TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ccc13d03c3b0f8c73031d4036075466c426f5eee / . / library / ssl_msg.c
blob: e739e2fb69081f3e62ca5b7725da5f90b309f491 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4 *
Hanno Beckerf1a38282020-02-05 16:14:29 +0000[diff] [blame]5 * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]19 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]20 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]39#if defined(MBEDTLS_PLATFORM_C)
40#include "mbedtls/platform.h"
41#else
42#include <stdlib.h>
43#define mbedtls_calloc calloc
44#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]45#endif
46
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]47#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200[diff] [blame]48#include "mbedtls/ssl_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]49#include "mbedtls/debug.h"
50#include "mbedtls/error.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Hanno Beckera835da52019-05-16 12:39:07 +0100[diff] [blame]52#include "mbedtls/version.h"
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]53
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]54#include <string.h>
55
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]56#if defined(MBEDTLS_USE_PSA_CRYPTO)
57#include "mbedtls/psa_util.h"
58#include "psa/crypto.h"
59#endif
60
Janos Follath23bdca02016-10-07 14:47:14 +0100[diff] [blame]61#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]62#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]63#endif
64
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]65static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]66
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]67/*
68 * Start a timer.
69 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]70 */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]71void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]72{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]73 if( ssl->f_set_timer == NULL )
74 return;
75
76 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
77 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]78}
79
80/*
81 * Return -1 is timer is expired, 0 if it isn't.
82 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]83int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]84{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]85 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]86 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]87
88 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]89 {
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]91 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]92 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]93
94 return( 0 );
95}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]96
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]97#if defined(MBEDTLS_SSL_RECORD_CHECKING)
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]98static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
99 unsigned char *buf,
100 size_t len,
101 mbedtls_record *rec );
102
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]103int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
104 unsigned char *buf,
105 size_t buflen )
106{
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]107 int ret = 0;
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
109 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
110
111 /* We don't support record checking in TLS because
112 * (a) there doesn't seem to be a usecase for it, and
113 * (b) In SSLv3 and TLS 1.0, CBC record decryption has state
114 * and we'd need to backup the transform here.
115 */
116 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
117 {
118 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
119 goto exit;
120 }
121#if defined(MBEDTLS_SSL_PROTO_DTLS)
122 else
123 {
irwir734f0cf2019-09-26 21:03:24 +0300[diff] [blame]124 mbedtls_record rec;
125
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]126 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
127 if( ret != 0 )
128 {
129 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
130 goto exit;
131 }
132
133 if( ssl->transform_in != NULL )
134 {
135 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
136 if( ret != 0 )
137 {
138 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
139 goto exit;
140 }
141 }
142 }
143#endif /* MBEDTLS_SSL_PROTO_DTLS */
144
145exit:
146 /* On success, we have decrypted the buffer in-place, so make
147 * sure we don't leak any plaintext data. */
148 mbedtls_platform_zeroize( buf, buflen );
149
150 /* For the purpose of this API, treat messages with unexpected CID
151 * as well as such from future epochs as unexpected. */
152 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
153 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
154 {
155 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
156 }
157
158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
159 return( ret );
Hanno Beckercfe45792019-07-03 16:13:00 +0100[diff] [blame]160}
161#endif /* MBEDTLS_SSL_RECORD_CHECKING */
162
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]163#define SSL_DONT_FORCE_FLUSH 0
164#define SSL_FORCE_FLUSH 1
165
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]166#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]167
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]168/* Forward declarations for functions related to message buffering. */
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]169static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
170 uint8_t slot );
171static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
172static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
173static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
174static int ssl_buffer_message( mbedtls_ssl_context *ssl );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]175static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
176 mbedtls_record const *rec );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]177static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]178
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]179static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]180{
Hanno Becker89490712020-02-05 10:50:12 +0000[diff] [blame]181 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]182#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
183 size_t out_buf_len = ssl->out_buf_len;
184#else
185 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
186#endif
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]187
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]188 if( mtu != 0 && mtu < out_buf_len )
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]189 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]190
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]191 return( out_buf_len );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]192}
193
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]194static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
195{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]196 size_t const bytes_written = ssl->out_left;
197 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]198
199 /* Double-check that the write-index hasn't gone
200 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]201 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]202 {
203 /* Should never happen... */
204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
205 }
206
207 return( (int) ( mtu - bytes_written ) );
208}
209
210static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
211{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]212 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]213 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400[diff] [blame]214 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]215
216#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]217 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]218
219 if( max_len > mfl )
220 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100[diff] [blame]221
222 /* By the standard (RFC 6066 Sect. 4), the MFL extension
223 * only limits the maximum record payload size, so in theory
224 * we would be allowed to pack multiple records of payload size
225 * MFL into a single datagram. However, this would mean that there's
226 * no way to explicitly communicate MTU restrictions to the peer.
227 *
228 * The following reduction of max_len makes sure that we never
229 * write datagrams larger than MFL + Record Expansion Overhead.
230 */
231 if( max_len <= ssl->out_left )
232 return( 0 );
233
234 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]235#endif
236
237 ret = ssl_get_remaining_space_in_datagram( ssl );
238 if( ret < 0 )
239 return( ret );
240 remaining = (size_t) ret;
241
242 ret = mbedtls_ssl_get_record_expansion( ssl );
243 if( ret < 0 )
244 return( ret );
245 expansion = (size_t) ret;
246
247 if( remaining <= expansion )
248 return( 0 );
249
250 remaining -= expansion;
251 if( remaining >= max_len )
252 remaining = max_len;
253
254 return( (int) remaining );
255}
256
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]257/*
258 * Double the retransmit timeout value, within the allowed range,
259 * returning -1 if the maximum value has already been reached.
260 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]261static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]262{
263 uint32_t new_timeout;
264
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]265 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]266 return( -1 );
267
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]268 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
269 * in the following way: after the initial transmission and a first
270 * retransmission, back off to a temporary estimated MTU of 508 bytes.
271 * This value is guaranteed to be deliverable (if not guaranteed to be
272 * delivered) of any compliant IPv4 (and IPv6) network, and should work
273 * on most non-IP stacks too. */
274 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]275 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]276 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]277 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
278 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]279
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]280 new_timeout = 2 * ssl->handshake->retransmit_timeout;
281
282 /* Avoid arithmetic overflow and range overflow */
283 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]284 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]285 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]286 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]287 }
288
289 ssl->handshake->retransmit_timeout = new_timeout;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]291 ssl->handshake->retransmit_timeout ) );
292
293 return( 0 );
294}
295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]296static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]297{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]298 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]300 ssl->handshake->retransmit_timeout ) );
301}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]302#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]304#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
305int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]306 const unsigned char *key_enc, const unsigned char *key_dec,
307 size_t keylen,
308 const unsigned char *iv_enc, const unsigned char *iv_dec,
309 size_t ivlen,
310 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]311 size_t maclen ) = NULL;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]312int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
313int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
314int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
315int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
316int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
317#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]318
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]319/* The function below is only used in the Lucky 13 counter-measure in
Hanno Beckerb2ca87d2018-10-18 15:43:13 +0100[diff] [blame]320 * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]321#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]322 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
323 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
324 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
325/* This function makes sure every byte in the memory region is accessed
326 * (in ascending addresses order) */
327static void ssl_read_memory( unsigned char *p, size_t len )
328{
329 unsigned char acc = 0;
330 volatile unsigned char force;
331
332 for( ; len != 0; p++, len-- )
333 acc ^= *p;
334
335 force = acc;
336 (void) force;
337}
338#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
339
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]340/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]342 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]343
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame^]344#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \
345 defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]346/* This functions transforms a (D)TLS plaintext fragment and a record content
347 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
348 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
349 * a record's content type.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]350 *
351 * struct {
352 * opaque content[DTLSPlaintext.length];
353 * ContentType real_type;
354 * uint8 zeros[length_of_padding];
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]355 * } (D)TLSInnerPlaintext;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]356 *
357 * Input:
358 * - `content`: The beginning of the buffer holding the
359 * plaintext to be wrapped.
360 * - `*content_size`: The length of the plaintext in Bytes.
361 * - `max_len`: The number of Bytes available starting from
362 * `content`. This must be `>= *content_size`.
363 * - `rec_type`: The desired record content type.
364 *
365 * Output:
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]366 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
367 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]368 *
369 * Returns:
370 * - `0` on success.
371 * - A negative error code if `max_len` didn't offer enough space
372 * for the expansion.
373 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]374static int ssl_build_inner_plaintext( unsigned char *content,
375 size_t *content_size,
376 size_t remaining,
377 uint8_t rec_type )
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]378{
379 size_t len = *content_size;
Hanno Beckerb9ec44f2019-05-13 15:31:17 +0100[diff] [blame]380 size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
381 ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
382 MBEDTLS_SSL_CID_PADDING_GRANULARITY;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]383
384 /* Write real content type */
385 if( remaining == 0 )
386 return( -1 );
387 content[ len ] = rec_type;
388 len++;
389 remaining--;
390
391 if( remaining < pad )
392 return( -1 );
393 memset( content + len, 0, pad );
394 len += pad;
395 remaining -= pad;
396
397 *content_size = len;
398 return( 0 );
399}
400
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]401/* This function parses a (D)TLSInnerPlaintext structure.
402 * See ssl_build_inner_plaintext() for details. */
403static int ssl_parse_inner_plaintext( unsigned char const *content,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]404 size_t *content_size,
405 uint8_t *rec_type )
406{
407 size_t remaining = *content_size;
408
409 /* Determine length of padding by skipping zeroes from the back. */
410 do
411 {
412 if( remaining == 0 )
413 return( -1 );
414 remaining--;
415 } while( content[ remaining ] == 0 );
416
417 *content_size = remaining;
418 *rec_type = content[ remaining ];
419
420 return( 0 );
421}
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame^]422#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
423 MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]424
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]425/* `add_data` must have size 13 Bytes if the CID extension is disabled,
Hanno Beckerc4a190b2019-05-08 18:15:21 +0100[diff] [blame]426 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]427static void ssl_extract_add_data_from_record( unsigned char* add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]428 size_t *add_data_len,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]429 mbedtls_record *rec )
430{
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]431 /* Quoting RFC 5246 (TLS 1.2):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]432 *
433 * additional_data = seq_num + TLSCompressed.type +
434 * TLSCompressed.version + TLSCompressed.length;
435 *
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]436 * For the CID extension, this is extended as follows
437 * (quoting draft-ietf-tls-dtls-connection-id-05,
438 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]439 *
440 * additional_data = seq_num + DTLSPlaintext.type +
441 * DTLSPlaintext.version +
Hanno Beckerd5aeab12019-05-20 14:50:53 +0100[diff] [blame]442 * cid +
443 * cid_length +
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]444 * length_of_DTLSInnerPlaintext;
445 */
446
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]447 memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );
448 add_data[8] = rec->type;
Hanno Beckeredb24f82019-05-20 15:01:46 +0100[diff] [blame]449 memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]450
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]451#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]452 if( rec->cid_len != 0 )
453 {
454 memcpy( add_data + 11, rec->cid, rec->cid_len );
455 add_data[11 + rec->cid_len + 0] = rec->cid_len;
456 add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
457 add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
458 *add_data_len = 13 + 1 + rec->cid_len;
459 }
460 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]461#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker95e4bbc2019-05-09 11:38:24 +0100[diff] [blame]462 {
463 add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
464 add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
465 *add_data_len = 13;
466 }
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]467}
468
Hanno Becker9d062f92020-02-07 10:26:36 +0000[diff] [blame]469#if defined(MBEDTLS_SSL_PROTO_SSL3)
470
471#define SSL3_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
472
473/*
474 * SSLv3.0 MAC functions
475 */
476static void ssl_mac( mbedtls_md_context_t *md_ctx,
477 const unsigned char *secret,
478 const unsigned char *buf, size_t len,
479 const unsigned char *ctr, int type,
480 unsigned char out[SSL3_MAC_MAX_BYTES] )
481{
482 unsigned char header[11];
483 unsigned char padding[48];
484 int padlen;
485 int md_size = mbedtls_md_get_size( md_ctx->md_info );
486 int md_type = mbedtls_md_get_type( md_ctx->md_info );
487
488 /* Only MD5 and SHA-1 supported */
489 if( md_type == MBEDTLS_MD_MD5 )
490 padlen = 48;
491 else
492 padlen = 40;
493
494 memcpy( header, ctr, 8 );
495 header[ 8] = (unsigned char) type;
496 header[ 9] = (unsigned char)( len >> 8 );
497 header[10] = (unsigned char)( len );
498
499 memset( padding, 0x36, padlen );
500 mbedtls_md_starts( md_ctx );
501 mbedtls_md_update( md_ctx, secret, md_size );
502 mbedtls_md_update( md_ctx, padding, padlen );
503 mbedtls_md_update( md_ctx, header, 11 );
504 mbedtls_md_update( md_ctx, buf, len );
505 mbedtls_md_finish( md_ctx, out );
506
507 memset( padding, 0x5C, padlen );
508 mbedtls_md_starts( md_ctx );
509 mbedtls_md_update( md_ctx, secret, md_size );
510 mbedtls_md_update( md_ctx, padding, padlen );
511 mbedtls_md_update( md_ctx, out, md_size );
512 mbedtls_md_finish( md_ctx, out );
513}
514#endif /* MBEDTLS_SSL_PROTO_SSL3 */
515
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]516int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
517 mbedtls_ssl_transform *transform,
518 mbedtls_record *rec,
519 int (*f_rng)(void *, unsigned char *, size_t),
520 void *p_rng )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]523 int auth_done = 0;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]524 unsigned char * data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]525 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]526 size_t add_data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]527 size_t post_avail;
528
529 /* The SSL context is only used for debugging purposes! */
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]530#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]531 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]532 ((void) ssl);
533#endif
534
535 /* The PRNG is used for dynamic IV generation that's used
536 * for CBC transformations in TLS 1.1 and TLS 1.2. */
537#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
538 ( defined(MBEDTLS_AES_C) || \
539 defined(MBEDTLS_ARIA_C) || \
540 defined(MBEDTLS_CAMELLIA_C) ) && \
541 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
542 ((void) f_rng);
543 ((void) p_rng);
544#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]548 if( transform == NULL )
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]549 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
551 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
552 }
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]553 if( rec == NULL
554 || rec->buf == NULL
555 || rec->buf_len < rec->data_offset
556 || rec->buf_len - rec->data_offset < rec->data_len
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]557#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]558 || rec->cid_len != 0
559#endif
560 )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]561 {
562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]564 }
565
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]566 data = rec->buf + rec->data_offset;
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]567 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]568 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]569 data, rec->data_len );
570
571 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
572
573 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
574 {
575 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
576 (unsigned) rec->data_len,
577 MBEDTLS_SSL_OUT_CONTENT_LEN ) );
578 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
579 }
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +0100[diff] [blame]580
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame^]581#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
582 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
583 {
584 /*
585 * Wrap plaintext into TLSInnerPlaintext structure.
586 * See ssl_build_inner_plaintext() for more information.
587 *
588 * Note that this changes `rec->data_len`, and hence
589 * `post_avail` needs to be recalculated afterwards.
590 */
591 if( ssl_build_inner_plaintext( data,
592 &rec->data_len,
593 post_avail,
594 rec->type ) != 0 )
595 {
596 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
597 }
598
599 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
600 }
601#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
602
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]603#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]604 /*
605 * Add CID information
606 */
607 rec->cid_len = transform->out_cid_len;
608 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
609 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]610
611 if( rec->cid_len != 0 )
612 {
613 /*
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]614 * Wrap plaintext into DTLSInnerPlaintext structure.
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]615 * See ssl_build_inner_plaintext() for more information.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]616 *
Hanno Becker07dc97d2019-05-20 15:08:01 +0100[diff] [blame]617 * Note that this changes `rec->data_len`, and hence
618 * `post_avail` needs to be recalculated afterwards.
