TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e694c3ef3e08c1951ae86b1031a8abcfebc27d67 / . / library / ssl_tls.c
blob: f0f38c0b2b99a7b7701d1b0bf8713e24320e922e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The SSL 3.0 specification was drafted by Netscape in 1996,
23 * and became an IETF standard in 1999.
24 *
25 * http://wp.netscape.com/eng/ssl3/
26 * http://www.ietf.org/rfc/rfc2246.txt
27 * http://www.ietf.org/rfc/rfc4346.txt
28 */
29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]33#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#if defined(MBEDTLS_PLATFORM_C)
39#include "mbedtls/platform.h"
40#else
41#include <stdlib.h>
42#define mbedtls_calloc calloc
43#define mbedtls_free free
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]44#endif
45
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/debug.h"
47#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200[diff] [blame]48#include "mbedtls/ssl_internal.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]49#include "mbedtls/platform_util.h"
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]50
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <string.h>
52
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]53#if defined(MBEDTLS_USE_PSA_CRYPTO)
54#include "mbedtls/psa_util.h"
55#include "psa/crypto.h"
56#endif
57
Janos Follath23bdca02016-10-07 14:47:14 +0100[diff] [blame]58#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]59#include "mbedtls/oid.h"
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]60#endif
61
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]62#if defined(MBEDTLS_USE_PSA_CRYPTO)
63#include "mbedtls/psa_util.h"
64#endif
65
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]66static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]67static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]68
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]69/* Length of the "epoch" field in the record header */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]70static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]71{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]72#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]73 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]74 return( 2 );
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]75#else
76 ((void) ssl);
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]77#endif
78 return( 0 );
79}
80
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]81/*
82 * Start a timer.
83 * Passing millisecs = 0 cancels a running timer.
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]84 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]86{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]87 if( ssl->f_set_timer == NULL )
88 return;
89
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
91 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]92}
93
94/*
95 * Return -1 is timer is expired, 0 if it isn't.
96 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]97static int ssl_check_timer( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]98{
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]99 if( ssl->f_get_timer == NULL )
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]100 return( 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]101
102 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]103 {
104 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]105 return( -1 );
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]106 }
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]107
108 return( 0 );
109}
Manuel Pégourié-Gonnarddb2858c2014-09-29 14:04:42 +0200[diff] [blame]110
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]111static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
112 mbedtls_ssl_transform *transform );
113static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
114 mbedtls_ssl_transform *transform );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]115
116#define SSL_DONT_FORCE_FLUSH 0
117#define SSL_FORCE_FLUSH 1
118
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]119#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]120
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]121/* Forward declarations for functions related to message buffering. */
122static void ssl_buffering_free( mbedtls_ssl_context *ssl );
123static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
124 uint8_t slot );
125static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
126static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
127static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
128static int ssl_buffer_message( mbedtls_ssl_context *ssl );
129static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]130static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
Hanno Beckerd5847772018-08-28 10:09:23 +0100[diff] [blame]131
Hanno Beckera67dee22018-08-22 10:05:20 +0100[diff] [blame]132static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]133static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]134{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]135 size_t mtu = ssl_get_current_mtu( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]136
137 if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]138 return( mtu );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]139
140 return( MBEDTLS_SSL_OUT_BUFFER_LEN );
141}
142
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]143static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
144{
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]145 size_t const bytes_written = ssl->out_left;
146 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]147
148 /* Double-check that the write-index hasn't gone
149 * past what we can transmit in a single datagram. */
Hanno Becker11682cc2018-08-22 14:41:02 +0100[diff] [blame]150 if( bytes_written > mtu )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]151 {
152 /* Should never happen... */
153 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
154 }
155
156 return( (int) ( mtu - bytes_written ) );
157}
158
159static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
160{
161 int ret;
162 size_t remaining, expansion;
Andrzej Kurek748face2018-10-11 07:20:19 -0400[diff] [blame]163 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]164
165#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
166 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
167
168 if( max_len > mfl )
169 max_len = mfl;
Hanno Beckerf4b010e2018-08-24 10:47:29 +0100[diff] [blame]170
171 /* By the standard (RFC 6066 Sect. 4), the MFL extension
172 * only limits the maximum record payload size, so in theory
173 * we would be allowed to pack multiple records of payload size
174 * MFL into a single datagram. However, this would mean that there's
175 * no way to explicitly communicate MTU restrictions to the peer.
176 *
177 * The following reduction of max_len makes sure that we never
178 * write datagrams larger than MFL + Record Expansion Overhead.
