buf_new_len,
262 size_t out_buf_new_len )
Andrzej Kurek4a063792020-10-21 15:08:44 +0200263{
264 int modified = 0;
265 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
266 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
267 if( ssl->in_buf != NULL )
268 {
269 written_in = ssl->in_msg - ssl->in_buf;
270 iv_offset_in = ssl->in_iv - ssl->in_buf;
271 len_offset_in = ssl->in_len - ssl->in_buf;
272 if( downsizing ?
273 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
274 ssl->in_buf_len < in_buf_new_len )
275 {
276 if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
277 {
278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
279 }
280 else
281 {
Paul Elliottb7449902021-03-10 18:14:58 +0000282 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
283 in_buf_new_len ) );
Andrzej Kurek4a063792020-10-21 15:08:44 +0200284 modified = 1;
285 }
286 }
287 }
288
289 if( ssl->out_buf != NULL )
290 {
291 written_out = ssl->out_msg - ssl->out_buf;
292 iv_offset_out = ssl->out_iv - ssl->out_buf;
293 len_offset_out = ssl->out_len - ssl->out_buf;
294 if( downsizing ?
295 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
296 ssl->out_buf_len < out_buf_new_len )
297 {
298 if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
299 {
300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
301 }
302 else
303 {
Paul Elliottb7449902021-03-10 18:14:58 +0000304 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
305 out_buf_new_len ) );
Andrzej Kurek4a063792020-10-21 15:08:44 +0200306 modified = 1;
307 }
308 }
309 }
310 if( modified )
311 {
312 /* Update pointers here to avoid doing it twice. */
313 mbedtls_ssl_reset_in_out_pointers( ssl );
314 /* Fields below might not be properly updated with record
315 * splitting or with CID, so they are manually updated here. */
316 ssl->out_msg = ssl->out_buf + written_out;
317 ssl->out_len = ssl->out_buf + len_offset_out;
318 ssl->out_iv = ssl->out_buf + iv_offset_out;
319
320 ssl->in_msg = ssl->in_buf + written_in;
321 ssl->in_len = ssl->in_buf + len_offset_in;
322 ssl->in_iv = ssl->in_buf + iv_offset_in;
323 }
324}
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500325#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200327#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekc929a822019-01-14 03:51:11 -0500328#if defined(MBEDTLS_USE_PSA_CRYPTO)
k-stachowiak81053a52019-08-17 10:30:28 +0200329
330static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200331 psa_key_id_t key,
k-stachowiak81053a52019-08-17 10:30:28 +0200332 psa_algorithm_t alg,
333 const unsigned char* seed, size_t seed_length,
334 const unsigned char* label, size_t label_length,
335 size_t capacity )
336{
337 psa_status_t status;
338
339 status = psa_key_derivation_setup( derivation, alg );
340 if( status != PSA_SUCCESS )
341 return( status );
342
343 if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
344 {
345 status = psa_key_derivation_input_bytes( derivation,
346 PSA_KEY_DERIVATION_INPUT_SEED,
347 seed, seed_length );
348 if( status != PSA_SUCCESS )
349 return( status );
350
Ronald Croncf56a0a2020-08-04 09:51:30 +0200351 if( mbedtls_svc_key_id_is_null( key ) )
Gilles Peskine311f54d2019-09-23 18:19:22 +0200352 {
353 status = psa_key_derivation_input_bytes(
354 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
355 NULL, 0 );
356 }
357 else
358 {
359 status = psa_key_derivation_input_key(
Ronald Croncf56a0a2020-08-04 09:51:30 +0200360 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
Gilles Peskine311f54d2019-09-23 18:19:22 +0200361 }
k-stachowiak81053a52019-08-17 10:30:28 +0200362 if( status != PSA_SUCCESS )
363 return( status );
364
365 status = psa_key_derivation_input_bytes( derivation,
366 PSA_KEY_DERIVATION_INPUT_LABEL,
367 label, label_length );
368 if( status != PSA_SUCCESS )
369 return( status );
370 }
371 else
372 {
373 return( PSA_ERROR_NOT_SUPPORTED );
374 }
375
376 status = psa_key_derivation_set_capacity( derivation, capacity );
377 if( status != PSA_SUCCESS )
378 return( status );
379
380 return( PSA_SUCCESS );
381}
382
Andrzej Kurekc929a822019-01-14 03:51:11 -0500383static int tls_prf_generic( mbedtls_md_type_t md_type,
384 const unsigned char *secret, size_t slen,
385 const char *label,
386 const unsigned char *random, size_t rlen,
387 unsigned char *dstbuf, size_t dlen )
388{
389 psa_status_t status;
390 psa_algorithm_t alg;
Ronald Croncf56a0a2020-08-04 09:51:30 +0200391 psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
Janos Follathda6ac012019-08-16 13:47:29 +0100392 psa_key_derivation_operation_t derivation =
Janos Follath8dee8772019-07-30 12:53:32 +0100393 PSA_KEY_DERIVATION_OPERATION_INIT;
Andrzej Kurekc929a822019-01-14 03:51:11 -0500394
Andrzej Kurekc929a822019-01-14 03:51:11 -0500395 if( md_type == MBEDTLS_MD_SHA384 )
396 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
397 else
398 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
399
Gilles Peskine311f54d2019-09-23 18:19:22 +0200400 /* Normally a "secret" should be long enough to be impossible to
401 * find by brute force, and in particular should not be empty. But
402 * this PRF is also used to derive an IV, in particular in EAP-TLS,
403 * and for this use case it makes sense to have a 0-length "secret".
404 * Since the key API doesn't allow importing a key of length 0,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200405 * keep master_key=0, which setup_psa_key_derivation() understands
Gilles Peskine311f54d2019-09-23 18:19:22 +0200406 * to mean a 0-length "secret" input. */
407 if( slen != 0 )
408 {
409 psa_key_attributes_t key_attributes = psa_key_attributes_init();
410 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
411 psa_set_key_algorithm( &key_attributes, alg );
412 psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500413
Ronald Croncf56a0a2020-08-04 09:51:30 +0200414 status = psa_import_key( &key_attributes, secret, slen, &master_key );
Gilles Peskine311f54d2019-09-23 18:19:22 +0200415 if( status != PSA_SUCCESS )
416 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
417 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500418
k-stachowiak81053a52019-08-17 10:30:28 +0200419 status = setup_psa_key_derivation( &derivation,
Ronald Croncf56a0a2020-08-04 09:51:30 +0200420 master_key, alg,
k-stachowiak81053a52019-08-17 10:30:28 +0200421 random, rlen,
422 (unsigned char const *) label,
423 (size_t) strlen( label ),
424 dlen );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500425 if( status != PSA_SUCCESS )
426 {
Janos Follathda6ac012019-08-16 13:47:29 +0100427 psa_key_derivation_abort( &derivation );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200428 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500429 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
430 }
431
Janos Follathda6ac012019-08-16 13:47:29 +0100432 status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500433 if( status != PSA_SUCCESS )
434 {
Janos Follathda6ac012019-08-16 13:47:29 +0100435 psa_key_derivation_abort( &derivation );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200436 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500437 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
438 }
439
Janos Follathda6ac012019-08-16 13:47:29 +0100440 status = psa_key_derivation_abort( &derivation );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500441 if( status != PSA_SUCCESS )
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500442 {
Ronald Croncf56a0a2020-08-04 09:51:30 +0200443 psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500444 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500445 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500446
Ronald Croncf56a0a2020-08-04 09:51:30 +0200447 if( ! mbedtls_svc_key_id_is_null( master_key ) )
448 status = psa_destroy_key( master_key );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500449 if( status != PSA_SUCCESS )
450 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
451
Andrzej Kurek33171262019-01-15 03:25:18 -0500452 return( 0 );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500453}
454
455#else /* MBEDTLS_USE_PSA_CRYPTO */
456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200457static int tls_prf_generic( mbedtls_md_type_t md_type,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100458 const unsigned char *secret, size_t slen,
459 const char *label,
460 const unsigned char *random, size_t rlen,
461 unsigned char *dstbuf, size_t dlen )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000462{
463 size_t nb;
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100464 size_t i, j, k, md_len;
Ron Eldor3b350852019-05-07 18:31:49 +0300465 unsigned char *tmp;
466 size_t tmp_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200467 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
468 const mbedtls_md_info_t *md_info;
469 mbedtls_md_context_t md_ctx;
Janos Follath865b3eb2019-12-16 11:46:15 +0000470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200472 mbedtls_md_init( &md_ctx );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000473
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200474 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
475 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200477 md_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100478
Ron Eldor3b350852019-05-07 18:31:49 +0300479 tmp_len = md_len + strlen( label ) + rlen;
480 tmp = mbedtls_calloc( 1, tmp_len );
481 if( tmp == NULL )
482 {
483 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
484 goto exit;
485 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000486
487 nb = strlen( label );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100488 memcpy( tmp + md_len, label, nb );
489 memcpy( tmp + md_len + nb, random, rlen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000490 nb += rlen;
491
492 /*
493 * Compute P_<hash>(secret, label + random)[0..dlen]
494 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200495 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Ron Eldor3b350852019-05-07 18:31:49 +0300496 goto exit;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200498 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
499 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
500 mbedtls_md_hmac_finish( &md_ctx, tmp );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100501
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100502 for( i = 0; i < dlen; i += md_len )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000503 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200504 mbedtls_md_hmac_reset ( &md_ctx );
505 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
506 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200508 mbedtls_md_hmac_reset ( &md_ctx );
509 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
510 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000511
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100512 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000513
514 for( j = 0; j < k; j++ )
515 dstbuf[i + j] = h_i[j];
516 }
517
Ron Eldor3b350852019-05-07 18:31:49 +0300518exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200519 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100520
Ron Eldor3b350852019-05-07 18:31:49 +0300521 mbedtls_platform_zeroize( tmp, tmp_len );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500522 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000523
Ron Eldor3b350852019-05-07 18:31:49 +0300524 mbedtls_free( tmp );
525
526 return( ret );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000527}
Andrzej Kurekc929a822019-01-14 03:51:11 -0500528#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200529#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100530static int tls_prf_sha256( const unsigned char *secret, size_t slen,
531 const char *label,
532 const unsigned char *random, size_t rlen,
533 unsigned char *dstbuf, size_t dlen )
534{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200535 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100536 label, random, rlen, dstbuf, dlen ) );
537}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200538#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000539
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200540#if defined(MBEDTLS_SHA384_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200541static int tls_prf_sha384( const unsigned char *secret, size_t slen,
542 const char *label,
543 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000544 unsigned char *dstbuf, size_t dlen )
545{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200546 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100547 label, random, rlen, dstbuf, dlen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000548}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200549#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200550#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200552static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200554#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
555#if defined(MBEDTLS_SHA256_C)
556static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -0300557static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200558static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200559#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100560
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200561#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200562static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -0300563static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200564static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100565#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200566#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000567
Manuel Pégourié-Gonnard45be3d82019-02-18 23:35:14 +0100568#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
Hanno Becker7d0a5692018-10-23 15:26:22 +0100569 defined(MBEDTLS_USE_PSA_CRYPTO)
570static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
571{
572 if( ssl->conf->f_psk != NULL )
573 {
574 /* If we've used a callback to select the PSK,
575 * the static configuration is irrelevant. */
Ronald Croncf56a0a2020-08-04 09:51:30 +0200576 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Hanno Becker7d0a5692018-10-23 15:26:22 +0100577 return( 1 );
578
579 return( 0 );
580 }
581
Ronald Croncf56a0a2020-08-04 09:51:30 +0200582 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
Hanno Becker7d0a5692018-10-23 15:26:22 +0100583 return( 1 );
584
585 return( 0 );
586}
587#endif /* MBEDTLS_USE_PSA_CRYPTO &&
Manuel Pégourié-Gonnard45be3d82019-02-18 23:35:14 +0100588 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Hanno Becker7d0a5692018-10-23 15:26:22 +0100589
Ron Eldorcf280092019-05-14 20:19:13 +0300590#if defined(MBEDTLS_SSL_EXPORT_KEYS)
591static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
592{
Ron Eldorcf280092019-05-14 20:19:13 +0300593#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200594#if defined(MBEDTLS_SHA384_C)
Ron Eldorcf280092019-05-14 20:19:13 +0300595 if( tls_prf == tls_prf_sha384 )
596 {
597 return( MBEDTLS_SSL_TLS_PRF_SHA384 );
598 }
599 else
600#endif
601#if defined(MBEDTLS_SHA256_C)
602 if( tls_prf == tls_prf_sha256 )
603 {
604 return( MBEDTLS_SSL_TLS_PRF_SHA256 );
605 }
606 else
607#endif
608#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
609 return( MBEDTLS_SSL_TLS_PRF_NONE );
610}
611#endif /* MBEDTLS_SSL_EXPORT_KEYS */
612
Ron Eldor51d3ab52019-05-12 14:54:30 +0300613int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
614 const unsigned char *secret, size_t slen,
615 const char *label,
616 const unsigned char *random, size_t rlen,
617 unsigned char *dstbuf, size_t dlen )
618{
619 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
620
621 switch( prf )
622 {
Ron Eldord2f25f72019-05-15 14:54:22 +0300623#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200624#if defined(MBEDTLS_SHA384_C)
Ron Eldor51d3ab52019-05-12 14:54:30 +0300625 case MBEDTLS_SSL_TLS_PRF_SHA384:
626 tls_prf = tls_prf_sha384;
627 break;
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200628#endif /* MBEDTLS_SHA384_C */
Ron Eldor51d3ab52019-05-12 14:54:30 +0300629#if defined(MBEDTLS_SHA256_C)
630 case MBEDTLS_SSL_TLS_PRF_SHA256:
631 tls_prf = tls_prf_sha256;
632 break;
Ron Eldord2f25f72019-05-15 14:54:22 +0300633#endif /* MBEDTLS_SHA256_C */
634#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Ron Eldor51d3ab52019-05-12 14:54:30 +0300635 default:
636 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
637 }
638
639 return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
640}
641
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200642/* Type for the TLS PRF */
643typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
644 const unsigned char *, size_t,
645 unsigned char *, size_t);
646
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200647/*
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200648 * Populate a transform structure with session keys and all the other
649 * necessary information.
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200650 *
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200651 * Parameters:
652 * - [in/out]: transform: structure to populate
653 * [in] must be just initialised with mbedtls_ssl_transform_init()
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200654 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200655 * - [in] ciphersuite
656 * - [in] master
657 * - [in] encrypt_then_mac
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200658 * - [in] compression
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200659 * - [in] tls_prf: pointer to PRF to use for key derivation
660 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200661 * - [in] minor_ver: SSL/TLS minor version
662 * - [in] endpoint: client or server
663 * - [in] ssl: optionally used for:
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200664 * - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
665 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +0200666 */
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +0200667static int ssl_populate_transform( mbedtls_ssl_transform *transform,
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200668 int ciphersuite,
669 const unsigned char master[48],
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000670#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200671#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
672 int encrypt_then_mac,
Jarno Lamsac84bd242019-08-16 12:06:56 +0300673#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000674#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200675 ssl_tls_prf_t tls_prf,
676 const unsigned char randbytes[64],
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200677 int minor_ver,
678 unsigned endpoint,
Mateusz Starzyke204dbf2021-03-15 17:57:20 +0100679 const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000680{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200681 int ret = 0;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000682#if defined(MBEDTLS_USE_PSA_CRYPTO)
683 int psa_fallthrough;
684#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000685 unsigned char keyblk[256];
686 unsigned char *key1;
687 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100688 unsigned char *mac_enc;
689 unsigned char *mac_dec;
sander-visser3888b032020-05-06 21:49:46 +0200690 size_t mac_key_len = 0;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200691 size_t iv_copy_len;
Hanno Becker88aaf652017-12-27 08:17:40 +0000692 unsigned keylen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000693 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200694 const mbedtls_cipher_info_t *cipher_info;
695 const mbedtls_md_info_t *md_info;
Paul Bakker68884e32013-01-07 18:20:04 +0100696
Mateusz Starzyke204dbf2021-03-15 17:57:20 +0100697#if !defined(MBEDTLS_SSL_EXPORT_KEYS) && \
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200698 !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200699 ssl = NULL; /* make sure we don't use it except for those cases */
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200700 (void) ssl;
701#endif
702
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200703 /*
704 * Some data just needs copying into the structure
705 */
Jaeden Amero2de07f12019-06-05 13:32:08 +0100706#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000707 defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200708 transform->encrypt_then_mac = encrypt_then_mac;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000709#endif
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200710 transform->minor_ver = minor_ver;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000711
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200712#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
713 memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
714#endif
715
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200716 /*
717 * Get various info structures
718 */
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200719 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200720 if( ciphersuite_info == NULL )
721 {
722 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200723 ciphersuite ) );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200724 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
725 }
726
Hanno Beckere694c3e2017-12-27 21:34:08 +0000727 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Paul Bakker68884e32013-01-07 18:20:04 +0100728 if( cipher_info == NULL )
729 {
Paul Elliott9f352112020-12-09 14:55:45 +0000730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
Hanno Beckere694c3e2017-12-27 21:34:08 +0000731 ciphersuite_info->cipher ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200732 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100733 }
734
Hanno Beckere694c3e2017-12-27 21:34:08 +0000735 md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
Paul Bakker68884e32013-01-07 18:20:04 +0100736 if( md_info == NULL )
737 {
Paul Elliott9f352112020-12-09 14:55:45 +0000738 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
Paul Elliott3891caf2020-12-17 18:42:40 +0000739 (unsigned) ciphersuite_info->mac ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200740 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100741 }
742
Hanno Beckera0e20d02019-05-15 14:03:01 +0100743#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4bf74652019-04-26 16:22:27 +0100744 /* Copy own and peer's CID if the use of the CID
745 * extension has been negotiated. */
746 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
747 {
748 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
Hanno Becker8a7f9722019-04-30 13:52:29 +0100749
Hanno Becker05154c32019-05-03 15:23:51 +0100750 transform->in_cid_len = ssl->own_cid_len;
Hanno Becker05154c32019-05-03 15:23:51 +0100751 memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
Hanno Becker1c1f0462019-05-03 12:55:51 +0100752 MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
Hanno Becker4bf74652019-04-26 16:22:27 +0100753 transform->in_cid_len );
Hanno Beckerd1f20352019-05-15 10:21:55 +0100754
755 transform->out_cid_len = ssl->handshake->peer_cid_len;
756 memcpy( transform->out_cid, ssl->handshake->peer_cid,
757 ssl->handshake->peer_cid_len );
758 MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
759 transform->out_cid_len );
Hanno Becker4bf74652019-04-26 16:22:27 +0100760 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100761#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker4bf74652019-04-26 16:22:27 +0100762
Paul Bakker5121ce52009-01-03 21:22:43 +0000763 /*
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200764 * Compute key block using the PRF
Paul Bakker5121ce52009-01-03 21:22:43 +0000765 */
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200766 ret = tls_prf( master, 48, "key expansion", randbytes, 64, keyblk, 256 );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100767 if( ret != 0 )
768 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200769 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100770 return( ret );
771 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000772
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
Manuel Pégourié-Gonnardd91efa42019-05-20 10:27:20 +0200774 mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200775 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", master, 48 );
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +0200776 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", randbytes, 64 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200777 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000778
Paul Bakker5121ce52009-01-03 21:22:43 +0000779 /*
780 * Determine the appropriate key, IV and MAC length.
781 */
Paul Bakker68884e32013-01-07 18:20:04 +0100782
Hanno Becker88aaf652017-12-27 08:17:40 +0000783 keylen = cipher_info->key_bitlen / 8;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200784
Hanno Becker8031d062018-01-03 15:32:31 +0000785#if defined(MBEDTLS_GCM_C) || \
786 defined(MBEDTLS_CCM_C) || \
787 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200788 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200789 cipher_info->mode == MBEDTLS_MODE_CCM ||
790 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000791 {
Hanno Beckerf704bef2018-11-16 15:21:18 +0000792 size_t explicit_ivlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200793
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200794 transform->maclen = 0;
Hanno Becker81c7b182017-11-09 18:39:33 +0000795 mac_key_len = 0;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000796 transform->taglen =
797 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200798
Hanno Becker447558d2020-05-28 07:36:33 +0100799 /* All modes haves 96-bit IVs, but the length of the static parts vary
800 * with mode and version:
801 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
802 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
Hanno Beckerf93c2d72020-05-28 07:39:43 +0100803 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
804 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
805 * sequence number).
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200806 */
Paul Bakker68884e32013-01-07 18:20:04 +0100807 transform->ivlen = 12;
Hanno Beckerf93c2d72020-05-28 07:39:43 +0100808#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
809 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
810 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200811 transform->fixed_ivlen = 12;
Hanno Beckerf93c2d72020-05-28 07:39:43 +0100812 }
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200813 else
Hanno Beckerf93c2d72020-05-28 07:39:43 +0100814#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
815 {
816 if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
817 transform->fixed_ivlen = 12;
818 else
819 transform->fixed_ivlen = 4;
820 }
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200821
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200822 /* Minimum length of encrypted record */
823 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000824 transform->minlen = explicit_ivlen + transform->taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100825 }
826 else
Hanno Becker8031d062018-01-03 15:32:31 +0000827#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000828#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Hanno Becker8031d062018-01-03 15:32:31 +0000829 if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
830 cipher_info->mode == MBEDTLS_MODE_CBC )
Paul Bakker68884e32013-01-07 18:20:04 +0100831 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200832 /* Initialize HMAC contexts */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200833 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
834 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100835 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200836 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +0300837 goto end;
Paul Bakker68884e32013-01-07 18:20:04 +0100838 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000839
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200840 /* Get MAC length */
Hanno Becker81c7b182017-11-09 18:39:33 +0000841 mac_key_len = mbedtls_md_get_size( md_info );
842 transform->maclen = mac_key_len;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200843
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200844 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100845 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000846
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200847 /* Minimum length */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200848 if( cipher_info->mode == MBEDTLS_MODE_STREAM )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200849 transform->minlen = transform->maclen;
850 else
Paul Bakker68884e32013-01-07 18:20:04 +0100851 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200852 /*
853 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100854 * 1. if EtM is in use: one block plus MAC
855 * otherwise: * first multiple of blocklen greater than maclen
TRodziewicz2abf03c2021-06-25 14:40:09 +0200856 * 2. IV
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200857 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200858#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +0200859 if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100860 {
861 transform->minlen = transform->maclen
862 + cipher_info->block_size;
863 }
864 else
865#endif
866 {
867 transform->minlen = transform->maclen
868 + cipher_info->block_size
869 - transform->maclen % cipher_info->block_size;
870 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200871
TRodziewicz0f82ec62021-05-12 17:49:18 +0200872#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
873 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200874 {
875 transform->minlen += transform->ivlen;
876 }
877 else
878#endif
879 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Ron Eldore6992702019-05-07 18:27:13 +0300881 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
882 goto end;
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200883 }
Paul Bakker68884e32013-01-07 18:20:04 +0100884 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000885 }
Hanno Becker8031d062018-01-03 15:32:31 +0000886 else
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000887#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Hanno Becker8031d062018-01-03 15:32:31 +0000888 {
889 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
890 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
891 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000892
Hanno Becker88aaf652017-12-27 08:17:40 +0000893 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
894 (unsigned) keylen,
895 (unsigned) transform->minlen,
896 (unsigned) transform->ivlen,
897 (unsigned) transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000898
899 /*
900 * Finally setup the cipher contexts, IVs and MAC secrets.
901 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200902#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200903 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000904 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000905 key1 = keyblk + mac_key_len * 2;
Hanno Becker88aaf652017-12-27 08:17:40 +0000906 key2 = keyblk + mac_key_len * 2 + keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000907
Paul Bakker68884e32013-01-07 18:20:04 +0100908 mac_enc = keyblk;
Hanno Becker81c7b182017-11-09 18:39:33 +0000909 mac_dec = keyblk + mac_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000910
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000911 /*
912 * This is not used in TLS v1.1.
913 */
Paul Bakker48916f92012-09-16 19:57:18 +0000914 iv_copy_len = ( transform->fixed_ivlen ) ?
915 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000916 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
917 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000918 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000919 }
920 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200921#endif /* MBEDTLS_SSL_CLI_C */
922#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +0200923 if( endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000924 {
Hanno Becker88aaf652017-12-27 08:17:40 +0000925 key1 = keyblk + mac_key_len * 2 + keylen;
Hanno Becker81c7b182017-11-09 18:39:33 +0000926 key2 = keyblk + mac_key_len * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000927
Hanno Becker81c7b182017-11-09 18:39:33 +0000928 mac_enc = keyblk + mac_key_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100929 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000930
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000931 /*
932 * This is not used in TLS v1.1.
933 */
Paul Bakker48916f92012-09-16 19:57:18 +0000934 iv_copy_len = ( transform->fixed_ivlen ) ?
935 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000936 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
937 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000938 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000939 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100940 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200941#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100942 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Ron Eldore6992702019-05-07 18:27:13 +0300944 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
945 goto end;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100946 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000947
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200948#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
TRodziewicz0f82ec62021-05-12 17:49:18 +0200949#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
TRodziewicz345165c2021-07-06 13:42:11 +0200950 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
951 For AEAD-based ciphersuites, there is nothing to do here. */
952 if( mac_key_len != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100953 {
TRodziewicz345165c2021-07-06 13:42:11 +0200954 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
955 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
Paul Bakker68884e32013-01-07 18:20:04 +0100956 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200957#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000958#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Paul Bakker68884e32013-01-07 18:20:04 +0100959
Hanno Beckerd56ed242018-01-03 15:32:51 +0000960 ((void) mac_dec);
961 ((void) mac_enc);
Paul Bakker05ef8352012-05-08 09:17:57 +0000962
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +0200963#if defined(MBEDTLS_SSL_EXPORT_KEYS)
Hanno Becker7e6c1782021-06-08 09:24:55 +0100964 if( ssl->f_export_keys != NULL )
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100965 {
Hanno Becker7e6c1782021-06-08 09:24:55 +0100966 ssl->f_export_keys( ssl->p_export_keys,
967 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
968 master, 48,
969 randbytes + 32,
970 randbytes,
971 tls_prf_get_type( tls_prf ) );
Ron Eldorf5cc10d2019-05-07 18:33:40 +0300972 }
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100973#endif
974
Hanno Beckerf704bef2018-11-16 15:21:18 +0000975#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +0000976
977 /* Only use PSA-based ciphers for TLS-1.2.