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]619 */
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]620 if( ssl_build_inner_plaintext( data,
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]621 &rec->data_len,
622 post_avail,
623 rec->type ) != 0 )
624 {
625 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
626 }
627
628 rec->type = MBEDTLS_SSL_MSG_CID;
629 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]630#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]631
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]632 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
633
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]635 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]637#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]638 if( mode == MBEDTLS_MODE_STREAM ||
639 ( mode == MBEDTLS_MODE_CBC
640#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]641 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]642#endif
643 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]645 if( post_avail < transform->maclen )
646 {
647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
648 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
649 }
650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]651#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]652 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]653 {
Hanno Becker9d062f92020-02-07 10:26:36 +0000[diff] [blame]654 unsigned char mac[SSL3_MAC_MAX_BYTES];
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]655 ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
656 data, rec->data_len, rec->ctr, rec->type, mac );
657 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]658 }
659 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]660#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]661#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
662 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]663 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]664 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]665 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
666
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]667 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]668
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]669 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]670 add_data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]671 mbedtls_md_hmac_update( &transform->md_ctx_enc,
672 data, rec->data_len );
673 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
674 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
675
676 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]677 }
678 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]679#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]680 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
682 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]683 }
684
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]685 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
686 transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]687
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]688 rec->data_len += transform->maclen;
689 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]690 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]691 }
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]692#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]694 /*
695 * Encrypt
696 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
698 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]700 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]701 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]703 "including %d bytes of padding",
704 rec->data_len, 0 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]706 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
707 transform->iv_enc, transform->ivlen,
708 data, rec->data_len,
709 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]711 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]712 return( ret );
713 }
714
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]715 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]716 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
718 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]719 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]721 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]723
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]724#if defined(MBEDTLS_GCM_C) || \
725 defined(MBEDTLS_CCM_C) || \
726 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]728 mode == MBEDTLS_MODE_CCM ||
729 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]730 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]731 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]732 unsigned char iv[12];
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]733 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]734
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]735 /* Check that there's space for both the authentication tag
736 * and the explicit IV before and after the record content. */
737 if( post_avail < transform->taglen ||
738 rec->data_offset < explicit_iv_len )
739 {
740 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
741 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
742 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]743
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]744 /*
745 * Generate IV
746 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]747 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
748 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]749 /* GCM and CCM: fixed || explicit (=seqnum) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]750 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]751 memcpy( iv + transform->fixed_ivlen, rec->ctr,
752 explicit_iv_len );
753 /* Prefix record content with explicit IV. */
754 memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]755 }
756 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
757 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]758 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]759 unsigned char i;
760
761 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
762
763 for( i = 0; i < 8; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]764 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]765 }
766 else
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]767 {
768 /* Reminder if we ever add an AEAD mode with a different size */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
770 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]771 }
772
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]773 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]774
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]775 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
776 iv, transform->ivlen );
777 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]778 data - explicit_iv_len, explicit_iv_len );
779 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]780 add_data, add_data_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]782 "including 0 bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]783 rec->data_len ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]784
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]785 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]786 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]787 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]788
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]789 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]790 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]791 add_data, add_data_len, /* add data */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]792 data, rec->data_len, /* source */
793 data, &rec->data_len, /* destination */
794 data + rec->data_len, transform->taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]795 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]796 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]797 return( ret );
798 }
799
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]800 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
801 data + rec->data_len, transform->taglen );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]802
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]803 rec->data_len += transform->taglen + explicit_iv_len;
804 rec->data_offset -= explicit_iv_len;
805 post_avail -= transform->taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]806 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]807 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]809#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
810#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]811 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]812 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]813 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]814 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]815 size_t padlen, i;
816 size_t olen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]817
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]818 /* Currently we're always using minimal padding
819 * (up to 255 bytes would be allowed). */
820 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
821 if( padlen == transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 padlen = 0;
823
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]824 /* Check there's enough space in the buffer for the padding. */
825 if( post_avail < padlen + 1 )
826 {
827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
828 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
829 }
830
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831 for( i = 0; i <= padlen; i++ )
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]832 data[rec->data_len + i] = (unsigned char) padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]833
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]834 rec->data_len += padlen + 1;
835 post_avail -= padlen + 1;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]836
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]837#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]838 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]839 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
840 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]841 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]842 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]843 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]844 if( f_rng == NULL )
845 {
846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
847 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
848 }
849
850 if( rec->data_offset < transform->ivlen )
851 {
852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
853 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
854 }
855
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]856 /*
857 * Generate IV
858 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]859 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]860 if( ret != 0 )
861 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]862
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]863 memcpy( data - transform->ivlen, transform->iv_enc,
864 transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]865
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]866 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]867#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]869 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]870 "including %d bytes of IV and %d bytes of padding",
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]871 rec->data_len, transform->ivlen,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]872 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]874 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
875 transform->iv_enc,
876 transform->ivlen,
877 data, rec->data_len,
878 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]879 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]880 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]881 return( ret );
882 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]883
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]884 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]885 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
887 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]888 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]889
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]890#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]891 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]892 {
893 /*
894 * Save IV in SSL3 and TLS1
895 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]896 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
897 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898 }
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]899 else
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]900#endif
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]901 {
902 data -= transform->ivlen;
903 rec->data_offset -= transform->ivlen;
904 rec->data_len += transform->ivlen;
905 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]906
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]907#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]908 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]909 {
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]910 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
911
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]912 /*
913 * MAC(MAC_write_key, seq_num +
914 * TLSCipherText.type +
915 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]916 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]917 * IV + // except for TLS 1.0
918 * ENC(content + padding + padding_length));
919 */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]920
921 if( post_avail < transform->maclen)
922 {
923 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
924 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
925 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]926
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]927 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker1f10d762019-04-26 13:34:37 +0100[diff] [blame]928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]929 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]930 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]931 add_data_len );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]932
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]933 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]934 add_data_len );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]935 mbedtls_md_hmac_update( &transform->md_ctx_enc,
936 data, rec->data_len );
937 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
938 mbedtls_md_hmac_reset( &transform->md_ctx_enc );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]939
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]940 memcpy( data + rec->data_len, mac, transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]941
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]942 rec->data_len += transform->maclen;
943 post_avail -= transform->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]944 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]945 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]946#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]948 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]949#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]950 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]951 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
953 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]954 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]956 /* Make extra sure authentication was performed, exactly once */
957 if( auth_done != 1 )
958 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
960 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]961 }
962
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]964
965 return( 0 );
966}
967
Hanno Becker605949f2019-07-12 08:23:59 +0100[diff] [blame]968int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]969 mbedtls_ssl_transform *transform,
970 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971{
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]972 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]973 mbedtls_cipher_mode_t mode;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]974 int ret, auth_done = 0;
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]975#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]976 size_t padlen = 0, correct = 1;
977#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]978 unsigned char* data;
Hanno Becker92fb4fa2019-05-20 14:54:26 +0100[diff] [blame]979 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]980 size_t add_data_len;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]981
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]982#if !defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnarda7505d12019-05-07 10:17:56 +0200[diff] [blame]983 ssl = NULL; /* make sure we don't use it except for debug */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]984 ((void) ssl);
985#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]987 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]988 if( rec == NULL ||
989 rec->buf == NULL ||
990 rec->buf_len < rec->data_offset ||
991 rec->buf_len - rec->data_offset < rec->data_len )
992 {
993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]995 }
996
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]997 data = rec->buf + rec->data_offset;
998 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1000#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1001 /*
1002 * Match record's CID with incoming CID.
1003 */
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1004 if( rec->cid_len != transform->in_cid_len ||
1005 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1006 {
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]1007 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
Hanno Becker938489a2019-05-08 13:02:22 +0100[diff] [blame]1008 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1009#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1010
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1012 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1013 {
1014 padlen = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1015 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1016 transform->iv_dec,
1017 transform->ivlen,
1018 data, rec->data_len,
1019 data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1020 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1022 return( ret );
1023 }
1024
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1025 if( rec->data_len != olen )
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1026 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1028 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1029 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1031 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1033#if defined(MBEDTLS_GCM_C) || \
1034 defined(MBEDTLS_CCM_C) || \
1035 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1036 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1037 mode == MBEDTLS_MODE_CCM ||
1038 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1039 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1040 unsigned char iv[12];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1041 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1042
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1043 /*
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1044 * Prepare IV from explicit and implicit data.
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1045 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1046
1047 /* Check that there's enough space for the explicit IV
1048 * (at the beginning of the record) and the MAC (at the
1049 * end of the record). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1050 if( rec->data_len < explicit_iv_len + transform->taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1051 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1053 "+ taglen (%d)", rec->data_len,
1054 explicit_iv_len, transform->taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]1056 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1057
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1058#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1059 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1060 {
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1061 /* GCM and CCM: fixed || explicit */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1062
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1063 /* Fixed */
1064 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1065 /* Explicit */
1066 memcpy( iv + transform->fixed_ivlen, data, 8 );
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1067 }
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1068 else
1069#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1070#if defined(MBEDTLS_CHACHAPOLY_C)
1071 if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1072 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1073 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1074 unsigned char i;
1075
1076 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
1077
1078 for( i = 0; i < 8; i++ )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1079 iv[i+4] ^= rec->ctr[i];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1080 }
1081 else
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1082#endif /* MBEDTLS_CHACHAPOLY_C */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1083 {
1084 /* Reminder if we ever add an AEAD mode with a different size */
1085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1086 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1087 }
1088
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1089 /* Group changes to data, data_len, and add_data, because
1090 * add_data depends on data_len. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1091 data += explicit_iv_len;
1092 rec->data_offset += explicit_iv_len;
1093 rec->data_len -= explicit_iv_len + transform->taglen;
1094
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1095 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1096 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1097 add_data, add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1098
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1099 /* Because of the check above, we know that there are
1100 * explicit_iv_len Bytes preceeding data, and taglen
1101 * bytes following data + data_len. This justifies
Hanno Becker20016652019-07-10 11:44:13 +0100[diff] [blame]1102 * the debug message and the invocation of
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1103 * mbedtls_cipher_auth_decrypt() below. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1104
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1105 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1106 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1107 transform->taglen );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1108
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1109 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1110 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1111 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1112 if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
1113 iv, transform->ivlen,
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1114 add_data, add_data_len,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1115 data, rec->data_len,
1116 data, &olen,
1117 data + rec->data_len,
1118 transform->taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1119 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1120 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1122 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1123 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1124
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1125 return( ret );
1126 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1127 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1128
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1129 /* Double-check that AEAD decryption doesn't change content length. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1130 if( olen != rec->data_len )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1131 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1133 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1134 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1135 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1137#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1138#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1139 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1140 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1141 {
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1142 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1143
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1144 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1145 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1147#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1148 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1149 {
1150 /* The ciphertext is prefixed with the CBC IV. */
1151 minlen += transform->ivlen;
1152 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1153#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1154
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1155 /* Size considerations:
1156 *
1157 * - The CBC cipher text must not be empty and hence
1158 * at least of size transform->ivlen.
1159 *
1160 * Together with the potential IV-prefix, this explains
1161 * the first of the two checks below.
1162 *
1163 * - The record must contain a MAC, either in plain or
1164 * encrypted, depending on whether Encrypt-then-MAC
1165 * is used or not.
1166 * - If it is, the message contains the IV-prefix,
1167 * the CBC ciphertext, and the MAC.
1168 * - If it is not, the padded plaintext, and hence
1169 * the CBC ciphertext, has at least length maclen + 1
1170 * because there is at least the padding length byte.
1171 *
1172 * As the CBC ciphertext is not empty, both cases give the
1173 * lower bound minlen + maclen + 1 on the record size, which
1174 * we test for in the second check below.
1175 */
1176 if( rec->data_len < minlen + transform->ivlen ||
1177 rec->data_len < minlen + transform->maclen + 1 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1178 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1180 "+ 1 ) ( + expl IV )", rec->data_len,
1181 transform->ivlen,
1182 transform->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1184 }
1185
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1186 /*
1187 * Authenticate before decrypt if enabled
1188 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1189#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1190 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1191 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1192 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1194 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1195
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1196 /* Update data_len in tandem with add_data.
1197 *
1198 * The subtraction is safe because of the previous check
1199 * data_len >= minlen + maclen + 1.
1200 *
1201 * Afterwards, we know that data + data_len is followed by at
1202 * least maclen Bytes, which justifies the call to
1203 * mbedtls_ssl_safer_memcmp() below.
1204 *
1205 * Further, we still know that data_len > minlen */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1206 rec->data_len -= transform->maclen;
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1207 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1208
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1209 /* Calculate expected MAC. */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1210 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1211 add_data_len );
1212 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1213 add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1214 mbedtls_md_hmac_update( &transform->md_ctx_dec,
1215 data, rec->data_len );
1216 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1217 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]1218
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1219 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1220 transform->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1221 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1222 transform->maclen );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1223
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1224 /* Compare expected MAC with MAC at the end of the record. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1225 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1226 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1227 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1229 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1230 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1231 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1232 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1233#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1234
1235 /*
1236 * Check length sanity
1237 */
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1238
1239 /* We know from above that data_len > minlen >= 0,
1240 * so the following check in particular implies that
1241 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1242 if( rec->data_len % transform->ivlen != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1243 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1245 rec->data_len, transform->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1247 }
1248
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1249#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1250 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1251 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1252 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1253 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1254 {
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1255 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1256 memcpy( transform->iv_dec, data, transform->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1257
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1258 data += transform->ivlen;
1259 rec->data_offset += transform->ivlen;
1260 rec->data_len -= transform->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1261 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1262#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1263
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1264 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1265
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1266 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1267 transform->iv_dec, transform->ivlen,
1268 data, rec->data_len, data, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1269 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1270 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1271 return( ret );
1272 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1273
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1274 /* Double-check that length hasn't changed during decryption. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1275 if( rec->data_len != olen )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1276 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1278 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1279 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1280
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1281#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1282 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1283 {
1284 /*
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1285 * Save IV in SSL3 and TLS1, where CBC decryption of consecutive
1286 * records is equivalent to CBC decryption of the concatenation
1287 * of the records; in other words, IVs are maintained across
1288 * record decryptions.
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1289 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1290 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
1291 transform->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]1293#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1294
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1295 /* Safe since data_len >= minlen + maclen + 1, so after having
1296 * subtracted at most minlen and maclen up to this point,
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1297 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1298 * >= ivlen ). */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1299 padlen = data[rec->data_len - 1];
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1300
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1301 if( auth_done == 1 )
1302 {
1303 correct *= ( rec->data_len >= padlen + 1 );
1304 padlen *= ( rec->data_len >= padlen + 1 );
1305 }
1306 else
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1307 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1308#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1309 if( rec->data_len < transform->maclen + padlen + 1 )
1310 {
1311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1312 rec->data_len,
1313 transform->maclen,
1314 padlen + 1 ) );
1315 }
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1316#endif
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1317
1318 correct *= ( rec->data_len >= transform->maclen + padlen + 1 );
1319 padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1320 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1322 padlen++;
1323
1324 /* Regardless of the validity of the padding,
1325 * we have data_len >= padlen here. */
1326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1328 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1330 if( padlen > transform->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1332#if defined(MBEDTLS_SSL_DEBUG_ALL)
1333 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1334 "should be no more than %d",
1335 padlen, transform->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1336#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]1337 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338 }
1339 }
1340 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1342#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1343 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1344 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1345 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1346 /* The padding check involves a series of up to 256
1347 * consecutive memory reads at the end of the record
1348 * plaintext buffer. In order to hide the length and
1349 * validity of the padding, always perform exactly
1350 * `min(256,plaintext_len)` reads (but take into account
1351 * only the last `padlen` bytes for the padding check). */
1352 size_t pad_count = 0;
1353 size_t real_count = 0;
1354 volatile unsigned char* const check = data;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1355
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1356 /* Index of first padding byte; it has been ensured above
1357 * that the subtraction is safe. */
1358 size_t const padding_idx = rec->data_len - padlen;
1359 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1360 size_t const start_idx = rec->data_len - num_checks;
1361 size_t idx;
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]1362
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1363 for( idx = start_idx; idx < rec->data_len; idx++ )
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]1364 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1365 real_count |= ( idx >= padding_idx );
1366 pad_count += real_count * ( check[idx] == padlen - 1 );
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]1367 }
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1368 correct &= ( pad_count == padlen );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370#if defined(MBEDTLS_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1371 if( padlen > 0 && correct == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]1373#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1374 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1376 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1378 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1379 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1381 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1382 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1383
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1384 /* If the padding was found to be invalid, padlen == 0
1385 * and the subtraction is safe. If the padding was found valid,
1386 * padlen hasn't been changed and the previous assertion
1387 * data_len >= padlen still holds. */
1388 rec->data_len -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1389 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1390 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1392 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1393 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1395 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]1396 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1397
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1398#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1400 data, rec->data_len );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]1401#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402
1403 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]1404 * Authenticate if not done yet.
1405 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1406 */
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1407#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1408 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1409 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1410 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]1411
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1412 /* If the initial value of padlen was such that
1413 * data_len < maclen + padlen + 1, then padlen
1414 * got reset to 1, and the initial check
1415 * data_len >= minlen + maclen + 1
1416 * guarantees that at this point we still
1417 * have at least data_len >= maclen.
1418 *
1419 * If the initial value of padlen was such that
1420 * data_len >= maclen + padlen + 1, then we have
1421 * subtracted either padlen + 1 (if the padding was correct)
1422 * or 0 (if the padding was incorrect) since then,
1423 * hence data_len >= maclen in any case.
1424 */
1425 rec->data_len -= transform->maclen;
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1426 ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1428#if defined(MBEDTLS_SSL_PROTO_SSL3)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1429 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1430 {
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1431 ssl_mac( &transform->md_ctx_dec,
1432 transform->mac_dec,
1433 data, rec->data_len,
1434 rec->ctr, rec->type,
1435 mac_expect );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1436 }
1437 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1438#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1439#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1440 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1441 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1442 {
1443 /*
1444 * Process MAC and always update for padlen afterwards to make
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1445 * total time independent of padlen.