179 */
180 if( max_len <= ssl->out_left )
181 return( 0 );
182
183 max_len -= ssl->out_left;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]184#endif
185
186 ret = ssl_get_remaining_space_in_datagram( ssl );
187 if( ret < 0 )
188 return( ret );
189 remaining = (size_t) ret;
190
191 ret = mbedtls_ssl_get_record_expansion( ssl );
192 if( ret < 0 )
193 return( ret );
194 expansion = (size_t) ret;
195
196 if( remaining <= expansion )
197 return( 0 );
198
199 remaining -= expansion;
200 if( remaining >= max_len )
201 remaining = max_len;
202
203 return( (int) remaining );
204}
205
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]206/*
207 * Double the retransmit timeout value, within the allowed range,
208 * returning -1 if the maximum value has already been reached.
209 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]210static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]211{
212 uint32_t new_timeout;
213
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]214 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]215 return( -1 );
216
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]217 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
218 * in the following way: after the initial transmission and a first
219 * retransmission, back off to a temporary estimated MTU of 508 bytes.
220 * This value is guaranteed to be deliverable (if not guaranteed to be
221 * delivered) of any compliant IPv4 (and IPv6) network, and should work
222 * on most non-IP stacks too. */
223 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]224 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]225 ssl->handshake->mtu = 508;
Andrzej Kurek6290dae2018-10-05 08:06:01 -0400[diff] [blame]226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
227 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]228
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]229 new_timeout = 2 * ssl->handshake->retransmit_timeout;
230
231 /* Avoid arithmetic overflow and range overflow */
232 if( new_timeout < ssl->handshake->retransmit_timeout ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]233 new_timeout > ssl->conf->hs_timeout_max )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]234 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]235 new_timeout = ssl->conf->hs_timeout_max;
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]236 }
237
238 ssl->handshake->retransmit_timeout = new_timeout;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]240 ssl->handshake->retransmit_timeout ) );
241
242 return( 0 );
243}
244
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]245static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]246{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]247 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]249 ssl->handshake->retransmit_timeout ) );
250}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]251#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]253#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200[diff] [blame]254/*
255 * Convert max_fragment_length codes to length.
256 * RFC 6066 says:
257 * enum{
258 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
259 * } MaxFragmentLength;
260 * and we add 0 -> extension unused
261 */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]262static unsigned int ssl_mfl_code_to_length( int mfl )
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200[diff] [blame]263{
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]264 switch( mfl )
265 {
266 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
267 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
268 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
269 return 512;
270 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
271 return 1024;
272 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
273 return 2048;
274 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
275 return 4096;
276 default:
277 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
278 }
279}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]280#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +0200[diff] [blame]281
Hanno Becker52055ae2019-02-06 14:30:46 +0000[diff] [blame]282int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
283 const mbedtls_ssl_session *src )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]284{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]285 mbedtls_ssl_session_free( dst );
286 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]288#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker6d1986e2019-02-07 12:27:42 +0000[diff] [blame]289
290#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]291 if( src->peer_cert != NULL )
292 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]293 int ret;
294
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]295 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]296 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]297 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299 mbedtls_x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]301 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200[diff] [blame]302 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]303 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]304 mbedtls_free( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]305 dst->peer_cert = NULL;
306 return( ret );
307 }
308 }
Hanno Becker6d1986e2019-02-07 12:27:42 +0000[diff] [blame]309#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]310 if( src->peer_cert_digest != NULL )
311 {
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]312 dst->peer_cert_digest =
Hanno Beckeraccc5992019-02-25 10:06:59 +0000[diff] [blame]313 mbedtls_calloc( 1, src->peer_cert_digest_len );
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]314 if( dst->peer_cert_digest == NULL )
315 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
316
317 memcpy( dst->peer_cert_digest, src->peer_cert_digest,
318 src->peer_cert_digest_len );
319 dst->peer_cert_digest_type = src->peer_cert_digest_type;
Hanno Beckeraccc5992019-02-25 10:06:59 +0000[diff] [blame]320 dst->peer_cert_digest_len = src->peer_cert_digest_len;
Hanno Becker9198ad12019-02-05 17:00:50 +0000[diff] [blame]321 }
322#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]324#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]325
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]326#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]327 if( src->ticket != NULL )
328 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]329 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]330 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]331 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]332
333 memcpy( dst->ticket, src->ticket, src->ticket_len );
334 }
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]335#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]336
337 return( 0 );
338}
339
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]340#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
341int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]342 const unsigned char *key_enc, const unsigned char *key_dec,
343 size_t keylen,
344 const unsigned char *iv_enc, const unsigned char *iv_dec,
345 size_t ivlen,
346 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]347 size_t maclen ) = NULL;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]348int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
349int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
350int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
351int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
352int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
353#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]354
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355/*
356 * Key material generation
357 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]358#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]359static int ssl3_prf( const unsigned char *secret, size_t slen,
360 const char *label,
361 const unsigned char *random, size_t rlen,
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]362 unsigned char *dstbuf, size_t dlen )
363{
Andres Amaya Garcia33952502017-07-20 16:29:16 +0100[diff] [blame]364 int ret = 0;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]365 size_t i;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]366 mbedtls_md5_context md5;
367 mbedtls_sha1_context sha1;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]368 unsigned char padding[16];
369 unsigned char sha1sum[20];
370 ((void)label);
371
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]372 mbedtls_md5_init( &md5 );
373 mbedtls_sha1_init( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]374
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]375 /*
376 * SSLv3:
377 * block =
378 * MD5( secret + SHA1( 'A' + secret + random ) ) +
379 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
380 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
381 * ...