978 * That's relevant at least for TLS-1.0, where
979 * we assume that mbedtls_cipher_crypt() updates
980 * the structure field for the IV, which the PSA-based
981 * implementation currently doesn't. */
982#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
983 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000984 {
Hanno Beckercb1cc802018-11-17 22:27:38 +0000985 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
Hanno Becker22bf1452019-04-05 11:21:08 +0100986 cipher_info, transform->taglen );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000987 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
988 {
989 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
Ron Eldore6992702019-05-07 18:27:13 +0300990 goto end;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000991 }
992
993 if( ret == 0 )
994 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100995 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000996 psa_fallthrough = 0;
997 }
998 else
999 {
1000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
1001 psa_fallthrough = 1;
1002 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001003 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001004 else
Hanno Beckercb1cc802018-11-17 22:27:38 +00001005 psa_fallthrough = 1;
1006#else
1007 psa_fallthrough = 1;
1008#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +00001009
Hanno Beckercb1cc802018-11-17 22:27:38 +00001010 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001011#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001012 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001013 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001014 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001015 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001016 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001017 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001018
Hanno Beckerf704bef2018-11-16 15:21:18 +00001019#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +00001020 /* Only use PSA-based ciphers for TLS-1.2.
1021 * That's relevant at least for TLS-1.0, where
1022 * we assume that mbedtls_cipher_crypt() updates
1023 * the structure field for the IV, which the PSA-based
1024 * implementation currently doesn't. */
1025#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1026 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001027 {
Hanno Beckercb1cc802018-11-17 22:27:38 +00001028 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
Hanno Becker22bf1452019-04-05 11:21:08 +01001029 cipher_info, transform->taglen );
Hanno Beckercb1cc802018-11-17 22:27:38 +00001030 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1031 {
1032 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001033 goto end;
Hanno Beckercb1cc802018-11-17 22:27:38 +00001034 }
1035
1036 if( ret == 0 )
1037 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01001038 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +00001039 psa_fallthrough = 0;
1040 }
1041 else
1042 {
1043 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
1044 psa_fallthrough = 1;
1045 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001046 }
Hanno Beckerf704bef2018-11-16 15:21:18 +00001047 else
Hanno Beckercb1cc802018-11-17 22:27:38 +00001048 psa_fallthrough = 1;
1049#else
1050 psa_fallthrough = 1;
1051#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +00001052
Hanno Beckercb1cc802018-11-17 22:27:38 +00001053 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +00001054#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001055 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001056 cipher_info ) ) != 0 )
1057 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +02001058 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001059 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001060 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001062 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +02001063 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001064 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001065 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001067 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001068 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001070 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +02001071 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001072 MBEDTLS_DECRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001073 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001074 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001075 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001076 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001078#if defined(MBEDTLS_CIPHER_MODE_CBC)
1079 if( cipher_info->mode == MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001080 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001081 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1082 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001083 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001084 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001085 goto end;
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001086 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001088 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1089 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001090 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001091 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Ron Eldore6992702019-05-07 18:27:13 +03001092 goto end;
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001093 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001094 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001095#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001096
Paul Bakker5121ce52009-01-03 21:22:43 +00001097
Ron Eldore6992702019-05-07 18:27:13 +03001098end:
Ron Eldora9f9a732019-05-07 18:29:02 +03001099 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
Ron Eldore6992702019-05-07 18:27:13 +03001100 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001101}
1102
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001103/*
TRodziewicz0f82ec62021-05-12 17:49:18 +02001104 * Set appropriate PRF function and other SSL / TLS1.2 functions
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001105 *
1106 * Inputs:
1107 * - SSL/TLS minor version
1108 * - hash associated with the ciphersuite (only used by TLS 1.2)
1109 *
Manuel Pégourié-Gonnard31d3ef12019-05-10 10:25:00 +02001110 * Outputs:
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001111 * - the tls_prf, calc_verify and calc_finished members of handshake structure
1112 */
1113static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
1114 int minor_ver,
1115 mbedtls_md_type_t hash )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001116{
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001117#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001118 (void) hash;
1119#endif
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001120
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001121#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001122#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001123 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1124 hash == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001125 {
1126 handshake->tls_prf = tls_prf_sha384;
1127 handshake->calc_verify = ssl_calc_verify_tls_sha384;
1128 handshake->calc_finished = ssl_calc_finished_tls_sha384;
1129 }
1130 else
1131#endif
1132#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001133 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001134 {
1135 handshake->tls_prf = tls_prf_sha256;
1136 handshake->calc_verify = ssl_calc_verify_tls_sha256;
1137 handshake->calc_finished = ssl_calc_finished_tls_sha256;
1138 }
1139 else
1140#endif
1141#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1142 {
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001143 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1144 }
1145
1146 return( 0 );
1147}
1148
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001149/*
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001150 * Compute master secret if needed
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001151 *
1152 * Parameters:
1153 * [in/out] handshake
1154 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001155 * (PSA-PSK) ciphersuite_info, psk_opaque
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001156 * [out] premaster (cleared)
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001157 * [out] master
1158 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
1159 * debug: conf->f_dbg, conf->p_dbg
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01001160 * EMS: passed to calc_verify (debug + session_negotiate)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001161 * PSA-PSA: minor_ver, conf
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001162 */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001163static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001164 unsigned char *master,
Manuel Pégourié-Gonnard0d56aaa2019-05-03 09:58:33 +02001165 const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001166{
Janos Follath865b3eb2019-12-16 11:46:15 +00001167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001168
1169 /* cf. RFC 5246, Section 8.1:
1170 * "The master secret is always exactly 48 bytes in length." */
1171 size_t const master_secret_len = 48;
1172
1173#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1174 unsigned char session_hash[48];
1175#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1176
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001177 /* The label for the KDF used for key expansion.
1178 * This is either "master secret" or "extended master secret"
1179 * depending on whether the Extended Master Secret extension
1180 * is used. */
1181 char const *lbl = "master secret";
1182
1183 /* The salt for the KDF used for key expansion.
1184 * - If the Extended Master Secret extension is not used,
1185 * this is ClientHello.Random + ServerHello.Random
1186 * (see Sect. 8.1 in RFC 5246).
1187 * - If the Extended Master Secret extension is used,
1188 * this is the transcript of the handshake so far.
1189 * (see Sect. 4 in RFC 7627). */
1190 unsigned char const *salt = handshake->randbytes;
1191 size_t salt_len = 64;
1192
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001193#if !defined(MBEDTLS_DEBUG_C) && \
1194 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
1195 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
1196 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +02001197 ssl = NULL; /* make sure we don't use it except for those cases */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001198 (void) ssl;
1199#endif
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001200
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001201 if( handshake->resume != 0 )
1202 {
1203 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001204 return( 0 );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001205 }
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001206
1207#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001208 if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001209 {
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001210 lbl = "extended master secret";
1211 salt = session_hash;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001212 handshake->calc_verify( ssl, session_hash, &salt_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001213
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +02001214 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
1215 session_hash, salt_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001216 }
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001217#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
1218
1219#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001220 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1221 if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001222 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001223 ssl_use_opaque_psk( ssl ) == 1 )
1224 {
1225 /* Perform PSK-to-MS expansion in a single step. */
1226 psa_status_t status;
1227 psa_algorithm_t alg;
Ronald Croncf56a0a2020-08-04 09:51:30 +02001228 psa_key_id_t psk;
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001229 psa_key_derivation_operation_t derivation =
1230 PSA_KEY_DERIVATION_OPERATION_INIT;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001231 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001232
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001234
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001235 psk = mbedtls_ssl_get_opaque_psk( ssl );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001236
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001237 if( hash_alg == MBEDTLS_MD_SHA384 )
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001238 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001239 else
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001240 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
1241
k-stachowiak81053a52019-08-17 10:30:28 +02001242 status = setup_psa_key_derivation( &derivation, psk, alg,
1243 salt, salt_len,
1244 (unsigned char const *) lbl,
1245 (size_t) strlen( lbl ),
1246 master_secret_len );
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001247 if( status != PSA_SUCCESS )
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001248 {
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001249 psa_key_derivation_abort( &derivation );
1250 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001251 }
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001252
1253 status = psa_key_derivation_output_bytes( &derivation,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001254 master,
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001255 master_secret_len );
1256 if( status != PSA_SUCCESS )
1257 {
1258 psa_key_derivation_abort( &derivation );
1259 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1260 }
1261
1262 status = psa_key_derivation_abort( &derivation );
1263 if( status != PSA_SUCCESS )
1264 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1265 }
1266 else
1267#endif
1268 {
1269 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
1270 lbl, salt, salt_len,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001271 master,
Manuel Pégourié-Gonnard85680c42019-05-03 09:16:16 +02001272 master_secret_len );
1273 if( ret != 0 )
1274 {
1275 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
1276 return( ret );
1277 }
1278
1279 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
1280 handshake->premaster,
1281 handshake->pmslen );
1282
1283 mbedtls_platform_zeroize( handshake->premaster,
1284 sizeof(handshake->premaster) );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001285 }
1286
1287 return( 0 );
1288}
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001289
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +02001290int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
1291{
Janos Follath865b3eb2019-12-16 11:46:15 +00001292 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001293 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
1294 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001295
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001296 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
1297
1298 /* Set PRF, calc_verify and calc_finished function pointers */
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001299 ret = ssl_set_handshake_prfs( ssl->handshake,
1300 ssl->minor_ver,
1301 ciphersuite_info->mac );
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001302 if( ret != 0 )
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001303 {
1304 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001305 return( ret );
Manuel Pégourié-Gonnard8d2805c2019-04-30 12:08:59 +02001306 }
Manuel Pégourié-Gonnard1b00c4f2019-04-30 11:54:22 +02001307
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001308 /* Compute master secret if needed */
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001309 ret = ssl_compute_master( ssl->handshake,
Manuel Pégourié-Gonnardde047ad2019-05-03 09:46:14 +02001310 ssl->session_negotiate->master,
1311 ssl );
Manuel Pégourié-Gonnard9951b712019-04-30 12:08:59 +02001312 if( ret != 0 )
1313 {
1314 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );
1315 return( ret );
1316 }
1317
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001318 /* Swap the client and server random values:
1319 * - MS derivation wanted client+server (RFC 5246 8.1)
1320 * - key derivation wants server+client (RFC 5246 6.3) */
1321 {
1322 unsigned char tmp[64];
1323 memcpy( tmp, ssl->handshake->randbytes, 64 );
1324 memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
1325 memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
1326 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
1327 }
1328
1329 /* Populate transform structure */
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +02001330 ret = ssl_populate_transform( ssl->transform_negotiate,
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +02001331 ssl->session_negotiate->ciphersuite,
1332 ssl->session_negotiate->master,
Hanno Beckerfd86ca82020-11-30 08:54:23 +00001333#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard6fa57bf2019-05-10 10:50:04 +02001334#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1335 ssl->session_negotiate->encrypt_then_mac,
Jarno Lamsac84bd242019-08-16 12:06:56 +03001336#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Hanno Beckerfd86ca82020-11-30 08:54:23 +00001337#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard9b108c22019-05-06 13:32:17 +02001338 ssl->handshake->tls_prf,
1339 ssl->handshake->randbytes,
Manuel Pégourié-Gonnardc864f6a2019-05-06 13:48:22 +02001340 ssl->minor_ver,
1341 ssl->conf->endpoint,
Manuel Pégourié-Gonnardcba40d92019-05-06 12:55:40 +02001342 ssl );
Manuel Pégourié-Gonnard040a9512019-05-06 12:05:58 +02001343 if( ret != 0 )
1344 {
1345 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
1346 return( ret );
1347 }
1348
1349 /* We no longer need Server/ClientHello.random values */
1350 mbedtls_platform_zeroize( ssl->handshake->randbytes,
1351 sizeof( ssl->handshake->randbytes ) );
1352
1353 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
1354
1355 return( 0 );
Manuel Pégourié-Gonnarde59ae232019-04-30 11:41:40 +02001356}
1357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001358#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1359#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001360void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -03001361 unsigned char *hash,
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001362 size_t *hlen )
Paul Bakker380da532012-04-18 16:10:25 +00001363{
Andrzej Kurekeb342242019-01-29 09:14:33 -05001364#if defined(MBEDTLS_USE_PSA_CRYPTO)
1365 size_t hash_size;
1366 psa_status_t status;
1367 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
1368
1369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
1370 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
1371 if( status != PSA_SUCCESS )
1372 {
1373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1374 return;
1375 }
1376
1377 status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
1378 if( status != PSA_SUCCESS )
1379 {
1380 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1381 return;
1382 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001383
1384 *hlen = 32;
1385 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001386 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1387#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001388 mbedtls_sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +00001389
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001390 mbedtls_sha256_init( &sha256 );
1391
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001392 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001393
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001394 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
TRodziewicz26371e42021-06-08 16:45:41 +02001395 mbedtls_sha256_finish( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +00001396
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001397 *hlen = 32;
1398
1399 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001400 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001401
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001402 mbedtls_sha256_free( &sha256 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001403#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker380da532012-04-18 16:10:25 +00001404 return;
1405}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001406#endif /* MBEDTLS_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +00001407
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001408#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001409void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
Rodrigo Dias Correa2c424572020-11-10 01:38:00 -03001410 unsigned char *hash,
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001411 size_t *hlen )
Paul Bakker380da532012-04-18 16:10:25 +00001412{
Andrzej Kurekeb342242019-01-29 09:14:33 -05001413#if defined(MBEDTLS_USE_PSA_CRYPTO)
1414 size_t hash_size;
1415 psa_status_t status;
Andrzej Kurek972fba52019-01-30 03:29:12 -05001416 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -05001417
1418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
Andrzej Kurek972fba52019-01-30 03:29:12 -05001419 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001420 if( status != PSA_SUCCESS )
1421 {
1422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1423 return;
1424 }
1425
Andrzej Kurek972fba52019-01-30 03:29:12 -05001426 status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001427 if( status != PSA_SUCCESS )
1428 {
1429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1430 return;
1431 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001432
1433 *hlen = 48;
1434 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1436#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001437 mbedtls_sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +00001438
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02001439 mbedtls_sha512_init( &sha512 );
1440
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
Paul Bakker380da532012-04-18 16:10:25 +00001442
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001443 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
TRodziewicz26371e42021-06-08 16:45:41 +02001444 mbedtls_sha512_finish( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00001445
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02001446 *hlen = 48;
1447
1448 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001450
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02001451 mbedtls_sha512_free( &sha512 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05001452#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +00001453 return;
1454}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02001455#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001456#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001457
Gilles Peskineeccd8882020-03-10 12:19:08 +01001458#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001459int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001460{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001461 unsigned char *p = ssl->handshake->premaster;
1462 unsigned char *end = p + sizeof( ssl->handshake->premaster );
Guilhem Bryantb5f04e42020-04-01 11:23:58 +01001463 const unsigned char *psk = NULL;
Guilhem Bryant61b0fe62020-03-27 11:12:12 +00001464 size_t psk_len = 0;
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001465
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001466 if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
1467 == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001468 {
Guilhem Bryantc5285d82020-03-25 17:08:15 +00001469 /*
1470 * This should never happen because the existence of a PSK is always
1471 * checked before calling this function
1472 */
Guilhem Bryant82194c82020-03-26 17:04:31 +00001473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Guilhem Bryant0c9b1952020-04-08 11:02:38 +01001474 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001475 }
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001476
1477 /*
1478 * PMS = struct {
1479 * opaque other_secret<0..2^16-1>;
1480 * opaque psk<0..2^16-1>;
1481 * };
1482 * with "other_secret" depending on the particular key exchange
1483 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001484#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1485 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001486 {
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001487 if( end - p < 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001488 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001489
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001490 *(p++) = (unsigned char)( psk_len >> 8 );
1491 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001492
1493 if( end < p || (size_t)( end - p ) < psk_len )
1494 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1495
1496 memset( p, 0, psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001497 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001498 }
1499 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001500#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1501#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1502 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001503 {
1504 /*
1505 * other_secret already set by the ClientKeyExchange message,
1506 * and is 48 bytes long
1507 */
Philippe Antoine747fd532018-05-30 09:13:21 +02001508 if( end - p < 2 )
1509 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1510
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02001511 *p++ = 0;
1512 *p++ = 48;
1513 p += 48;
1514 }
1515 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001516#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1517#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1518 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001519 {
Janos Follath865b3eb2019-12-16 11:46:15 +00001520 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001521 size_t len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001522
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001523 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001524 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01001525 p + 2, end - ( p + 2 ), &len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001526 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001527 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001528 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001529 return( ret );
1530 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +02001531 *(p++) = (unsigned char)( len >> 8 );
1532 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001533 p += len;
1534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001535 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001536 }
1537 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001538#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1539#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1540 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001541 {
Janos Follath865b3eb2019-12-16 11:46:15 +00001542 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001543 size_t zlen;
1544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001545 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +02001546 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01001547 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001548 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001549 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001550 return( ret );
1551 }
1552
1553 *(p++) = (unsigned char)( zlen >> 8 );
1554 *(p++) = (unsigned char)( zlen );
1555 p += zlen;
1556
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05001557 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1558 MBEDTLS_DEBUG_ECDH_Z );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001559 }
1560 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001561#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001562 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001563 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1564 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001565 }
1566
1567 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001568 if( end - p < 2 )
1569 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01001570
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001571 *(p++) = (unsigned char)( psk_len >> 8 );
1572 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +02001573
1574 if( end < p || (size_t)( end - p ) < psk_len )
1575 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1576
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01001577 memcpy( p, psk, psk_len );
1578 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001579
1580 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1581
1582 return( 0 );
1583}
Gilles Peskineeccd8882020-03-10 12:19:08 +01001584#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001586#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
1587static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001589#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker786300f2020-02-05 10:46:40 +00001590int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001591{
1592 /* If renegotiation is not enforced, retransmit until we would reach max
1593 * timeout if we were using the usual handshake doubling scheme */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001594 if( ssl->conf->renego_max_records < 0 )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001595 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001596 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001597 unsigned char doublings = 1;
1598
1599 while( ratio != 0 )
1600 {
1601 ++doublings;
1602 ratio >>= 1;
1603 }
1604
1605 if( ++ssl->renego_records_seen > doublings )
1606 {
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +02001607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +02001608 return( 0 );
1609 }
1610 }
1611
1612 return( ssl_write_hello_request( ssl ) );
1613}
1614#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001615#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +02001616
Hanno Beckerb9d44792019-02-08 07:19:04 +00001617#if defined(MBEDTLS_X509_CRT_PARSE_C)
1618static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
1619{
1620#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1621 if( session->peer_cert != NULL )
1622 {
1623 mbedtls_x509_crt_free( session->peer_cert );
1624 mbedtls_free( session->peer_cert );
1625 session->peer_cert = NULL;
1626 }
1627#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1628 if( session->peer_cert_digest != NULL )
1629 {
1630 /* Zeroization is not necessary. */
1631 mbedtls_free( session->peer_cert_digest );
1632 session->peer_cert_digest = NULL;
1633 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
1634 session->peer_cert_digest_len = 0;
1635 }
1636#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1637}
1638#endif /* MBEDTLS_X509_CRT_PARSE_C */
1639
Paul Bakker5121ce52009-01-03 21:22:43 +00001640/*
1641 * Handshake functions
1642 */
Gilles Peskineeccd8882020-03-10 12:19:08 +01001643#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskinef9828522017-05-03 12:28:43 +02001644/* No certificate support -> dummy functions */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001645int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00001646{
Hanno Beckere694c3e2017-12-27 21:34:08 +00001647 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1648 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001651
Hanno Becker7177a882019-02-05 13:36:46 +00001652 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001653 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001655 ssl->state++;
1656 return( 0 );
1657 }
1658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001659 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1660 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001661}
1662
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001663int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001664{
Hanno Beckere694c3e2017-12-27 21:34:08 +00001665 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1666 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001668 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001669
Hanno Becker7177a882019-02-05 13:36:46 +00001670 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001671 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001673 ssl->state++;
1674 return( 0 );
1675 }
1676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1678 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001679}
Gilles Peskinef9828522017-05-03 12:28:43 +02001680
Gilles Peskineeccd8882020-03-10 12:19:08 +01001681#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Gilles Peskinef9828522017-05-03 12:28:43 +02001682/* Some certificate support -> implement write and parse */
1683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001684int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001685{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001686 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001687 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001688 const mbedtls_x509_crt *crt;
Hanno Beckere694c3e2017-12-27 21:34:08 +00001689 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1690 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001692 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001693
Hanno Becker7177a882019-02-05 13:36:46 +00001694 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001695 {
Johan Pascal4f099262020-09-22 10:59:26 +02001696 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1697 ssl->state++;
1698 return( 0 );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001699 }
1700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001701#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001702 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +00001703 {
1704 if( ssl->client_auth == 0 )
1705 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001706 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001707 ssl->state++;
1708 return( 0 );
1709 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001710 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001711#endif /* MBEDTLS_SSL_CLI_C */
1712#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001713 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00001714 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001715 if( mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001716 {
Hanno Becker9cfe6e92021-04-30 05:38:24 +01001717 /* Should never happen because we shouldn't have picked the
1718 * ciphersuite if we don't have a certificate. */
1719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001720 }
1721 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01001722#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001723
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001724 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001725
1726 /*
1727 * 0 . 0 handshake type
1728 * 1 . 3 handshake length
1729 * 4 . 6 length of all certs
1730 * 7 . 9 length of cert. 1
1731 * 10 . n-1 peer certificate
1732 * n . n+2 length of cert. 2
1733 * n+3 . ... upper level cert, etc.