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1446 *
1447 * Known timing attacks:
1448 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1449 *
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1450 * To compensate for different timings for the MAC calculation
1451 * depending on how much padding was removed (which is determined
1452 * by padlen), process extra_run more blocks through the hash
1453 * function.
1454 *
1455 * The formula in the paper is
1456 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
1457 * where L1 is the size of the header plus the decrypted message
1458 * plus CBC padding and L2 is the size of the header plus the
1459 * decrypted message. This is for an underlying hash function
1460 * with 64-byte blocks.
1461 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
1462 * correctly. We round down instead of up, so -56 is the correct
1463 * value for our calculations instead of -55.
1464 *
Gilles Peskine1bd9d582018-06-04 11:58:44 +0200[diff] [blame]1465 * Repeat the formula rather than defining a block_size variable.
1466 * This avoids requiring division by a variable at runtime
1467 * (which would be marginally less efficient and would require
1468 * linking an extra division function in some builds).
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1469 */
1470 size_t j, extra_run = 0;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1471 unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1472
1473 /*
1474 * The next two sizes are the minimum and maximum values of
1475 * in_msglen over all padlen values.
1476 *
1477 * They're independent of padlen, since we previously did
Hanno Beckerd96a6522019-07-10 13:55:25 +0100[diff] [blame]1478 * data_len -= padlen.
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1479 *
1480 * Note that max_len + maclen is never more than the buffer
1481 * length, as we previously did in_msglen -= maclen too.
1482 */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1483 const size_t max_len = rec->data_len + padlen;
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1484 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1485
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1486 memset( tmp, 0, sizeof( tmp ) );
1487
1488 switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1489 {
Gilles Peskined0e55a42018-06-04 12:03:30 +0200[diff] [blame]1490#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
1491 defined(MBEDTLS_SHA256_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1492 case MBEDTLS_MD_MD5:
1493 case MBEDTLS_MD_SHA1:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1494 case MBEDTLS_MD_SHA256:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1495 /* 8 bytes of message size, 64-byte compression blocks */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1496 extra_run =
1497 ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
1498 ( add_data_len + rec->data_len + 8 ) / 64;
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1499 break;
1500#endif
Gilles Peskinea7fe25d2018-06-04 12:01:18 +0200[diff] [blame]1501#if defined(MBEDTLS_SHA512_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1502 case MBEDTLS_MD_SHA384:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1503 /* 16 bytes of message size, 128-byte compression blocks */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1504 extra_run =
1505 ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
1506 ( add_data_len + rec->data_len + 16 ) / 128;
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1507 break;
1508#endif
1509 default:
Gilles Peskine5c389842018-06-04 12:02:43 +0200[diff] [blame]1510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]1511 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1512 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1513
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1514 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1515
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]1516 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1517 add_data_len );
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1518 mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
1519 rec->data_len );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1520 /* Make sure we access everything even when padlen > 0. This
1521 * makes the synchronisation requirements for just-in-time
1522 * Prime+Probe attacks much tighter and hopefully impractical. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1523 ssl_read_memory( data + rec->data_len, padlen );
1524 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1525
1526 /* Call mbedtls_md_process at least once due to cache attacks
1527 * that observe whether md_process() was called of not */
Manuel Pégourié-Gonnard47fede02015-04-29 01:35:48 +0200[diff] [blame]1528 for( j = 0; j < extra_run + 1; j++ )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1529 mbedtls_md_process( &transform->md_ctx_dec, tmp );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1530
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1531 mbedtls_md_hmac_reset( &transform->md_ctx_dec );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1532
1533 /* Make sure we access all the memory that could contain the MAC,
1534 * before we check it in the next code block. This makes the
1535 * synchronisation requirements for just-in-time Prime+Probe
1536 * attacks much tighter and hopefully impractical. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1537 ssl_read_memory( data + min_len,
1538 max_len - min_len + transform->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1539 }
1540 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1541#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1542 MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1543 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1545 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1546 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1548#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1549 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
1550 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1551#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1552
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]1553 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1554 transform->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1555 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1556#if defined(MBEDTLS_SSL_DEBUG_ALL)
1557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]1558#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1559 correct = 0;
1560 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1561 auth_done++;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1562 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +0100[diff] [blame]1563
1564 /*
1565 * Finally check the correct flag
1566 */
1567 if( correct == 0 )
1568 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Hanno Becker52344c22018-01-03 15:24:20 +0000[diff] [blame]1569#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1570
1571 /* Make extra sure authentication was performed, exactly once */
1572 if( auth_done != 1 )
1573 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1575 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1576 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1577
Hanno Beckerccc13d02020-05-04 12:30:04 +0100[diff] [blame^]1578#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1579 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1580 {
1581 /* Remove inner padding and infer true content type. */
1582 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1583 &rec->type );
1584
1585 if( ret != 0 )
1586 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1587 }
1588#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1589
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1590#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1591 if( rec->cid_len != 0 )
1592 {
Hanno Becker581bc1b2020-05-04 12:20:03 +0100[diff] [blame]1593 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1594 &rec->type );
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1595 if( ret != 0 )
1596 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1597 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1598#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker8b3eb5a2019-04-29 17:31:37 +0100[diff] [blame]1599
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1600 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1601
1602 return( 0 );
1603}
1604
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1605#undef MAC_NONE
1606#undef MAC_PLAINTEXT
1607#undef MAC_CIPHERTEXT
1608
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1609#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1610/*
1611 * Compression/decompression functions
1612 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1613static int ssl_compress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1614{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1615 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1616 unsigned char *msg_post = ssl->out_msg;
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]1617 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1618 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1619 unsigned char *msg_pre = ssl->compress_buf;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1620#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1621 size_t out_buf_len = ssl->out_buf_len;
1622#else
1623 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1624#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1625
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1626 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1627
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]1628 if( len_pre == 0 )
1629 return( 0 );
1630
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1631 memcpy( msg_pre, ssl->out_msg, len_pre );
1632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1634 ssl->out_msglen ) );
1635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1637 ssl->out_msg, ssl->out_msglen );
1638
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1639 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1640 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1641 ssl->transform_out->ctx_deflate.next_out = msg_post;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1642 ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1643
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1644 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1645 if( ret != Z_OK )
1646 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1648 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1649 }
1650
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1651 ssl->out_msglen = out_buf_len -
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]1652 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1654 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1655 ssl->out_msglen ) );
1656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1658 ssl->out_msg, ssl->out_msglen );
1659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1660 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1661
1662 return( 0 );
1663}
1664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1665static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1666{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1667 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1668 unsigned char *msg_post = ssl->in_msg;
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]1669 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1670 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1671 unsigned char *msg_pre = ssl->compress_buf;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1672#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1673 size_t in_buf_len = ssl->in_buf_len;
1674#else
1675 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1676#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1679
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]1680 if( len_pre == 0 )
1681 return( 0 );
1682
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1683 memcpy( msg_pre, ssl->in_msg, len_pre );
1684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1686 ssl->in_msglen ) );
1687
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1688 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1689 ssl->in_msg, ssl->in_msglen );
1690
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1691 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1692 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1693 ssl->transform_in->ctx_inflate.next_out = msg_post;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1694 ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1695
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1696 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1697 if( ret != Z_OK )
1698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1700 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1701 }
1702
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1703 ssl->in_msglen = in_buf_len -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]1704 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1705
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1707 ssl->in_msglen ) );
1708
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1709 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1710 ssl->in_msg, ssl->in_msglen );
1711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1712 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1713
1714 return( 0 );
1715}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1716#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1717
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1718/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1719 * Fill the input message buffer by appending data to it.
1720 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1721 *
1722 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1723 * available (from this read and/or a previous one). Otherwise, an error code
1724 * is returned (possibly EOF or WANT_READ).
1725 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1726 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1727 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1728 * since we always read a whole datagram at once.
1729 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]1730 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1731 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1733int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1735 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1736 size_t len;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1737#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1738 size_t in_buf_len = ssl->in_buf_len;
1739#else
1740 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1741#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1745 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1746 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1748 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1749 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1750 }
1751
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1752 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1753 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1755 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]1756 }
1757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1758#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1759 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1760 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1761 uint32_t timeout;
1762
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]1763 /* Just to be sure */
1764 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
1765 {
1766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
1767 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
1768 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1769 }
1770
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1771 /*
1772 * The point is, we need to always read a full datagram at once, so we
1773 * sometimes read more then requested, and handle the additional data.
1774 * It could be the rest of the current record (while fetching the
1775 * header) and/or some other records in the same datagram.
1776 */
1777
1778 /*
1779 * Move to the next record in the already read datagram if applicable
1780 */
1781 if( ssl->next_record_offset != 0 )
1782 {
1783 if( ssl->in_left < ssl->next_record_offset )
1784 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1785 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1786 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1787 }
1788
1789 ssl->in_left -= ssl->next_record_offset;
1790
1791 if( ssl->in_left != 0 )
1792 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1793 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1794 ssl->next_record_offset ) );
1795 memmove( ssl->in_hdr,
1796 ssl->in_hdr + ssl->next_record_offset,
1797 ssl->in_left );
1798 }
1799
1800 ssl->next_record_offset = 0;
1801 }
1802
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1803 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1805
1806 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1807 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1808 */
1809 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1810 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1811 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1812 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]1813 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1814
1815 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1816 * A record can't be split across datagrams. If we need to read but
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1817 * are not at the beginning of a new record, the caller did something
1818 * wrong.
1819 */
1820 if( ssl->in_left != 0 )
1821 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1823 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1824 }
1825
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1826 /*
1827 * Don't even try to read if time's out already.
1828 * This avoids by-passing the timer when repeatedly receiving messages
1829 * that will end up being dropped.
1830 */
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1831 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1832 {
1833 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1834 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]1835 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1836 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1837 {
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]1838 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1839
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1840 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1841 timeout = ssl->handshake->retransmit_timeout;
1842 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1843 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1844
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1846
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1847 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1848 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
1849 timeout );
1850 else
1851 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
1852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1853 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1854
1855 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1856 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1857 }
1858
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1859 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]1860 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1861 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]1862 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1865 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1866 if( ssl_double_retransmit_timeout( ssl ) != 0 )
1867 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1869 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1870 }
1871
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1872 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1873 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1874 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]1875 return( ret );
1876 }
1877
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1878 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]1879 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1880#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1881 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1882 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1883 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1884 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1885 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]1886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
1887 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1888 return( ret );
1889 }
1890
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]1891 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]1892 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1893#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]1894 }
1895
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 if( ret < 0 )
1897 return( ret );
1898
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1899 ssl->in_left = ret;
1900 }
1901 else
1902#endif
1903 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]1905 ssl->in_left, nb_want ) );
1906
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1907 while( ssl->in_left < nb_want )
1908 {
1909 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1910
Hanno Becker7876d122020-02-05 10:39:31 +0000[diff] [blame]1911 if( mbedtls_ssl_check_timer( ssl ) != 0 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]1912 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1913 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1914 {
1915 if( ssl->f_recv_timeout != NULL )
1916 {
1917 ret = ssl->f_recv_timeout( ssl->p_bio,
1918 ssl->in_hdr + ssl->in_left, len,
1919 ssl->conf->read_timeout );
1920 }
1921 else
1922 {
1923 ret = ssl->f_recv( ssl->p_bio,
1924 ssl->in_hdr + ssl->in_left, len );
1925 }
1926 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1927
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]1929 ssl->in_left, nb_want ) );
1930 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1931
1932 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1933 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1934
1935 if( ret < 0 )
1936 return( ret );
1937
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]1938 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1939 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1940 MBEDTLS_SSL_DEBUG_MSG( 1,
1941 ( "f_recv returned %d bytes but only %lu were requested",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]1942 ret, (unsigned long)len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]1943 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1944 }
1945
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]1946 ssl->in_left += ret;
1947 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948 }
1949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951
1952 return( 0 );
1953}
1954
1955/*
1956 * Flush any data not yet written
1957 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1958int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1959{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1960 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]1961 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1962
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1965 if( ssl->f_send == NULL )
1966 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]1968 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1970 }
1971
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1972 /* Avoid incrementing counter if data is flushed */
1973 if( ssl->out_left == 0 )
1974 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1975 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]1976 return( 0 );
1977 }
1978
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979 while( ssl->out_left > 0 )
1980 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]1982 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1983
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]1984 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]1985 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1987 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1988
1989 if( ret <= 0 )
1990 return( ret );
1991
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]1992 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]1993 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1994 MBEDTLS_SSL_DEBUG_MSG( 1,
1995 ( "f_send returned %d bytes but only %lu bytes were sent",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]1996 ret, (unsigned long)ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]1997 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1998 }
1999
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000 ssl->out_left -= ret;
2001 }
2002
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2003#if defined(MBEDTLS_SSL_PROTO_DTLS)
2004 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2005 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2006 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2007 }
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2008 else
2009#endif
2010 {
2011 ssl->out_hdr = ssl->out_buf + 8;
2012 }
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2013 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]2014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
2017 return( 0 );
2018}
2019
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2020/*
2021 * Functions to handle the DTLS retransmission state machine
2022 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2023#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2024/*
2025 * Append current handshake message to current outgoing flight
2026 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2027static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2028{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2029 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]2030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2031 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2032 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2033
2034 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]2035 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2036 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]2037 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2038 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]2039 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2040 }
2041
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]2042 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2043 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]2044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2045 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]2046 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2047 }
2048
2049 /* Copy current handshake message with headers */
2050 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2051 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2052 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2053 msg->next = NULL;
2054
2055 /* Append to the current flight */
2056 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2057 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2058 else
2059 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2060 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2061 while( cur->next != NULL )
2062 cur = cur->next;
2063 cur->next = msg;
2064 }
2065
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]2066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2067 return( 0 );
2068}
2069
2070/*
2071 * Free the current flight of handshake messages
2072 */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2073void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2074{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2075 mbedtls_ssl_flight_item *cur = flight;
2076 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2077
2078 while( cur != NULL )
2079 {
2080 next = cur->next;
2081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2082 mbedtls_free( cur->p );
2083 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2084
2085 cur = next;
2086 }
2087}
2088
2089/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2090 * Swap transform_out and out_ctr with the alternative ones
2091 */
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2092static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2093{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2094 mbedtls_ssl_transform *tmp_transform;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2095 unsigned char tmp_out_ctr[8];
2096
2097 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2098 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2100 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2101 }
2102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2103 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2104
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2105 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2106 tmp_transform = ssl->transform_out;
2107 ssl->transform_out = ssl->handshake->alt_transform_out;
2108 ssl->handshake->alt_transform_out = tmp_transform;
2109
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2110 /* Swap epoch + sequence_number */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]2111 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
2112 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2113 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2114
2115 /* Adjust to the newly activated transform */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2116 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2118#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2119 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2120 {
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2121 int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND );
2122 if( ret != 0 )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2123 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2124 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
2125 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2126 }
2127 }
2128#endif
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2129
2130 return( 0 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2131}
2132
2133/*
2134 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2135 */
2136int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2137{
2138 int ret = 0;
2139
2140 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2141
2142 ret = mbedtls_ssl_flight_transmit( ssl );
2143
2144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2145
2146 return( ret );
2147}
2148
2149/*
2150 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2151 *
2152 * Need to remember the current message in case flush_output returns
2153 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2154 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2155 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2156int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2157{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2158 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2159 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2160
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2161 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2162 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2163 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2164
2165 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2166 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2167 ret = ssl_swap_epochs( ssl );
2168 if( ret != 0 )
2169 return( ret );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2172 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2173
2174 while( ssl->handshake->cur_msg != NULL )
2175 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2176 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2177 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2178
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2179 int const is_finished =
2180 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2181 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2182
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2183 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2184 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2185
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2186 /* Swap epochs before sending Finished: we can't do it after
2187 * sending ChangeCipherSpec, in case write returns WANT_READ.