382 */
383 for( i = 0; i < dlen / 16; i++ )
384 {
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]385 memset( padding, (unsigned char) ('A' + i), 1 + i );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]386
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]387 if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]388 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]389 if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]390 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]391 if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]392 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]393 if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]394 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]395 if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]396 goto exit;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]397
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]398 if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]399 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]400 if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]401 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]402 if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]403 goto exit;
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]404 if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]405 goto exit;
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]406 }
407
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]408exit:
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]409 mbedtls_md5_free( &md5 );
410 mbedtls_sha1_free( &sha1 );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]411
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]412 mbedtls_platform_zeroize( padding, sizeof( padding ) );
413 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]414
Andres Amaya Garcia1a607a12017-06-29 17:09:42 +0100[diff] [blame]415 return( ret );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]416}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]417#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]419#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]420static int tls1_prf( const unsigned char *secret, size_t slen,
421 const char *label,
422 const unsigned char *random, size_t rlen,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]423 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]424{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]425 size_t nb, hs;
426 size_t i, j, k;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]427 const unsigned char *S1, *S2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428 unsigned char tmp[128];
429 unsigned char h_i[20];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]430 const mbedtls_md_info_t *md_info;
431 mbedtls_md_context_t md_ctx;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]432 int ret;
433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]434 mbedtls_md_init( &md_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435
436 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438
439 hs = ( slen + 1 ) / 2;
440 S1 = secret;
441 S2 = secret + slen - hs;
442
443 nb = strlen( label );
444 memcpy( tmp + 20, label, nb );
445 memcpy( tmp + 20 + nb, random, rlen );
446 nb += rlen;
447
448 /*
449 * First compute P_md5(secret,label+random)[0..dlen]
450 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]451 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
452 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100[diff] [blame]453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]454 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]455 return( ret );
456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]457 mbedtls_md_hmac_starts( &md_ctx, S1, hs );
458 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
459 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
461 for( i = 0; i < dlen; i += 16 )
462 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]463 mbedtls_md_hmac_reset ( &md_ctx );
464 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
465 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]466
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]467 mbedtls_md_hmac_reset ( &md_ctx );
468 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
469 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
471 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
472
473 for( j = 0; j < k; j++ )
474 dstbuf[i + j] = h_i[j];
475 }
476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]478
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]479 /*
480 * XOR out with P_sha1(secret,label+random)[0..dlen]
481 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]482 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
483 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100[diff] [blame]484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]485 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]486 return( ret );
487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]488 mbedtls_md_hmac_starts( &md_ctx, S2, hs );
489 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
490 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
492 for( i = 0; i < dlen; i += 20 )
493 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 mbedtls_md_hmac_reset ( &md_ctx );
495 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
496 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498 mbedtls_md_hmac_reset ( &md_ctx );
499 mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
500 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
502 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
503
504 for( j = 0; j < k; j++ )
505 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
506 }
507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]508 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]509
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]510 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
511 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
513 return( 0 );
514}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]518#if defined(MBEDTLS_USE_PSA_CRYPTO)
519static int tls_prf_generic( mbedtls_md_type_t md_type,
520 const unsigned char *secret, size_t slen,
521 const char *label,
522 const unsigned char *random, size_t rlen,
523 unsigned char *dstbuf, size_t dlen )
524{
525 psa_status_t status;
526 psa_algorithm_t alg;
527 psa_key_policy_t policy;
Andrzej Kurekac5dc342019-01-23 06:57:34 -0500[diff] [blame]528 psa_key_handle_t master_slot;
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]529 psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
530
Andrzej Kurek2f760752019-01-28 08:08:15 -0500[diff] [blame]531 if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
Andrzej Kurekac5dc342019-01-23 06:57:34 -0500[diff] [blame]532 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek2d4faa62019-01-29 03:14:15 -0500[diff] [blame]533
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]534 if( md_type == MBEDTLS_MD_SHA384 )