1734 */
1735 i = 7;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001736 crt = mbedtls_ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00001737
Paul Bakker29087132010-03-21 21:03:34 +00001738 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001739 {
1740 n = crt->raw.len;
Angus Grattond8213d02016-05-25 20:56:48 +10001741 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +00001742 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00001743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
1744 " > %" MBEDTLS_PRINTF_SIZET,
Paul Elliott3891caf2020-12-17 18:42:40 +00001745 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Hanno Becker91e1cc32021-04-30 05:28:49 +01001746 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Paul Bakker5121ce52009-01-03 21:22:43 +00001747 }
1748
1749 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1750 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1751 ssl->out_msg[i + 2] = (unsigned char)( n );
1752
1753 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1754 i += n; crt = crt->next;
1755 }
1756
1757 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1758 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1759 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1760
1761 ssl->out_msglen = i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001762 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1763 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
Paul Bakker5121ce52009-01-03 21:22:43 +00001764
Paul Bakker5121ce52009-01-03 21:22:43 +00001765 ssl->state++;
1766
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001767 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001768 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001769 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001770 return( ret );
1771 }
1772
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001773 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001774
Paul Bakkered27a042013-04-18 22:46:23 +02001775 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001776}
1777
Hanno Becker84879e32019-01-31 07:44:03 +00001778#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Hanno Becker177475a2019-02-05 17:02:46 +00001779
1780#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001781static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1782 unsigned char *crt_buf,
1783 size_t crt_buf_len )
1784{
1785 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
1786
1787 if( peer_crt == NULL )
1788 return( -1 );
1789
1790 if( peer_crt->raw.len != crt_buf_len )
1791 return( -1 );
1792
k-stachowiak95b68ef2019-09-16 12:21:00 +02001793 return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001794}
Hanno Becker177475a2019-02-05 17:02:46 +00001795#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1796static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1797 unsigned char *crt_buf,
1798 size_t crt_buf_len )
1799{
Janos Follath865b3eb2019-12-16 11:46:15 +00001800 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker177475a2019-02-05 17:02:46 +00001801 unsigned char const * const peer_cert_digest =
1802 ssl->session->peer_cert_digest;
1803 mbedtls_md_type_t const peer_cert_digest_type =
1804 ssl->session->peer_cert_digest_type;
1805 mbedtls_md_info_t const * const digest_info =
1806 mbedtls_md_info_from_type( peer_cert_digest_type );
1807 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
1808 size_t digest_len;
1809
1810 if( peer_cert_digest == NULL || digest_info == NULL )
1811 return( -1 );
1812
1813 digest_len = mbedtls_md_get_size( digest_info );
1814 if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
1815 return( -1 );
1816
1817 ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
1818 if( ret != 0 )
1819 return( -1 );
1820
1821 return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
1822}
1823#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker84879e32019-01-31 07:44:03 +00001824#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001825
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02001826/*
1827 * Once the certificate message is read, parse it into a cert chain and
1828 * perform basic checks, but leave actual verification to the caller
1829 */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001830static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
1831 mbedtls_x509_crt *chain )
Paul Bakker5121ce52009-01-03 21:22:43 +00001832{
Janos Follath865b3eb2019-12-16 11:46:15 +00001833 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001834#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1835 int crt_cnt=0;
1836#endif
Paul Bakker23986e52011-04-24 08:57:21 +00001837 size_t i, n;
Gilles Peskine064a85c2017-05-10 10:46:40 +02001838 uint8_t alert;
Paul Bakker5121ce52009-01-03 21:22:43 +00001839
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001840 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001841 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001843 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1844 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001845 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001846 }
1847
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001848 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE )
1849 {
1850 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1851 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1852 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1853 }
1854
1855 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001856 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1859 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001860 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001861 }
1862
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001863 i = mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001864
Paul Bakker5121ce52009-01-03 21:22:43 +00001865 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001866 * Same message structure as in mbedtls_ssl_write_certificate()
Paul Bakker5121ce52009-01-03 21:22:43 +00001867 */
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001868 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
Paul Bakker5121ce52009-01-03 21:22:43 +00001869
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +00001870 if( ssl->in_msg[i] != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001871 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00001872 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001873 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001874 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1875 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001876 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001877 }
1878
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001879 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
1880 i += 3;
1881
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001882 /* Iterate through and parse the CRTs in the provided chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001883 while( i < ssl->in_hslen )
1884 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001885 /* Check that there's room for the next CRT's length fields. */
Philippe Antoine747fd532018-05-30 09:13:21 +02001886 if ( i + 3 > ssl->in_hslen ) {
1887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001888 mbedtls_ssl_send_alert_message( ssl,
1889 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1890 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001891 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Philippe Antoine747fd532018-05-30 09:13:21 +02001892 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001893 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
1894 * anything beyond 2**16 ~ 64K. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001895 if( ssl->in_msg[i] != 0 )
1896 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001897 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001898 mbedtls_ssl_send_alert_message( ssl,
1899 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001900 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT );
1901 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001902 }
1903
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001904 /* Read length of the next CRT in the chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +00001905 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1906 | (unsigned int) ssl->in_msg[i + 2];
1907 i += 3;
1908
1909 if( n < 128 || i + n > ssl->in_hslen )
1910 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +00001912 mbedtls_ssl_send_alert_message( ssl,
1913 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1914 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker9ed1ba52021-06-24 11:03:13 +01001915 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00001916 }
1917
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001918 /* Check if we're handling the first CRT in the chain. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001919#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1920 if( crt_cnt++ == 0 &&
1921 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1922 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001923 {
Hanno Becker46f34d02019-02-08 14:00:04 +00001924 /* During client-side renegotiation, check that the server's
1925 * end-CRTs hasn't changed compared to the initial handshake,
1926 * mitigating the triple handshake attack. On success, reuse
1927 * the original end-CRT instead of parsing it again. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
1929 if( ssl_check_peer_crt_unchanged( ssl,
1930 &ssl->in_msg[i],
1931 n ) != 0 )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001932 {
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
1934 mbedtls_ssl_send_alert_message( ssl,
1935 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01001936 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
1937 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001938 }
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001939
1940 /* Now we can safely free the original chain. */
1941 ssl_clear_peer_cert( ssl->session );
1942 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001943#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
1944
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001945 /* Parse the next certificate in the chain. */
Hanno Becker0056eab2019-02-08 14:39:16 +00001946#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001947 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
Hanno Becker0056eab2019-02-08 14:39:16 +00001948#else
Hanno Becker353a6f02019-02-26 11:51:34 +00001949 /* If we don't need to store the CRT chain permanently, parse
Hanno Becker0056eab2019-02-08 14:39:16 +00001950 * it in-place from the input buffer instead of making a copy. */
1951 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
1952#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001953 switch( ret )
Paul Bakker5121ce52009-01-03 21:22:43 +00001954 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001955 case 0: /*ok*/
1956 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
1957 /* Ignore certificate with an unknown algorithm: maybe a
1958 prior certificate was already trusted. */
1959 break;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001960
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001961 case MBEDTLS_ERR_X509_ALLOC_FAILED:
1962 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
1963 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001964
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001965 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
1966 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
1967 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001968
Hanno Beckerdef9bdc2019-01-30 14:46:46 +00001969 default:
1970 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
1971 crt_parse_der_failed:
1972 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
1973 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
1974 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001975 }
1976
1977 i += n;
1978 }
1979
Hanno Beckerc7bd7802019-02-05 15:37:23 +00001980 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02001981 return( 0 );
1982}
1983
Hanno Becker4a55f632019-02-05 12:49:06 +00001984#if defined(MBEDTLS_SSL_SRV_C)
1985static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
1986{
1987 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1988 return( -1 );
1989
TRodziewicz0f82ec62021-05-12 17:49:18 +02001990#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker4a55f632019-02-05 12:49:06 +00001991 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
1992 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
1993 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
1994 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
1995 {
1996 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1997 return( 0 );
1998 }
1999
2000 return( -1 );
TRodziewicz0f82ec62021-05-12 17:49:18 +02002001#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker4a55f632019-02-05 12:49:06 +00002002}
2003#endif /* MBEDTLS_SSL_SRV_C */
2004
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002005/* Check if a certificate message is expected.
2006 * Return either
2007 * - SSL_CERTIFICATE_EXPECTED, or
2008 * - SSL_CERTIFICATE_SKIP
2009 * indicating whether a Certificate message is expected or not.
2010 */
2011#define SSL_CERTIFICATE_EXPECTED 0
2012#define SSL_CERTIFICATE_SKIP 1
2013static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
2014 int authmode )
2015{
2016 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00002017 ssl->handshake->ciphersuite_info;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002018
2019 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
2020 return( SSL_CERTIFICATE_SKIP );
2021
2022#if defined(MBEDTLS_SSL_SRV_C)
2023 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
2024 {
2025 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2026 return( SSL_CERTIFICATE_SKIP );
2027
2028 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2029 {
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002030 ssl->session_negotiate->verify_result =
2031 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2032 return( SSL_CERTIFICATE_SKIP );
2033 }
2034 }
Hanno Becker84d9d272019-03-01 08:10:46 +00002035#else
2036 ((void) authmode);
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002037#endif /* MBEDTLS_SSL_SRV_C */
2038
2039 return( SSL_CERTIFICATE_EXPECTED );
2040}
2041
Hanno Becker68636192019-02-05 14:36:34 +00002042static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
2043 int authmode,
2044 mbedtls_x509_crt *chain,
2045 void *rs_ctx )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002046{
Hanno Becker6bdfab22019-02-05 13:11:17 +00002047 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002048 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00002049 ssl->handshake->ciphersuite_info;
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002050 int have_ca_chain = 0;
Hanno Becker68636192019-02-05 14:36:34 +00002051
Hanno Becker8927c832019-04-03 12:52:50 +01002052 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
2053 void *p_vrfy;
2054
Hanno Becker68636192019-02-05 14:36:34 +00002055 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2056 return( 0 );
2057
Hanno Becker8927c832019-04-03 12:52:50 +01002058 if( ssl->f_vrfy != NULL )
2059 {
Hanno Beckerefb440a2019-04-03 13:04:33 +01002060 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +01002061 f_vrfy = ssl->f_vrfy;
2062 p_vrfy = ssl->p_vrfy;
2063 }
2064 else
2065 {
Hanno Beckerefb440a2019-04-03 13:04:33 +01002066 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +01002067 f_vrfy = ssl->conf->f_vrfy;
2068 p_vrfy = ssl->conf->p_vrfy;
2069 }
2070
Hanno Becker68636192019-02-05 14:36:34 +00002071 /*
2072 * Main check: verify certificate
2073 */
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002074#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2075 if( ssl->conf->f_ca_cb != NULL )
2076 {
2077 ((void) rs_ctx);
2078 have_ca_chain = 1;
2079
2080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
Jarno Lamsa9822c0d2019-04-01 16:59:48 +03002081 ret = mbedtls_x509_crt_verify_with_ca_cb(
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002082 chain,
2083 ssl->conf->f_ca_cb,
2084 ssl->conf->p_ca_cb,
2085 ssl->conf->cert_profile,
2086 ssl->hostname,
2087 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +01002088 f_vrfy, p_vrfy );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002089 }
2090 else
2091#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2092 {
2093 mbedtls_x509_crt *ca_chain;
2094 mbedtls_x509_crl *ca_crl;
2095
2096#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2097 if( ssl->handshake->sni_ca_chain != NULL )
2098 {
2099 ca_chain = ssl->handshake->sni_ca_chain;
2100 ca_crl = ssl->handshake->sni_ca_crl;
2101 }
2102 else
2103#endif
2104 {
2105 ca_chain = ssl->conf->ca_chain;
2106 ca_crl = ssl->conf->ca_crl;
2107 }
2108
2109 if( ca_chain != NULL )
2110 have_ca_chain = 1;
2111
2112 ret = mbedtls_x509_crt_verify_restartable(
2113 chain,
2114 ca_chain, ca_crl,
2115 ssl->conf->cert_profile,
2116 ssl->hostname,
2117 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +01002118 f_vrfy, p_vrfy, rs_ctx );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002119 }
Hanno Becker68636192019-02-05 14:36:34 +00002120
2121 if( ret != 0 )
2122 {
2123 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2124 }
2125
Gilles Peskineeccd8882020-03-10 12:19:08 +01002126#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Hanno Becker68636192019-02-05 14:36:34 +00002127 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2128 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
2129#endif
2130
2131 /*
2132 * Secondary checks: always done, but change 'ret' only if it was 0
2133 */
2134
2135#if defined(MBEDTLS_ECP_C)
2136 {
2137 const mbedtls_pk_context *pk = &chain->pk;
2138
2139 /* If certificate uses an EC key, make sure the curve is OK */
2140 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
2141 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
2142 {
2143 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
2144
2145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2146 if( ret == 0 )
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002147 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Hanno Becker68636192019-02-05 14:36:34 +00002148 }
2149 }
2150#endif /* MBEDTLS_ECP_C */
2151
2152 if( mbedtls_ssl_check_cert_usage( chain,
2153 ciphersuite_info,
2154 ! ssl->conf->endpoint,
2155 &ssl->session_negotiate->verify_result ) != 0 )
2156 {
2157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2158 if( ret == 0 )
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002159 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Hanno Becker68636192019-02-05 14:36:34 +00002160 }
2161
2162 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
2163 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
2164 * with details encoded in the verification flags. All other kinds
2165 * of error codes, including those from the user provided f_vrfy
2166 * functions, are treated as fatal and lead to a failure of
2167 * ssl_parse_certificate even if verification was optional. */
2168 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
2169 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
Hanno Becker9ed1ba52021-06-24 11:03:13 +01002170 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
Hanno Becker68636192019-02-05 14:36:34 +00002171 {
2172 ret = 0;
2173 }
2174
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00002175 if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Hanno Becker68636192019-02-05 14:36:34 +00002176 {
2177 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2178 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
2179 }
2180
2181 if( ret != 0 )
2182 {
2183 uint8_t alert;
2184
2185 /* The certificate may have been rejected for several reasons.
2186 Pick one and send the corresponding alert. Which alert to send
2187 may be a subject of debate in some cases. */
2188 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
2189 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
2190 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
2191 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
2192 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
2193 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2194 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
2195 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2196 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
2197 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2198 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
2199 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2200 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
2201 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2202 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
2203 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
2204 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
2205 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
2206 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
2207 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
2208 else
2209 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
2210 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2211 alert );
2212 }
2213
2214#if defined(MBEDTLS_DEBUG_C)
2215 if( ssl->session_negotiate->verify_result != 0 )
2216 {
Paul Elliott3891caf2020-12-17 18:42:40 +00002217 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Paul Elliott9f352112020-12-09 14:55:45 +00002218 (unsigned int) ssl->session_negotiate->verify_result ) );
Hanno Becker68636192019-02-05 14:36:34 +00002219 }
2220 else
2221 {
2222 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
2223 }
2224#endif /* MBEDTLS_DEBUG_C */
2225
2226 return( ret );
2227}
2228
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002229#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2230static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
2231 unsigned char *start, size_t len )
2232{
Janos Follath865b3eb2019-12-16 11:46:15 +00002233 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002234 /* Remember digest of the peer's end-CRT. */
2235 ssl->session_negotiate->peer_cert_digest =
2236 mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
2237 if( ssl->session_negotiate->peer_cert_digest == NULL )
2238 {
2239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
irwir40883e92019-09-21 17:55:33 +03002240 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002241 mbedtls_ssl_send_alert_message( ssl,
2242 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2243 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2244
2245 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2246 }
2247
2248 ret = mbedtls_md( mbedtls_md_info_from_type(
2249 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
2250 start, len,
2251 ssl->session_negotiate->peer_cert_digest );
2252
2253 ssl->session_negotiate->peer_cert_digest_type =
2254 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
2255 ssl->session_negotiate->peer_cert_digest_len =
2256 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
2257
2258 return( ret );
2259}
2260
2261static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
2262 unsigned char *start, size_t len )
2263{
2264 unsigned char *end = start + len;
Janos Follath865b3eb2019-12-16 11:46:15 +00002265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002266
2267 /* Make a copy of the peer's raw public key. */
2268 mbedtls_pk_init( &ssl->handshake->peer_pubkey );
2269 ret = mbedtls_pk_parse_subpubkey( &start, end,
2270 &ssl->handshake->peer_pubkey );
2271 if( ret != 0 )
2272 {
2273 /* We should have parsed the public key before. */
2274 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2275 }
2276
2277 return( 0 );
2278}
2279#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2280
Hanno Becker68636192019-02-05 14:36:34 +00002281int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
2282{
2283 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002284 int crt_expected;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002285#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2286 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
2287 ? ssl->handshake->sni_authmode
2288 : ssl->conf->authmode;
2289#else
Johan Pascal4f099262020-09-22 10:59:26 +02002290 const int authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002291#endif
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002292 void *rs_ctx = NULL;
Hanno Becker3dad3112019-02-05 17:19:52 +00002293 mbedtls_x509_crt *chain = NULL;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002294
2295 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2296
Hanno Becker28f2fcd2019-02-07 10:11:07 +00002297 crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
2298 if( crt_expected == SSL_CERTIFICATE_SKIP )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002299 {
2300 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Hanno Becker6bdfab22019-02-05 13:11:17 +00002301 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002302 }
2303
Gilles Peskineeccd8882020-03-10 12:19:08 +01002304#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002305 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02002306 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002307 {
Hanno Becker3dad3112019-02-05 17:19:52 +00002308 chain = ssl->handshake->ecrs_peer_cert;
2309 ssl->handshake->ecrs_peer_cert = NULL;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002310 goto crt_verify;
2311 }
2312#endif
2313
Manuel Pégourié-Gonnard125af942018-09-11 11:08:12 +02002314 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002315 {
2316 /* mbedtls_ssl_read_record may have sent an alert already. We
2317 let it decide whether to alert. */
2318 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Hanno Becker3dad3112019-02-05 17:19:52 +00002319 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002320 }
2321
Hanno Becker4a55f632019-02-05 12:49:06 +00002322#if defined(MBEDTLS_SSL_SRV_C)
2323 if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
2324 {
2325 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Hanno Becker4a55f632019-02-05 12:49:06 +00002326
irwird3085ab2020-04-21 22:26:05 +03002327 if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
Hanno Becker6bdfab22019-02-05 13:11:17 +00002328 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Hanno Becker4a55f632019-02-05 12:49:06 +00002329
Hanno Becker6bdfab22019-02-05 13:11:17 +00002330 goto exit;
Hanno Becker4a55f632019-02-05 12:49:06 +00002331 }
2332#endif /* MBEDTLS_SSL_SRV_C */
2333
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002334 /* Clear existing peer CRT structure in case we tried to
2335 * reuse a session but it failed, and allocate a new one. */
Hanno Becker7a955a02019-02-05 13:08:01 +00002336 ssl_clear_peer_cert( ssl->session_negotiate );
Hanno Becker3dad3112019-02-05 17:19:52 +00002337
2338 chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
2339 if( chain == NULL )
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002340 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00002341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002342 sizeof( mbedtls_x509_crt ) ) );
2343 mbedtls_ssl_send_alert_message( ssl,
2344 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2345 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Hanno Becker7a955a02019-02-05 13:08:01 +00002346
Hanno Becker3dad3112019-02-05 17:19:52 +00002347 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
2348 goto exit;
2349 }
2350 mbedtls_x509_crt_init( chain );
2351
2352 ret = ssl_parse_certificate_chain( ssl, chain );
Hanno Beckerc7bd7802019-02-05 15:37:23 +00002353 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +00002354 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +02002355
Gilles Peskineeccd8882020-03-10 12:19:08 +01002356#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002357 if( ssl->handshake->ecrs_enabled)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02002358 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +02002359
2360crt_verify:
2361 if( ssl->handshake->ecrs_enabled)
2362 rs_ctx = &ssl->handshake->ecrs_ctx;
2363#endif
2364
Hanno Becker68636192019-02-05 14:36:34 +00002365 ret = ssl_parse_certificate_verify( ssl, authmode,
Hanno Becker3dad3112019-02-05 17:19:52 +00002366 chain, rs_ctx );
Hanno Becker68636192019-02-05 14:36:34 +00002367 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +00002368 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +00002369
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002370#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002371 {
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002372 unsigned char *crt_start, *pk_start;
2373 size_t crt_len, pk_len;
Hanno Becker3dad3112019-02-05 17:19:52 +00002374
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002375 /* We parse the CRT chain without copying, so
2376 * these pointers point into the input buffer,
2377 * and are hence still valid after freeing the
2378 * CRT chain. */
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002379
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002380 crt_start = chain->raw.p;
2381 crt_len = chain->raw.len;
Hanno Becker6bbd94c2019-02-05 17:02:28 +00002382
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002383 pk_start = chain->pk_raw.p;
2384 pk_len = chain->pk_raw.len;
2385
2386 /* Free the CRT structures before computing
2387 * digest and copying the peer's public key. */
2388 mbedtls_x509_crt_free( chain );
2389 mbedtls_free( chain );
2390 chain = NULL;
2391
2392 ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
Hanno Beckera2747532019-02-06 16:19:04 +00002393 if( ret != 0 )
Hanno Beckera2747532019-02-06 16:19:04 +00002394 goto exit;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002395
2396 ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
2397 if( ret != 0 )
2398 goto exit;
Hanno Beckera2747532019-02-06 16:19:04 +00002399 }
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002400#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2401 /* Pass ownership to session structure. */
Hanno Becker3dad3112019-02-05 17:19:52 +00002402 ssl->session_negotiate->peer_cert = chain;
2403 chain = NULL;
Hanno Becker6b8fbab2019-02-08 14:59:05 +00002404#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker3dad3112019-02-05 17:19:52 +00002405
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002406 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002407
Hanno Becker6bdfab22019-02-05 13:11:17 +00002408exit:
2409
Hanno Becker3dad3112019-02-05 17:19:52 +00002410 if( ret == 0 )
2411 ssl->state++;
2412
Gilles Peskineeccd8882020-03-10 12:19:08 +01002413#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Hanno Becker3dad3112019-02-05 17:19:52 +00002414 if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
2415 {
2416 ssl->handshake->ecrs_peer_cert = chain;
2417 chain = NULL;
2418 }
2419#endif
2420
2421 if( chain != NULL )
2422 {
2423 mbedtls_x509_crt_free( chain );
2424 mbedtls_free( chain );
2425 }
2426
Paul Bakker5121ce52009-01-03 21:22:43 +00002427 return( ret );
2428}
Gilles Peskineeccd8882020-03-10 12:19:08 +01002429#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002431void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
2432 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002433{
Paul Bakkerfb08fd22013-08-27 15:06:26 +02002434 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +01002435
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002436#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002437#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002438 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002439 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2440 else
2441#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002442#if defined(MBEDTLS_SHA256_C)
2443 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +00002444 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002445 else
2446#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002447#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002448 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002450 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002451 }
Paul Bakker380da532012-04-18 16:10:25 +00002452}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002454void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002455{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002456#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2457#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002458#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -05002459 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002460 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2461#else
TRodziewicz26371e42021-06-08 16:45:41 +02002462 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002463#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002464#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002465#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002466#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -05002467 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
Andrzej Kurek972fba52019-01-30 03:29:12 -05002468 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002469#else
TRodziewicz26371e42021-06-08 16:45:41 +02002470 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002471#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002472#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002473#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002474}
2475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002476static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002477 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002478{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002479#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2480#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002481#if defined(MBEDTLS_USE_PSA_CRYPTO)
2482 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2483#else
TRodziewicz26371e42021-06-08 16:45:41 +02002484 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002485#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002486#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002487#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002488#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002489 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002490#else
TRodziewicz26371e42021-06-08 16:45:41 +02002491 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002492#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002493#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002494#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002495}
2496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002497#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2498#if defined(MBEDTLS_SHA256_C)
2499static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002500 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002501{
Andrzej Kurekeb342242019-01-29 09:14:33 -05002502#if defined(MBEDTLS_USE_PSA_CRYPTO)
2503 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2504#else
TRodziewicz26371e42021-06-08 16:45:41 +02002505 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002506#endif
Paul Bakker380da532012-04-18 16:10:25 +00002507}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002508#endif
Paul Bakker380da532012-04-18 16:10:25 +00002509
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002510#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002511static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002512 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002513{
Andrzej Kurekeb342242019-01-29 09:14:33 -05002514#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002515 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002516#else
TRodziewicz26371e42021-06-08 16:45:41 +02002517 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002518#endif
Paul Bakker380da532012-04-18 16:10:25 +00002519}
Paul Bakker769075d2012-11-24 11:26:46 +01002520#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002521#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002523#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2524#if defined(MBEDTLS_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00002525static void ssl_calc_finished_tls_sha256(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002526 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002527{
2528 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002529 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002530 unsigned char padbuf[32];
Andrzej Kurekeb342242019-01-29 09:14:33 -05002531#if defined(MBEDTLS_USE_PSA_CRYPTO)
2532 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +00002533 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -05002534 psa_status_t status;
2535#else
2536 mbedtls_sha256_context sha256;
2537#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002539 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002540 if( !session )
2541 session = ssl->session;
2542
Andrzej Kurekeb342242019-01-29 09:14:33 -05002543 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2544 ? "client finished"
2545 : "server finished";
2546
2547#if defined(MBEDTLS_USE_PSA_CRYPTO)
2548 sha256_psa = psa_hash_operation_init();
2549
2550 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
2551
2552 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
2553 if( status != PSA_SUCCESS )
2554 {
2555 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2556 return;
2557 }
2558
2559 status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
2560 if( status != PSA_SUCCESS )
2561 {
2562 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2563 return;
2564 }
2565 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
2566#else
2567
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002568 mbedtls_sha256_init( &sha256 );
2569
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002570 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002571
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002572 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002573
2574 /*
2575 * TLSv1.2:
2576 * hash = PRF( master, finished_label,
2577 * Hash( handshake ) )[0.11]
2578 */
2579
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002580#if !defined(MBEDTLS_SHA256_ALT)
2581 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002582 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002583#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002584
TRodziewicz26371e42021-06-08 16:45:41 +02002585 mbedtls_sha256_finish( &sha256, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002586 mbedtls_sha256_free( &sha256 );
2587#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002588
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002589 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002590 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002592 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002593
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05002594 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002595
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002597}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002598#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002599
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002600#if defined(MBEDTLS_SHA384_C)
Rodrigo Dias Corread596ca82020-11-25 00:42:28 -03002601
Paul Bakkerca4ab492012-04-18 14:23:57 +00002602static void ssl_calc_finished_tls_sha384(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002603 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakkerca4ab492012-04-18 14:23:57 +00002604{
2605 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002606 const char *sender;
Rodrigo Dias Corread596ca82020-11-25 00:42:28 -03002607 unsigned char padbuf[48];
Andrzej Kurekeb342242019-01-29 09:14:33 -05002608#if defined(MBEDTLS_USE_PSA_CRYPTO)
2609 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +00002610 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -05002611 psa_status_t status;
2612#else
2613 mbedtls_sha512_context sha512;
2614#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002616 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002617 if( !session )
2618 session = ssl->session;
2619
Andrzej Kurekeb342242019-01-29 09:14:33 -05002620 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2621 ? "client finished"
2622 : "server finished";
2623
2624#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002625 sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -05002626
2627 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
2628
Andrzej Kurek972fba52019-01-30 03:29:12 -05002629 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002630 if( status != PSA_SUCCESS )
2631 {
2632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2633 return;
2634 }
2635
Andrzej Kurek972fba52019-01-30 03:29:12 -05002636 status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002637 if( status != PSA_SUCCESS )
2638 {
2639 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2640 return;
2641 }
2642 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
2643#else
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002644 mbedtls_sha512_init( &sha512 );
2645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002647
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +02002648 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002649
2650 /*
2651 * TLSv1.2:
2652 * hash = PRF( master, finished_label,
2653 * Hash( handshake ) )[0.11]
2654 */
2655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002656#if !defined(MBEDTLS_SHA512_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +02002657 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
2658 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002659#endif
TRodziewicz26371e42021-06-08 16:45:41 +02002660 mbedtls_sha512_finish( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002661
Andrzej Kurekeb342242019-01-29 09:14:33 -05002662 mbedtls_sha512_free( &sha512 );
2663#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002664
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002665 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002666 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002668 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002669
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05002670 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002673}
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002674#endif /* MBEDTLS_SHA384_C */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002675#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +00002676
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00002677void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00002678{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002679 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002680
2681 /*
2682 * Free our handshake params
2683 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02002684 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002685 mbedtls_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00002686 ssl->handshake = NULL;
2687
2688 /*
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002689 * Free the previous transform and swith in the current one
Paul Bakker48916f92012-09-16 19:57:18 +00002690 */
2691 if( ssl->transform )
2692 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002693 mbedtls_ssl_transform_free( ssl->transform );
2694 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00002695 }
2696 ssl->transform = ssl->transform_negotiate;
2697 ssl->transform_negotiate = NULL;
2698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002699 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002700}
2701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002702void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002703{
2704 int resume = ssl->handshake->resume;
2705
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002708#if defined(MBEDTLS_SSL_RENEGOTIATION)
2709 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002711 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002712 ssl->renego_records_seen = 0;
2713 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002714#endif
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002715
2716 /*
2717 * Free the previous session and switch in the current one
2718 */
Paul Bakker0a597072012-09-25 21:55:46 +00002719 if( ssl->session )
2720 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002721#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +01002722 /* RFC 7366 3.1: keep the EtM state */
2723 ssl->session_negotiate->encrypt_then_mac =
2724 ssl->session->encrypt_then_mac;
2725#endif
2726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002727 mbedtls_ssl_session_free( ssl->session );
2728 mbedtls_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00002729 }
2730 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002731 ssl->session_negotiate = NULL;
2732
Paul Bakker0a597072012-09-25 21:55:46 +00002733 /*
2734 * Add cache entry
2735 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002736 if( ssl->conf->f_set_cache != NULL &&
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02002737 ssl->session->id_len != 0 &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002738 resume == 0 )
2739 {
Hanno Beckerccdaf6e2021-04-15 09:26:17 +01002740 if( ssl->conf->f_set_cache( ssl->conf->p_cache,
2741 ssl->session->id,
2742 ssl->session->id_len,
2743 ssl->session ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002744 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002745 }
Paul Bakker0a597072012-09-25 21:55:46 +00002746
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002747#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002748 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002749 ssl->handshake->flight != NULL )
2750 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002751 /* Cancel handshake timer */
Hanno Becker0f57a652020-02-05 10:37:26 +00002752 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +02002753
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002754 /* Keep last flight around in case we need to resend it:
2755 * we need the handshake and transform structures for that */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002756 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002757 }
2758 else
2759#endif
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00002760 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +02002761
Paul Bakker48916f92012-09-16 19:57:18 +00002762 ssl->state++;
2763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002764 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002765}
2766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002767int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002768{
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002769 int ret, hash_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002770
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002771 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002772
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00002773 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Paul Bakker92be97b2013-01-02 17:30:03 +01002774
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002775 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002776
Manuel Pégourié-Gonnard214a8482016-02-22 11:27:26 +01002777 /*
2778 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
2779 * may define some other value. Currently (early 2016), no defined
2780 * ciphersuite does this (and this is unlikely to change as activity has
2781 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
2782 */
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002783 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00002784
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002785#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002786 ssl->verify_data_len = hash_len;
2787 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002788#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002789
Paul Bakker5121ce52009-01-03 21:22:43 +00002790 ssl->out_msglen = 4 + hash_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002791 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2792 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
Paul Bakker5121ce52009-01-03 21:22:43 +00002793
2794 /*
2795 * In case of session resuming, invert the client and server
2796 * ChangeCipherSpec messages order.