2188 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2189 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2190 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2192 ret = ssl_swap_epochs( ssl );
2193 if( ret != 0 )
2194 return( ret );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]2195 }
2196
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2197 ret = ssl_get_remaining_payload_in_datagram( ssl );
2198 if( ret < 0 )
2199 return( ret );
2200 max_frag_len = (size_t) ret;
2201
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2202 /* CCS is copied as is, while HS messages may need fragmentation */
2203 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2204 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2205 if( max_frag_len == 0 )
2206 {
2207 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2208 return( ret );
2209
2210 continue;
2211 }
2212
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2213 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2214 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2215 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2216
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2217 /* Update position inside current message */
2218 ssl->handshake->cur_msg_p += cur->len;
2219 }
2220 else
2221 {
2222 const unsigned char * const p = ssl->handshake->cur_msg_p;
2223 const size_t hs_len = cur->len - 12;
2224 const size_t frag_off = p - ( cur->p + 12 );
2225 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2226 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2227
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2228 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +0200[diff] [blame]2229 {
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]2230 if( is_finished )
Manuel Pégourié-Gonnarde07bc202020-02-26 09:53:42 +0100[diff] [blame]2231 {
2232 ret = ssl_swap_epochs( ssl );
2233 if( ret != 0 )
2234 return( ret );
2235 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2236
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2237 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2238 return( ret );
2239
2240 continue;
2241 }
2242 max_hs_frag_len = max_frag_len - 12;
2243
2244 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2245 max_hs_frag_len : rem_len;
2246
2247 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2248 {
2249 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2250 (unsigned) cur_hs_frag_len,
2251 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]2252 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]2253
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2254 /* Messages are stored with handshake headers as if not fragmented,
2255 * copy beginning of headers then fill fragmentation fields.
2256 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2257 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2258
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2259 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
2260 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
2261 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
2262
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2263 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
2264 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
2265 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2266
2267 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2268
Hanno Becker3f7b9732018-08-28 09:53:25 +0100[diff] [blame]2269 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2270 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2271 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2272 ssl->out_msgtype = cur->type;
2273
2274 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2275 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2276 }
2277
2278 /* If done with the current message move to the next one if any */
2279 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2280 {
2281 if( cur->next != NULL )
2282 {
2283 ssl->handshake->cur_msg = cur->next;
2284 ssl->handshake->cur_msg_p = cur->next->p + 12;
2285 }
2286 else
2287 {
2288 ssl->handshake->cur_msg = NULL;
2289 ssl->handshake->cur_msg_p = NULL;
2290 }
2291 }
2292
2293 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]2294 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2295 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2296 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2297 return( ret );
2298 }
2299 }
2300
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2301 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2302 return( ret );
2303
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]2304 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2305 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2306 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +0200[diff] [blame]2307 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2308 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2309 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2310 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2311 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2312
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2313 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2314
2315 return( 0 );
2316}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2317
2318/*
2319 * To be called when the last message of an incoming flight is received.
2320 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2321void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2322{
2323 /* We won't need to resend that one any more */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2324 mbedtls_ssl_flight_free( ssl->handshake->flight );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2325 ssl->handshake->flight = NULL;
2326 ssl->handshake->cur_msg = NULL;
2327
2328 /* The next incoming flight will start with this msg_seq */
2329 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2330
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2331 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]2332 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]2333
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2334 /* Clear future message buffering structure. */
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]2335 mbedtls_ssl_buffering_free( ssl );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2336
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2337 /* Cancel timer */
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2338 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2339
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2340 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2341 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2342 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2343 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2344 }
2345 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2346 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2347}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2348
2349/*
2350 * To be called when the last message of an outgoing flight is send.
2351 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2352void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2353{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]2354 ssl_reset_retransmit_timeout( ssl );
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]2355 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2357 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2358 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2359 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2360 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2361 }
2362 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2363 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]2364}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2365#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2366
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2367/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2368 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2369 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2370
2371/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2372 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2373 *
2374 * - fill in handshake headers
2375 * - update handshake checksum
2376 * - DTLS: save message for resending
2377 * - then pass to the record layer
2378 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2379 * DTLS: except for HelloRequest, messages are only queued, and will only be
2380 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2381 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2382 * Inputs:
2383 * - ssl->out_msglen: 4 + actual handshake message len
2384 * (4 is the size of handshake headers for TLS)
2385 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2386 * - ssl->out_msg + 4: the handshake message body
2387 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +0200[diff] [blame]2388 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2389 * - ssl->out_msglen: the length of the record contents
2390 * (including handshake headers but excluding record headers)
2391 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2392 */
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2393int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2395 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2396 const size_t hs_len = ssl->out_msglen - 4;
2397 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2398
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2399 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2400
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2401 /*
2402 * Sanity checks
2403 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2404 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2405 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2406 {
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]2407 /* In SSLv3, the client might send a NoCertificate alert. */
2408#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
2409 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
2410 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
2411 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
2412#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
2413 {
2414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2415 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2416 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2417 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2418
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2419 /* Whenever we send anything different from a
2420 * HelloRequest we should be in a handshake - double check. */
2421 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2422 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2423 ssl->handshake == NULL )
2424 {
2425 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2426 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2427 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2428
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2429#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2430 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2431 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2432 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2433 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2434 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2435 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2436 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2437#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2438
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]2439 /* Double-check that we did not exceed the bounds
2440 * of the outgoing record buffer.
2441 * This should never fail as the various message
2442 * writing functions must obey the bounds of the
2443 * outgoing record buffer, but better be safe.
2444 *
2445 * Note: We deliberately do not check for the MTU or MFL here.
2446 */
2447 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2448 {
2449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
2450 "size %u, maximum %u",
2451 (unsigned) ssl->out_msglen,
2452 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
2453 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2454 }
2455
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2456 /*
2457 * Fill handshake headers
2458 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2459 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2460 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2461 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
2462 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
2463 ssl->out_msg[3] = (unsigned char)( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2464
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2465 /*
2466 * DTLS has additional fields in the Handshake layer,
2467 * between the length field and the actual payload:
2468 * uint16 message_seq;
2469 * uint24 fragment_offset;
2470 * uint24 fragment_length;
2471 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2472#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2473 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2474 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2475 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2476 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2477 {
2478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
2479 "size %u, maximum %u",
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2480 (unsigned) ( hs_len ),
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2481 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]2482 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2483 }
2484
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2485 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2486 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2487
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2488 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2489 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2490 {
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +0200[diff] [blame]2491 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
2492 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
2493 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2494 }
2495 else
2496 {
2497 ssl->out_msg[4] = 0;
2498 ssl->out_msg[5] = 0;
2499 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2500
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2501 /* Handshake hashes are computed without fragmentation,
2502 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]2503 memset( ssl->out_msg + 6, 0x00, 3 );
2504 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2505 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2506#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2507
Hanno Becker0207e532018-08-28 10:28:28 +0100[diff] [blame]2508 /* Update running hashes of handshake messages seen */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]2509 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2510 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2511 }
2512
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2513 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2514#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2515 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2516 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2517 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2518 {
2519 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2520 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2521 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2522 return( ret );
2523 }
2524 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2525 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2526#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2527 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2528 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2529 {
2530 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2531 return( ret );
2532 }
2533 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2534
2535 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2536
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2537 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2538}
2539
2540/*
2541 * Record layer functions
2542 */
2543
2544/*
2545 * Write current record.
2546 *
2547 * Uses:
2548 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2549 * - ssl->out_msglen: length of the record content (excl headers)
2550 * - ssl->out_msg: record content
2551 */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2552int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2553{
2554 int ret, done = 0;
2555 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2556 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]2557
2558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]2559
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2560#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2561 if( ssl->transform_out != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2562 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2563 {
2564 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2565 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2566 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2567 return( ret );
2568 }
2569
2570 len = ssl->out_msglen;
2571 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2572#endif /*MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2574#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2575 if( mbedtls_ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2576 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2579 ret = mbedtls_ssl_hw_record_write( ssl );
2580 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2581 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2582 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
2583 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2584 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]2585
2586 if( ret == 0 )
2587 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2588 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2589#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2590 if( !done )
2591 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2592 unsigned i;
2593 size_t protected_record_size;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2594#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2595 size_t out_buf_len = ssl->out_buf_len;
2596#else
2597 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2598#endif
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2599 /* Skip writing the record content type to after the encryption,
2600 * as it may change when using the CID extension. */
2601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2602 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2603 ssl->conf->transport, ssl->out_hdr + 1 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2604
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]2605 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2606 ssl->out_len[0] = (unsigned char)( len >> 8 );
2607 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2608
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2609 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2610 {
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2611 mbedtls_record rec;
2612
2613 rec.buf = ssl->out_iv;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]2614 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2615 rec.data_len = ssl->out_msglen;
2616 rec.data_offset = ssl->out_msg - rec.buf;
2617
2618 memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
2619 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2620 ssl->conf->transport, rec.ver );
2621 rec.type = ssl->out_msgtype;
2622
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2623#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker43c24b82019-05-01 09:45:57 +0100[diff] [blame]2624 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2625 rec.cid_len = 0;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2626#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckercab87e62019-04-29 13:52:53 +0100[diff] [blame]2627
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]2628 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2629 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2630 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2631 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2632 return( ret );
2633 }
2634
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2635 if( rec.data_offset != 0 )
2636 {
2637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2638 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2639 }
2640
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2641 /* Update the record content type and CID. */
2642 ssl->out_msgtype = rec.type;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2643#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]2644 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2645#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker78f839d2019-03-14 12:56:23 +0000[diff] [blame]2646 ssl->out_msglen = len = rec.data_len;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000[diff] [blame]2647 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
2648 ssl->out_len[1] = (unsigned char)( rec.data_len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2649 }
2650
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]2651 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2652
2653#if defined(MBEDTLS_SSL_PROTO_DTLS)
2654 /* In case of DTLS, double-check that we don't exceed
2655 * the remaining space in the datagram. */
2656 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2657 {
Hanno Becker554b0af2018-08-22 20:33:41 +0100[diff] [blame]2658 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2659 if( ret < 0 )
2660 return( ret );
2661
2662 if( protected_record_size > (size_t) ret )
2663 {
2664 /* Should never happen */
2665 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2666 }
2667 }
2668#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2669
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]2670 /* Now write the potentially updated record content type. */
2671 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2673 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2674 "version = [%d:%d], msglen = %d",
2675 ssl->out_hdr[0], ssl->out_hdr[1],
2676 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2678 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]2679 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2680
2681 ssl->out_left += protected_record_size;
2682 ssl->out_hdr += protected_record_size;
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]2683 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]2684
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2685 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2686 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2687 break;
2688
2689 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]2690 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]2691 {
2692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2693 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2694 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2695 }
2696
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2697#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +0100[diff] [blame]2698 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2699 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2700 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +0100[diff] [blame]2701 size_t remaining;
2702 ret = ssl_get_remaining_payload_in_datagram( ssl );
2703 if( ret < 0 )
2704 {
2705 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2706 ret );
2707 return( ret );
2708 }
2709
2710 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2711 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2712 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2713 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]2714 }
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2715 else
2716 {
Hanno Becker513815a2018-08-20 11:56:09 +0100[diff] [blame]2717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]2718 }
2719 }
2720#endif /* MBEDTLS_SSL_PROTO_DTLS */
2721
2722 if( ( flush == SSL_FORCE_FLUSH ) &&
2723 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2724 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2725 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2726 return( ret );
2727 }
2728
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2729 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2730
2731 return( 0 );
2732}
2733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2734#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2735
2736static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2737{
2738 if( ssl->in_msglen < ssl->in_hslen ||
2739 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
2740 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2741 {
2742 return( 1 );
2743 }
2744 return( 0 );
2745}
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2746
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2747static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2748{
2749 return( ( ssl->in_msg[9] << 16 ) |
2750 ( ssl->in_msg[10] << 8 ) |
2751 ssl->in_msg[11] );
2752}
2753
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2754static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2755{
2756 return( ( ssl->in_msg[6] << 16 ) |
2757 ( ssl->in_msg[7] << 8 ) |
2758 ssl->in_msg[8] );
2759}
2760
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2761static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2762{
2763 uint32_t msg_len, frag_off, frag_len;
2764
2765 msg_len = ssl_get_hs_total_len( ssl );
2766 frag_off = ssl_get_hs_frag_off( ssl );
2767 frag_len = ssl_get_hs_frag_len( ssl );
2768
2769 if( frag_off > msg_len )
2770 return( -1 );
2771
2772 if( frag_len > msg_len - frag_off )
2773 return( -1 );
2774
2775 if( frag_len + 12 > ssl->in_msglen )
2776 return( -1 );
2777
2778 return( 0 );
2779}
2780
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2781/*
2782 * Mark bits in bitmask (used for DTLS HS reassembly)
2783 */
2784static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2785{
2786 unsigned int start_bits, end_bits;
2787
2788 start_bits = 8 - ( offset % 8 );
2789 if( start_bits != 8 )
2790 {
2791 size_t first_byte_idx = offset / 8;
2792
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +0200[diff] [blame]2793 /* Special case */
2794 if( len <= start_bits )
2795 {
2796 for( ; len != 0; len-- )
2797 mask[first_byte_idx] |= 1 << ( start_bits - len );
2798
2799 /* Avoid potential issues with offset or len becoming invalid */
2800 return;
2801 }
2802
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2803 offset += start_bits; /* Now offset % 8 == 0 */
2804 len -= start_bits;
2805
2806 for( ; start_bits != 0; start_bits-- )
2807 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
2808 }
2809
2810 end_bits = len % 8;
2811 if( end_bits != 0 )
2812 {
2813 size_t last_byte_idx = ( offset + len ) / 8;
2814
2815 len -= end_bits; /* Now len % 8 == 0 */
2816
2817 for( ; end_bits != 0; end_bits-- )
2818 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
2819 }
2820
2821 memset( mask + offset / 8, 0xFF, len / 8 );
2822}
2823
2824/*
2825 * Check that bitmask is full
2826 */
2827static int ssl_bitmask_check( unsigned char *mask, size_t len )
2828{
2829 size_t i;
2830
2831 for( i = 0; i < len / 8; i++ )
2832 if( mask[i] != 0xFF )
2833 return( -1 );
2834
2835 for( i = 0; i < len % 8; i++ )
2836 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2837 return( -1 );
2838
2839 return( 0 );
2840}
2841
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2842/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +0100[diff] [blame]2843static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2844 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2845{
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2846 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2847
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2848 alloc_len = 12; /* Handshake header */
2849 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2850
Hanno Beckerd07df862018-08-16 09:14:58 +0100[diff] [blame]2851 if( add_bitmap )
2852 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2853
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]2854 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2855}
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]2856
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2857#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2858
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]2859static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2860{
2861 return( ( ssl->in_msg[1] << 16 ) |
2862 ( ssl->in_msg[2] << 8 ) |
2863 ssl->in_msg[3] );
2864}
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2865
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2866int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2867{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2868 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2869 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2870 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2871 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2872 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]2873 }
2874
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]2875 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2876
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2877 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2878 " %d, type = %d, hslen = %d",
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]2879 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2880
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2881#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2882 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2883 {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2885 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2886
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]2887 if( ssl_check_hs_header( ssl ) != 0 )
2888 {
2889 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
2890 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2891 }
2892
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2893 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]2894 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
2895 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
2896 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
2897 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2898 {
Hanno Becker9e1ec222018-08-15 15:54:43 +0100[diff] [blame]2899 if( recv_msg_seq > ssl->handshake->in_msg_seq )
2900 {
2901 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
2902 recv_msg_seq,
2903 ssl->handshake->in_msg_seq ) );
2904 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2905 }
2906
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +0200[diff] [blame]2907 /* Retransmit only on last message from previous flight, to avoid
2908 * too many retransmissions.
2909 * Besides, No sane server ever retransmits HelloVerifyRequest */
2910 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2911 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2912 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2914 "message_seq = %d, start_of_flight = %d",
2915 recv_msg_seq,
2916 ssl->handshake->in_flight_start_seq ) );
2917
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2918 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2920 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2921 return( ret );
2922 }
2923 }
2924 else
2925 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2926 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2927 "message_seq = %d, expected = %d",
2928 recv_msg_seq,
2929 ssl->handshake->in_msg_seq ) );
2930 }
2931
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]2932 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2933 }
2934 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2935
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2936 /* Message reassembly is handled alongside buffering of future
2937 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +0100[diff] [blame]2938 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2939 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2940 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2941 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2942 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]2943 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2944 }
2945 }
2946 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2947#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]2948 /* With TLS we don't handle fragmentation (for now) */
2949 if( ssl->in_msglen < ssl->in_hslen )
2950 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
2952 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2953 }
2954
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2955 return( 0 );
2956}
2957
2958void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
2959{
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2960 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2961
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2962 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]2963 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2964 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]2965 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2966
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2967 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2968#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2969 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2970 ssl->handshake != NULL )
2971 {
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2972 unsigned offset;
2973 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]2974
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2975 /* Increment handshake sequence number */
2976 hs->in_msg_seq++;
2977
2978 /*
2979 * Clear up handshake buffering and reassembly structure.
2980 */
2981
2982 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]2983 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2984
2985 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]2986 for( offset = 0, hs_buf = &hs->buffering.hs[0];
2987 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]2988 offset++, hs_buf++ )
2989 {
2990 *hs_buf = *(hs_buf + 1);
2991 }
2992
2993 /* Create a fresh last entry */
2994 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]2995 }
2996#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]2997}
2998
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]2999/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3000 * DTLS anti-replay: RFC 6347 4.1.2.6
3001 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3002 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3003 * Bit n is set iff record number in_window_top - n has been seen.