535 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
536 else
537 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
538
Andrzej Kurek2f760752019-01-28 08:08:15 -0500[diff] [blame]539 policy = psa_key_policy_init();
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]540 psa_key_policy_set_usage( &policy,
541 PSA_KEY_USAGE_DERIVE,
542 alg );
543 status = psa_set_key_policy( master_slot, &policy );
544 if( status != PSA_SUCCESS )
545 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
546
547 status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );
548 if( status != PSA_SUCCESS )
549 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
550
551 status = psa_key_derivation( &generator,
552 master_slot, alg,
553 random, rlen,
554 (unsigned char const *) label,
555 (size_t) strlen( label ),
556 dlen );
557 if( status != PSA_SUCCESS )
558 {
559 psa_generator_abort( &generator );
560 psa_destroy_key( master_slot );
561 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
562 }
563
564 status = psa_generator_read( &generator, dstbuf, dlen );
565 if( status != PSA_SUCCESS )
566 {
567 psa_generator_abort( &generator );
568 psa_destroy_key( master_slot );
569 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
570 }
571
572 status = psa_generator_abort( &generator );
573 if( status != PSA_SUCCESS )
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500[diff] [blame]574 {
575 psa_destroy_key( master_slot );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]576 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek70737ca2019-01-14 05:37:13 -0500[diff] [blame]577 }
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]578
579 status = psa_destroy_key( master_slot );
580 if( status != PSA_SUCCESS )
581 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
582
Andrzej Kurek33171262019-01-15 03:25:18 -0500[diff] [blame]583 return( 0 );
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]584}
585
586#else /* MBEDTLS_USE_PSA_CRYPTO */
587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588static int tls_prf_generic( mbedtls_md_type_t md_type,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]589 const unsigned char *secret, size_t slen,
590 const char *label,
591 const unsigned char *random, size_t rlen,
592 unsigned char *dstbuf, size_t dlen )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]593{
594 size_t nb;
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]595 size_t i, j, k, md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]596 unsigned char tmp[128];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
598 const mbedtls_md_info_t *md_info;
599 mbedtls_md_context_t md_ctx;
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]600 int ret;
601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]602 mbedtls_md_init( &md_ctx );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]603
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]604 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
605 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]606
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]607 md_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]608
609 if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]610 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]611
612 nb = strlen( label );
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]613 memcpy( tmp + md_len, label, nb );
614 memcpy( tmp + md_len + nb, random, rlen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]615 nb += rlen;
616
617 /*
618 * Compute P_<hash>(secret, label + random)[0..dlen]
619 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]620 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]621 return( ret );
622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
624 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
625 mbedtls_md_hmac_finish( &md_ctx, tmp );
Manuel Pégourié-Gonnard7da726b2015-03-24 18:08:19 +0100[diff] [blame]626
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]627 for( i = 0; i < dlen; i += md_len )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]628 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629 mbedtls_md_hmac_reset ( &md_ctx );
630 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
631 mbedtls_md_hmac_finish( &md_ctx, h_i );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]633 mbedtls_md_hmac_reset ( &md_ctx );
634 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
635 mbedtls_md_hmac_finish( &md_ctx, tmp );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]636
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]637 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]638
639 for( j = 0; j < k; j++ )
640 dstbuf[i + j] = h_i[j];
641 }
642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnardb7fcca32015-03-26 11:41:28 +0100[diff] [blame]644
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]645 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
646 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]647
648 return( 0 );
649}
Andrzej Kurekc929a822019-01-14 03:51:11 -0500[diff] [blame]650#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]651#if defined(MBEDTLS_SHA256_C)
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]652static int tls_prf_sha256( const unsigned char *secret, size_t slen,
653 const char *label,
654 const unsigned char *random, size_t rlen,
655 unsigned char *dstbuf, size_t dlen )
656{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]658 label, random, rlen, dstbuf, dlen ) );
659}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]660#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662#if defined(MBEDTLS_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]663static int tls_prf_sha384( const unsigned char *secret, size_t slen,
664 const char *label,
665 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]666 unsigned char *dstbuf, size_t dlen )
667{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
Manuel Pégourié-Gonnard6890c6b2015-03-26 11:11:49 +0100[diff] [blame]669 label, random, rlen, dstbuf, dlen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]670}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671#endif /* MBEDTLS_SHA512_C */
672#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]673
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]674static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
677 defined(MBEDTLS_SSL_PROTO_TLS1_1)
678static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]679#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]681#if defined(MBEDTLS_SSL_PROTO_SSL3)
682static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
683static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]684#endif
685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
687static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
688static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]689#endif
690
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