2797 */
Paul Bakker0a597072012-09-25 21:55:46 +00002798 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002799 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002800#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002801 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002802 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002803#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002804#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002805 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002806 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002807#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002808 }
2809 else
2810 ssl->state++;
2811
Paul Bakker48916f92012-09-16 19:57:18 +00002812 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002813 * Switch to our negotiated transform and session parameters for outbound
2814 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00002815 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002816 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +01002817
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002818#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002820 {
2821 unsigned char i;
2822
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002823 /* Remember current epoch settings for resending */
2824 ssl->handshake->alt_transform_out = ssl->transform_out;
Hanno Becker19859472018-08-06 09:40:20 +01002825 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002826
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002827 /* Set sequence_number to zero */
Hanno Becker19859472018-08-06 09:40:20 +01002828 memset( ssl->cur_out_ctr + 2, 0, 6 );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002829
2830 /* Increment epoch */
2831 for( i = 2; i > 0; i-- )
Hanno Becker19859472018-08-06 09:40:20 +01002832 if( ++ssl->cur_out_ctr[i - 1] != 0 )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002833 break;
2834
2835 /* The loop goes to its end iff the counter is wrapping */
2836 if( i == 0 )
2837 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
2839 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002840 }
2841 }
2842 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002843#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker19859472018-08-06 09:40:20 +01002844 memset( ssl->cur_out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002845
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002846 ssl->transform_out = ssl->transform_negotiate;
2847 ssl->session_out = ssl->session_negotiate;
2848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002849#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002850 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002851 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02002852#endif
2853
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02002854 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002855 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02002856 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002857 return( ret );
2858 }
2859
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02002860#if defined(MBEDTLS_SSL_PROTO_DTLS)
2861 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2862 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2863 {
2864 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2865 return( ret );
2866 }
2867#endif
2868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002870
2871 return( 0 );
2872}
2873
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002874#define SSL_MAX_HASH_LEN 12
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002876int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002877{
Janos Follath865b3eb2019-12-16 11:46:15 +00002878 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +02002879 unsigned int hash_len;
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +00002880 unsigned char buf[SSL_MAX_HASH_LEN];
Paul Bakker5121ce52009-01-03 21:22:43 +00002881
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002882 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002883
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002884 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002885
Hanno Becker327c93b2018-08-15 13:56:18 +01002886 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002887 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002888 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002889 return( ret );
2890 }
2891
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002892 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002893 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002894 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002895 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2896 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002897 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002898 }
2899
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01002900 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +00002901
Hanno Beckera0ca87e2021-06-24 10:27:37 +01002902 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED )
2903 {
2904 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2905 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2906 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2907 }
2908
2909 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
Paul Bakker5121ce52009-01-03 21:22:43 +00002910 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002912 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2913 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckera0ca87e2021-06-24 10:27:37 +01002914 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +00002915 }
2916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002917 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
Manuel Pégourié-Gonnard4abc3272014-09-10 12:02:46 +00002918 buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002921 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +01002922 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2923 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002924 }
2925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002926#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002927 ssl->verify_data_len = hash_len;
2928 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002929#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002930
Paul Bakker0a597072012-09-25 21:55:46 +00002931 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002932 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002933#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002934 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002935 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002936#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002937#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002938 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002939 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002940#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002941 }
2942 else
2943 ssl->state++;
2944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002945#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002946 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002947 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002948#endif
2949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002951
2952 return( 0 );
2953}
2954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002955static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002956{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002957 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002958
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002959#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2960#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002961#if defined(MBEDTLS_USE_PSA_CRYPTO)
2962 handshake->fin_sha256_psa = psa_hash_operation_init();
2963 psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2964#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002965 mbedtls_sha256_init( &handshake->fin_sha256 );
TRodziewicz26371e42021-06-08 16:45:41 +02002966 mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002967#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002968#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02002969#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05002970#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05002971 handshake->fin_sha384_psa = psa_hash_operation_init();
2972 psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -05002973#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002974 mbedtls_sha512_init( &handshake->fin_sha512 );
TRodziewicz26371e42021-06-08 16:45:41 +02002975 mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002976#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05002977#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002978#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002979
2980 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +01002981
2982#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01002983 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01002984 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
2985#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002987#if defined(MBEDTLS_DHM_C)
2988 mbedtls_dhm_init( &handshake->dhm_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002989#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002990#if defined(MBEDTLS_ECDH_C)
2991 mbedtls_ecdh_init( &handshake->ecdh_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02002992#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02002993#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02002994 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02002995#if defined(MBEDTLS_SSL_CLI_C)
2996 handshake->ecjpake_cache = NULL;
2997 handshake->ecjpake_cache_len = 0;
2998#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02002999#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003000
Gilles Peskineeccd8882020-03-10 12:19:08 +01003001#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02003002 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02003003#endif
3004
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003005#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3006 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
3007#endif
Hanno Becker75173122019-02-06 16:18:31 +00003008
3009#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
3010 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3011 mbedtls_pk_init( &handshake->peer_pubkey );
3012#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003013}
3014
Hanno Beckera18d1322018-01-03 14:27:32 +00003015void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003016{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003017 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003019 mbedtls_cipher_init( &transform->cipher_ctx_enc );
3020 mbedtls_cipher_init( &transform->cipher_ctx_dec );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003021
Hanno Beckerfd86ca82020-11-30 08:54:23 +00003022#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003023 mbedtls_md_init( &transform->md_ctx_enc );
3024 mbedtls_md_init( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +00003025#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003026}
3027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003028void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003029{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003030 memset( session, 0, sizeof(mbedtls_ssl_session) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003031}
3032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003033static int ssl_handshake_init( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00003034{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003035 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +00003036 if( ssl->transform_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003037 mbedtls_ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003038 if( ssl->session_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003039 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003040 if( ssl->handshake )
Gilles Peskine9b562d52018-04-25 20:32:43 +02003041 mbedtls_ssl_handshake_free( ssl );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003042
3043 /*
3044 * Either the pointers are now NULL or cleared properly and can be freed.
3045 * Now allocate missing structures.
3046 */
3047 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003048 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003049 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003050 }
Paul Bakker48916f92012-09-16 19:57:18 +00003051
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003052 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003053 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003054 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003055 }
Paul Bakker48916f92012-09-16 19:57:18 +00003056
Paul Bakker82788fb2014-10-20 13:59:19 +02003057 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003058 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003059 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003060 }
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05003061#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3062 /* If the buffers are too small - reallocate */
Andrzej Kurek8ea68722020-04-03 06:40:47 -04003063
Andrzej Kurek4a063792020-10-21 15:08:44 +02003064 handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
3065 MBEDTLS_SSL_OUT_BUFFER_LEN );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05003066#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003067
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003068 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +00003069 if( ssl->handshake == NULL ||
3070 ssl->transform_negotiate == NULL ||
3071 ssl->session_negotiate == NULL )
3072 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02003073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003074
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003075 mbedtls_free( ssl->handshake );
3076 mbedtls_free( ssl->transform_negotiate );
3077 mbedtls_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003078
3079 ssl->handshake = NULL;
3080 ssl->transform_negotiate = NULL;
3081 ssl->session_negotiate = NULL;
3082
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003083 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker48916f92012-09-16 19:57:18 +00003084 }
3085
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003086 /* Initialize structures */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003087 mbedtls_ssl_session_init( ssl->session_negotiate );
Hanno Beckera18d1322018-01-03 14:27:32 +00003088 mbedtls_ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +02003089 ssl_handshake_params_init( ssl->handshake );
3090
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003091#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003092 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3093 {
3094 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003095
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003096 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
3097 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
3098 else
3099 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003100
Hanno Becker0f57a652020-02-05 10:37:26 +00003101 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +02003102 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003103#endif
3104
Paul Bakker48916f92012-09-16 19:57:18 +00003105 return( 0 );
3106}
3107
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003108#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003109/* Dummy cookie callbacks for defaults */
3110static int ssl_cookie_write_dummy( void *ctx,
3111 unsigned char **p, unsigned char *end,
3112 const unsigned char *cli_id, size_t cli_id_len )
3113{
3114 ((void) ctx);
3115 ((void) p);
3116 ((void) end);
3117 ((void) cli_id);
3118 ((void) cli_id_len);
3119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003120 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003121}
3122
3123static int ssl_cookie_check_dummy( void *ctx,
3124 const unsigned char *cookie, size_t cookie_len,
3125 const unsigned char *cli_id, size_t cli_id_len )
3126{
3127 ((void) ctx);
3128 ((void) cookie);
3129 ((void) cookie_len);
3130 ((void) cli_id);
3131 ((void) cli_id_len);
3132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003133 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003134}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003135#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +02003136
Paul Bakker5121ce52009-01-03 21:22:43 +00003137/*
3138 * Initialize an SSL context
3139 */
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02003140void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
3141{
3142 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
3143}
3144
Jerry Yu60835a82021-08-04 10:13:52 +08003145static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
3146{
3147#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3148 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
3149 {
3150 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3151 {
3152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
3153 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3154 }
3155 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
3156 return( 0 );
3157 }
3158#endif
3159
3160#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3161 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
3162 {
3163 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
3164 return( 0 );
3165 }
3166#endif
3167
3168#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3169 if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
3170 {
3171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
3172 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3173 }
3174#endif
3175
3176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) );
3177 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3178}
3179
3180static int ssl_conf_check(const mbedtls_ssl_context *ssl)
3181{
3182 int ret;
3183 ret = ssl_conf_version_check( ssl );
3184 if( ret != 0 )
3185 return( ret );
3186
3187 /* Space for further checks */
3188
3189 return( 0 );
3190}
3191
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +02003192/*
3193 * Setup an SSL context
3194 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +01003195
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02003196int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +02003197 const mbedtls_ssl_config *conf )
Paul Bakker5121ce52009-01-03 21:22:43 +00003198{
Janos Follath865b3eb2019-12-16 11:46:15 +00003199 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00003200 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3201 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00003202
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +02003203 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +00003204
Jerry Yu60835a82021-08-04 10:13:52 +08003205 if( ( ret = ssl_conf_check( ssl ) ) != 0 )
3206 return( ret );
3207
Paul Bakker62f2dee2012-09-28 07:31:51 +00003208 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +01003209 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +00003210 */
k-stachowiakc9a5f022018-07-24 13:53:31 +02003211
3212 /* Set to NULL in case of an error condition */
3213 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +02003214
Darryl Greenb33cc762019-11-28 14:29:44 +00003215#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3216 ssl->in_buf_len = in_buf_len;
3217#endif
3218 ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
Angus Grattond8213d02016-05-25 20:56:48 +10003219 if( ssl->in_buf == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003220 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00003221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02003222 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02003223 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +10003224 }
3225
Darryl Greenb33cc762019-11-28 14:29:44 +00003226#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3227 ssl->out_buf_len = out_buf_len;
3228#endif
3229 ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
Angus Grattond8213d02016-05-25 20:56:48 +10003230 if( ssl->out_buf == NULL )
3231 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00003232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
k-stachowiak9f7798e2018-07-31 16:52:32 +02003233 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +02003234 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00003235 }
3236
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00003237 mbedtls_ssl_reset_in_out_pointers( ssl );
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02003238
Johan Pascalb62bb512015-12-03 21:56:45 +01003239#if defined(MBEDTLS_SSL_DTLS_SRTP)
Ron Eldor3adb9922017-12-21 10:15:08 +02003240 memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
Johan Pascalb62bb512015-12-03 21:56:45 +01003241#endif
3242
Paul Bakker48916f92012-09-16 19:57:18 +00003243 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
k-stachowiaka47911c2018-07-04 17:41:58 +02003244 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +00003245
3246 return( 0 );
k-stachowiaka47911c2018-07-04 17:41:58 +02003247
3248error:
3249 mbedtls_free( ssl->in_buf );
3250 mbedtls_free( ssl->out_buf );
3251
3252 ssl->conf = NULL;
3253
Darryl Greenb33cc762019-11-28 14:29:44 +00003254#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3255 ssl->in_buf_len = 0;
3256 ssl->out_buf_len = 0;
3257#endif
k-stachowiaka47911c2018-07-04 17:41:58 +02003258 ssl->in_buf = NULL;
3259 ssl->out_buf = NULL;
3260
3261 ssl->in_hdr = NULL;
3262 ssl->in_ctr = NULL;
3263 ssl->in_len = NULL;
3264 ssl->in_iv = NULL;
3265 ssl->in_msg = NULL;
3266
3267 ssl->out_hdr = NULL;
3268 ssl->out_ctr = NULL;
3269 ssl->out_len = NULL;
3270 ssl->out_iv = NULL;
3271 ssl->out_msg = NULL;
3272
k-stachowiak9f7798e2018-07-31 16:52:32 +02003273 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003274}
3275
3276/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00003277 * Reset an initialized and used SSL context for re-use while retaining
3278 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003279 *
3280 * If partial is non-zero, keep data in the input buffer and client ID.
3281 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +00003282 */
Hanno Becker43aefe22020-02-05 10:44:56 +00003283int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
Paul Bakker7eb013f2011-10-06 12:37:39 +00003284{
Janos Follath865b3eb2019-12-16 11:46:15 +00003285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Darryl Greenb33cc762019-11-28 14:29:44 +00003286#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3287 size_t in_buf_len = ssl->in_buf_len;
3288 size_t out_buf_len = ssl->out_buf_len;
3289#else
3290 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3291 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
3292#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003293
Hanno Becker7e772132018-08-10 12:38:21 +01003294#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
3295 !defined(MBEDTLS_SSL_SRV_C)
3296 ((void) partial);
3297#endif
3298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003299 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003300
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003301 /* Cancel any possibly running timer */
Hanno Becker0f57a652020-02-05 10:37:26 +00003302 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003304#if defined(MBEDTLS_SSL_RENEGOTIATION)
3305 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003306 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00003307
3308 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003309 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
3310 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003311#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003312 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00003313
Paul Bakker7eb013f2011-10-06 12:37:39 +00003314 ssl->in_offt = NULL;
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00003315 mbedtls_ssl_reset_in_out_pointers( ssl );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003316
3317 ssl->in_msgtype = 0;
3318 ssl->in_msglen = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003319#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02003320 ssl->next_record_offset = 0;
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003321 ssl->in_epoch = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +02003322#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003323#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +00003324 mbedtls_ssl_dtls_replay_reset( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003325#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +00003326
3327 ssl->in_hslen = 0;
3328 ssl->nb_zero = 0;
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003329
3330 ssl->keep_current_message = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003331
3332 ssl->out_msgtype = 0;
3333 ssl->out_msglen = 0;
3334 ssl->out_left = 0;
3335
Hanno Becker19859472018-08-06 09:40:20 +01003336 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
3337
Paul Bakker48916f92012-09-16 19:57:18 +00003338 ssl->transform_in = NULL;
3339 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003340
Hanno Becker78640902018-08-13 16:35:15 +01003341 ssl->session_in = NULL;
3342 ssl->session_out = NULL;
3343
Darryl Greenb33cc762019-11-28 14:29:44 +00003344 memset( ssl->out_buf, 0, out_buf_len );
Hanno Becker4ccbf062018-08-10 11:20:38 +01003345
3346#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003347 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01003348#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3349 {
3350 ssl->in_left = 0;
Darryl Greenb33cc762019-11-28 14:29:44 +00003351 memset( ssl->in_buf, 0, in_buf_len );
Hanno Becker4ccbf062018-08-10 11:20:38 +01003352 }
Paul Bakker05ef8352012-05-08 09:17:57 +00003353
Paul Bakker48916f92012-09-16 19:57:18 +00003354 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003355 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003356 mbedtls_ssl_transform_free( ssl->transform );
3357 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003358 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00003359 }
Paul Bakker48916f92012-09-16 19:57:18 +00003360
Paul Bakkerc0463502013-02-14 11:19:38 +01003361 if( ssl->session )
3362 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003363 mbedtls_ssl_session_free( ssl->session );
3364 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01003365 ssl->session = NULL;
3366 }
3367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003368#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02003369 ssl->alpn_chosen = NULL;
3370#endif
3371
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02003372#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker4ccbf062018-08-10 11:20:38 +01003373#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003374 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +01003375#endif
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003376 {
3377 mbedtls_free( ssl->cli_id );
3378 ssl->cli_id = NULL;
3379 ssl->cli_id_len = 0;
3380 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02003381#endif
3382
Paul Bakker48916f92012-09-16 19:57:18 +00003383 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3384 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00003385
3386 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003387}
3388
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003389/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003390 * Reset an initialized and used SSL context for re-use while retaining
3391 * all application-set variables, function pointers and data.
3392 */
3393int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
3394{
Hanno Becker43aefe22020-02-05 10:44:56 +00003395 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +02003396}
3397
3398/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003399 * SSL set accessors
3400 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003401void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
Paul Bakker5121ce52009-01-03 21:22:43 +00003402{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003403 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +00003404}
3405
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02003406void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01003407{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003408 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01003409}
3410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003411#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003412void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003413{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003414 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003415}
3416#endif
3417
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003418void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003419{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003420 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003421}
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02003422
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003423#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +01003424
Hanno Becker1841b0a2018-08-24 11:13:57 +01003425void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
3426 unsigned allow_packing )
Hanno Becker04da1892018-08-14 13:22:10 +01003427{
3428 ssl->disable_datagram_packing = !allow_packing;
3429}
3430
3431void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
3432 uint32_t min, uint32_t max )
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02003433{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003434 conf->hs_timeout_min = min;
3435 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +02003436}
3437#endif
3438
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003439void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
Paul Bakker5121ce52009-01-03 21:22:43 +00003440{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003441 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +00003442}
3443
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003444#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003445void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02003446 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003447 void *p_vrfy )
3448{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003449 conf->f_vrfy = f_vrfy;
3450 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003451}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003452#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003453
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003454void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
Paul Bakkera3d195c2011-11-27 21:07:34 +00003455 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00003456 void *p_rng )
3457{
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01003458 conf->f_rng = f_rng;
3459 conf->p_rng = p_rng;
Paul Bakker5121ce52009-01-03 21:22:43 +00003460}
3461
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003462void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardfd474232015-06-23 16:34:24 +02003463 void (*f_dbg)(void *, int, const char *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00003464 void *p_dbg )
3465{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003466 conf->f_dbg = f_dbg;
3467 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +00003468}
3469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003470void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003471 void *p_bio,
Simon Butchere846b512016-03-01 17:31:49 +00003472 mbedtls_ssl_send_t *f_send,
3473 mbedtls_ssl_recv_t *f_recv,
3474 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003475{
3476 ssl->p_bio = p_bio;
3477 ssl->f_send = f_send;
3478 ssl->f_recv = f_recv;
3479 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01003480}
3481
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +02003482#if defined(MBEDTLS_SSL_PROTO_DTLS)
3483void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
3484{
3485 ssl->mtu = mtu;
3486}
3487#endif
3488
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003489void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +01003490{
3491 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +02003492}
3493
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003494void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
3495 void *p_timer,
Simon Butchere846b512016-03-01 17:31:49 +00003496 mbedtls_ssl_set_timer_t *f_set_timer,
3497 mbedtls_ssl_get_timer_t *f_get_timer )
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003498{
3499 ssl->p_timer = p_timer;
3500 ssl->f_set_timer = f_set_timer;
3501 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +02003502
3503 /* Make sure we start with no timer running */
Hanno Becker0f57a652020-02-05 10:37:26 +00003504 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +02003505}
3506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003507#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003508void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
Hanno Beckera637ff62021-04-15 08:42:48 +01003509 void *p_cache,
3510 mbedtls_ssl_cache_get_t *f_get_cache,
3511 mbedtls_ssl_cache_set_t *f_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00003512{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +01003513 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003514 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003515 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00003516}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003517#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003519#if defined(MBEDTLS_SSL_CLI_C)
3520int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00003521{
Janos Follath865b3eb2019-12-16 11:46:15 +00003522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003523
3524 if( ssl == NULL ||
3525 session == NULL ||
3526 ssl->session_negotiate == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003527 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003528 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003529 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003530 }
3531
Hanno Beckere810bbc2021-05-14 16:01:05 +01003532 if( ssl->handshake->resume == 1 )
3533 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3534
Hanno Becker52055ae2019-02-06 14:30:46 +00003535 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
3536 session ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003537 return( ret );
3538
Paul Bakker0a597072012-09-25 21:55:46 +00003539 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003540
3541 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003542}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003543#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003544
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +01003545void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
3546 const int *ciphersuites )
3547{
Hanno Beckerd60b6c62021-04-29 12:04:11 +01003548 conf->ciphersuite_list = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00003549}
3550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003551#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02003552void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
Nicholas Wilson2088e2e2015-09-08 16:53:18 +01003553 const mbedtls_x509_crt_profile *profile )
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +02003554{
3555 conf->cert_profile = profile;
3556}
3557
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003558/* Append a new keycert entry to a (possibly empty) list */
3559static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
3560 mbedtls_x509_crt *cert,
3561 mbedtls_pk_context *key )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003562{
niisato8ee24222018-06-25 19:05:48 +09003563 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003564
niisato8ee24222018-06-25 19:05:48 +09003565 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
3566 if( new_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003567 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003568
niisato8ee24222018-06-25 19:05:48 +09003569 new_cert->cert = cert;
3570 new_cert->key = key;
3571 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003572
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003573 /* Update head is the list was null, else add to the end */
3574 if( *head == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +01003575 {
niisato8ee24222018-06-25 19:05:48 +09003576 *head = new_cert;
Paul Bakker0333b972013-11-04 17:08:28 +01003577 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003578 else
3579 {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003580 mbedtls_ssl_key_cert *cur = *head;
3581 while( cur->next != NULL )
3582 cur = cur->next;
niisato8ee24222018-06-25 19:05:48 +09003583 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003584 }
3585
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003586 return( 0 );
3587}
3588
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003589int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +02003590 mbedtls_x509_crt *own_cert,
3591 mbedtls_pk_context *pk_key )
3592{
Manuel Pégourié-Gonnard17a40cd2015-05-10 23:17:17 +02003593 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003594}
3595
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003596void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003597 mbedtls_x509_crt *ca_chain,
3598 mbedtls_x509_crl *ca_crl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003599{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003600 conf->ca_chain = ca_chain;
3601 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +00003602
3603#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3604 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3605 * cannot be used together. */
3606 conf->f_ca_cb = NULL;
3607 conf->p_ca_cb = NULL;
3608#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +00003609}
Hanno Becker5adaad92019-03-27 16:54:37 +00003610
3611#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3612void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
Hanno Beckerafd0b0a2019-03-27 16:55:01 +00003613 mbedtls_x509_crt_ca_cb_t f_ca_cb,
Hanno Becker5adaad92019-03-27 16:54:37 +00003614 void *p_ca_cb )
3615{
3616 conf->f_ca_cb = f_ca_cb;
3617 conf->p_ca_cb = p_ca_cb;
3618
3619 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3620 * cannot be used together. */
3621 conf->ca_chain = NULL;
3622 conf->ca_crl = NULL;
3623}
3624#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003625#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00003626
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02003627#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3628int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
3629 mbedtls_x509_crt *own_cert,
3630 mbedtls_pk_context *pk_key )
3631{
3632 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
3633 own_cert, pk_key ) );
3634}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +02003635
3636void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
3637 mbedtls_x509_crt *ca_chain,
3638 mbedtls_x509_crl *ca_crl )
3639{
3640 ssl->handshake->sni_ca_chain = ca_chain;
3641 ssl->handshake->sni_ca_crl = ca_crl;
3642}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +02003643
3644void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
3645 int authmode )
3646{
3647 ssl->handshake->sni_authmode = authmode;
3648}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +02003649#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3650
Hanno Becker8927c832019-04-03 12:52:50 +01003651#if defined(MBEDTLS_X509_CRT_PARSE_C)
3652void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
3653 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3654 void *p_vrfy )
3655{
3656 ssl->f_vrfy = f_vrfy;
3657 ssl->p_vrfy = p_vrfy;
3658}
3659#endif
3660
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02003661#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003662/*
3663 * Set EC J-PAKE password for current handshake
3664 */
3665int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
3666 const unsigned char *pw,
3667 size_t pw_len )
3668{
3669 mbedtls_ecjpake_role role;
3670
Janos Follath8eb64132016-06-03 15:40:57 +01003671 if( ssl->handshake == NULL || ssl->conf == NULL )
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003672 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3673
3674 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
3675 role = MBEDTLS_ECJPAKE_SERVER;
3676 else
3677 role = MBEDTLS_ECJPAKE_CLIENT;
3678
3679 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
3680 role,
3681 MBEDTLS_MD_SHA256,
3682 MBEDTLS_ECP_DP_SECP256R1,
3683 pw, pw_len ) );
3684}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02003685#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +02003686
Gilles Peskineeccd8882020-03-10 12:19:08 +01003687#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003688
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003689static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
3690{
3691#if defined(MBEDTLS_USE_PSA_CRYPTO)
3692 if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
3693 return( 1 );
3694#endif /* MBEDTLS_USE_PSA_CRYPTO */
3695
3696 if( conf->psk != NULL )
3697 return( 1 );
3698
3699 return( 0 );
3700}
3701
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003702static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
3703{
3704 /* Remove reference to existing PSK, if any. */
3705#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +02003706 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003707 {
3708 /* The maintenance of the PSK key slot is the
3709 * user's responsibility. */
Ronald Croncf56a0a2020-08-04 09:51:30 +02003710 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003711 }
Hanno Beckera63ac3f2018-11-05 12:47:16 +00003712 /* This and the following branch should never
3713 * be taken simultaenously as we maintain the
3714 * invariant that raw and opaque PSKs are never
3715 * configured simultaneously. As a safeguard,
3716 * though, `else` is omitted here. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003717#endif /* MBEDTLS_USE_PSA_CRYPTO */
3718 if( conf->psk != NULL )
3719 {
3720 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
3721
3722 mbedtls_free( conf->psk );
3723 conf->psk = NULL;
3724 conf->psk_len = 0;
3725 }
3726
3727 /* Remove reference to PSK identity, if any. */
3728 if( conf->psk_identity != NULL )
3729 {
3730 mbedtls_free( conf->psk_identity );
3731 conf->psk_identity = NULL;
3732 conf->psk_identity_len = 0;
3733 }
3734}
3735
Hanno Becker7390c712018-11-15 13:33:04 +00003736/* This function assumes that PSK identity in the SSL config is unset.