3004 *
3005 * Usually, in_window_top is the last record number seen and the lsb of
3006 * in_window is set. The only exception is the initial state (record number 0
3007 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3008 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3009#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]3010void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3011{
3012 ssl->in_window_top = 0;
3013 ssl->in_window = 0;
3014}
3015
3016static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3017{
3018 return( ( (uint64_t) buf[0] << 40 ) |
3019 ( (uint64_t) buf[1] << 32 ) |
3020 ( (uint64_t) buf[2] << 24 ) |
3021 ( (uint64_t) buf[3] << 16 ) |
3022 ( (uint64_t) buf[4] << 8 ) |
3023 ( (uint64_t) buf[5] ) );
3024}
3025
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3026static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
3027{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3028 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3029 unsigned char *original_in_ctr;
3030
3031 // save original in_ctr
3032 original_in_ctr = ssl->in_ctr;
3033
3034 // use counter from record
3035 ssl->in_ctr = record_in_ctr;
3036
3037 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3038
3039 // restore the counter
3040 ssl->in_ctr = original_in_ctr;
3041
3042 return ret;
3043}
3044
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3045/*
3046 * Return 0 if sequence number is acceptable, -1 otherwise
3047 */
Hanno Becker0183d692019-07-12 08:50:37 +0100[diff] [blame]3048int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3049{
3050 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3051 uint64_t bit;
3052
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3053 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3054 return( 0 );
3055
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3056 if( rec_seqnum > ssl->in_window_top )
3057 return( 0 );
3058
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3059 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3060
3061 if( bit >= 64 )
3062 return( -1 );
3063
3064 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3065 return( -1 );
3066
3067 return( 0 );
3068}
3069
3070/*
3071 * Update replay window on new validated record
3072 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3073void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3074{
3075 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3076
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3077 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3078 return;
3079
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3080 if( rec_seqnum > ssl->in_window_top )
3081 {
3082 /* Update window_top and the contents of the window */
3083 uint64_t shift = rec_seqnum - ssl->in_window_top;
3084
3085 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3086 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3087 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3088 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3089 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3090 ssl->in_window |= 1;
3091 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3092
3093 ssl->in_window_top = rec_seqnum;
3094 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3095 else
3096 {
3097 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]3098 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3099
3100 if( bit < 64 ) /* Always true, but be extra sure */
3101 ssl->in_window |= (uint64_t) 1 << bit;
3102 }
3103}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3104#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3105
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3106#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3107/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3108 * Without any SSL context, check if a datagram looks like a ClientHello with
3109 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +0100[diff] [blame]3110 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3111 *
3112 * - if cookie is valid, return 0
3113 * - if ClientHello looks superficially valid but cookie is not,
3114 * fill obuf and set olen, then
3115 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3116 * - otherwise return a specific error code
3117 */
3118static int ssl_check_dtls_clihlo_cookie(
3119 mbedtls_ssl_cookie_write_t *f_cookie_write,
3120 mbedtls_ssl_cookie_check_t *f_cookie_check,
3121 void *p_cookie,
3122 const unsigned char *cli_id, size_t cli_id_len,
3123 const unsigned char *in, size_t in_len,
3124 unsigned char *obuf, size_t buf_len, size_t *olen )
3125{
3126 size_t sid_len, cookie_len;
3127 unsigned char *p;
3128
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3129 /*
3130 * Structure of ClientHello with record and handshake headers,
3131 * and expected values. We don't need to check a lot, more checks will be
3132 * done when actually parsing the ClientHello - skipping those checks
3133 * avoids code duplication and does not make cookie forging any easier.
3134 *
3135 * 0-0 ContentType type; copied, must be handshake
3136 * 1-2 ProtocolVersion version; copied
3137 * 3-4 uint16 epoch; copied, must be 0
3138 * 5-10 uint48 sequence_number; copied
3139 * 11-12 uint16 length; (ignored)
3140 *
3141 * 13-13 HandshakeType msg_type; (ignored)
3142 * 14-16 uint24 length; (ignored)
3143 * 17-18 uint16 message_seq; copied
3144 * 19-21 uint24 fragment_offset; copied, must be 0
3145 * 22-24 uint24 fragment_length; (ignored)
3146 *
3147 * 25-26 ProtocolVersion client_version; (ignored)
3148 * 27-58 Random random; (ignored)
3149 * 59-xx SessionID session_id; 1 byte len + sid_len content
3150 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3151 * ...
3152 *
3153 * Minimum length is 61 bytes.
3154 */
3155 if( in_len < 61 ||
3156 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3157 in[3] != 0 || in[4] != 0 ||
3158 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3159 {
3160 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3161 }
3162
3163 sid_len = in[59];
3164 if( sid_len > in_len - 61 )
3165 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3166
3167 cookie_len = in[60 + sid_len];
3168 if( cookie_len > in_len - 60 )
3169 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3170
3171 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3172 cli_id, cli_id_len ) == 0 )
3173 {
3174 /* Valid cookie */
3175 return( 0 );
3176 }
3177
3178 /*
3179 * If we get here, we've got an invalid cookie, let's prepare HVR.
3180 *
3181 * 0-0 ContentType type; copied
3182 * 1-2 ProtocolVersion version; copied
3183 * 3-4 uint16 epoch; copied
3184 * 5-10 uint48 sequence_number; copied
3185 * 11-12 uint16 length; olen - 13
3186 *
3187 * 13-13 HandshakeType msg_type; hello_verify_request
3188 * 14-16 uint24 length; olen - 25
3189 * 17-18 uint16 message_seq; copied
3190 * 19-21 uint24 fragment_offset; copied
3191 * 22-24 uint24 fragment_length; olen - 25
3192 *
3193 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3194 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3195 *
3196 * Minimum length is 28.
3197 */
3198 if( buf_len < 28 )
3199 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3200
3201 /* Copy most fields and adapt others */
3202 memcpy( obuf, in, 25 );
3203 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3204 obuf[25] = 0xfe;
3205 obuf[26] = 0xff;
3206
3207 /* Generate and write actual cookie */
3208 p = obuf + 28;
3209 if( f_cookie_write( p_cookie,
3210 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3211 {
3212 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3213 }
3214
3215 *olen = p - obuf;
3216
3217 /* Go back and fill length fields */
3218 obuf[27] = (unsigned char)( *olen - 28 );
3219
3220 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
3221 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
3222 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
3223
3224 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
3225 obuf[12] = (unsigned char)( ( *olen - 13 ) );
3226
3227 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3228}
3229
3230/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3231 * Handle possible client reconnect with the same UDP quadruplet
3232 * (RFC 6347 Section 4.2.8).
3233 *
3234 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3235 * that looks like a ClientHello.
3236 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3237 * - if the input looks like a ClientHello without cookies,
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3238 * send back HelloVerifyRequest, then return 0
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3239 * - if the input looks like a ClientHello with a valid cookie,
3240 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]3241 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3242 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3243 *
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3244 * This function is called (through ssl_check_client_reconnect()) when an
3245 * unexpected record is found in ssl_get_next_record(), which will discard the
3246 * record if we return 0, and bubble up the return value otherwise (this
3247 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3248 * errors, and is the right thing to do in both cases).
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3249 */
3250static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3251{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3252 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3253 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3254
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3255 if( ssl->conf->f_cookie_write == NULL ||
3256 ssl->conf->f_cookie_check == NULL )
3257 {
3258 /* If we can't use cookies to verify reachability of the peer,
3259 * drop the record. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3261 "can't check reconnect validity" ) );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3262 return( 0 );
3263 }
3264
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3265 ret = ssl_check_dtls_clihlo_cookie(
3266 ssl->conf->f_cookie_write,
3267 ssl->conf->f_cookie_check,
3268 ssl->conf->p_cookie,
3269 ssl->cli_id, ssl->cli_id_len,
3270 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3271 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3272
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3273 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3274
3275 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3276 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3277 int send_ret;
3278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3279 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3280 ssl->out_buf, len );
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]3281 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3282 * If the error is permanent we'll catch it later,
3283 * if it's not, then hopefully it'll work next time. */
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3284 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3285 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3286 (void) send_ret;
3287
Manuel Pégourié-Gonnard824655c2020-03-11 12:51:42 +0100[diff] [blame]3288 return( 0 );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3289 }
3290
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3291 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3292 {
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]3293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
Hanno Becker43aefe22020-02-05 10:44:56 +0000[diff] [blame]3294 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]3295 {
3296 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3297 return( ret );
3298 }
3299
3300 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3301 }
3302
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3303 return( ret );
3304}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]3305#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]3306
Hanno Beckerf661c9c2019-05-03 13:25:54 +0100[diff] [blame]3307static int ssl_check_record_type( uint8_t record_type )
3308{
3309 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3310 record_type != MBEDTLS_SSL_MSG_ALERT &&
3311 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3312 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3313 {
3314 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3315 }
3316
3317 return( 0 );
3318}
3319
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]3320/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3321 * ContentType type;
3322 * ProtocolVersion version;
3323 * uint16 epoch; // DTLS only
3324 * uint48 sequence_number; // DTLS only
3325 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3326 *
3327 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3328 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3329 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3330 *
3331 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]3332 * 1. proceed with the record if this function returns 0
3333 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3334 * 3. return CLIENT_RECONNECT if this function return that value
3335 * 4. drop the whole datagram if this function returns anything else.
3336 * Point 2 is needed when the peer is resending, and we have already received
3337 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3338 */
Hanno Becker331de3d2019-07-12 11:10:16 +0100[diff] [blame]3339static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3340 unsigned char *buf,
3341 size_t len,
3342 mbedtls_record *rec )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3343{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3344 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3345
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3346 size_t const rec_hdr_type_offset = 0;
3347 size_t const rec_hdr_type_len = 1;
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3348
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3349 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3350 rec_hdr_type_len;
3351 size_t const rec_hdr_version_len = 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3352
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3353 size_t const rec_hdr_ctr_len = 8;
3354#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3355 uint32_t rec_epoch;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3356 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3357 rec_hdr_version_len;
3358
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3359#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3360 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3361 rec_hdr_ctr_len;
Hanno Beckerf5466252019-07-25 10:13:02 +0100[diff] [blame]3362 size_t rec_hdr_cid_len = 0;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3363#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3364#endif /* MBEDTLS_SSL_PROTO_DTLS */
3365
3366 size_t rec_hdr_len_offset; /* To be determined */
3367 size_t const rec_hdr_len_len = 2;
3368
3369 /*
3370 * Check minimum lengths for record header.
3371 */
3372
3373#if defined(MBEDTLS_SSL_PROTO_DTLS)
3374 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3375 {
3376 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3377 }
3378 else
3379#endif /* MBEDTLS_SSL_PROTO_DTLS */
3380 {
3381 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3382 }
3383
3384 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3385 {
3386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3387 (unsigned) len,
3388 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3389 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3390 }
3391
3392 /*
3393 * Parse and validate record content type
3394 */
3395
3396 rec->type = buf[ rec_hdr_type_offset ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3397
3398 /* Check record content type */
3399#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3400 rec->cid_len = 0;
3401
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3402 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3403 ssl->conf->cid_len != 0 &&
3404 rec->type == MBEDTLS_SSL_MSG_CID )
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3405 {
3406 /* Shift pointers to account for record header including CID
3407 * struct {
3408 * ContentType special_type = tls12_cid;
3409 * ProtocolVersion version;
3410 * uint16 epoch;
3411 * uint48 sequence_number;
Hanno Becker8e55b0f2019-05-23 17:03:19 +0100[diff] [blame]3412 * opaque cid[cid_length]; // Additional field compared to
3413 * // default DTLS record format
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3414 * uint16 length;
3415 * opaque enc_content[DTLSCiphertext.length];
3416 * } DTLSCiphertext;
3417 */
3418
3419 /* So far, we only support static CID lengths
3420 * fixed in the configuration. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3421 rec_hdr_cid_len = ssl->conf->cid_len;
3422 rec_hdr_len_offset += rec_hdr_cid_len;
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3423
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3424 if( len < rec_hdr_len_offset + rec_hdr_len_len )
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3425 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3427 (unsigned) len,
3428 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
Hanno Becker59be60e2019-07-10 14:53:43 +0100[diff] [blame]3429 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Beckere538d822019-07-10 14:50:10 +0100[diff] [blame]3430 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3431
Manuel Pégourié-Gonnard7e821b52019-08-02 10:17:15 +0200[diff] [blame]3432 /* configured CID len is guaranteed at most 255, see
3433 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3434 rec->cid_len = (uint8_t) rec_hdr_cid_len;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3435 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3436 }
3437 else
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3438#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3439 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3440 if( ssl_check_record_type( rec->type ) )
3441 {
Hanno Becker54229812019-07-12 14:40:00 +0100[diff] [blame]3442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3443 (unsigned) rec->type ) );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3444 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3445 }
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]3446 }
3447
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3448 /*
3449 * Parse and validate record version
3450 */
3451
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3452 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3453 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3454 mbedtls_ssl_read_version( &major_ver, &minor_ver,
3455 ssl->conf->transport,
Hanno Beckerd0b66d02019-07-26 08:07:03 +0100[diff] [blame]3456 &rec->ver[0] );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3457
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]3458 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3461 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3462 }
3463
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3464 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3465 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3467 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3468 }
3469
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3470 /*
3471 * Parse/Copy record sequence number.
3472 */
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3473
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3474#if defined(MBEDTLS_SSL_PROTO_DTLS)
3475 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3476 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3477 /* Copy explicit record sequence number from input buffer. */
3478 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3479 rec_hdr_ctr_len );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]3480 }
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3481 else
3482#endif /* MBEDTLS_SSL_PROTO_DTLS */
3483 {
3484 /* Copy implicit record sequence number from SSL context structure. */
3485 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3486 }
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3487
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3488 /*
3489 * Parse record length.
3490 */
3491
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3492 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
Hanno Becker9eca2762019-07-25 10:16:37 +0100[diff] [blame]3493 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3494 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3495 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3496
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3497 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
Hanno Becker92d30f52019-05-23 17:03:44 +0100[diff] [blame]3498 "version = [%d:%d], msglen = %d",
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3499 rec->type,
3500 major_ver, minor_ver, rec->data_len ) );
3501
3502 rec->buf = buf;
3503 rec->buf_len = rec->data_offset + rec->data_len;
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]3504
Hanno Beckerd417cc92019-07-26 08:20:27 +0100[diff] [blame]3505 if( rec->data_len == 0 )
3506 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3507
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3508 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]3509 * DTLS-related tests.
3510 * Check epoch before checking length constraint because
3511 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3512 * message gets duplicated before the corresponding Finished message,
3513 * the second ChangeCipherSpec should be discarded because it belongs
3514 * to an old epoch, but not because its length is shorter than
3515 * the minimum record length for packets using the new record transform.
3516 * Note that these two kinds of failures are handled differently,
3517 * as an unexpected record is silently skipped but an invalid
3518 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3519 */
3520#if defined(MBEDTLS_SSL_PROTO_DTLS)
3521 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3522 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3523 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3524
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3525 /* Check that the datagram is large enough to contain a record
3526 * of the advertised length. */
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3527 if( len < rec->data_offset + rec->data_len )
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3528 {
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]3529 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3530 (unsigned) len,
3531 (unsigned)( rec->data_offset + rec->data_len ) ) );
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]3532 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3533 }
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3534
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3535 /* Records from other, non-matching epochs are silently discarded.
3536 * (The case of same-port Client reconnects must be considered in
3537 * the caller). */
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3538 if( rec_epoch != ssl->in_epoch )
3539 {
3540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3541 "expected %d, received %d",
3542 ssl->in_epoch, rec_epoch ) );
3543
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3544 /* Records from the next epoch are considered for buffering
3545 * (concretely: early Finished messages). */
3546 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3547 {
Hanno Becker552f7472019-07-19 10:59:12 +0100[diff] [blame]3548 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3549 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3550 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]3551
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3552 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3553 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3554#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker37cfe732019-07-10 17:20:01 +0100[diff] [blame]3555 /* For records from the correct epoch, check whether their
3556 * sequence number has been seen before. */
Arto Kinnunen7f8089b2019-10-29 11:13:33 +0200[diff] [blame]3557 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3558 &rec->ctr[0] ) != 0 )
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]3559 {
3560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3561 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3562 }
3563#endif
3564 }
3565#endif /* MBEDTLS_SSL_PROTO_DTLS */
3566
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3567 return( 0 );
3568}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3569
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3570
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3571#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3572static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3573{
3574 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3575
3576 /*
3577 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3578 * access the first byte of record content (handshake type), as we
3579 * have an active transform (possibly iv_len != 0), so use the
3580 * fact that the record header len is 13 instead.
3581 */
3582 if( rec_epoch == 0 &&
3583 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3584 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3585 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3586 ssl->in_left > 13 &&
3587 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3588 {
3589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3590 "from the same port" ) );
3591 return( ssl_handle_possible_reconnect( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3592 }
3593
3594 return( 0 );
3595}
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]3596#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3597
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3598/*
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]3599 * If applicable, decrypt record content
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3600 */
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3601static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3602 mbedtls_record *rec )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3603{
3604 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]3605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3606 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3607 rec->buf, rec->buf_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3608
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3609#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3610 if( mbedtls_ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3611 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3612 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3614 ret = mbedtls_ssl_hw_record_read( ssl );
3615 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3616 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3617 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
3618 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3619 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]3620
3621 if( ret == 0 )
3622 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3623 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3624#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3625 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3626 {
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3627 unsigned char const old_msg_type = rec->type;
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3628
Hanno Beckera18d1322018-01-03 14:27:32 +0000[diff] [blame]3629 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]3630 rec ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3631 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3632 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3633
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3634#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3635 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3636 ssl->conf->ignore_unexpected_cid
3637 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3638 {
Hanno Beckere8d6afd2019-05-24 10:11:06 +0100[diff] [blame]3639 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3640 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
Hanno Becker8367ccc2019-05-14 11:30:10 +0100[diff] [blame]3641 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3642#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker16ded982019-05-08 13:02:55 +0100[diff] [blame]3643
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3644 return( ret );
3645 }
3646
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3647 if( old_msg_type != rec->type )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3648 {
3649 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3650 old_msg_type, rec->type ) );
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3651 }
3652
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3653 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3654 rec->buf + rec->data_offset, rec->data_len );
Hanno Becker1c0c37f2018-08-07 14:29:29 +0100[diff] [blame]3655
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3656#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3657 /* We have already checked the record content type
3658 * in ssl_parse_record_header(), failing or silently
3659 * dropping the record in the case of an unknown type.
3660 *
3661 * Since with the use of CIDs, the record content type
3662 * might change during decryption, re-check the record
3663 * content type, but treat a failure as fatal this time. */
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3664 if( ssl_check_record_type( rec->type ) )
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3665 {
3666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3667 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3668 }
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3669#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6430faf2019-05-08 11:57:13 +0100[diff] [blame]3670
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3671 if( rec->data_len == 0 )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3672 {
3673#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3674 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
Hanno Becker58ef0bf2019-07-12 09:35:58 +0100[diff] [blame]3675 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3676 {
3677 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3678 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3679 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3680 }
3681#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3682
3683 ssl->nb_zero++;
3684
3685 /*
3686 * Three or more empty messages may be a DoS attack
3687 * (excessive CPU consumption).
3688 */
3689 if( ssl->nb_zero > 3 )
3690 {
3691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
Hanno Becker6e7700d2019-05-08 10:38:32 +0100[diff] [blame]3692 "messages, possible DoS attack" ) );
3693 /* Treat the records as if they were not properly authenticated,
3694 * thereby failing the connection if we see more than allowed
3695 * by the configured bad MAC threshold. */
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3696 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3697 }
3698 }
3699 else
3700 ssl->nb_zero = 0;
3701
3702#if defined(MBEDTLS_SSL_PROTO_DTLS)
3703 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3704 {
3705 ; /* in_ctr read from peer, not maintained internally */
3706 }
3707 else
3708#endif
3709 {
3710 unsigned i;
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3711 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3712 if( ++ssl->in_ctr[i - 1] != 0 )
3713 break;
3714
3715 /* The loop goes to its end iff the counter is wrapping */
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]3716 if( i == mbedtls_ssl_ep_len( ssl ) )
Hanno Becker2e24c3b2017-12-27 21:28:58 +0000[diff] [blame]3717 {
3718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3719 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3720 }
3721 }
3722
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3723 }
3724
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3725#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3726 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3727 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3728 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3729 }
3730#endif
3731
Hanno Beckerd96e10b2019-07-09 17:30:02 +0100[diff] [blame]3732 /* Check actual (decrypted) record content length against
3733 * configured maximum. */
3734 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
3735 {
3736 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3737 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3738 }
3739
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3740 return( 0 );
3741}
3742
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3743/*
3744 * Read a record.
3745 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]3746 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3747 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3748 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3749 */
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]3750
3751/* Helper functions for mbedtls_ssl_read_record(). */
3752static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3753static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3754static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +0100[diff] [blame]3755
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3756int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3757 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3758{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3759 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3760
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3761 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]3762
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3763 if( ssl->keep_current_message == 0 )
3764 {
3765 do {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3766
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3767 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3768 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3769 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]3770
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3771 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3772 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3773#if defined(MBEDTLS_SSL_PROTO_DTLS)
3774 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3775
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3776 /* We only check for buffered messages if the
3777 * current datagram is fully consumed. */
3778 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3779 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3780 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3781 if( ssl_load_buffered_message( ssl ) == 0 )
3782 have_buffered = 1;
3783 }
3784
3785 if( have_buffered == 0 )
3786#endif /* MBEDTLS_SSL_PROTO_DTLS */
3787 {
3788 ret = ssl_get_next_record( ssl );
3789 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
3790 continue;
3791
3792 if( ret != 0 )
3793 {
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]3794 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3795 return( ret );
3796 }
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]3797 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3798 }
3799
3800 ret = mbedtls_ssl_handle_message_type( ssl );
3801
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3802#if defined(MBEDTLS_SSL_PROTO_DTLS)
3803 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
3804 {
3805 /* Buffer future message */
3806 ret = ssl_buffer_message( ssl );
3807 if( ret != 0 )
3808 return( ret );
3809
3810 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3811 }
3812#endif /* MBEDTLS_SSL_PROTO_DTLS */
3813
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3814 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
3815 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3816
3817 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3818 {
Hanno Becker05c4fc82017-11-09 14:34:06 +0000[diff] [blame]3819 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3820 return( ret );
3821 }
3822
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3823 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]3824 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3825 {
3826 mbedtls_ssl_update_handshake_status( ssl );
3827 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3828 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3829 else
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3830 {
Hanno Becker02f59072018-08-15 14:00:24 +0100[diff] [blame]3831 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3832 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3833 }
3834
3835 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3836
3837 return( 0 );
3838}
3839
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3840#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]3841static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3842{
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3843 if( ssl->in_left > ssl->next_record_offset )
3844 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3845
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3846 return( 0 );
3847}
3848
3849static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
3850{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3851 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3852 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3853 int ret = 0;
3854
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3855 if( hs == NULL )
3856 return( -1 );
3857
Hanno Beckere00ae372018-08-20 09:39:42 +0100[diff] [blame]3858 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
3859
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3860 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
3861 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3862 {
3863 /* Check if we have seen a ChangeCipherSpec before.
3864 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]3865 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3866 {
3867 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
3868 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +0100[diff] [blame]3869 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3870 }
3871
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]3872 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3873 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
3874 ssl->in_msglen = 1;
3875 ssl->in_msg[0] = 1;
3876
3877 /* As long as they are equal, the exact value doesn't matter. */
3878 ssl->in_left = 0;
3879 ssl->next_record_offset = 0;
3880
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3881 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3882 goto exit;
3883 }
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3884
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3885#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3886 /* Debug only */
3887 {
3888 unsigned offset;
3889 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
3890 {
3891 hs_buf = &hs->buffering.hs[offset];
3892 if( hs_buf->is_valid == 1 )
3893 {
3894 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
3895 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +0100[diff] [blame]3896 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3897 }
3898 }
3899 }
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]3900#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]3901
3902 /* Check if we have buffered and/or fully reassembled the
3903 * next handshake message. */
3904 hs_buf = &hs->buffering.hs[0];
3905 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
3906 {
3907 /* Synthesize a record containing the buffered HS message. */
3908 size_t msg_len = ( hs_buf->data[1] << 16 ) |
3909 ( hs_buf->data[2] << 8 ) |
3910 hs_buf->data[3];
3911
3912 /* Double-check that we haven't accidentally buffered
3913 * a message that doesn't fit into the input buffer. */
3914 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
3915 {
3916 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3917 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3918 }
3919
3920 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
3921 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
3922 hs_buf->data, msg_len + 12 );
3923
3924 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3925 ssl->in_hslen = msg_len + 12;
3926 ssl->in_msglen = msg_len + 12;
3927 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
3928
3929 ret = 0;
3930 goto exit;
3931 }
3932 else
3933 {
3934 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
3935 hs->in_msg_seq ) );
3936 }
3937
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3938 ret = -1;
3939
3940exit:
3941
3942 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
3943 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3944}
3945
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3946static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
3947 size_t desired )
3948{
3949 int offset;
3950 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3951 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
3952 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3953
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3954 /* Get rid of future records epoch first, if such exist. */
3955 ssl_free_buffered_record( ssl );
3956
3957 /* Check if we have enough space available now. */
3958 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3959 hs->buffering.total_bytes_buffered ) )
3960 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]3962 return( 0 );
3963 }
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3964
Hanno Becker4f432ad2018-08-28 10:02:32 +0100[diff] [blame]3965 /* We don't have enough space to buffer the next expected handshake
3966 * message. Remove buffers used for future messages to gain space,
3967 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3968 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
3969 offset >= 0; offset-- )
3970 {
3971 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
3972 offset ) );
3973
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]3974 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3975
3976 /* Check if we have enough space available now. */
3977 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3978 hs->buffering.total_bytes_buffered ) )
3979 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]3980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]3981 return( 0 );
3982 }
3983 }
3984
3985 return( -1 );
3986}
3987
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]3988static int ssl_buffer_message( mbedtls_ssl_context *ssl )
3989{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3990 int ret = 0;
3991 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3992
3993 if( hs == NULL )
3994 return( 0 );
3995
3996 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
3997
3998 switch( ssl->in_msgtype )
3999 {
4000 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4001 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4002
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4003 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4004 break;
4005
4006 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4007 {
4008 unsigned recv_msg_seq_offset;
4009 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4010 mbedtls_ssl_hs_buffer *hs_buf;
4011 size_t msg_len = ssl->in_hslen - 12;
4012
4013 /* We should never receive an old handshake
4014 * message - double-check nonetheless. */
4015 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4016 {
4017 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4018 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4019 }
4020
4021 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4022 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4023 {
4024 /* Silently ignore -- message too far in the future */
4025 MBEDTLS_SSL_DEBUG_MSG( 2,
4026 ( "Ignore future HS message with sequence number %u, "
4027 "buffering window %u - %u",
4028 recv_msg_seq, ssl->handshake->in_msg_seq,
4029 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4030
4031 goto exit;
4032 }
4033
4034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4035 recv_msg_seq, recv_msg_seq_offset ) );
4036
4037 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4038
4039 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4040 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4041 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4042 size_t reassembly_buf_sz;
4043
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4044 hs_buf->is_fragmented =
4045 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4046
4047 /* We copy the message back into the input buffer
4048 * after reassembly, so check that it's not too large.
4049 * This is an implementation-specific limitation
4050 * and not one from the standard, hence it is not
4051 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +0100[diff] [blame]4052 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4053 {
4054 /* Ignore message */
4055 goto exit;
4056 }
4057
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4058 /* Check if we have enough space to buffer the message. */
4059 if( hs->buffering.total_bytes_buffered >
4060 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4061 {
4062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4063 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4064 }
4065
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4066 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4067 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4068
4069 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4070 hs->buffering.total_bytes_buffered ) )
4071 {
4072 if( recv_msg_seq_offset > 0 )
4073 {
4074 /* If we can't buffer a future message because
4075 * of space limitations -- ignore. */
4076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4077 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4078 (unsigned) hs->buffering.total_bytes_buffered ) );
4079 goto exit;
4080 }
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]4081 else
4082 {
4083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4084 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4085 (unsigned) hs->buffering.total_bytes_buffered ) );
4086 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4087
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4088 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4089 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4091 (unsigned) msg_len,
4092 (unsigned) reassembly_buf_sz,
4093 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4094 (unsigned) hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4095 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4096 goto exit;
4097 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4098 }
4099
4100 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4101 msg_len ) );
4102
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4103 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4104 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4105 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4106 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4107 goto exit;
4108 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4109 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4110
4111 /* Prepare final header: copy msg_type, length and message_seq,
4112 * then add standardised fragment_offset and fragment_length */
4113 memcpy( hs_buf->data, ssl->in_msg, 6 );
4114 memset( hs_buf->data + 6, 0, 3 );
4115 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4116
4117 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4118
4119 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4120 }
4121 else
4122 {
4123 /* Make sure msg_type and length are consistent */
4124 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4125 {
4126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4127 /* Ignore */
4128 goto exit;
4129 }
4130 }
4131
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4132 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4133 {
4134 size_t frag_len, frag_off;
4135 unsigned char * const msg = hs_buf->data + 12;
4136
4137 /*
4138 * Check and copy current fragment
4139 */
4140
4141 /* Validation of header fields already done in
4142 * mbedtls_ssl_prepare_handshake_record(). */
4143 frag_off = ssl_get_hs_frag_off( ssl );
4144 frag_len = ssl_get_hs_frag_len( ssl );
4145
4146 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
4147 frag_off, frag_len ) );
4148 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4149
4150 if( hs_buf->is_fragmented )
4151 {
4152 unsigned char * const bitmask = msg + msg_len;
4153 ssl_bitmask_set( bitmask, frag_off, frag_len );
4154 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4155 msg_len ) == 0 );
4156 }
4157 else
4158 {
4159 hs_buf->is_complete = 1;
4160 }
4161
4162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4163 hs_buf->is_complete ? "" : "not yet " ) );
4164 }
4165
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4166 break;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4167 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4168
4169 default:
Hanno Becker360bef32018-08-28 10:04:33 +0100[diff] [blame]4170 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4171 break;
4172 }
4173
4174exit:
4175
4176 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4177 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4178}
4179#endif /* MBEDTLS_SSL_PROTO_DTLS */
4180
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4181static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4182{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4183 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4184 * Consume last content-layer message and potentially
4185 * update in_msglen which keeps track of the contents'
4186 * consumption state.
4187 *
4188 * (1) Handshake messages:
4189 * Remove last handshake message, move content
4190 * and adapt in_msglen.
4191 *
4192 * (2) Alert messages:
4193 * Consume whole record content, in_msglen = 0.
4194 *
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4195 * (3) Change cipher spec:
4196 * Consume whole record content, in_msglen = 0.
4197 *
4198 * (4) Application data:
4199 * Don't do anything - the record layer provides
4200 * the application data as a stream transport
4201 * and consumes through mbedtls_ssl_read only.
4202 *
4203 */
4204
4205 /* Case (1): Handshake messages */
4206 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4207 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4208 /* Hard assertion to be sure that no application data
4209 * is in flight, as corrupting ssl->in_msglen during
4210 * ssl->in_offt != NULL is fatal. */
4211 if( ssl->in_offt != NULL )
4212 {
4213 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4214 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4215 }
4216
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4217 /*
4218 * Get next Handshake message in the current record
4219 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4220
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4221 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4222 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4223 * current handshake content: If DTLS handshake
4224 * fragmentation is used, that's the fragment
4225 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]4226 * size here is faulty and should be changed at
4227 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4228 * (2) While it doesn't seem to cause problems, one
4229 * has to be very careful not to assume that in_hslen
4230 * is always <= in_msglen in a sensible communication.
4231 * Again, it's wrong for DTLS handshake fragmentation.