3737 * It checks that the provided identity is well-formed and attempts
3738 * to make a copy of it in the SSL config.
3739 * On failure, the PSK identity in the config remains unset. */
3740static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
3741 unsigned char const *psk_identity,
3742 size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003743{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003744 /* Identity len will be encoded on two bytes */
Hanno Becker7390c712018-11-15 13:33:04 +00003745 if( psk_identity == NULL ||
3746 ( psk_identity_len >> 16 ) != 0 ||
Angus Grattond8213d02016-05-25 20:56:48 +10003747 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003748 {
3749 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3750 }
3751
Hanno Becker7390c712018-11-15 13:33:04 +00003752 conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
3753 if( conf->psk_identity == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003754 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker6db455e2013-09-18 17:29:31 +02003755
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01003756 conf->psk_identity_len = psk_identity_len;
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +01003757 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +02003758
3759 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +02003760}
3761
Hanno Becker7390c712018-11-15 13:33:04 +00003762int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
3763 const unsigned char *psk, size_t psk_len,
3764 const unsigned char *psk_identity, size_t psk_identity_len )
3765{
Janos Follath865b3eb2019-12-16 11:46:15 +00003766 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003767
3768 /* We currently only support one PSK, raw or opaque. */
3769 if( ssl_conf_psk_is_configured( conf ) )
3770 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Hanno Becker7390c712018-11-15 13:33:04 +00003771
3772 /* Check and set raw PSK */
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01003773 if( psk == NULL )
Hanno Becker7390c712018-11-15 13:33:04 +00003774 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Piotr Nowicki9926eaf2019-11-20 14:54:36 +01003775 if( psk_len == 0 )
3776 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3777 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3778 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3779
Hanno Becker7390c712018-11-15 13:33:04 +00003780 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
3781 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3782 conf->psk_len = psk_len;
3783 memcpy( conf->psk, psk, conf->psk_len );
3784
3785 /* Check and set PSK Identity */
3786 ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
3787 if( ret != 0 )
3788 ssl_conf_remove_psk( conf );
3789
3790 return( ret );
3791}
3792
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003793static void ssl_remove_psk( mbedtls_ssl_context *ssl )
3794{
3795#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +02003796 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003797 {
Ronald Croncf56a0a2020-08-04 09:51:30 +02003798 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003799 }
3800 else
3801#endif /* MBEDTLS_USE_PSA_CRYPTO */
3802 if( ssl->handshake->psk != NULL )
3803 {
3804 mbedtls_platform_zeroize( ssl->handshake->psk,
3805 ssl->handshake->psk_len );
3806 mbedtls_free( ssl->handshake->psk );
3807 ssl->handshake->psk_len = 0;
3808 }
3809}
3810
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003811int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
3812 const unsigned char *psk, size_t psk_len )
3813{
3814 if( psk == NULL || ssl->handshake == NULL )
3815 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3816
3817 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3818 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3819
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003820 ssl_remove_psk( ssl );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003821
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003822 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003823 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01003824
3825 ssl->handshake->psk_len = psk_len;
3826 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
3827
3828 return( 0 );
3829}
3830
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003831#if defined(MBEDTLS_USE_PSA_CRYPTO)
3832int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
Ronald Croncf56a0a2020-08-04 09:51:30 +02003833 psa_key_id_t psk,
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003834 const unsigned char *psk_identity,
3835 size_t psk_identity_len )
3836{
Janos Follath865b3eb2019-12-16 11:46:15 +00003837 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker2ed3dce2021-04-19 21:59:14 +01003838
3839 /* We currently only support one PSK, raw or opaque. */
3840 if( ssl_conf_psk_is_configured( conf ) )
3841 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003842
Hanno Becker7390c712018-11-15 13:33:04 +00003843 /* Check and set opaque PSK */
Ronald Croncf56a0a2020-08-04 09:51:30 +02003844 if( mbedtls_svc_key_id_is_null( psk ) )
Hanno Becker7390c712018-11-15 13:33:04 +00003845 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003846 conf->psk_opaque = psk;
Hanno Becker7390c712018-11-15 13:33:04 +00003847
3848 /* Check and set PSK Identity */
3849 ret = ssl_conf_set_psk_identity( conf, psk_identity,
3850 psk_identity_len );
3851 if( ret != 0 )
3852 ssl_conf_remove_psk( conf );
3853
3854 return( ret );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003855}
3856
3857int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
Ronald Croncf56a0a2020-08-04 09:51:30 +02003858 psa_key_id_t psk )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003859{
Ronald Croncf56a0a2020-08-04 09:51:30 +02003860 if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
Ronald Cronc26f8d42020-09-01 10:51:51 +02003861 ( ssl->handshake == NULL ) )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003862 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3863
3864 ssl_remove_psk( ssl );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003865 ssl->handshake->psk_opaque = psk;
Hanno Beckerd20a8ca2018-10-22 15:31:26 +01003866 return( 0 );
3867}
3868#endif /* MBEDTLS_USE_PSA_CRYPTO */
3869
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003870void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003871 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
Paul Bakker6db455e2013-09-18 17:29:31 +02003872 size_t),
3873 void *p_psk )
3874{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003875 conf->f_psk = f_psk;
3876 conf->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003877}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003878#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00003879
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02003880#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckera90658f2017-10-04 15:29:08 +01003881int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
3882 const unsigned char *dhm_P, size_t P_len,
3883 const unsigned char *dhm_G, size_t G_len )
3884{
Janos Follath865b3eb2019-12-16 11:46:15 +00003885 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckera90658f2017-10-04 15:29:08 +01003886
3887 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
3888 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
3889 {
3890 mbedtls_mpi_free( &conf->dhm_P );
3891 mbedtls_mpi_free( &conf->dhm_G );
3892 return( ret );
3893 }
3894
3895 return( 0 );
3896}
Paul Bakker5121ce52009-01-03 21:22:43 +00003897
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003898int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
Paul Bakker1b57b062011-01-06 15:48:19 +00003899{
Janos Follath865b3eb2019-12-16 11:46:15 +00003900 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker1b57b062011-01-06 15:48:19 +00003901
Gilles Peskinee5702482021-06-11 21:59:08 +02003902 if( ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_P,
3903 &conf->dhm_P ) ) != 0 ||
3904 ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_G,
3905 &conf->dhm_G ) ) != 0 )
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01003906 {
3907 mbedtls_mpi_free( &conf->dhm_P );
3908 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker1b57b062011-01-06 15:48:19 +00003909 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +01003910 }
Paul Bakker1b57b062011-01-06 15:48:19 +00003911
3912 return( 0 );
3913}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +02003914#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00003915
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02003916#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
3917/*
3918 * Set the minimum length for Diffie-Hellman parameters
3919 */
3920void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
3921 unsigned int bitlen )
3922{
3923 conf->dhm_min_bitlen = bitlen;
3924}
3925#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
3926
Gilles Peskineeccd8882020-03-10 12:19:08 +01003927#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02003928/*
3929 * Set allowed/preferred hashes for handshake signatures
3930 */
3931void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
3932 const int *hashes )
3933{
3934 conf->sig_hashes = hashes;
3935}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003936#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +02003937
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02003938#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003939/*
3940 * Set the allowed elliptic curves
3941 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003942void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003943 const mbedtls_ecp_group_id *curve_list )
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003944{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02003945 conf->curve_list = curve_list;
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003946}
Hanno Becker947194e2017-04-07 13:25:49 +01003947#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003948
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003949#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003950int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00003951{
Hanno Becker947194e2017-04-07 13:25:49 +01003952 /* Initialize to suppress unnecessary compiler warning */
3953 size_t hostname_len = 0;
3954
3955 /* Check if new hostname is valid before
3956 * making any change to current one */
Hanno Becker947194e2017-04-07 13:25:49 +01003957 if( hostname != NULL )
3958 {
3959 hostname_len = strlen( hostname );
3960
3961 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
3962 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3963 }
3964
3965 /* Now it's clear that we will overwrite the old hostname,
3966 * so we can free it safely */
3967
3968 if( ssl->hostname != NULL )
3969 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05003970 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Hanno Becker947194e2017-04-07 13:25:49 +01003971 mbedtls_free( ssl->hostname );
3972 }
3973
3974 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +01003975
Paul Bakker5121ce52009-01-03 21:22:43 +00003976 if( hostname == NULL )
Hanno Becker947194e2017-04-07 13:25:49 +01003977 {
3978 ssl->hostname = NULL;
3979 }
3980 else
3981 {
3982 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
Hanno Becker947194e2017-04-07 13:25:49 +01003983 if( ssl->hostname == NULL )
3984 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02003985
Hanno Becker947194e2017-04-07 13:25:49 +01003986 memcpy( ssl->hostname, hostname, hostname_len );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02003987
Hanno Becker947194e2017-04-07 13:25:49 +01003988 ssl->hostname[hostname_len] = '\0';
3989 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003990
3991 return( 0 );
3992}
Hanno Becker1a9a51c2017-04-07 13:02:16 +01003993#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003994
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +01003995#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02003996void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003997 int (*f_sni)(void *, mbedtls_ssl_context *,
Paul Bakker5701cdc2012-09-27 21:49:42 +00003998 const unsigned char *, size_t),
3999 void *p_sni )
4000{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004001 conf->f_sni = f_sni;
4002 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +00004003}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004004#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00004005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004006#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004007int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004008{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004009 size_t cur_len, tot_len;
4010 const char **p;
4011
4012 /*
Brian J Murray1903fb32016-11-06 04:45:15 -08004013 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
4014 * MUST NOT be truncated."
4015 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004016 */
4017 tot_len = 0;
4018 for( p = protos; *p != NULL; p++ )
4019 {
4020 cur_len = strlen( *p );
4021 tot_len += cur_len;
4022
Ronald Cron8216dd32020-04-23 16:41:44 +02004023 if( ( cur_len == 0 ) ||
4024 ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
4025 ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004026 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004027 }
4028
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004029 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004030
4031 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004032}
4033
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004034const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004035{
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004036 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004037}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004038#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004039
Johan Pascalb62bb512015-12-03 21:56:45 +01004040#if defined(MBEDTLS_SSL_DTLS_SRTP)
Ron Eldoref72faf2018-07-12 11:54:20 +03004041void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
4042 int support_mki_value )
Ron Eldor591f1622018-01-22 12:30:04 +02004043{
4044 conf->dtls_srtp_mki_support = support_mki_value;
4045}
4046
Ron Eldoref72faf2018-07-12 11:54:20 +03004047int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
4048 unsigned char *mki_value,
Johan Pascalf6417ec2020-09-22 15:15:19 +02004049 uint16_t mki_len )
Ron Eldor591f1622018-01-22 12:30:04 +02004050{
Johan Pascal5ef72d22020-10-28 17:05:47 +01004051 if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
Ron Eldora9788042018-12-05 11:04:31 +02004052 {
Johan Pascald576fdb2020-09-22 10:39:53 +02004053 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Ron Eldora9788042018-12-05 11:04:31 +02004054 }
Ron Eldor591f1622018-01-22 12:30:04 +02004055
4056 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
Ron Eldora9788042018-12-05 11:04:31 +02004057 {
Johan Pascald576fdb2020-09-22 10:39:53 +02004058 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Ron Eldora9788042018-12-05 11:04:31 +02004059 }
Ron Eldor591f1622018-01-22 12:30:04 +02004060
4061 memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
4062 ssl->dtls_srtp_info.mki_len = mki_len;
Ron Eldora9788042018-12-05 11:04:31 +02004063 return( 0 );
Ron Eldor591f1622018-01-22 12:30:04 +02004064}
4065
Ron Eldoref72faf2018-07-12 11:54:20 +03004066int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
Johan Pascal253d0262020-09-22 13:04:45 +02004067 const mbedtls_ssl_srtp_profile *profiles )
Johan Pascalb62bb512015-12-03 21:56:45 +01004068{
Johan Pascal253d0262020-09-22 13:04:45 +02004069 const mbedtls_ssl_srtp_profile *p;
4070 size_t list_size = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01004071
Johan Pascal253d0262020-09-22 13:04:45 +02004072 /* check the profiles list: all entry must be valid,
4073 * its size cannot be more than the total number of supported profiles, currently 4 */
Johan Pascald387aa02020-09-23 18:47:56 +02004074 for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
4075 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
4076 p++ )
Johan Pascald576fdb2020-09-22 10:39:53 +02004077 {
Johan Pascal5ef72d22020-10-28 17:05:47 +01004078 if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
Johan Pascald576fdb2020-09-22 10:39:53 +02004079 {
Johan Pascal76fdf1d2020-10-22 23:31:00 +02004080 list_size++;
4081 }
4082 else
4083 {
4084 /* unsupported value, stop parsing and set the size to an error value */
4085 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
Johan Pascalb62bb512015-12-03 21:56:45 +01004086 }
4087 }
4088
Johan Pascal5ef72d22020-10-28 17:05:47 +01004089 if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
Johan Pascald387aa02020-09-23 18:47:56 +02004090 {
Johan Pascal253d0262020-09-22 13:04:45 +02004091 conf->dtls_srtp_profile_list = NULL;
4092 conf->dtls_srtp_profile_list_len = 0;
4093 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4094 }
4095
Johan Pascal9bc97ca2020-09-21 23:44:45 +02004096 conf->dtls_srtp_profile_list = profiles;
Johan Pascal253d0262020-09-22 13:04:45 +02004097 conf->dtls_srtp_profile_list_len = list_size;
Johan Pascalb62bb512015-12-03 21:56:45 +01004098
4099 return( 0 );
4100}
4101
Johan Pascal5ef72d22020-10-28 17:05:47 +01004102void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
4103 mbedtls_dtls_srtp_info *dtls_srtp_info )
Johan Pascalb62bb512015-12-03 21:56:45 +01004104{
Johan Pascal2258a4f2020-10-28 13:53:09 +01004105 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
4106 /* do not copy the mki value if there is no chosen profile */
Johan Pascal5ef72d22020-10-28 17:05:47 +01004107 if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
Johan Pascal0dbcd1d2020-10-28 11:03:07 +01004108 {
Johan Pascal2258a4f2020-10-28 13:53:09 +01004109 dtls_srtp_info->mki_len = 0;
Johan Pascal0dbcd1d2020-10-28 11:03:07 +01004110 }
Johan Pascal2258a4f2020-10-28 13:53:09 +01004111 else
4112 {
4113 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
Johan Pascal5ef72d22020-10-28 17:05:47 +01004114 memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
4115 ssl->dtls_srtp_info.mki_len );
Johan Pascal2258a4f2020-10-28 13:53:09 +01004116 }
Johan Pascalb62bb512015-12-03 21:56:45 +01004117}
Johan Pascalb62bb512015-12-03 21:56:45 +01004118#endif /* MBEDTLS_SSL_DTLS_SRTP */
4119
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02004120void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker490ecc82011-10-06 13:04:09 +00004121{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004122 conf->max_major_ver = major;
4123 conf->max_minor_ver = minor;
Paul Bakker490ecc82011-10-06 13:04:09 +00004124}
4125
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +02004126void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker1d29fb52012-09-28 13:28:45 +00004127{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004128 conf->min_major_ver = major;
4129 conf->min_minor_ver = minor;
Paul Bakker1d29fb52012-09-28 13:28:45 +00004130}
4131
Janos Follath088ce432017-04-10 12:42:31 +01004132#if defined(MBEDTLS_SSL_SRV_C)
4133void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
4134 char cert_req_ca_list )
4135{
4136 conf->cert_req_ca_list = cert_req_ca_list;
4137}
4138#endif
4139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004140#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004141void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004142{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004143 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004144}
4145#endif
4146
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004147#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004148void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004149{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004150 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004151}
4152#endif
4153
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004154#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004155int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004156{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004157 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
Angus Grattond8213d02016-05-25 20:56:48 +10004158 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004159 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004160 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004161 }
4162
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +01004163 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004164
4165 return( 0 );
4166}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004167#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004168
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004169void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
Paul Bakker48916f92012-09-16 19:57:18 +00004170{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004171 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +00004172}
4173
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004174#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004175void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004176{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004177 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004178}
4179
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004180void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004181{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004182 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004183}
4184
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02004185void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004186 const unsigned char period[8] )
4187{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +02004188 memcpy( conf->renego_period, period, 8 );
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004189}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004190#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004191
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004192#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004193#if defined(MBEDTLS_SSL_CLI_C)
4194void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004195{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +01004196 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004197}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004198#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +02004199
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004200#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02004201void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
4202 mbedtls_ssl_ticket_write_t *f_ticket_write,
4203 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
4204 void *p_ticket )
Paul Bakker606b4ba2013-08-14 16:52:14 +02004205{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +02004206 conf->f_ticket_write = f_ticket_write;
4207 conf->f_ticket_parse = f_ticket_parse;
4208 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +02004209}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02004210#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004211#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004212
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004213#if defined(MBEDTLS_SSL_EXPORT_KEYS)
Hanno Becker7e6c1782021-06-08 09:24:55 +01004214void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
4215 mbedtls_ssl_export_keys_t *f_export_keys,
4216 void *p_export_keys )
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004217{
Hanno Becker7e6c1782021-06-08 09:24:55 +01004218 ssl->f_export_keys = f_export_keys;
4219 ssl->p_export_keys = p_export_keys;
Ron Eldorf5cc10d2019-05-07 18:33:40 +03004220}
Robert Cragie4feb7ae2015-10-02 13:33:37 +01004221#endif
4222
Gilles Peskineb74a1c72018-04-24 13:09:22 +02004223#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004224void mbedtls_ssl_conf_async_private_cb(
4225 mbedtls_ssl_config *conf,
4226 mbedtls_ssl_async_sign_t *f_async_sign,
4227 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
4228 mbedtls_ssl_async_resume_t *f_async_resume,
4229 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004230 void *async_config_data )
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004231{
4232 conf->f_async_sign_start = f_async_sign;
4233 conf->f_async_decrypt_start = f_async_decrypt;
4234 conf->f_async_resume = f_async_resume;
4235 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004236 conf->p_async_config_data = async_config_data;
4237}
4238
Gilles Peskine8f97af72018-04-26 11:46:10 +02004239void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
4240{
4241 return( conf->p_async_config_data );
4242}
4243
Gilles Peskine1febfef2018-04-30 11:54:39 +02004244void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004245{
4246 if( ssl->handshake == NULL )
4247 return( NULL );
4248 else
4249 return( ssl->handshake->user_async_ctx );
4250}
4251
Gilles Peskine1febfef2018-04-30 11:54:39 +02004252void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02004253 void *ctx )
4254{
4255 if( ssl->handshake != NULL )
4256 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004257}
Gilles Peskineb74a1c72018-04-24 13:09:22 +02004258#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +01004259
Paul Bakker5121ce52009-01-03 21:22:43 +00004260/*
4261 * SSL get accessors
4262 */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02004263uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004264{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00004265 if( ssl->session != NULL )
4266 return( ssl->session->verify_result );
4267
4268 if( ssl->session_negotiate != NULL )
4269 return( ssl->session_negotiate->verify_result );
4270
Manuel Pégourié-Gonnard6ab9b002015-05-14 11:25:04 +02004271 return( 0xFFFFFFFF );
Paul Bakker5121ce52009-01-03 21:22:43 +00004272}
4273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004274const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00004275{
Paul Bakker926c8e42013-03-06 10:23:34 +01004276 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004277 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +01004278
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004279 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00004280}
4281
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004282const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
Paul Bakker43ca69c2011-01-15 17:35:19 +00004283{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004284#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004285 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004286 {
4287 switch( ssl->minor_ver )
4288 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004289 case MBEDTLS_SSL_MINOR_VERSION_3:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004290 return( "DTLSv1.2" );
4291
4292 default:
4293 return( "unknown (DTLS)" );
4294 }
4295 }
4296#endif
4297
Paul Bakker43ca69c2011-01-15 17:35:19 +00004298 switch( ssl->minor_ver )
4299 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004300 case MBEDTLS_SSL_MINOR_VERSION_3:
Paul Bakker1ef83d62012-04-11 12:09:53 +00004301 return( "TLSv1.2" );
4302
Paul Bakker43ca69c2011-01-15 17:35:19 +00004303 default:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +01004304 return( "unknown" );
Paul Bakker43ca69c2011-01-15 17:35:19 +00004305 }
Paul Bakker43ca69c2011-01-15 17:35:19 +00004306}
4307
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004308#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004309size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
4310{
David Horstmann95d516f2021-05-04 18:36:56 +01004311 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004312 size_t read_mfl;
4313
4314 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
4315 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4316 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE )
4317 {
4318 return ssl_mfl_code_to_length( ssl->conf->mfl_code );
4319 }
4320
4321 /* Check if a smaller max length was negotiated */
4322 if( ssl->session_out != NULL )
4323 {
4324 read_mfl = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
4325 if( read_mfl < max_len )
4326 {
4327 max_len = read_mfl;
4328 }
4329 }
4330
4331 // During a handshake, use the value being negotiated
4332 if( ssl->session_negotiate != NULL )
4333 {
4334 read_mfl = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4335 if( read_mfl < max_len )
4336 {
4337 max_len = read_mfl;
4338 }
4339 }
4340
4341 return( max_len );
4342}
4343
4344size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004345{
4346 size_t max_len;
4347
4348 /*
4349 * Assume mfl_code is correct since it was checked when set
4350 */
Angus Grattond8213d02016-05-25 20:56:48 +10004351 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004352
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02004353 /* Check if a smaller max length was negotiated */
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004354 if( ssl->session_out != NULL &&
Angus Grattond8213d02016-05-25 20:56:48 +10004355 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004356 {
Angus Grattond8213d02016-05-25 20:56:48 +10004357 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004358 }
4359
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +02004360 /* During a handshake, use the value being negotiated */
4361 if( ssl->session_negotiate != NULL &&
4362 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
4363 {
4364 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4365 }
4366
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004367 return( max_len );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02004368}
4369#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4370
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004371#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker89490712020-02-05 10:50:12 +00004372size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004373{
Andrzej Kurekef43ce62018-10-09 08:24:12 -04004374 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
4375 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4376 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
4377 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
4378 return ( 0 );
4379
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004380 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
4381 return( ssl->mtu );
4382
4383 if( ssl->mtu == 0 )
4384 return( ssl->handshake->mtu );
4385
4386 return( ssl->mtu < ssl->handshake->mtu ?