4232 * The following check is therefore mandatory, and
4233 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]4234 * Additionally, ssl->in_hslen might be arbitrarily out of
4235 * bounds after handling a DTLS message with an unexpected
4236 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4237 */
4238 if( ssl->in_hslen < ssl->in_msglen )
4239 {
4240 ssl->in_msglen -= ssl->in_hslen;
4241 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4242 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4243
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4244 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4245 ssl->in_msg, ssl->in_msglen );
4246 }
4247 else
4248 {
4249 ssl->in_msglen = 0;
4250 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +0200[diff] [blame]4251
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4252 ssl->in_hslen = 0;
4253 }
4254 /* Case (4): Application data */
4255 else if( ssl->in_offt != NULL )
4256 {
4257 return( 0 );
4258 }
4259 /* Everything else (CCS & Alerts) */
4260 else
4261 {
4262 ssl->in_msglen = 0;
4263 }
4264
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4265 return( 0 );
4266}
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4267
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4268static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4269{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4270 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4271 return( 1 );
4272
4273 return( 0 );
4274}
4275
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4276#if defined(MBEDTLS_SSL_PROTO_DTLS)
4277
4278static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4279{
4280 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4281 if( hs == NULL )
4282 return;
4283
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4284 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4285 {
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4286 hs->buffering.total_bytes_buffered -=
4287 hs->buffering.future_record.len;
4288
4289 mbedtls_free( hs->buffering.future_record.data );
4290 hs->buffering.future_record.data = NULL;
4291 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4292}
4293
4294static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4295{
4296 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4297 unsigned char * rec;
4298 size_t rec_len;
4299 unsigned rec_epoch;
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4300#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4301 size_t in_buf_len = ssl->in_buf_len;
4302#else
4303 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4304#endif
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4305 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4306 return( 0 );
4307
4308 if( hs == NULL )
4309 return( 0 );
4310
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4311 rec = hs->buffering.future_record.data;
4312 rec_len = hs->buffering.future_record.len;
4313 rec_epoch = hs->buffering.future_record.epoch;
4314
4315 if( rec == NULL )
4316 return( 0 );
4317
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4318 /* Only consider loading future records if the
4319 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4320 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]4321 return( 0 );
4322
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4324
4325 if( rec_epoch != ssl->in_epoch )
4326 {
4327 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4328 goto exit;
4329 }
4330
4331 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4332
4333 /* Double-check that the record is not too large */
Darryl Greenb33cc762019-11-28 14:29:44 +0000[diff] [blame]4334 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4335 {
4336 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4337 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4338 }
4339
4340 memcpy( ssl->in_hdr, rec, rec_len );
4341 ssl->in_left = rec_len;
4342 ssl->next_record_offset = 0;
4343
4344 ssl_free_buffered_record( ssl );
4345
4346exit:
4347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4348 return( 0 );
4349}
4350
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4351static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4352 mbedtls_record const *rec )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4353{
4354 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4355
4356 /* Don't buffer future records outside handshakes. */
4357 if( hs == NULL )
4358 return( 0 );
4359
4360 /* Only buffer handshake records (we are only interested
4361 * in Finished messages). */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4362 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4363 return( 0 );
4364
4365 /* Don't buffer more than one future epoch record. */
4366 if( hs->buffering.future_record.data != NULL )
4367 return( 0 );
4368
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4369 /* Don't buffer record if there's not enough buffering space remaining. */
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4370 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4371 hs->buffering.total_bytes_buffered ) )
4372 {
4373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4374 (unsigned) rec->buf_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4375 (unsigned) hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4376 return( 0 );
4377 }
4378
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4379 /* Buffer record */
4380 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
4381 ssl->in_epoch + 1 ) );
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4382 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4383
4384 /* ssl_parse_record_header() only considers records
4385 * of the next epoch as candidates for buffering. */
4386 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4387 hs->buffering.future_record.len = rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4388
4389 hs->buffering.future_record.data =
4390 mbedtls_calloc( 1, hs->buffering.future_record.len );
4391 if( hs->buffering.future_record.data == NULL )
4392 {
4393 /* If we run out of RAM trying to buffer a
4394 * record from the next epoch, just ignore. */
4395 return( 0 );
4396 }
4397
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4398 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4399
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4400 hs->buffering.total_bytes_buffered += rec->buf_len;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4401 return( 0 );
4402}
4403
4404#endif /* MBEDTLS_SSL_PROTO_DTLS */
4405
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4406static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4407{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4408 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4409 mbedtls_record rec;
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4410
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4411#if defined(MBEDTLS_SSL_PROTO_DTLS)
4412 /* We might have buffered a future record; if so,
4413 * and if the epoch matches now, load it.
4414 * On success, this call will set ssl->in_left to
4415 * the length of the buffered record, so that
4416 * the calls to ssl_fetch_input() below will
4417 * essentially be no-ops. */
4418 ret = ssl_load_buffered_record( ssl );
4419 if( ret != 0 )
4420 return( ret );
4421#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4422
Hanno Beckerca59c2b2019-05-08 12:03:28 +0100[diff] [blame]4423 /* Ensure that we have enough space available for the default form
4424 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4425 * with no space for CIDs counted in). */
4426 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4427 if( ret != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4428 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4429 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4430 return( ret );
4431 }
4432
Hanno Beckere5e7e782019-07-11 12:29:35 +0100[diff] [blame]4433 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4434 if( ret != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4435 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4436#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4437 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4438 {
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4439 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4440 {
Hanno Becker519f15d2019-07-11 12:43:20 +0100[diff] [blame]4441 ret = ssl_buffer_future_record( ssl, &rec );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4442 if( ret != 0 )
4443 return( ret );
4444
4445 /* Fall through to handling of unexpected records */
4446 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4447 }
4448
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4449 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4450 {
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4451#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4452 /* Reset in pointers to default state for TLS/DTLS records,
4453 * assuming no CID and no offset between record content and
4454 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4455 mbedtls_ssl_update_in_pointers( ssl );
Hanno Beckerd8bf8ce2019-07-12 09:23:47 +0100[diff] [blame]4456
Hanno Becker7ae20e02019-07-12 08:33:49 +0100[diff] [blame]4457 /* Setup internal message pointers from record structure. */
4458 ssl->in_msgtype = rec.type;
4459#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4460 ssl->in_len = ssl->in_cid + rec.cid_len;
4461#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4462 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4463 ssl->in_msglen = rec.data_len;
4464
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4465 ret = ssl_check_client_reconnect( ssl );
Manuel Pégourié-Gonnard243d70f2020-03-31 12:07:47 +0200[diff] [blame]4466 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4467 if( ret != 0 )
4468 return( ret );
4469#endif
4470
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4471 /* Skip unexpected record (but not whole datagram) */
Hanno Becker4acada32019-07-11 12:48:53 +0100[diff] [blame]4472 ssl->next_record_offset = rec.buf_len;
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4473
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4475 "(header)" ) );
4476 }
4477 else
4478 {
4479 /* Skip invalid record and the rest of the datagram */
4480 ssl->next_record_offset = 0;
4481 ssl->in_left = 0;
4482
4483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4484 "(header)" ) );
4485 }
4486
4487 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4488 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4489 }
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4490 else
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4491#endif
Hanno Becker2fddd372019-07-10 14:37:41 +0100[diff] [blame]4492 {
4493 return( ret );
4494 }
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4495 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4497#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4498 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4499 {
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4500 /* Remember offset of next record within datagram. */
Hanno Beckerf50da502019-07-11 12:50:10 +0100[diff] [blame]4501 ssl->next_record_offset = rec.buf_len;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]4502 if( ssl->next_record_offset < ssl->in_left )
4503 {
4504 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4505 }
4506 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4507 else
4508#endif
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4509 {
Hanno Becker955a5c92019-07-10 17:12:07 +0100[diff] [blame]4510 /*
4511 * Fetch record contents from underlying transport.
4512 */
Hanno Beckera3175662019-07-11 12:50:29 +0100[diff] [blame]4513 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4514 if( ret != 0 )
4515 {
4516 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4517 return( ret );
4518 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4519
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4520 ssl->in_left = 0;
Hanno Beckera8814792019-07-10 15:01:45 +0100[diff] [blame]4521 }
4522
4523 /*
4524 * Decrypt record contents.
4525 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4526
Hanno Beckerfdf66042019-07-11 13:07:45 +0100[diff] [blame]4527 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4528 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4529#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4530 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4531 {
4532 /* Silently discard invalid records */
Hanno Becker82e2a392019-05-03 16:36:59 +0100[diff] [blame]4533 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4534 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4535 /* Except when waiting for Finished as a bad mac here
4536 * probably means something went wrong in the handshake
4537 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4538 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4539 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4540 {
4541#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4542 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4543 {
4544 mbedtls_ssl_send_alert_message( ssl,
4545 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4546 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4547 }
4548#endif
4549 return( ret );
4550 }
4551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4552#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4553 if( ssl->conf->badmac_limit != 0 &&
4554 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4555 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4557 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]4558 }
4559#endif
4560
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]4561 /* As above, invalid records cause
4562 * dismissal of the whole datagram. */
4563
4564 ssl->next_record_offset = 0;
4565 ssl->in_left = 0;
4566
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4568 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4569 }
4570
4571 return( ret );
4572 }
4573 else
4574#endif
4575 {
4576 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4577#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4578 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4579 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4580 mbedtls_ssl_send_alert_message( ssl,
4581 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4582 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4583 }
4584#endif
4585 return( ret );
4586 }
4587 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4588
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4589
4590 /* Reset in pointers to default state for TLS/DTLS records,
4591 * assuming no CID and no offset between record content and
4592 * record plaintext. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4593 mbedtls_ssl_update_in_pointers( ssl );
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4594#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4595 ssl->in_len = ssl->in_cid + rec.cid_len;
4596#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
irwir89af51f2019-09-26 21:04:56 +0300[diff] [blame]4597 ssl->in_iv = ssl->in_len + 2;
Hanno Becker44d89b22019-07-12 09:40:44 +0100[diff] [blame]4598
Hanno Becker8685c822019-07-12 09:37:30 +0100[diff] [blame]4599 /* The record content type may change during decryption,
4600 * so re-read it. */
4601 ssl->in_msgtype = rec.type;
4602 /* Also update the input buffer, because unfortunately
4603 * the server-side ssl_parse_client_hello() reparses the
4604 * record header when receiving a ClientHello initiating
4605 * a renegotiation. */
4606 ssl->in_hdr[0] = rec.type;
4607 ssl->in_msg = rec.buf + rec.data_offset;
4608 ssl->in_msglen = rec.data_len;
4609 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
4610 ssl->in_len[1] = (unsigned char)( rec.data_len );
4611
Manuel Pégourié-Gonnardc40b6852020-01-03 12:18:49 +0100[diff] [blame]4612#if defined(MBEDTLS_ZLIB_SUPPORT)
4613 if( ssl->transform_in != NULL &&
4614 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
4615 {
4616 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4617 {
4618 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
4619 return( ret );
4620 }
4621
4622 /* Check actual (decompress) record content length against
4623 * configured maximum. */
4624 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4625 {
4626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4627 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4628 }
4629 }
4630#endif /* MBEDTLS_ZLIB_SUPPORT */
4631
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4632 return( 0 );
4633}
4634
4635int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4636{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4637 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4638
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]4639 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4640 * Handle particular types of records
4641 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4642 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4643 {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4644 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4645 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4646 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4647 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4648 }
4649
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4650 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4651 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4652 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4653 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
4655 ssl->in_msglen ) );
4656 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4657 }
4658
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4659 if( ssl->in_msg[0] != 1 )
4660 {
4661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4662 ssl->in_msg[0] ) );
4663 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4664 }
4665
4666#if defined(MBEDTLS_SSL_PROTO_DTLS)
4667 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4668 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4669 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4670 {
4671 if( ssl->handshake == NULL )
4672 {
4673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4674 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4675 }
4676
4677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4678 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4679 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4680#endif
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4681 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4683 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4684 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]4685 if( ssl->in_msglen != 2 )
4686 {
4687 /* Note: Standard allows for more than one 2 byte alert
4688 to be packed in a single message, but Mbed TLS doesn't
4689 currently support this. */
4690 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
4691 ssl->in_msglen ) );
4692 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4693 }
4694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4695 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4696 ssl->in_msg[0], ssl->in_msg[1] ) );
4697
4698 /*
Simon Butcher459a9502015-10-27 16:09:03 +0000[diff] [blame]4699 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4700 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4701 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4702 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4703 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4704 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4705 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4706 }
4707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4708 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4709 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4712 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4713 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4714
4715#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4716 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4717 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4718 {
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4719 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4720 /* Will be handled when trying to parse ServerHello */
4721 return( 0 );
4722 }
4723#endif
4724
4725#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
4726 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
4727 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4728 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4729 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
4730 {
4731 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
4732 /* Will be handled in mbedtls_ssl_parse_certificate() */
4733 return( 0 );
4734 }
4735#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
4736
4737 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4738 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4739 }
4740
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4741#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4742 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4743 {
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4744 /* Drop unexpected ApplicationData records,
4745 * except at the beginning of renegotiations */
4746 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4747 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4748#if defined(MBEDTLS_SSL_RENEGOTIATION)
4749 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4750 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4751#endif
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4752 )
4753 {
4754 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4755 return( MBEDTLS_ERR_SSL_NON_FATAL );
4756 }
4757
4758 if( ssl->handshake != NULL &&
4759 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
4760 {
Hanno Beckerce5f5fd2020-02-05 10:47:44 +0000[diff] [blame]4761 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
Hanno Becker37ae9522019-05-03 16:54:26 +0100[diff] [blame]4762 }
4763 }
Hanno Becker4a4af9f2019-05-08 16:26:21 +0100[diff] [blame]4764#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]4765
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4766 return( 0 );
4767}
4768
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4769int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4770{
irwir6c0da642019-09-26 21:07:41 +0300[diff] [blame]4771 return( mbedtls_ssl_send_alert_message( ssl,
4772 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4773 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]4774}
4775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4776int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4777 unsigned char level,
4778 unsigned char message )
4779{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4780 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4781
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]4782 if( ssl == NULL || ssl->conf == NULL )
4783 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4784
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4785 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4786 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4787
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4788 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4789 ssl->out_msglen = 2;
4790 ssl->out_msg[0] = level;
4791 ssl->out_msg[1] = message;
4792
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]4793 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4794 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4796 return( ret );
4797 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4798 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]4799
4800 return( 0 );
4801}
4802
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4803int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4804{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4805 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4808
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4809 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4810 ssl->out_msglen = 1;
4811 ssl->out_msg[0] = 1;
4812
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4813 ssl->state++;
4814
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4815 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4816 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4817 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4818 return( ret );
4819 }
4820
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4821 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4822
4823 return( 0 );
4824}
4825
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4826int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4827{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4828 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4829
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4830 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4831
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4832 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4833 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4834 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4835 return( ret );
4836 }
4837
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4838 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4839 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4840 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4841 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4842 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4843 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4844 }
4845
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4846 /* CCS records are only accepted if they have length 1 and content '1',
4847 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4848
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4849 /*
4850 * Switch to our negotiated transform and session parameters for inbound
4851 * data.
4852 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4853 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4854 ssl->transform_in = ssl->transform_negotiate;
4855 ssl->session_in = ssl->session_negotiate;
4856
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4857#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4858 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4859 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4860#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker7e8e6a62020-02-05 10:45:48 +0000[diff] [blame]4861 mbedtls_ssl_dtls_replay_reset( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4862#endif
4863
4864 /* Increment epoch */
4865 if( ++ssl->in_epoch == 0 )
4866 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4867 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4868 /* This is highly unlikely to happen for legitimate reasons, so
4869 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4870 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4871 }
4872 }
4873 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4874#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4875 memset( ssl->in_ctr, 0, 8 );
4876
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4877 mbedtls_ssl_update_in_pointers( ssl );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4878
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4879#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4880 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4881 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4882 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4883 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4885 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4886 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4887 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4888 }
4889 }
4890#endif
4891
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4892 ssl->state++;
4893
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4894 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4895
4896 return( 0 );
4897}
4898
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4899/* Once ssl->out_hdr as the address of the beginning of the
4900 * next outgoing record is set, deduce the other pointers.
4901 *
4902 * Note: For TLS, we save the implicit record sequence number
4903 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
4904 * and the caller has to make sure there's space for this.
4905 */
4906
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4907void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
4908 mbedtls_ssl_transform *transform )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4909{
4910#if defined(MBEDTLS_SSL_PROTO_DTLS)
4911 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4912 {
4913 ssl->out_ctr = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4914#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4915 ssl->out_cid = ssl->out_ctr + 8;
4916 ssl->out_len = ssl->out_cid;
4917 if( transform != NULL )
4918 ssl->out_len += transform->out_cid_len;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4919#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4920 ssl->out_len = ssl->out_ctr + 8;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4921#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4922 ssl->out_iv = ssl->out_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4923 }
4924 else
4925#endif
4926 {
4927 ssl->out_ctr = ssl->out_hdr - 8;
4928 ssl->out_len = ssl->out_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4929#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4930 ssl->out_cid = ssl->out_len;
4931#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4932 ssl->out_iv = ssl->out_hdr + 5;
4933 }
4934
4935 /* Adjust out_msg to make space for explicit IV, if used. */
4936 if( transform != NULL &&
4937 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
4938 {
4939 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
4940 }
4941 else
4942 ssl->out_msg = ssl->out_iv;
4943}
4944
4945/* Once ssl->in_hdr as the address of the beginning of the
4946 * next incoming record is set, deduce the other pointers.
4947 *
4948 * Note: For TLS, we save the implicit record sequence number
4949 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
4950 * and the caller has to make sure there's space for this.
4951 */
4952
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]4953void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4954{
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4955 /* This function sets the pointers to match the case
4956 * of unprotected TLS/DTLS records, with both ssl->in_iv
4957 * and ssl->in_msg pointing to the beginning of the record
4958 * content.
4959 *
4960 * When decrypting a protected record, ssl->in_msg
4961 * will be shifted to point to the beginning of the
4962 * record plaintext.
4963 */
4964
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4965#if defined(MBEDTLS_SSL_PROTO_DTLS)
4966 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4967 {
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4968 /* This sets the header pointers to match records
4969 * without CID. When we receive a record containing
4970 * a CID, the fields are shifted accordingly in
4971 * ssl_parse_record_header(). */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4972 ssl->in_ctr = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4973#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4974 ssl->in_cid = ssl->in_ctr + 8;
4975 ssl->in_len = ssl->in_cid; /* Default: no CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4976#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4977 ssl->in_len = ssl->in_ctr + 8;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4978#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckerf9c6a4b2019-05-03 14:34:53 +0100[diff] [blame]4979 ssl->in_iv = ssl->in_len + 2;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4980 }
4981 else
4982#endif
4983 {
4984 ssl->in_ctr = ssl->in_hdr - 8;
4985 ssl->in_len = ssl->in_hdr + 3;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]4986#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker4c3eb7c2019-05-08 16:43:21 +0100[diff] [blame]4987 ssl->in_cid = ssl->in_len;
4988#endif
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4989 ssl->in_iv = ssl->in_hdr + 5;
4990 }
4991
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]4992 /* This will be adjusted at record decryption time. */
4993 ssl->in_msg = ssl->in_iv;
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]4994}
4995
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4996/*
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +0200[diff] [blame]4997 * Setup an SSL context
4998 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]4999
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]5000void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5001{
5002 /* Set the incoming and outgoing record pointers. */
5003#if defined(MBEDTLS_SSL_PROTO_DTLS)
5004 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5005 {
5006 ssl->out_hdr = ssl->out_buf;
5007 ssl->in_hdr = ssl->in_buf;
5008 }
5009 else
5010#endif /* MBEDTLS_SSL_PROTO_DTLS */
5011 {
5012 ssl->out_hdr = ssl->out_buf + 8;
5013 ssl->in_hdr = ssl->in_buf + 8;
5014 }
5015
5016 /* Derive other internal pointers. */
Hanno Becker3e6f8ab2020-02-05 10:40:57 +0000[diff] [blame]5017 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
5018 mbedtls_ssl_update_in_pointers ( ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]5019}
5020
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5021/*
5022 * SSL get accessors
5023 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5024size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5025{
5026 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
5027}
5028
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5029int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
5030{
5031 /*
5032 * Case A: We're currently holding back
5033 * a message for further processing.
5034 */
5035
5036 if( ssl->keep_current_message == 1 )
5037 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5038 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5039 return( 1 );
5040 }
5041
5042 /*
5043 * Case B: Further records are pending in the current datagram.
5044 */
5045
5046#if defined(MBEDTLS_SSL_PROTO_DTLS)
5047 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5048 ssl->in_left > ssl->next_record_offset )
5049 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5050 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5051 return( 1 );
5052 }
5053#endif /* MBEDTLS_SSL_PROTO_DTLS */
5054
5055 /*
5056 * Case C: A handshake message is being processed.
5057 */
5058
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5059 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
5060 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5062 return( 1 );
5063 }
5064
5065 /*
5066 * Case D: An application data message is being processed
5067 */
5068 if( ssl->in_offt != NULL )
5069 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]5070 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5071 return( 1 );
5072 }
5073
5074 /*
5075 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]5076 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]5077 * we implement support for multiple alerts in single records.
5078 */
5079
5080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5081 return( 0 );
5082}
5083
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]5084
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5085int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5086{
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5087 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5088 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5089 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5090
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5091 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5092
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]5093 if( transform == NULL )
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5094 return( (int) out_hdr_len );
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]5095
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5096#if defined(MBEDTLS_ZLIB_SUPPORT)
5097 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
5098 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5099#endif
5100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5101 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5102 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5103 case MBEDTLS_MODE_GCM:
5104 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5105 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5106 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5107 transform_expansion = transform->minlen;
5108 break;
5109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5110 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5111
5112 block_size = mbedtls_cipher_get_block_size(
5113 &transform->cipher_ctx_enc );
5114
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5115 /* Expansion due to the addition of the MAC. */
5116 transform_expansion += transform->maclen;
5117
5118 /* Expansion due to the addition of CBC padding;
5119 * Theoretically up to 256 bytes, but we never use
5120 * more than the block size of the underlying cipher. */
5121 transform_expansion += block_size;
5122
5123 /* For TLS 1.1 or higher, an explicit IV is added
5124 * after the record header. */
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5125#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
5126 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5127 transform_expansion += block_size;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]5128#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]5129
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5130 break;
5131
5132 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5134 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5135 }
5136
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5137#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]5138 if( transform->out_cid_len != 0 )
5139 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]5140#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker6cbad552019-05-08 15:40:11 +0100[diff] [blame]5141
Hanno Becker5903de42019-05-03 14:46:38 +0100[diff] [blame]5142 return( (int)( out_hdr_len + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]5143}
5144
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5145#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]5146/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5147 * Check record counters and renegotiate if they're above the limit.
5148 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5149static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5150{
Hanno Beckerdd772292020-02-05 10:38:31 +0000[diff] [blame]5151 size_t ep_len = mbedtls_ssl_ep_len( ssl );
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5152 int in_ctr_cmp;
5153 int out_ctr_cmp;
5154
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5155 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5156 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5157 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5158 {
5159 return( 0 );
5160 }
5161
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5162 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5163 ssl->conf->renego_period + ep_len, 8 - ep_len );
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]5164 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]5165 ssl->conf->renego_period + ep_len, 8 - ep_len );
5166
5167 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5168 {
5169 return( 0 );
5170 }
5171
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]5172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5173 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5174}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5175#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5176
5177/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5178 * Receive application data decrypted from the SSL layer
5179 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5180int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5181{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5182 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5183 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5184
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5185 if( ssl == NULL || ssl->conf == NULL )
5186 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5188 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5190#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5191 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5192 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5193 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5194 return( ret );
5195
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5196 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5197 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5198 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]5199 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5200 return( ret );
5201 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5202 }
5203#endif
5204
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5205 /*
5206 * Check if renegotiation is necessary and/or handshake is
5207 * in process. If yes, perform/continue, and fall through
5208 * if an unexpected packet is received while the client
5209 * is waiting for the ServerHello.
5210 *
5211 * (There is no equivalent to the last condition on
5212 * the server-side as it is not treated as within
5213 * a handshake while waiting for the ClientHello
5214 * after a renegotiation request.)
5215 */
5216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5217#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5218 ret = ssl_check_ctr_renegotiate( ssl );
5219 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5220 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5221 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5222 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]5223 return( ret );
5224 }
5225#endif
5226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5227 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5228 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5229 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5230 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5231 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5232 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5233 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5234 return( ret );
5235 }
5236 }
5237
Hanno Beckere41158b2017-10-23 13:30:32 +0100[diff] [blame]5238 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5239 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5240 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5241 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5242 if( ssl->f_get_timer != NULL &&
5243 ssl->f_get_timer( ssl->p_timer ) == -1 )
5244 {
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5245 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]5246 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5247
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5248 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5249 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5250 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5251 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5252
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5253 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5254 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5255 }
5256
5257 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5258 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5259 {
5260 /*
5261 * OpenSSL sends empty messages to randomize the IV
5262 */
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]5263 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5264 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5265 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]5266 return( 0 );
5267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5268 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5269 return( ret );
5270 }
5271 }
5272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5273 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5274 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5276
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5277 /*
5278 * - For client-side, expect SERVER_HELLO_REQUEST.
5279 * - For server-side, expect CLIENT_HELLO.
5280 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5281 */
5282
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5283#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5284 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5285 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5286 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5287 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5289
5290 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5291#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5292 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5293 {
5294 continue;
5295 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5296#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5297 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5298 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5299#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5300
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5301#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5302 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5303 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5304 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5306
5307 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5308#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5309 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5310 {
5311 continue;
5312 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5313#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5314 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5315 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5316#endif /* MBEDTLS_SSL_SRV_C */
5317
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5318#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5319 /* Determine whether renegotiation attempt should be accepted */
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5320 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5321 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5322 ssl->conf->allow_legacy_renegotiation ==
5323 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5324 {
5325 /*
5326 * Accept renegotiation request
5327 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5328
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5329 /* DTLS clients need to know renego is server-initiated */
5330#if defined(MBEDTLS_SSL_PROTO_DTLS)
5331 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5332 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5333 {
5334 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5335 }
5336#endif
Hanno Becker40cdaa12020-02-05 10:48:27 +0000[diff] [blame]5337 ret = mbedtls_ssl_start_renegotiation( ssl );
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5338 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5339 ret != 0 )
5340 {
Hanno Becker40cdaa12020-02-05 10:48:27 +0000[diff] [blame]5341 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5342 ret );
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]5343 return( ret );
5344 }
5345 }
5346 else
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5347#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5348 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5349 /*
5350 * Refuse renegotiation
5351 */
5352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5353 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5355#if defined(MBEDTLS_SSL_PROTO_SSL3)
5356 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5357 {
Gilles Peskine92e44262017-05-10 17:27:49 +0200[diff] [blame]5358 /* SSLv3 does not have a "no_renegotiation" warning, so
5359 we send a fatal alert and abort the connection. */
5360 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5361 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5362 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5363 }
5364 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5365#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5366#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5367 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5368 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5369 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5370 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5371 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5372 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5373 {
5374 return( ret );
5375 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5376 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]5377 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5378#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
5379 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]5380 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5382 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]5383 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5384 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5385
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5386 /* At this point, we don't know whether the renegotiation has been
5387 * completed or not. The cases to consider are the following:
5388 * 1) The renegotiation is complete. In this case, no new record
5389 * has been read yet.
5390 * 2) The renegotiation is incomplete because the client received
5391 * an application data record while awaiting the ServerHello.
5392 * 3) The renegotiation is incomplete because the client received
5393 * a non-handshake, non-application data message while awaiting
5394 * the ServerHello.
5395 * In each of these case, looping will be the proper action:
5396 * - For 1), the next iteration will read a new record and check
5397 * if it's application data.
5398 * - For 2), the loop condition isn't satisfied as application data
5399 * is present, hence continue is the same as break
5400 * - For 3), the loop condition is satisfied and read_record
5401 * will re-deliver the message that was held back by the client
5402 * when expecting the ServerHello.
5403 */
5404 continue;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5405 }
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]5406#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5407 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5408 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5409 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5410 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5411 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5412 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5413 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5414 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5415 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]5416 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5417 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]5418 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5419#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5420
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5421 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5422 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5423 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5424 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]5425 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]5426 }
5427
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5428 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5429 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5431 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5432 }
5433
5434 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]5435
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5436 /* We're going to return something now, cancel timer,
5437 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5438 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Hanno Becker0f57a652020-02-05 10:37:26 +0000[diff] [blame]5439 mbedtls_ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5440
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]5441#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5442 /* If we requested renego but received AppData, resend HelloRequest.
5443 * Do it now, after setting in_offt, to avoid taking this branch
5444 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5445#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5446 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5447 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5448 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5449 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5450 {
Hanno Becker786300f2020-02-05 10:46:40 +0000[diff] [blame]5451 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5452 ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]5453 return( ret );
5454 }
5455 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5456#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5457#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5458 }
5459
5460 n = ( len < ssl->in_msglen )
5461 ? len : ssl->in_msglen;
5462
5463 memcpy( buf, ssl->in_offt, n );
5464 ssl->in_msglen -= n;
5465
5466 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5467 {
5468 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5469 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +0100[diff] [blame]5470 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5471 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5472 else
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5473 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5474 /* more data available */
5475 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5476 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5478 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5479
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5480 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5481}
5482
5483/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5484 * Send application data to be encrypted by the SSL layer, taking care of max
5485 * fragment length and buffer size.
5486 *
5487 * According to RFC 5246 Section 6.2.1:
5488 *
5489 * Zero-length fragments of Application data MAY be sent as they are
5490 * potentially useful as a traffic analysis countermeasure.
5491 *
5492 * Therefore, it is possible that the input message length is 0 and the
5493 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5494 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5495static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5496 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5497{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]5498 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5499 const size_t max_len = (size_t) ret;
5500
5501 if( ret < 0 )
5502 {
5503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5504 return( ret );
5505 }
5506
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5507 if( len > max_len )
5508 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5509#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5510 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5511 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5513 "maximum fragment length: %d > %d",
5514 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5515 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5516 }
5517 else
5518#endif
5519 len = max_len;
5520 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5521
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5522 if( ssl->out_left != 0 )
5523 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5524 /*
5525 * The user has previously tried to send the data and
5526 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5527 * written. In this case, we expect the high-level write function
5528 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5529 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5530 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5531 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5532 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5533 return( ret );
5534 }
5535 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5536 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]5537 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]5538 /*
5539 * The user is trying to send a message the first time, so we need to
5540 * copy the data into the internal buffers and setup the data structure
5541 * to keep track of partial writes
5542 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5543 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5544 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5545 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5546
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]5547 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5548 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5549 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]5550 return( ret );
5551 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5552 }
5553
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]5554 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5555}
5556
5557/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5558 * Write application data, doing 1/n-1 splitting if necessary.
5559 *
5560 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]5561 * then the caller will call us again with the same arguments, so
Hanno Becker2b187c42017-09-18 14:58:11 +0100[diff] [blame]5562 * remember whether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5563 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5564#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5565static int ssl_write_split( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5566 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5567{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5568 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5569
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]5570 if( ssl->conf->cbc_record_splitting ==
5571 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]5572 len <= 1 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5573 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
5574 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
5575 != MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5576 {
5577 return( ssl_write_real( ssl, buf, len ) );
5578 }
5579
5580 if( ssl->split_done == 0 )
5581 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5582 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5583 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5584 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5585 }
5586
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]5587 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
5588 return( ret );
5589 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5590
5591 return( ret + 1 );
5592}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5593#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]5594
5595/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5596 * Write application data (public-facing wrapper)
5597 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5598int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5599{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5600 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5601
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5602 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5603
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5604 if( ssl == NULL || ssl->conf == NULL )
5605 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5606
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5607#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5608 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5609 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5610 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5611 return( ret );
5612 }
5613#endif
5614
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5615 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5616 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5617 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5618 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +0200[diff] [blame]5619 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5620 return( ret );
5621 }
5622 }
5623
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5624#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5625 ret = ssl_write_split( ssl, buf, len );
5626#else
5627 ret = ssl_write_real( ssl, buf, len );
5628#endif
5629
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]5630 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]5631
5632 return( ret );
5633}
5634
5635/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5636 * Notify the peer that the connection is being closed
5637 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5638int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5639{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]5640 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5641
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5642 if( ssl == NULL || ssl->conf == NULL )
5643 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5645 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5646
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5647 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5648 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5650 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5652 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5653 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5654 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5655 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5656 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5657 return( ret );
5658 }
5659 }
5660
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5661 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5662
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]5663 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5664}
5665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5666void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5667{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]5668 if( transform == NULL )
5669 return;
5670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5671#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5672 deflateEnd( &transform->ctx_deflate );
5673 inflateEnd( &transform->ctx_inflate );
5674#endif
5675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5676 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5677 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +0200[diff] [blame]5678
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5679#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5680 mbedtls_md_free( &transform->md_ctx_enc );
5681 mbedtls_md_free( &transform->md_ctx_dec );
Hanno Beckerd56ed242018-01-03 15:32:51 +0000[diff] [blame]5682#endif
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]5683
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]5684 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]5685}
5686
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5687#if defined(MBEDTLS_SSL_PROTO_DTLS)
5688
Hanno Becker533ab5f2020-02-05 10:49:13 +0000[diff] [blame]5689void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5690{
5691 unsigned offset;
5692 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5693
5694 if( hs == NULL )
5695 return;
5696
Hanno Becker283f5ef2018-08-24 09:34:47 +0100[diff] [blame]5697 ssl_free_buffered_record( ssl );
5698
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5699 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5700 ssl_buffering_free_slot( ssl, offset );
5701}
5702
5703static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5704 uint8_t slot )
5705{
5706 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5707 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]5708
5709 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
5710 return;
5711
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5712 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5713 {
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5714 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +0100[diff] [blame]5715 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]5716 mbedtls_free( hs_buf->data );
5717 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]5718 }
5719}
5720
5721#endif /* MBEDTLS_SSL_PROTO_DTLS */
5722
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5723/*
5724 * Convert version numbers to/from wire format
5725 * and, for DTLS, to/from TLS equivalent.
5726 *
5727 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]5728 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5729 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
5730 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
5731 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5732void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5733 unsigned char ver[2] )
5734{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5735#if defined(MBEDTLS_SSL_PROTO_DTLS)
5736 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5737 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5738 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5739 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5740
5741 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
5742 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
5743 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5744 else
5745#else
5746 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5747#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5748 {
5749 ver[0] = (unsigned char) major;
5750 ver[1] = (unsigned char) minor;
5751 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5752}
5753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5754void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5755 const unsigned char ver[2] )
5756{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5757#if defined(MBEDTLS_SSL_PROTO_DTLS)
5758 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5759 {
5760 *major = 255 - ver[0] + 2;
5761 *minor = 255 - ver[1] + 1;
5762
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5763 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5764 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5765 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5766 else
5767#else
5768 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5769#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]5770 {
5771 *major = ver[0];
5772 *minor = ver[1];
5773 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]5774}
5775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5776#endif /* MBEDTLS_SSL_TLS_C */