4387 ssl->mtu : ssl->handshake->mtu );
4388}
4389#endif /* MBEDTLS_SSL_PROTO_DTLS */
4390
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004391int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
4392{
4393 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
4394
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +02004395#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4396 !defined(MBEDTLS_SSL_PROTO_DTLS)
4397 (void) ssl;
4398#endif
4399
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004400#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -04004401 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004402
4403 if( max_len > mfl )
4404 max_len = mfl;
4405#endif
4406
4407#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker89490712020-02-05 10:50:12 +00004408 if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004409 {
Hanno Becker89490712020-02-05 10:50:12 +00004410 const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004411 const int ret = mbedtls_ssl_get_record_expansion( ssl );
4412 const size_t overhead = (size_t) ret;
4413
4414 if( ret < 0 )
4415 return( ret );
4416
4417 if( mtu <= overhead )
4418 {
4419 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
4420 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4421 }
4422
4423 if( max_len > mtu - overhead )
4424 max_len = mtu - overhead;
4425 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +02004426#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004427
Hanno Becker0defedb2018-08-10 12:35:02 +01004428#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4429 !defined(MBEDTLS_SSL_PROTO_DTLS)
4430 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +02004431#endif
4432
4433 return( (int) max_len );
4434}
4435
Hanno Becker2d8e99b2021-04-21 06:19:50 +01004436int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl )
4437{
4438 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
4439
4440#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4441 (void) ssl;
4442#endif
4443
4444#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4445 const size_t mfl = mbedtls_ssl_get_input_max_frag_len( ssl );
4446
4447 if( max_len > mfl )
4448 max_len = mfl;
4449#endif
4450
4451 return( (int) max_len );
4452}
4453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004454#if defined(MBEDTLS_X509_CRT_PARSE_C)
4455const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +00004456{
4457 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004458 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004459
Hanno Beckere6824572019-02-07 13:18:46 +00004460#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004461 return( ssl->session->peer_cert );
Hanno Beckere6824572019-02-07 13:18:46 +00004462#else
4463 return( NULL );
4464#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004465}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004466#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004468#if defined(MBEDTLS_SSL_CLI_C)
Hanno Beckerf852b1c2019-02-05 11:42:30 +00004469int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
4470 mbedtls_ssl_session *dst )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004471{
Hanno Beckere810bbc2021-05-14 16:01:05 +01004472 int ret;
4473
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004474 if( ssl == NULL ||
4475 dst == NULL ||
4476 ssl->session == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004477 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004478 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004479 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004480 }
4481
Hanno Beckere810bbc2021-05-14 16:01:05 +01004482 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
4483 * idempotent: Each session can only be exported once.
4484 *
4485 * (This is in preparation for TLS 1.3 support where we will
4486 * need the ability to export multiple sessions (aka tickets),
4487 * which will be achieved by calling mbedtls_ssl_get_session()
4488 * multiple times until it fails.)
4489 *
4490 * Check whether we have already exported the current session,
4491 * and fail if so.
4492 */
4493 if( ssl->session->exported == 1 )
4494 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4495
4496 ret = mbedtls_ssl_session_copy( dst, ssl->session );
4497 if( ret != 0 )
4498 return( ret );
4499
4500 /* Remember that we've exported the session. */
4501 ssl->session->exported = 1;
4502 return( 0 );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004503}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004504#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004505
Paul Bakker5121ce52009-01-03 21:22:43 +00004506/*
Hanno Beckera835da52019-05-16 12:39:07 +01004507 * Define ticket header determining Mbed TLS version
4508 * and structure of the ticket.
4509 */
4510
Hanno Becker94ef3b32019-05-16 12:50:45 +01004511/*
Hanno Becker50b59662019-05-28 14:30:45 +01004512 * Define bitflag determining compile-time settings influencing
4513 * structure of serialized SSL sessions.
Hanno Becker94ef3b32019-05-16 12:50:45 +01004514 */
4515
Hanno Becker50b59662019-05-28 14:30:45 +01004516#if defined(MBEDTLS_HAVE_TIME)
Hanno Becker3e088662019-05-29 11:10:18 +01004517#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
Hanno Becker50b59662019-05-28 14:30:45 +01004518#else
Hanno Becker3e088662019-05-29 11:10:18 +01004519#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004520#endif /* MBEDTLS_HAVE_TIME */
4521
4522#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker3e088662019-05-29 11:10:18 +01004523#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004524#else
Hanno Becker3e088662019-05-29 11:10:18 +01004525#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004526#endif /* MBEDTLS_X509_CRT_PARSE_C */
4527
4528#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker3e088662019-05-29 11:10:18 +01004529#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004530#else
Hanno Becker3e088662019-05-29 11:10:18 +01004531#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004532#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4533
4534#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker3e088662019-05-29 11:10:18 +01004535#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004536#else
Hanno Becker3e088662019-05-29 11:10:18 +01004537#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004538#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4539
Hanno Becker94ef3b32019-05-16 12:50:45 +01004540#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker3e088662019-05-29 11:10:18 +01004541#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
Hanno Becker94ef3b32019-05-16 12:50:45 +01004542#else
Hanno Becker3e088662019-05-29 11:10:18 +01004543#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
Hanno Becker94ef3b32019-05-16 12:50:45 +01004544#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4545
Hanno Becker94ef3b32019-05-16 12:50:45 +01004546#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4547#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4548#else
4549#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4550#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4551
Hanno Becker3e088662019-05-29 11:10:18 +01004552#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4553#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4554#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4555#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
Hanno Becker37bdbe62021-08-01 05:38:58 +01004556#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4557#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
Hanno Becker3e088662019-05-29 11:10:18 +01004558
Hanno Becker50b59662019-05-28 14:30:45 +01004559#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
Hanno Becker3e088662019-05-29 11:10:18 +01004560 ( (uint16_t) ( \
4561 ( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) | \
4562 ( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) | \
4563 ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \
4564 ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \
Hanno Becker3e088662019-05-29 11:10:18 +01004565 ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \
Hanno Beckerbe34e8e2019-06-04 09:43:16 +01004566 ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) )
Hanno Becker94ef3b32019-05-16 12:50:45 +01004567
Hanno Beckerf8787072019-05-16 12:41:07 +01004568static unsigned char ssl_serialized_session_header[] = {
Hanno Becker94ef3b32019-05-16 12:50:45 +01004569 MBEDTLS_VERSION_MAJOR,
4570 MBEDTLS_VERSION_MINOR,
4571 MBEDTLS_VERSION_PATCH,
Hanno Becker50b59662019-05-28 14:30:45 +01004572 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
4573 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
Hanno Beckerf8787072019-05-16 12:41:07 +01004574};
Hanno Beckera835da52019-05-16 12:39:07 +01004575
4576/*
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004577 * Serialize a session in the following format:
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004578 * (in the presentation language of TLS, RFC 8446 section 3)
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004579 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004580 * struct {
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01004581 *
Hanno Beckerdce50972021-08-01 05:39:23 +01004582 * opaque mbedtls_version[3]; // library version: major, minor, patch
4583 * opaque session_format[2]; // library-version specific 16-bit field
4584 * // determining the format of the remaining
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004585 * // serialized data.
Hanno Beckerdc28b6c2019-05-29 11:08:00 +01004586 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004587 * Note: When updating the format, remember to keep
4588 * these version+format bytes.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004589 *
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004590 * // In this version, `session_format` determines
4591 * // the setting of those compile-time
4592 * // configuration options which influence
4593 * // the structure of mbedtls_ssl_session.
4594 *
Hanno Beckerfa0d61e2021-08-02 08:56:14 +01004595 * uint8_t minor_ver; // Protocol-version. Possible values:
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004596 * // - TLS 1.2 (MBEDTLS_SSL_MINOR_VERSION_3)
4597 *
4598 * select (serialized_session.minor_ver) {
4599 *
4600 * case MBEDTLS_SSL_MINOR_VERSION_3: // TLS 1.2
4601 * serialized_session_tls12 data;
4602 *
4603 * };
4604 *
4605 * } serialized_session;
4606 *
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004607 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004608
4609#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4610/* Serialization of TLS 1.2 sessions:
4611 *
4612 * struct {
4613 * uint64 start_time;
4614 * uint8 ciphersuite[2]; // defined by the standard
4615 * uint8 compression; // 0 or 1
4616 * uint8 session_id_len; // at most 32
4617 * opaque session_id[32];
4618 * opaque master[48]; // fixed length in the standard
4619 * uint32 verify_result;
4620 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4621 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4622 * uint32 ticket_lifetime;
4623 * uint8 mfl_code; // up to 255 according to standard
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004624 * uint8 encrypt_then_mac; // 0 or 1
4625 * } serialized_session_tls12;
4626 *
4627 */
4628static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
4629 unsigned char *buf,
4630 size_t buf_len )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004631{
4632 unsigned char *p = buf;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004633 size_t used = 0;
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004634
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004635#if defined(MBEDTLS_HAVE_TIME)
4636 uint64_t start;
4637#endif
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004638#if defined(MBEDTLS_X509_CRT_PARSE_C)
4639#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4640 size_t cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004641#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4642#endif /* MBEDTLS_X509_CRT_PARSE_C */
4643
Hanno Beckera835da52019-05-16 12:39:07 +01004644 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004645 * Time
4646 */
4647#if defined(MBEDTLS_HAVE_TIME)
4648 used += 8;
4649
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004650 if( used <= buf_len )
4651 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004652 start = (uint64_t) session->start;
4653
4654 *p++ = (unsigned char)( ( start >> 56 ) & 0xFF );
4655 *p++ = (unsigned char)( ( start >> 48 ) & 0xFF );
4656 *p++ = (unsigned char)( ( start >> 40 ) & 0xFF );
4657 *p++ = (unsigned char)( ( start >> 32 ) & 0xFF );
4658 *p++ = (unsigned char)( ( start >> 24 ) & 0xFF );
4659 *p++ = (unsigned char)( ( start >> 16 ) & 0xFF );
4660 *p++ = (unsigned char)( ( start >> 8 ) & 0xFF );
4661 *p++ = (unsigned char)( ( start ) & 0xFF );
4662 }
4663#endif /* MBEDTLS_HAVE_TIME */
4664
4665 /*
4666 * Basic mandatory fields
4667 */
4668 used += 2 /* ciphersuite */
4669 + 1 /* compression */
4670 + 1 /* id_len */
4671 + sizeof( session->id )
4672 + sizeof( session->master )
4673 + 4; /* verify_result */
4674
4675 if( used <= buf_len )
4676 {
4677 *p++ = (unsigned char)( ( session->ciphersuite >> 8 ) & 0xFF );
4678 *p++ = (unsigned char)( ( session->ciphersuite ) & 0xFF );
4679
4680 *p++ = (unsigned char)( session->compression & 0xFF );
4681
4682 *p++ = (unsigned char)( session->id_len & 0xFF );
4683 memcpy( p, session->id, 32 );
4684 p += 32;
4685
4686 memcpy( p, session->master, 48 );
4687 p += 48;
4688
4689 *p++ = (unsigned char)( ( session->verify_result >> 24 ) & 0xFF );
4690 *p++ = (unsigned char)( ( session->verify_result >> 16 ) & 0xFF );
4691 *p++ = (unsigned char)( ( session->verify_result >> 8 ) & 0xFF );
4692 *p++ = (unsigned char)( ( session->verify_result ) & 0xFF );
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004693 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004694
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004695 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004696 * Peer's end-entity certificate
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004697 */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004698#if defined(MBEDTLS_X509_CRT_PARSE_C)
4699#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4700 if( session->peer_cert == NULL )
4701 cert_len = 0;
4702 else
4703 cert_len = session->peer_cert->raw.len;
4704
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004705 used += 3 + cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004706
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004707 if( used <= buf_len )
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004708 {
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004709 *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
4710 *p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
4711 *p++ = (unsigned char)( ( cert_len ) & 0xFF );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004712
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004713 if( session->peer_cert != NULL )
4714 {
4715 memcpy( p, session->peer_cert->raw.p, cert_len );
4716 p += cert_len;
4717 }
4718 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004719#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004720 if( session->peer_cert_digest != NULL )
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004721 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004722 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
4723 if( used <= buf_len )
4724 {
4725 *p++ = (unsigned char) session->peer_cert_digest_type;
4726 *p++ = (unsigned char) session->peer_cert_digest_len;
4727 memcpy( p, session->peer_cert_digest,
4728 session->peer_cert_digest_len );
4729 p += session->peer_cert_digest_len;
4730 }
4731 }
4732 else
4733 {
4734 used += 2;
4735 if( used <= buf_len )
4736 {
4737 *p++ = (unsigned char) MBEDTLS_MD_NONE;
4738 *p++ = 0;
4739 }
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004740 }
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004741#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4742#endif /* MBEDTLS_X509_CRT_PARSE_C */
4743
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004744 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004745 * Session ticket if any, plus associated data
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004746 */
4747#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004748 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004749
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004750 if( used <= buf_len )
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004751 {
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004752 *p++ = (unsigned char)( ( session->ticket_len >> 16 ) & 0xFF );
4753 *p++ = (unsigned char)( ( session->ticket_len >> 8 ) & 0xFF );
4754 *p++ = (unsigned char)( ( session->ticket_len ) & 0xFF );
4755
4756 if( session->ticket != NULL )
4757 {
4758 memcpy( p, session->ticket, session->ticket_len );
4759 p += session->ticket_len;
4760 }
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004761
4762 *p++ = (unsigned char)( ( session->ticket_lifetime >> 24 ) & 0xFF );
4763 *p++ = (unsigned char)( ( session->ticket_lifetime >> 16 ) & 0xFF );
4764 *p++ = (unsigned char)( ( session->ticket_lifetime >> 8 ) & 0xFF );
4765 *p++ = (unsigned char)( ( session->ticket_lifetime ) & 0xFF );
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004766 }
4767#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4768
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004769 /*
4770 * Misc extension-related info
4771 */
4772#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4773 used += 1;
4774
4775 if( used <= buf_len )
4776 *p++ = session->mfl_code;
4777#endif
4778
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004779#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4780 used += 1;
4781
4782 if( used <= buf_len )
4783 *p++ = (unsigned char)( ( session->encrypt_then_mac ) & 0xFF );
4784#endif
4785
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004786 return( used );
4787}
4788#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004789
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004790static int ssl_session_save( const mbedtls_ssl_session *session,
4791 unsigned char omit_header,
4792 unsigned char *buf,
4793 size_t buf_len,
4794 size_t *olen )
4795{
4796 unsigned char *p = buf;
4797 size_t used = 0;
4798
4799 if( !omit_header )
4800 {
4801 /*
4802 * Add Mbed TLS version identifier
4803 */
4804
4805 used += sizeof( ssl_serialized_session_header );
4806
4807 if( used <= buf_len )
4808 {
4809 memcpy( p, ssl_serialized_session_header,
4810 sizeof( ssl_serialized_session_header ) );
4811 p += sizeof( ssl_serialized_session_header );
4812 }
4813 }
4814
4815 /*
4816 * TLS version identifier
4817 */
4818 used += 1;
4819 if( used <= buf_len )
4820 {
4821 *p++ = session->minor_ver;
4822 }
4823
4824 /* Forward to version-specific serialization routine. */
4825 switch( session->minor_ver )
4826 {
4827#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4828 case MBEDTLS_SSL_MINOR_VERSION_3:
4829 {
4830 size_t remaining_len = used <= buf_len ? buf_len - used : 0;
4831 used += ssl_session_save_tls12( session, p, remaining_len );
4832 break;
4833 }
4834#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4835
4836 default:
4837 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4838 }
4839
4840 *olen = used;
Manuel Pégourié-Gonnard26f982f2019-05-21 11:01:32 +02004841 if( used > buf_len )
4842 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004843
4844 return( 0 );
4845}
4846
4847/*
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004848 * Public wrapper for ssl_session_save()
4849 */
4850int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
4851 unsigned char *buf,
4852 size_t buf_len,
4853 size_t *olen )
4854{
4855 return( ssl_session_save( session, 0, buf, buf_len, olen ) );
4856}
4857
4858/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02004859 * Deserialize session, see mbedtls_ssl_session_save() for format.
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02004860 *
4861 * This internal version is wrapped by a public function that cleans up in
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02004862 * case of error, and has an extra option omit_header.
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004863 */
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004864static int ssl_session_load_tls12( mbedtls_ssl_session *session,
4865 const unsigned char *buf,
4866 size_t len )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004867{
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004868#if defined(MBEDTLS_HAVE_TIME)
4869 uint64_t start;
4870#endif
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004871#if defined(MBEDTLS_X509_CRT_PARSE_C)
4872#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4873 size_t cert_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004874#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4875#endif /* MBEDTLS_X509_CRT_PARSE_C */
4876
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01004877 const unsigned char *p = buf;
4878 const unsigned char * const end = buf + len;
Hanno Beckera835da52019-05-16 12:39:07 +01004879
4880 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004881 * Time
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004882 */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004883#if defined(MBEDTLS_HAVE_TIME)
4884 if( 8 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004885 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4886
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004887 start = ( (uint64_t) p[0] << 56 ) |
4888 ( (uint64_t) p[1] << 48 ) |
4889 ( (uint64_t) p[2] << 40 ) |
4890 ( (uint64_t) p[3] << 32 ) |
4891 ( (uint64_t) p[4] << 24 ) |
4892 ( (uint64_t) p[5] << 16 ) |
4893 ( (uint64_t) p[6] << 8 ) |
4894 ( (uint64_t) p[7] );
4895 p += 8;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004896
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004897 session->start = (time_t) start;
4898#endif /* MBEDTLS_HAVE_TIME */
4899
4900 /*
4901 * Basic mandatory fields
4902 */
4903 if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
4904 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4905
4906 session->ciphersuite = ( p[0] << 8 ) | p[1];
4907 p += 2;
4908
4909 session->compression = *p++;
4910
4911 session->id_len = *p++;
4912 memcpy( session->id, p, 32 );
4913 p += 32;
4914
4915 memcpy( session->master, p, 48 );
4916 p += 48;
4917
4918 session->verify_result = ( (uint32_t) p[0] << 24 ) |
4919 ( (uint32_t) p[1] << 16 ) |
4920 ( (uint32_t) p[2] << 8 ) |
4921 ( (uint32_t) p[3] );
4922 p += 4;
4923
4924 /* Immediately clear invalid pointer values that have been read, in case
4925 * we exit early before we replaced them with valid ones. */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004926#if defined(MBEDTLS_X509_CRT_PARSE_C)
4927#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4928 session->peer_cert = NULL;
4929#else
4930 session->peer_cert_digest = NULL;
4931#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4932#endif /* MBEDTLS_X509_CRT_PARSE_C */
4933#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4934 session->ticket = NULL;
4935#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4936
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02004937 /*
4938 * Peer certificate
4939 */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004940#if defined(MBEDTLS_X509_CRT_PARSE_C)
4941#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4942 /* Deserialize CRT from the end of the ticket. */
4943 if( 3 > (size_t)( end - p ) )
4944 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4945
4946 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
4947 p += 3;
4948
4949 if( cert_len != 0 )
4950 {
Janos Follath865b3eb2019-12-16 11:46:15 +00004951 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004952
4953 if( cert_len > (size_t)( end - p ) )
4954 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4955
4956 session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
4957
4958 if( session->peer_cert == NULL )
4959 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
4960
4961 mbedtls_x509_crt_init( session->peer_cert );
4962
4963 if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
4964 p, cert_len ) ) != 0 )
4965 {
4966 mbedtls_x509_crt_free( session->peer_cert );
4967 mbedtls_free( session->peer_cert );
4968 session->peer_cert = NULL;
4969 return( ret );
4970 }
4971
4972 p += cert_len;
4973 }
4974#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4975 /* Deserialize CRT digest from the end of the ticket. */
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004976 if( 2 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004977 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4978
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004979 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
4980 session->peer_cert_digest_len = (size_t) *p++;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004981
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004982 if( session->peer_cert_digest_len != 0 )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004983 {
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004984 const mbedtls_md_info_t *md_info =
4985 mbedtls_md_info_from_type( session->peer_cert_digest_type );
4986 if( md_info == NULL )
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004987 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004988 if( session->peer_cert_digest_len != mbedtls_md_get_size( md_info ) )
4989 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004990
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004991 if( session->peer_cert_digest_len > (size_t)( end - p ) )
4992 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4993
4994 session->peer_cert_digest =
4995 mbedtls_calloc( 1, session->peer_cert_digest_len );
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02004996 if( session->peer_cert_digest == NULL )
4997 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
4998
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02004999 memcpy( session->peer_cert_digest, p,
5000 session->peer_cert_digest_len );
5001 p += session->peer_cert_digest_len;
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005002 }
5003#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5004#endif /* MBEDTLS_X509_CRT_PARSE_C */
5005
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005006 /*
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005007 * Session ticket and associated data
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005008 */
5009#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5010 if( 3 > (size_t)( end - p ) )
5011 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5012
5013 session->ticket_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
5014 p += 3;
5015
5016 if( session->ticket_len != 0 )
5017 {
5018 if( session->ticket_len > (size_t)( end - p ) )
5019 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5020
5021 session->ticket = mbedtls_calloc( 1, session->ticket_len );
5022 if( session->ticket == NULL )
5023 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5024
5025 memcpy( session->ticket, p, session->ticket_len );
5026 p += session->ticket_len;
5027 }
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005028
5029 if( 4 > (size_t)( end - p ) )
5030 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5031
5032 session->ticket_lifetime = ( (uint32_t) p[0] << 24 ) |
5033 ( (uint32_t) p[1] << 16 ) |
5034 ( (uint32_t) p[2] << 8 ) |
5035 ( (uint32_t) p[3] );
5036 p += 4;
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005037#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5038
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005039 /*
5040 * Misc extension-related info
5041 */
5042#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
5043 if( 1 > (size_t)( end - p ) )
5044 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5045
5046 session->mfl_code = *p++;
5047#endif
5048
Manuel Pégourié-Gonnardf743c032019-05-24 12:06:29 +02005049#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5050 if( 1 > (size_t)( end - p ) )
5051 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5052
5053 session->encrypt_then_mac = *p++;
5054#endif
5055
Manuel Pégourié-Gonnard35eb8022019-05-16 11:11:08 +02005056 /* Done, should have consumed entire buffer */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005057 if( p != end )
5058 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5059
5060 return( 0 );
5061}
5062
Hanno Beckerfadbdbb2021-07-23 06:25:48 +01005063static int ssl_session_load( mbedtls_ssl_session *session,
5064 unsigned char omit_header,
5065 const unsigned char *buf,
5066 size_t len )
5067{
5068 const unsigned char *p = buf;
5069 const unsigned char * const end = buf + len;
5070
5071 if( !omit_header )
5072 {
5073 /*
5074 * Check Mbed TLS version identifier
5075 */
5076
5077 if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
5078 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5079
5080 if( memcmp( p, ssl_serialized_session_header,
5081 sizeof( ssl_serialized_session_header ) ) != 0 )
5082 {
5083 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5084 }
5085 p += sizeof( ssl_serialized_session_header );
5086 }
5087
5088 /*
5089 * TLS version identifier
5090 */
5091 if( 1 > (size_t)( end - p ) )
5092 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5093 session->minor_ver = *p++;
5094
5095 /* Dispatch according to TLS version. */
5096 switch( session->minor_ver )
5097 {
5098#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5099 case MBEDTLS_SSL_MINOR_VERSION_3: /* TLS 1.2 */
5100 {
5101 size_t remaining_len = ( end - p );
5102 return( ssl_session_load_tls12( session, p, remaining_len ) );
5103 }
5104#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5105
5106 default:
5107 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5108 }
5109}
5110
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +02005111/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005112 * Deserialize session: public wrapper for error cleaning
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005113 */
5114int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
5115 const unsigned char *buf,
5116 size_t len )
5117{
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005118 int ret = ssl_session_load( session, 0, buf, len );
Manuel Pégourié-Gonnarda3d831b2019-05-23 12:28:45 +02005119
5120 if( ret != 0 )
5121 mbedtls_ssl_session_free( session );
5122
5123 return( ret );
5124}
5125
5126/*
Paul Bakker1961b702013-01-25 14:49:24 +01005127 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00005128 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005129int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00005130{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005131 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00005132
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005133 if( ssl == NULL || ssl->conf == NULL )
5134 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005136#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005137 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005138 ret = mbedtls_ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00005139#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005140#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005141 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005142 ret = mbedtls_ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00005143#endif
5144
Paul Bakker1961b702013-01-25 14:49:24 +01005145 return( ret );
5146}
5147
5148/*
5149 * Perform the SSL handshake
5150 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005151int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
Paul Bakker1961b702013-01-25 14:49:24 +01005152{
5153 int ret = 0;
5154
Hanno Beckera817ea42020-10-20 15:20:23 +01005155 /* Sanity checks */
5156
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005157 if( ssl == NULL || ssl->conf == NULL )
5158 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5159
Hanno Beckera817ea42020-10-20 15:20:23 +01005160#if defined(MBEDTLS_SSL_PROTO_DTLS)
5161 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5162 ( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) )
5163 {
5164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
5165 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
5166 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5167 }
5168#endif /* MBEDTLS_SSL_PROTO_DTLS */
5169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
Paul Bakker1961b702013-01-25 14:49:24 +01005171
Hanno Beckera817ea42020-10-20 15:20:23 +01005172 /* Main handshake loop */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005173 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker1961b702013-01-25 14:49:24 +01005174 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005175 ret = mbedtls_ssl_handshake_step( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01005176
5177 if( ret != 0 )
5178 break;
5179 }
5180
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005182
5183 return( ret );
5184}
5185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005186#if defined(MBEDTLS_SSL_RENEGOTIATION)
5187#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00005188/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005189 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00005190 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005191static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005192{
Janos Follath865b3eb2019-12-16 11:46:15 +00005193 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005196
5197 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005198 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5199 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005200
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005201 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005202 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02005203 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005204 return( ret );
5205 }
5206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005207 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005208
5209 return( 0 );
5210}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005211#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005212
5213/*
5214 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005215 * - any side: calling mbedtls_ssl_renegotiate(),
5216 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
5217 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02005218 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005219 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005220 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005221 */
Hanno Becker40cdaa12020-02-05 10:48:27 +00005222int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00005223{
Janos Follath865b3eb2019-12-16 11:46:15 +00005224 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker48916f92012-09-16 19:57:18 +00005225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005227
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005228 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
5229 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00005230
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005231 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
5232 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005233#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005234 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005235 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005236 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005237 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +02005238 ssl->handshake->out_msg_seq = 1;
5239 else
5240 ssl->handshake->in_msg_seq = 1;
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +02005241 }
5242#endif
5243
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005244 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
5245 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +00005246
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005247 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00005248 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005249 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker48916f92012-09-16 19:57:18 +00005250 return( ret );
5251 }
5252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005253 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005254
5255 return( 0 );
5256}
5257
5258/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005259 * Renegotiate current connection on client,
5260 * or request renegotiation on server
5261 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005262int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005263{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005264 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005265
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +02005266 if( ssl == NULL || ssl->conf == NULL )
5267 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005269#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005270 /* On server, just send the request */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02005271 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005272 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005273 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5274 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005276 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02005277
5278 /* Did we already try/start sending HelloRequest? */
5279 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005280 return( mbedtls_ssl_flush_output( ssl ) );
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02005281
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005282 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005283 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005284#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005285
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005286#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005287 /*
5288 * On client, either start the renegotiation process or,
5289 * if already in progress, continue the handshake
5290 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005291 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005292 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005293 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5294 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005295
Hanno Becker40cdaa12020-02-05 10:48:27 +00005296 if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005297 {
Hanno Becker40cdaa12020-02-05 10:48:27 +00005298 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005299 return( ret );
5300 }
5301 }
5302 else
5303 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005304 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005305 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005306 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005307 return( ret );
5308 }
5309 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005310#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01005311
Paul Bakker37ce0ff2013-10-31 14:32:04 +01005312 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005313}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005314#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01005315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005316#if defined(MBEDTLS_X509_CRT_PARSE_C)
5317static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005318{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005319 mbedtls_ssl_key_cert *cur = key_cert, *next;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005320
5321 while( cur != NULL )
5322 {
5323 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005324 mbedtls_free( cur );
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005325 cur = next;
5326 }
5327}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005328#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005329
Gilles Peskine9b562d52018-04-25 20:32:43 +02005330void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00005331{
Gilles Peskine9b562d52018-04-25 20:32:43 +02005332 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
5333
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005334 if( handshake == NULL )
5335 return;
5336
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02005337#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
5338 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
5339 {
Gilles Peskine8f97af72018-04-26 11:46:10 +02005340 ssl->conf->f_async_cancel( ssl );
Gilles Peskinedf13d5c2018-04-25 20:39:48 +02005341 handshake->async_in_progress = 0;
5342 }
5343#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
5344
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005345#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5346#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05005347#if defined(MBEDTLS_USE_PSA_CRYPTO)
5348 psa_hash_abort( &handshake->fin_sha256_psa );
5349#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005350 mbedtls_sha256_free( &handshake->fin_sha256 );
5351#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05005352#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02005353#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -05005354#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -05005355 psa_hash_abort( &handshake->fin_sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -05005356#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005357 mbedtls_sha512_free( &handshake->fin_sha512 );
5358#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -05005359#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +02005360#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005362#if defined(MBEDTLS_DHM_C)
5363 mbedtls_dhm_free( &handshake->dhm_ctx );
Paul Bakker48916f92012-09-16 19:57:18 +00005364#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005365#if defined(MBEDTLS_ECDH_C)
5366 mbedtls_ecdh_free( &handshake->ecdh_ctx );
Paul Bakker61d113b2013-07-04 11:51:43 +02005367#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02005368#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02005369 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +02005370#if defined(MBEDTLS_SSL_CLI_C)
5371 mbedtls_free( handshake->ecjpake_cache );
5372 handshake->ecjpake_cache = NULL;
5373 handshake->ecjpake_cache_len = 0;
5374#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +02005375#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02005376
Janos Follath4ae5c292016-02-10 11:27:43 +00005377#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
5378 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +02005379 /* explicit void pointer cast for buggy MS compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005380 mbedtls_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02005381#endif
5382
Gilles Peskineeccd8882020-03-10 12:19:08 +01005383#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01005384 if( handshake->psk != NULL )
5385 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005386 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +01005387 mbedtls_free( handshake->psk );
5388 }
5389#endif
5390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005391#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5392 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005393 /*
5394 * Free only the linked list wrapper, not the keys themselves
5395 * since the belong to the SNI callback
5396 */
5397 if( handshake->sni_key_cert != NULL )
5398 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005399 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005400
5401 while( cur != NULL )
5402 {
5403 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005404 mbedtls_free( cur );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005405 cur = next;
5406 }
5407 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005408#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005409
Gilles Peskineeccd8882020-03-10 12:19:08 +01005410#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +02005411 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Hanno Becker3dad3112019-02-05 17:19:52 +00005412 if( handshake->ecrs_peer_cert != NULL )
5413 {
5414 mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
5415 mbedtls_free( handshake->ecrs_peer_cert );
5416 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02005417#endif
5418
Hanno Becker75173122019-02-06 16:18:31 +00005419#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5420 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5421 mbedtls_pk_free( &handshake->peer_pubkey );
5422#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5423
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005424#if defined(MBEDTLS_SSL_PROTO_DTLS)
5425 mbedtls_free( handshake->verify_cookie );
Hanno Becker533ab5f2020-02-05 10:49:13 +00005426 mbedtls_ssl_flight_free( handshake->flight );
5427 mbedtls_ssl_buffering_free( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02005428#endif
5429
Hanno Becker4a63ed42019-01-08 11:39:35 +00005430#if defined(MBEDTLS_ECDH_C) && \
5431 defined(MBEDTLS_USE_PSA_CRYPTO)
5432 psa_destroy_key( handshake->ecdh_psa_privkey );
5433#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
5434
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005435 mbedtls_platform_zeroize( handshake,
5436 sizeof( mbedtls_ssl_handshake_params ) );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005437
5438#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5439 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
5440 * processes datagrams and the fact that a datagram is allowed to have
5441 * several records in it, it is possible that the I/O buffers are not
5442 * empty at this stage */
Andrzej Kurek4a063792020-10-21 15:08:44 +02005443 handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
5444 mbedtls_ssl_get_output_buflen( ssl ) );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05005445#endif
Paul Bakker48916f92012-09-16 19:57:18 +00005446}
5447
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005448void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
Paul Bakker48916f92012-09-16 19:57:18 +00005449{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005450 if( session == NULL )
5451 return;
5452
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005453#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker1294a0b2019-02-05 12:38:15 +00005454 ssl_clear_peer_cert( session );
Paul Bakkered27a042013-04-18 22:46:23 +02005455#endif
Paul Bakker0a597072012-09-25 21:55:46 +00005456
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +02005457#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005458 mbedtls_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +02005459#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005460
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05005461 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005462}
5463
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02005464#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005465
5466#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5467#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
5468#else
5469#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
5470#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5471
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005472#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005473
5474#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5475#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
5476#else
5477#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
5478#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5479
5480#if defined(MBEDTLS_SSL_ALPN)
5481#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
5482#else
5483#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
5484#endif /* MBEDTLS_SSL_ALPN */
5485
5486#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
5487#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
5488#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
5489#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
5490
5491#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5492 ( (uint32_t) ( \
5493 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT ) | \
5494 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT ) | \
5495 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT ) | \
5496 ( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT ) | \
5497 0u ) )
5498
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005499static unsigned char ssl_serialized_context_header[] = {
5500 MBEDTLS_VERSION_MAJOR,
5501 MBEDTLS_VERSION_MINOR,
5502 MBEDTLS_VERSION_PATCH,
5503 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
5504 ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005505 ( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 16 ) & 0xFF,
5506 ( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 8 ) & 0xFF,
5507 ( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 0 ) & 0xFF,
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005508};
5509
Paul Bakker5121ce52009-01-03 21:22:43 +00005510/*
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005511 * Serialize a full SSL context
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005512 *
5513 * The format of the serialized data is:
5514 * (in the presentation language of TLS, RFC 8446 section 3)
5515 *
5516 * // header
5517 * opaque mbedtls_version[3]; // major, minor, patch
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005518 * opaque context_format[5]; // version-specific field determining
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005519 * // the format of the remaining
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005520 * // serialized data.
Manuel Pégourié-Gonnard4e9370b2019-07-23 16:31:16 +02005521 * Note: When updating the format, remember to keep these
5522 * version+format bytes. (We may make their size part of the API.)
Manuel Pégourié-Gonnard00400c22019-07-10 14:58:45 +02005523 *
5524 * // session sub-structure
5525 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5526 * // transform sub-structure
5527 * uint8 random[64]; // ServerHello.random+ClientHello.random
5528 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5529 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5530 * // fields from ssl_context
5531 * uint32 badmac_seen; // DTLS: number of records with failing MAC
5532 * uint64 in_window_top; // DTLS: last validated record seq_num
5533 * uint64 in_window; // DTLS: bitmask for replay protection
5534 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5535 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5536 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5537 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5538 *
5539 * Note that many fields of the ssl_context or sub-structures are not
5540 * serialized, as they fall in one of the following categories:
5541 *
5542 * 1. forced value (eg in_left must be 0)
5543 * 2. pointer to dynamically-allocated memory (eg session, transform)
5544 * 3. value can be re-derived from other data (eg session keys from MS)
5545 * 4. value was temporary (eg content of input buffer)
5546 * 5. value will be provided by the user again (eg I/O callbacks and context)
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005547 */
5548int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
5549 unsigned char *buf,
5550 size_t buf_len,
5551 size_t *olen )
5552{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005553 unsigned char *p = buf;
5554 size_t used = 0;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005555 size_t session_len;
5556 int ret = 0;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005557
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005558 /*
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005559 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5560 * this function's documentation.
5561 *
5562 * These are due to assumptions/limitations in the implementation. Some of
5563 * them are likely to stay (no handshake in progress) some might go away
5564 * (only DTLS) but are currently used to simplify the implementation.
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005565 */
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005566 /* The initial handshake must be over */
5567 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005568 {
5569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) );
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02005570 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005571 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005572 if( ssl->handshake != NULL )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005573 {
5574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Handshake isn't completed" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005575 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005576 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005577 /* Double-check that sub-structures are indeed ready */
5578 if( ssl->transform == NULL || ssl->session == NULL )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005579 {
5580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Serialised structures aren't ready" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005581 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005582 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005583 /* There must be no pending incoming or outgoing data */
5584 if( mbedtls_ssl_check_pending( ssl ) != 0 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005585 {
5586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending incoming data" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005587 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005588 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005589 if( ssl->out_left != 0 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005590 {
5591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005592 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005593 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005594 /* Protocol must be DLTS, not TLS */
5595 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005596 {
5597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005598 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005599 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005600 /* Version must be 1.2 */
5601 if( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005602 {
5603 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005604 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005605 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005606 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005607 {
5608 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005609 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005610 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005611 /* We must be using an AEAD ciphersuite */
5612 if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005613 {
5614 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005615 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005616 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005617 /* Renegotiation must not be enabled */
5618#if defined(MBEDTLS_SSL_RENEGOTIATION)
5619 if( ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005620 {
5621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Renegotiation must not be enabled" ) );
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005622 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Jarno Lamsa8c51b7c2019-08-21 13:45:05 +03005623 }
Manuel Pégourié-Gonnarde4588692019-07-29 12:28:52 +02005624#endif
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005625
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005626 /*
5627 * Version and format identifier
5628 */
5629 used += sizeof( ssl_serialized_context_header );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005630
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005631 if( used <= buf_len )
5632 {
5633 memcpy( p, ssl_serialized_context_header,
5634 sizeof( ssl_serialized_context_header ) );
5635 p += sizeof( ssl_serialized_context_header );
5636 }
5637
5638 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005639 * Session (length + data)
5640 */
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005641 ret = ssl_session_save( ssl->session, 1, NULL, 0, &session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005642 if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
5643 return( ret );
5644
5645 used += 4 + session_len;
5646 if( used <= buf_len )
5647 {
5648 *p++ = (unsigned char)( ( session_len >> 24 ) & 0xFF );
5649 *p++ = (unsigned char)( ( session_len >> 16 ) & 0xFF );
5650 *p++ = (unsigned char)( ( session_len >> 8 ) & 0xFF );
5651 *p++ = (unsigned char)( ( session_len ) & 0xFF );
5652
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005653 ret = ssl_session_save( ssl->session, 1,
5654 p, session_len, &session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005655 if( ret != 0 )
5656 return( ret );
5657
5658 p += session_len;
5659 }
5660
5661 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005662 * Transform
5663 */
5664 used += sizeof( ssl->transform->randbytes );
5665 if( used <= buf_len )
5666 {
5667 memcpy( p, ssl->transform->randbytes,
5668 sizeof( ssl->transform->randbytes ) );
5669 p += sizeof( ssl->transform->randbytes );
5670 }
5671
5672#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5673 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5674 if( used <= buf_len )
5675 {
5676 *p++ = ssl->transform->in_cid_len;
5677 memcpy( p, ssl->transform->in_cid, ssl->transform->in_cid_len );
5678 p += ssl->transform->in_cid_len;
5679
5680 *p++ = ssl->transform->out_cid_len;
5681 memcpy( p, ssl->transform->out_cid, ssl->transform->out_cid_len );
5682 p += ssl->transform->out_cid_len;
5683 }
5684#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5685
5686 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005687 * Saved fields from top-level ssl_context structure
5688 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005689 used += 4;
5690 if( used <= buf_len )
5691 {
5692 *p++ = (unsigned char)( ( ssl->badmac_seen >> 24 ) & 0xFF );
5693 *p++ = (unsigned char)( ( ssl->badmac_seen >> 16 ) & 0xFF );
5694 *p++ = (unsigned char)( ( ssl->badmac_seen >> 8 ) & 0xFF );
5695 *p++ = (unsigned char)( ( ssl->badmac_seen ) & 0xFF );
5696 }
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005697
5698#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5699 used += 16;
5700 if( used <= buf_len )
5701 {
5702 *p++ = (unsigned char)( ( ssl->in_window_top >> 56 ) & 0xFF );
5703 *p++ = (unsigned char)( ( ssl->in_window_top >> 48 ) & 0xFF );
5704 *p++ = (unsigned char)( ( ssl->in_window_top >> 40 ) & 0xFF );
5705 *p++ = (unsigned char)( ( ssl->in_window_top >> 32 ) & 0xFF );
5706 *p++ = (unsigned char)( ( ssl->in_window_top >> 24 ) & 0xFF );
5707 *p++ = (unsigned char)( ( ssl->in_window_top >> 16 ) & 0xFF );
5708 *p++ = (unsigned char)( ( ssl->in_window_top >> 8 ) & 0xFF );
5709 *p++ = (unsigned char)( ( ssl->in_window_top ) & 0xFF );
5710
5711 *p++ = (unsigned char)( ( ssl->in_window >> 56 ) & 0xFF );
5712 *p++ = (unsigned char)( ( ssl->in_window >> 48 ) & 0xFF );
5713 *p++ = (unsigned char)( ( ssl->in_window >> 40 ) & 0xFF );
5714 *p++ = (unsigned char)( ( ssl->in_window >> 32 ) & 0xFF );
5715 *p++ = (unsigned char)( ( ssl->in_window >> 24 ) & 0xFF );
5716 *p++ = (unsigned char)( ( ssl->in_window >> 16 ) & 0xFF );
5717 *p++ = (unsigned char)( ( ssl->in_window >> 8 ) & 0xFF );
5718 *p++ = (unsigned char)( ( ssl->in_window ) & 0xFF );
5719 }
5720#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5721
5722#if defined(MBEDTLS_SSL_PROTO_DTLS)
5723 used += 1;
5724 if( used <= buf_len )
5725 {
5726 *p++ = ssl->disable_datagram_packing;
5727 }
5728#endif /* MBEDTLS_SSL_PROTO_DTLS */
5729
5730 used += 8;
5731 if( used <= buf_len )
5732 {
5733 memcpy( p, ssl->cur_out_ctr, 8 );
5734 p += 8;
5735 }
5736
5737#if defined(MBEDTLS_SSL_PROTO_DTLS)
5738 used += 2;
5739 if( used <= buf_len )
5740 {
5741 *p++ = (unsigned char)( ( ssl->mtu >> 8 ) & 0xFF );
5742 *p++ = (unsigned char)( ( ssl->mtu ) & 0xFF );
5743 }
5744#endif /* MBEDTLS_SSL_PROTO_DTLS */
5745
5746#if defined(MBEDTLS_SSL_ALPN)
5747 {
5748 const uint8_t alpn_len = ssl->alpn_chosen
Manuel Pégourié-Gonnardf041f4e2019-07-24 00:58:27 +02005749 ? (uint8_t) strlen( ssl->alpn_chosen )
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005750 : 0;
5751
5752 used += 1 + alpn_len;
5753 if( used <= buf_len )
5754 {
5755 *p++ = alpn_len;
5756
5757 if( ssl->alpn_chosen != NULL )
5758 {
5759 memcpy( p, ssl->alpn_chosen, alpn_len );
5760 p += alpn_len;
5761 }
5762 }
5763 }
5764#endif /* MBEDTLS_SSL_ALPN */
5765
5766 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005767 * Done
5768 */
5769 *olen = used;
5770
5771 if( used > buf_len )
5772 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005773
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005774 MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
5775
Hanno Becker43aefe22020-02-05 10:44:56 +00005776 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005777}
5778
5779/*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005780 * Helper to get TLS 1.2 PRF from ciphersuite
5781 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
5782 */
5783typedef int (*tls_prf_fn)( const unsigned char *secret, size_t slen,
5784 const char *label,
5785 const unsigned char *random, size_t rlen,
5786 unsigned char *dstbuf, size_t dlen );
5787static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
5788{
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02005789#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005790 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
5791 mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
5792
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005793 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
5794 return( tls_prf_sha384 );
Jarno Lamsab7b486c2019-08-21 15:30:44 +03005795#else
5796 (void) ciphersuite_id;
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005797#endif
5798 return( tls_prf_sha256 );
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005799}
5800
5801/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02005802 * Deserialize context, see mbedtls_ssl_context_save() for format.
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005803 *
5804 * This internal version is wrapped by a public function that cleans up in
5805 * case of error.
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005806 */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005807static int ssl_context_load( mbedtls_ssl_context *ssl,
5808 const unsigned char *buf,
5809 size_t len )
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02005810{
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005811 const unsigned char *p = buf;
5812 const unsigned char * const end = buf + len;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005813 size_t session_len;
Janos Follath865b3eb2019-12-16 11:46:15 +00005814 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005815
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005816 /*
5817 * The context should have been freshly setup or reset.
5818 * Give the user an error in case of obvious misuse.
Manuel Pégourié-Gonnard4ca930f2019-07-26 16:31:53 +02005819 * (Checking session is useful because it won't be NULL if we're
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005820 * renegotiating, or if the user mistakenly loaded a session first.)
5821 */
5822 if( ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5823 ssl->session != NULL )
5824 {
5825 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5826 }
5827
5828 /*
5829 * We can't check that the config matches the initial one, but we can at
5830 * least check it matches the requirements for serializing.
5831 */
5832 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5833 ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
5834 ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
5835 ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
5836 ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
5837#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005838 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005839#endif
Manuel Pégourié-Gonnard9a96fd72019-07-23 17:11:24 +02005840 0 )
Manuel Pégourié-Gonnard0ff76402019-07-11 09:56:30 +02005841 {
5842 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5843 }
5844
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005845 MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
5846
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02005847 /*
5848 * Check version identifier
5849 */
5850 if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
5851 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5852
5853 if( memcmp( p, ssl_serialized_context_header,
5854 sizeof( ssl_serialized_context_header ) ) != 0 )
5855 {
5856 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5857 }
5858 p += sizeof( ssl_serialized_context_header );
5859
5860 /*
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005861 * Session
5862 */
5863 if( (size_t)( end - p ) < 4 )
5864 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5865
5866 session_len = ( (size_t) p[0] << 24 ) |
5867 ( (size_t) p[1] << 16 ) |
5868 ( (size_t) p[2] << 8 ) |
5869 ( (size_t) p[3] );
5870 p += 4;
5871
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005872 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00005873 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005874 ssl->session = ssl->session_negotiate;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005875 ssl->session_in = ssl->session;
5876 ssl->session_out = ssl->session;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005877 ssl->session_negotiate = NULL;
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005878
5879 if( (size_t)( end - p ) < session_len )
5880 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5881
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005882 ret = ssl_session_load( ssl->session, 1, p, session_len );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005883 if( ret != 0 )
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005884 {
5885 mbedtls_ssl_session_free( ssl->session );
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005886 return( ret );
Manuel Pégourié-Gonnard45ac1f02019-07-23 16:52:45 +02005887 }
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02005888
5889 p += session_len;
5890
5891 /*
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005892 * Transform
5893 */
5894
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005895 /* This has been allocated by ssl_handshake_init(), called by
Hanno Becker43aefe22020-02-05 10:44:56 +00005896 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005897 ssl->transform = ssl->transform_negotiate;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005898 ssl->transform_in = ssl->transform;
5899 ssl->transform_out = ssl->transform;
Manuel Pégourié-Gonnard142ba732019-07-23 14:43:30 +02005900 ssl->transform_negotiate = NULL;
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005901
5902 /* Read random bytes and populate structure */
5903 if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
5904 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5905
5906 ret = ssl_populate_transform( ssl->transform,
5907 ssl->session->ciphersuite,
5908 ssl->session->master,
Hanno Beckerfd86ca82020-11-30 08:54:23 +00005909#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005910#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5911 ssl->session->encrypt_then_mac,
5912#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +00005913#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005914 ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
5915 p, /* currently pointing to randbytes */
5916 MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
5917 ssl->conf->endpoint,
5918 ssl );
5919 if( ret != 0 )
5920 return( ret );
5921
5922 p += sizeof( ssl->transform->randbytes );
5923
5924#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5925 /* Read connection IDs and store them */
5926 if( (size_t)( end - p ) < 1 )
5927 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5928
5929 ssl->transform->in_cid_len = *p++;
5930
Manuel Pégourié-Gonnard5ea13b82019-07-23 15:02:54 +02005931 if( (size_t)( end - p ) < ssl->transform->in_cid_len + 1u )
Manuel Pégourié-Gonnardc2a7b892019-07-15 09:04:11 +02005932 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5933
5934 memcpy( ssl->transform->in_cid, p, ssl->transform->in_cid_len );
5935 p += ssl->transform->in_cid_len;
5936
5937 ssl->transform->out_cid_len = *p++;
5938
5939 if( (size_t)( end - p ) < ssl->transform->out_cid_len )
5940 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5941
5942 memcpy( ssl->transform->out_cid, p, ssl->transform->out_cid_len );
5943 p += ssl->transform->out_cid_len;
5944#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5945
5946 /*
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005947 * Saved fields from top-level ssl_context structure
5948 */
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005949 if( (size_t)( end - p ) < 4 )
5950 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5951
5952 ssl->badmac_seen = ( (uint32_t) p[0] << 24 ) |
5953 ( (uint32_t) p[1] << 16 ) |
5954 ( (uint32_t) p[2] << 8 ) |
5955 ( (uint32_t) p[3] );
5956 p += 4;
Manuel Pégourié-Gonnardc86c5df2019-07-15 11:23:03 +02005957
5958#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5959 if( (size_t)( end - p ) < 16 )
5960 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5961
5962 ssl->in_window_top = ( (uint64_t) p[0] << 56 ) |
5963 ( (uint64_t) p[1] << 48 ) |
5964 ( (uint64_t) p[2] << 40 ) |
5965 ( (uint64_t) p[3] << 32 ) |
5966 ( (uint64_t) p[4] << 24 ) |
5967 ( (uint64_t) p[5] << 16 ) |
5968 ( (uint64_t) p[6] << 8 ) |
5969 ( (uint64_t) p[7] );
5970 p += 8;
5971
5972 ssl->in_window = ( (uint64_t) p[0] << 56 ) |
5973 ( (uint64_t) p[1] << 48 ) |
5974 ( (uint64_t) p[2] << 40 ) |
5975 ( (uint64_t) p[3] << 32 ) |
5976 ( (uint64_t) p[4] << 24 ) |
5977 ( (uint64_t) p[5] << 16 ) |
5978 ( (uint64_t) p[6] << 8 ) |
5979 ( (uint64_t) p[7] );
5980 p += 8;
5981#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5982
5983#if defined(MBEDTLS_SSL_PROTO_DTLS)
5984 if( (size_t)( end - p ) < 1 )
5985 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5986
5987 ssl->disable_datagram_packing = *p++;
5988#endif /* MBEDTLS_SSL_PROTO_DTLS */
5989
5990 if( (size_t)( end - p ) < 8 )
5991 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5992
5993 memcpy( ssl->cur_out_ctr, p, 8 );
5994 p += 8;
5995
5996#if defined(MBEDTLS_SSL_PROTO_DTLS)
5997 if( (size_t)( end - p ) < 2 )
5998 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5999
6000 ssl->mtu = ( p[0] << 8 ) | p[1];
6001 p += 2;
6002#endif /* MBEDTLS_SSL_PROTO_DTLS */
6003
6004#if defined(MBEDTLS_SSL_ALPN)
6005 {
6006 uint8_t alpn_len;
6007 const char **cur;
6008
6009 if( (size_t)( end - p ) < 1 )
6010 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6011
6012 alpn_len = *p++;
6013
6014 if( alpn_len != 0 && ssl->conf->alpn_list != NULL )
6015 {
6016 /* alpn_chosen should point to an item in the configured list */
6017 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
6018 {
6019 if( strlen( *cur ) == alpn_len &&
6020 memcmp( p, cur, alpn_len ) == 0 )
6021 {
6022 ssl->alpn_chosen = *cur;
6023 break;
6024 }
6025 }
6026 }
6027
6028 /* can only happen on conf mismatch */
6029 if( alpn_len != 0 && ssl->alpn_chosen == NULL )
6030 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6031
6032 p += alpn_len;
6033 }
6034#endif /* MBEDTLS_SSL_ALPN */
6035
6036 /*
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006037 * Forced fields from top-level ssl_context structure
6038 *
6039 * Most of them already set to the correct value by mbedtls_ssl_init() and
6040 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
6041 */
6042 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
6043
6044 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6045 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
6046
Hanno Becker361b10d2019-08-30 10:42:49 +01006047 /* Adjust pointers for header fields of outgoing records to
6048 * the given transform, accounting for explicit IV and CID. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00006049 mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
Hanno Becker361b10d2019-08-30 10:42:49 +01006050
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006051#if defined(MBEDTLS_SSL_PROTO_DTLS)
6052 ssl->in_epoch = 1;
6053#endif
6054
6055 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
6056 * which we don't want - otherwise we'd end up freeing the wrong transform
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00006057 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
6058 * inappropriately. */
Manuel Pégourié-Gonnard0eb3eac2019-07-15 11:53:51 +02006059 if( ssl->handshake != NULL )
6060 {
6061 mbedtls_ssl_handshake_free( ssl );
6062 mbedtls_free( ssl->handshake );
6063 ssl->handshake = NULL;
6064 }
6065
6066 /*
Manuel Pégourié-Gonnard4c90e852019-07-11 10:58:10 +02006067 * Done - should have consumed entire buffer
6068 */
6069 if( p != end )
6070 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardac87e282019-05-28 13:02:16 +02006071
6072 return( 0 );
6073}
6074
6075/*
Manuel Pégourié-Gonnardb9dfc9f2019-07-12 10:50:19 +02006076 * Deserialize context: public wrapper for error cleaning
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006077 */
6078int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
6079 const unsigned char *buf,
6080 size_t len )
6081{
6082 int ret = ssl_context_load( context, buf, len );
6083
6084 if( ret != 0 )
6085 mbedtls_ssl_free( context );
6086
6087 return( ret );
6088}
Manuel Pégourié-Gonnard5c0e3772019-07-23 16:13:17 +02006089#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnard4b7e6b92019-07-11 12:50:53 +02006090
6091/*
Paul Bakker5121ce52009-01-03 21:22:43 +00006092 * Free an SSL context
6093 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006094void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00006095{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02006096 if( ssl == NULL )
6097 return;
6098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006100
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01006101 if( ssl->out_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006102 {
sander-visserb8aa2072020-05-06 22:05:13 +02006103#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6104 size_t out_buf_len = ssl->out_buf_len;
6105#else
6106 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
6107#endif
6108
Darryl Greenb33cc762019-11-28 14:29:44 +00006109 mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006110 mbedtls_free( ssl->out_buf );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05006111 ssl->out_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00006112 }
6113
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +01006114 if( ssl->in_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006115 {
sander-visserb8aa2072020-05-06 22:05:13 +02006116#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6117 size_t in_buf_len = ssl->in_buf_len;
6118#else
6119 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
6120#endif
6121
Darryl Greenb33cc762019-11-28 14:29:44 +00006122 mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006123 mbedtls_free( ssl->in_buf );
Andrzej Kurek0afa2a12020-03-03 10:39:58 -05006124 ssl->in_buf = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00006125 }
6126
Paul Bakker48916f92012-09-16 19:57:18 +00006127 if( ssl->transform )
6128 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006129 mbedtls_ssl_transform_free( ssl->transform );
6130 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00006131 }
6132
6133 if( ssl->handshake )
6134 {
Gilles Peskine9b562d52018-04-25 20:32:43 +02006135 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006136 mbedtls_ssl_transform_free( ssl->transform_negotiate );
6137 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00006138
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006139 mbedtls_free( ssl->handshake );
6140 mbedtls_free( ssl->transform_negotiate );
6141 mbedtls_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00006142 }
6143
Paul Bakkerc0463502013-02-14 11:19:38 +01006144 if( ssl->session )
6145 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006146 mbedtls_ssl_session_free( ssl->session );
6147 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01006148 }
6149
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +02006150#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker66d5d072014-06-17 16:39:18 +02006151 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00006152 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006153 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006154 mbedtls_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00006155 }
Paul Bakker0be444a2013-08-27 21:55:01 +02006156#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00006157
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02006158#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006159 mbedtls_free( ssl->cli_id );
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +02006160#endif
6161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00006163
Paul Bakker86f04f42013-02-14 11:20:09 +01006164 /* Actually clear after last debug message */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006165 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00006166}
6167
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006168/*
6169 * Initialze mbedtls_ssl_config
6170 */
6171void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
6172{
6173 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
6174}
6175
Gilles Peskineeccd8882020-03-10 12:19:08 +01006176#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006177/* The selection should be the same as mbedtls_x509_crt_profile_default in
Gilles Peskinea28f0f52021-06-02 15:29:38 +02006178 * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
6179 * for no fundamental reason.
Gilles Peskineae270bf2021-06-02 00:05:29 +02006180 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
6181 * about this list. */
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006182static int ssl_preset_default_hashes[] = {
6183#if defined(MBEDTLS_SHA512_C)
6184 MBEDTLS_MD_SHA512,
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006185#endif
6186#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006187 MBEDTLS_MD_SHA384,
6188#endif
6189#if defined(MBEDTLS_SHA256_C)
6190 MBEDTLS_MD_SHA256,
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006191#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006192 MBEDTLS_MD_NONE
6193};
Simon Butcherc97b6972015-12-27 23:48:17 +00006194#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006195
Gilles Peskineae270bf2021-06-02 00:05:29 +02006196#if defined(MBEDTLS_ECP_C)
6197/* The selection should be the same as mbedtls_x509_crt_profile_default in
6198 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
Gilles Peskineb1940a72021-06-02 15:18:12 +02006199 * curves with a lower resource usage come first.
Gilles Peskineae270bf2021-06-02 00:05:29 +02006200 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
Gilles Peskineb1940a72021-06-02 15:18:12 +02006201 * about this list.
6202 */
Gilles Peskineae270bf2021-06-02 00:05:29 +02006203static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
Gilles Peskineae270bf2021-06-02 00:05:29 +02006204#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006205 MBEDTLS_ECP_DP_CURVE25519,
6206#endif
6207#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
6208 MBEDTLS_ECP_DP_SECP256R1,
6209#endif
Gilles Peskineb1940a72021-06-02 15:18:12 +02006210#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
6211 MBEDTLS_ECP_DP_SECP384R1,
6212#endif
6213#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
6214 MBEDTLS_ECP_DP_CURVE448,
6215#endif
6216#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
6217 MBEDTLS_ECP_DP_SECP521R1,
6218#endif
Gilles Peskineae270bf2021-06-02 00:05:29 +02006219#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
6220 MBEDTLS_ECP_DP_BP256R1,
6221#endif
Gilles Peskineb1940a72021-06-02 15:18:12 +02006222#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
6223 MBEDTLS_ECP_DP_BP384R1,
6224#endif
6225#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
6226 MBEDTLS_ECP_DP_BP512R1,
6227#endif
Gilles Peskineae270bf2021-06-02 00:05:29 +02006228 MBEDTLS_ECP_DP_NONE
6229};
6230#endif
6231
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006232static int ssl_preset_suiteb_ciphersuites[] = {
6233 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6234 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
6235 0
6236};
6237
Gilles Peskineeccd8882020-03-10 12:19:08 +01006238#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006239static int ssl_preset_suiteb_hashes[] = {
6240 MBEDTLS_MD_SHA256,
6241 MBEDTLS_MD_SHA384,
6242 MBEDTLS_MD_NONE
6243};
6244#endif
6245
6246#if defined(MBEDTLS_ECP_C)
6247static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
Jaeden Amerod4311042019-06-03 08:27:16 +01006248#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006249 MBEDTLS_ECP_DP_SECP256R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01006250#endif
6251#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006252 MBEDTLS_ECP_DP_SECP384R1,
Jaeden Amerod4311042019-06-03 08:27:16 +01006253#endif
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006254 MBEDTLS_ECP_DP_NONE
6255};
6256#endif
6257
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006258/*
Tillmann Karras588ad502015-09-25 04:27:22 +02006259 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006260 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02006261int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006262 int endpoint, int transport, int preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006263{
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006264#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Janos Follath865b3eb2019-12-16 11:46:15 +00006265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +02006266#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006267
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +02006268 /* Use the functions here so that they are covered in tests,
6269 * but otherwise access member directly for efficiency */
6270 mbedtls_ssl_conf_endpoint( conf, endpoint );
6271 mbedtls_ssl_conf_transport( conf, transport );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006272
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006273 /*
6274 * Things that are common to all presets
6275 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +02006276#if defined(MBEDTLS_SSL_CLI_C)
6277 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
6278 {
6279 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
6280#if defined(MBEDTLS_SSL_SESSION_TICKETS)
6281 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
6282#endif
6283 }
6284#endif
6285
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006286#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6287 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
6288#endif
6289
6290#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6291 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
6292#endif
6293
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02006294#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006295 conf->f_cookie_write = ssl_cookie_write_dummy;
6296 conf->f_cookie_check = ssl_cookie_check_dummy;
6297#endif
6298
6299#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6300 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
6301#endif
6302
Janos Follath088ce432017-04-10 12:42:31 +01006303#if defined(MBEDTLS_SSL_SRV_C)
6304 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
TRodziewicz3946f792021-06-14 12:11:18 +02006305 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
Janos Follath088ce432017-04-10 12:42:31 +01006306#endif
6307
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006308#if defined(MBEDTLS_SSL_PROTO_DTLS)
6309 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
6310 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
6311#endif
6312
6313#if defined(MBEDTLS_SSL_RENEGOTIATION)
6314 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Andres AG2196c7f2016-12-15 17:01:16 +00006315 memset( conf->renego_period, 0x00, 2 );
6316 memset( conf->renego_period + 2, 0xFF, 6 );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006317#endif
6318
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006319#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
6320 if( endpoint == MBEDTLS_SSL_IS_SERVER )
6321 {
Hanno Becker00d0a682017-10-04 13:14:29 +01006322 const unsigned char dhm_p[] =
6323 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
6324 const unsigned char dhm_g[] =
6325 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
6326
Hanno Beckera90658f2017-10-04 15:29:08 +01006327 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
6328 dhm_p, sizeof( dhm_p ),
6329 dhm_g, sizeof( dhm_g ) ) ) != 0 )
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006330 {
6331 return( ret );
6332 }
6333 }
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02006334#endif
6335
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006336 /*
6337 * Preset-specific defaults
6338 */
6339 switch( preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006340 {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006341 /*
6342 * NSA Suite B
6343 */
6344 case MBEDTLS_SSL_PRESET_SUITEB:
6345 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6346 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
6347 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6348 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6349
Hanno Beckerd60b6c62021-04-29 12:04:11 +01006350 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006351
6352#if defined(MBEDTLS_X509_CRT_PARSE_C)
6353 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006354#endif
6355
Gilles Peskineeccd8882020-03-10 12:19:08 +01006356#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006357 conf->sig_hashes = ssl_preset_suiteb_hashes;
6358#endif
6359
6360#if defined(MBEDTLS_ECP_C)
6361 conf->curve_list = ssl_preset_suiteb_curves;
6362#endif
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +02006363 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006364
6365 /*
6366 * Default
6367 */
6368 default:
Ron Eldor5e9f14d2017-05-28 10:46:38 +03006369 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
6370 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
6371 MBEDTLS_SSL_MIN_MAJOR_VERSION :
6372 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
6373 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
6374 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
6375 MBEDTLS_SSL_MIN_MINOR_VERSION :
6376 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006377 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6378 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6379
6380#if defined(MBEDTLS_SSL_PROTO_DTLS)
6381 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
TRodziewiczef73f012021-05-13 14:53:36 +02006382 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006383#endif
Hanno Beckerd60b6c62021-04-29 12:04:11 +01006384 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006385
6386#if defined(MBEDTLS_X509_CRT_PARSE_C)
6387 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6388#endif
6389
Gilles Peskineeccd8882020-03-10 12:19:08 +01006390#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +01006391 conf->sig_hashes = ssl_preset_default_hashes;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006392#endif
6393
6394#if defined(MBEDTLS_ECP_C)
Gilles Peskineae270bf2021-06-02 00:05:29 +02006395 conf->curve_list = ssl_preset_default_curves;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +02006396#endif
6397
6398#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6399 conf->dhm_min_bitlen = 1024;
6400#endif
6401 }
6402
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006403 return( 0 );
6404}
6405
6406/*
6407 * Free mbedtls_ssl_config
6408 */
6409void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
6410{
6411#if defined(MBEDTLS_DHM_C)
6412 mbedtls_mpi_free( &conf->dhm_P );
6413 mbedtls_mpi_free( &conf->dhm_G );
6414#endif
6415
Gilles Peskineeccd8882020-03-10 12:19:08 +01006416#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006417 if( conf->psk != NULL )
6418 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006419 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006420 mbedtls_free( conf->psk );
Azim Khan27e8a122018-03-21 14:24:11 +00006421 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006422 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +09006423 }
6424
6425 if( conf->psk_identity != NULL )
6426 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006427 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
junyeonLEE316b1622017-12-20 16:29:30 +09006428 mbedtls_free( conf->psk_identity );
Azim Khan27e8a122018-03-21 14:24:11 +00006429 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006430 conf->psk_identity_len = 0;
6431 }
6432#endif
6433
6434#if defined(MBEDTLS_X509_CRT_PARSE_C)
6435 ssl_key_cert_free( conf->key_cert );
6436#endif
6437
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05006438 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +02006439}
6440
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02006441#if defined(MBEDTLS_PK_C) && \
6442 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006443/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006444 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006445 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006446unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006447{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006448#if defined(MBEDTLS_RSA_C)
6449 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
6450 return( MBEDTLS_SSL_SIG_RSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006451#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006452#if defined(MBEDTLS_ECDSA_C)
6453 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
6454 return( MBEDTLS_SSL_SIG_ECDSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006455#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006456 return( MBEDTLS_SSL_SIG_ANON );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02006457}
6458
Hanno Becker7e5437a2017-04-28 17:15:26 +01006459unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
6460{
6461 switch( type ) {
6462 case MBEDTLS_PK_RSA:
6463 return( MBEDTLS_SSL_SIG_RSA );
6464 case MBEDTLS_PK_ECDSA:
6465 case MBEDTLS_PK_ECKEY:
6466 return( MBEDTLS_SSL_SIG_ECDSA );
6467 default:
6468 return( MBEDTLS_SSL_SIG_ANON );
6469 }
6470}
6471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006472mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006473{
6474 switch( sig )
6475 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006476#if defined(MBEDTLS_RSA_C)
6477 case MBEDTLS_SSL_SIG_RSA:
6478 return( MBEDTLS_PK_RSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006479#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006480#if defined(MBEDTLS_ECDSA_C)
6481 case MBEDTLS_SSL_SIG_ECDSA:
6482 return( MBEDTLS_PK_ECDSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006483#endif
6484 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006485 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006486 }
6487}
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +02006488#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006489
Hanno Becker7e5437a2017-04-28 17:15:26 +01006490#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01006491 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01006492
6493/* Find an entry in a signature-hash set matching a given hash algorithm. */
6494mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
6495 mbedtls_pk_type_t sig_alg )
6496{
6497 switch( sig_alg )
6498 {
6499 case MBEDTLS_PK_RSA:
6500 return( set->rsa );
6501 case MBEDTLS_PK_ECDSA:
6502 return( set->ecdsa );
6503 default:
6504 return( MBEDTLS_MD_NONE );
6505 }
6506}
6507
6508/* Add a signature-hash-pair to a signature-hash set */
6509void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
6510 mbedtls_pk_type_t sig_alg,
6511 mbedtls_md_type_t md_alg )
6512{
6513 switch( sig_alg )
6514 {
6515 case MBEDTLS_PK_RSA:
6516 if( set->rsa == MBEDTLS_MD_NONE )
6517 set->rsa = md_alg;
6518 break;
6519
6520 case MBEDTLS_PK_ECDSA:
6521 if( set->ecdsa == MBEDTLS_MD_NONE )
6522 set->ecdsa = md_alg;
6523 break;
6524
6525 default:
6526 break;
6527 }
6528}
6529
6530/* Allow exactly one hash algorithm for each signature. */
6531void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
6532 mbedtls_md_type_t md_alg )
6533{
6534 set->rsa = md_alg;
6535 set->ecdsa = md_alg;
6536}
6537
6538#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
Gilles Peskineeccd8882020-03-10 12:19:08 +01006539 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +01006540
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02006541/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006542 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02006543 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006544mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006545{
6546 switch( hash )
6547 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006548#if defined(MBEDTLS_MD5_C)
6549 case MBEDTLS_SSL_HASH_MD5:
6550 return( MBEDTLS_MD_MD5 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006551#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006552#if defined(MBEDTLS_SHA1_C)
6553 case MBEDTLS_SSL_HASH_SHA1:
6554 return( MBEDTLS_MD_SHA1 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006555#endif
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006556#if defined(MBEDTLS_SHA224_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006557 case MBEDTLS_SSL_HASH_SHA224:
6558 return( MBEDTLS_MD_SHA224 );
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006559#endif
6560#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006561 case MBEDTLS_SSL_HASH_SHA256:
6562 return( MBEDTLS_MD_SHA256 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006563#endif
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006564#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006565 case MBEDTLS_SSL_HASH_SHA384:
6566 return( MBEDTLS_MD_SHA384 );
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006567#endif
6568#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006569 case MBEDTLS_SSL_HASH_SHA512:
6570 return( MBEDTLS_MD_SHA512 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006571#endif
6572 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006573 return( MBEDTLS_MD_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02006574 }
6575}
6576
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006577/*
6578 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6579 */
6580unsigned char mbedtls_ssl_hash_from_md_alg( int md )
6581{
6582 switch( md )
6583 {
6584#if defined(MBEDTLS_MD5_C)
6585 case MBEDTLS_MD_MD5:
6586 return( MBEDTLS_SSL_HASH_MD5 );
6587#endif
6588#if defined(MBEDTLS_SHA1_C)
6589 case MBEDTLS_MD_SHA1:
6590 return( MBEDTLS_SSL_HASH_SHA1 );
6591#endif
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006592#if defined(MBEDTLS_SHA224_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006593 case MBEDTLS_MD_SHA224:
6594 return( MBEDTLS_SSL_HASH_SHA224 );
Mateusz Starzyke3c48b42021-04-19 16:46:28 +02006595#endif
6596#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006597 case MBEDTLS_MD_SHA256:
6598 return( MBEDTLS_SSL_HASH_SHA256 );
6599#endif
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006600#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006601 case MBEDTLS_MD_SHA384:
6602 return( MBEDTLS_SSL_HASH_SHA384 );
Mateusz Starzyk3352a532021-04-06 14:28:22 +02006603#endif
6604#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006605 case MBEDTLS_MD_SHA512:
6606 return( MBEDTLS_SSL_HASH_SHA512 );
6607#endif
6608 default:
6609 return( MBEDTLS_SSL_HASH_NONE );
6610 }
6611}
6612
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006613#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006614/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006615 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006616 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006617 */
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006618int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006619{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006620 const mbedtls_ecp_group_id *gid;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006621
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006622 if( ssl->conf->curve_list == NULL )
6623 return( -1 );
6624
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02006625 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006626 if( *gid == grp_id )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006627 return( 0 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006628
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02006629 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01006630}
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02006631#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006632
Gilles Peskineeccd8882020-03-10 12:19:08 +01006633#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006634/*
6635 * Check if a hash proposed by the peer is in our list.
6636 * Return 0 if we're willing to use it, -1 otherwise.
6637 */
6638int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
6639 mbedtls_md_type_t md )
6640{
6641 const int *cur;
6642
6643 if( ssl->conf->sig_hashes == NULL )
6644 return( -1 );
6645
6646 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
6647 if( *cur == (int) md )
6648 return( 0 );
6649
6650 return( -1 );
6651}
Gilles Peskineeccd8882020-03-10 12:19:08 +01006652#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02006653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006654#if defined(MBEDTLS_X509_CRT_PARSE_C)
6655int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
6656 const mbedtls_ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006657 int cert_endpoint,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +02006658 uint32_t *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006659{
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006660 int ret = 0;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006661 int usage = 0;
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006662 const char *ext_oid;
6663 size_t ext_len;
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006665 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006666 {
6667 /* Server part of the key exchange */
6668 switch( ciphersuite->key_exchange )
6669 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006670 case MBEDTLS_KEY_EXCHANGE_RSA:
6671 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006672 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006673 break;
6674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006675 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
6676 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
6677 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
6678 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006679 break;
6680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006681 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
6682 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006683 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006684 break;
6685
6686 /* Don't use default: we want warnings when adding new values */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006687 case MBEDTLS_KEY_EXCHANGE_NONE:
6688 case MBEDTLS_KEY_EXCHANGE_PSK:
6689 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
6690 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +02006691 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006692 usage = 0;
6693 }
6694 }
6695 else
6696 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006697 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
6698 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006699 }
6700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006701 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006702 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006703 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006704 ret = -1;
6705 }
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006707 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006708 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006709 ext_oid = MBEDTLS_OID_SERVER_AUTH;
6710 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006711 }
6712 else
6713 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006714 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
6715 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006716 }
6717
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006718 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006719 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +01006720 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006721 ret = -1;
6722 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02006723
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01006724 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02006725}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006726#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +02006727
Simon Butcher99000142016-10-13 17:21:01 +01006728int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
6729{
6730#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6731 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Becker541af852021-05-14 16:49:01 +01006732 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01006733
6734 switch( md )
6735 {
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +02006736#if defined(MBEDTLS_SHA384_C)
Simon Butcher99000142016-10-13 17:21:01 +01006737 case MBEDTLS_SSL_HASH_SHA384:
6738 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6739 break;
6740#endif
6741#if defined(MBEDTLS_SHA256_C)
6742 case MBEDTLS_SSL_HASH_SHA256:
6743 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6744 break;
6745#endif
6746 default:
Hanno Becker541af852021-05-14 16:49:01 +01006747 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01006748 }
6749
6750 return 0;
6751#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
6752 (void) ssl;
6753 (void) md;
6754
Hanno Becker541af852021-05-14 16:49:01 +01006755 return( -1 );
Simon Butcher99000142016-10-13 17:21:01 +01006756#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6757}
6758
TRodziewicz0f82ec62021-05-12 17:49:18 +02006759#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006760
6761#if defined(MBEDTLS_USE_PSA_CRYPTO)
6762int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
6763 unsigned char *hash, size_t *hashlen,
6764 unsigned char *data, size_t data_len,
6765 mbedtls_md_type_t md_alg )
6766{
Andrzej Kurek814feff2019-01-14 04:35:19 -05006767 psa_status_t status;
Jaeden Amero34973232019-02-20 10:32:28 +00006768 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006769 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
6770
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01006771 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006772
6773 if( ( status = psa_hash_setup( &hash_operation,
6774 hash_alg ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006775 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006776 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006777 goto exit;
6778 }
6779
Andrzej Kurek814feff2019-01-14 04:35:19 -05006780 if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
6781 64 ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006782 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006783 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006784 goto exit;
6785 }
6786
Andrzej Kurek814feff2019-01-14 04:35:19 -05006787 if( ( status = psa_hash_update( &hash_operation,
6788 data, data_len ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006789 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006790 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006791 goto exit;
6792 }
6793
Andrzej Kurek814feff2019-01-14 04:35:19 -05006794 if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
6795 hashlen ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006796 {
Andrzej Kurek814feff2019-01-14 04:35:19 -05006797 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006798 goto exit;
6799 }
6800
6801exit:
Andrzej Kurek814feff2019-01-14 04:35:19 -05006802 if( status != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006803 {
6804 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6805 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006806 switch( status )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006807 {
6808 case PSA_ERROR_NOT_SUPPORTED:
6809 return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006810 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006811 case PSA_ERROR_BUFFER_TOO_SMALL:
6812 return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
6813 case PSA_ERROR_INSUFFICIENT_MEMORY:
6814 return( MBEDTLS_ERR_MD_ALLOC_FAILED );
6815 default:
TRodziewiczb579ccd2021-04-13 14:28:28 +02006816 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006817 }
6818 }
6819 return( 0 );
6820}
6821
6822#else
6823
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006824int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02006825 unsigned char *hash, size_t *hashlen,
6826 unsigned char *data, size_t data_len,
6827 mbedtls_md_type_t md_alg )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006828{
6829 int ret = 0;
6830 mbedtls_md_context_t ctx;
6831 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
Gilles Peskineca1d7422018-04-24 11:53:22 +02006832 *hashlen = mbedtls_md_get_size( md_info );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006833
Hanno Becker4c8c7aa2019-04-10 09:25:41 +01006834 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -05006835
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006836 mbedtls_md_init( &ctx );
6837
6838 /*
6839 * digitally-signed struct {
6840 * opaque client_random[32];
6841 * opaque server_random[32];
6842 * ServerDHParams params;
6843 * };
6844 */
6845 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
6846 {
6847 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
6848 goto exit;
6849 }
6850 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
6851 {
6852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
6853 goto exit;
6854 }
6855 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
6856 {
6857 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
6858 goto exit;
6859 }
6860 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
6861 {
6862 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
6863 goto exit;
6864 }
Gilles Peskineca1d7422018-04-24 11:53:22 +02006865 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006866 {
6867 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
6868 goto exit;
6869 }
6870
6871exit:
6872 mbedtls_md_free( &ctx );
6873
6874 if( ret != 0 )
6875 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6876 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
6877
6878 return( ret );
6879}
Andrzej Kurekd6db9be2019-01-10 05:27:10 -05006880#endif /* MBEDTLS_USE_PSA_CRYPTO */
6881
TRodziewicz0f82ec62021-05-12 17:49:18 +02006882#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01006883
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02006884#endif /* MBEDTLS_SSL_TLS_C */