692#if defined(MBEDTLS_SHA256_C)
693static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
694static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
695static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]696#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698#if defined(MBEDTLS_SHA512_C)
699static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
700static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
701static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]702#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]703#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]704
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]705#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && \
706 defined(MBEDTLS_USE_PSA_CRYPTO)
707static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
708{
709 if( ssl->conf->f_psk != NULL )
710 {
711 /* If we've used a callback to select the PSK,
712 * the static configuration is irrelevant. */
713 if( ssl->handshake->psk_opaque != 0 )
714 return( 1 );
715
716 return( 0 );
717 }
718
719 if( ssl->conf->psk_opaque != 0 )
720 return( 1 );
721
722 return( 0 );
723}
724#endif /* MBEDTLS_USE_PSA_CRYPTO &&
725 MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]729 int ret = 0;
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]730#if defined(MBEDTLS_USE_PSA_CRYPTO)
731 int psa_fallthrough;
732#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734 unsigned char keyblk[256];
735 unsigned char *key1;
736 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]737 unsigned char *mac_enc;
738 unsigned char *mac_dec;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]739 size_t mac_key_len;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]740 size_t iv_copy_len;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]741 unsigned keylen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]742 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]743 const mbedtls_cipher_info_t *cipher_info;
744 const mbedtls_md_info_t *md_info;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]745
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]746 /* cf. RFC 5246, Section 8.1:
747 * "The master secret is always exactly 48 bytes in length." */
748 size_t const master_secret_len = 48;
749
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]750#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
751 unsigned char session_hash[48];
752#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]754 mbedtls_ssl_session *session = ssl->session_negotiate;
755 mbedtls_ssl_transform *transform = ssl->transform_negotiate;
756 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]760
761 ciphersuite_info = handshake->ciphersuite_info;
762 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]763 if( cipher_info == NULL )
764 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]766 ciphersuite_info->cipher ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]767 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]768 }
769
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]770 md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]771 if( md_info == NULL )
772 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]774 ciphersuite_info->mac ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]775 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]776 }
777
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]779 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]780 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]781#if defined(MBEDTLS_SSL_PROTO_SSL3)
782 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]783 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]784 handshake->tls_prf = ssl3_prf;
785 handshake->calc_verify = ssl_calc_verify_ssl;
786 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]787 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]788 else
789#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]790#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
791 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]792 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]793 handshake->tls_prf = tls1_prf;
794 handshake->calc_verify = ssl_calc_verify_tls;
795 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]796 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]797 else
798#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]799#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
800#if defined(MBEDTLS_SHA512_C)
801 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]802 ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]803 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]804 handshake->tls_prf = tls_prf_sha384;
805 handshake->calc_verify = ssl_calc_verify_tls_sha384;
806 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]807 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]808 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]809#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]810#if defined(MBEDTLS_SHA256_C)
811 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]812 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]813 handshake->tls_prf = tls_prf_sha256;
814 handshake->calc_verify = ssl_calc_verify_tls_sha256;
815 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]816 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]817 else
818#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]819#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]820 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]821 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
822 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]823 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]824
825 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]826 * SSLv3:
827 * master =
828 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
829 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
830 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]831 *
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]832 * TLSv1+:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]833 * master = PRF( premaster, "master secret", randbytes )[0..47]
834 */
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]835 if( handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836 {
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]837 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
838 }
839 else
840 {
841 /* The label for the KDF used for key expansion.
842 * This is either "master secret" or "extended master secret"
843 * depending on whether the Extended Master Secret extension
844 * is used. */
845 char const *lbl = "master secret";
846
847 /* The salt for the KDF used for key expansion.
848 * - If the Extended Master Secret extension is not used,
849 * this is ClientHello.Random + ServerHello.Random
850 * (see Sect. 8.1 in RFC 5246).
851 * - If the Extended Master Secret extension is used,
852 * this is the transcript of the handshake so far.
853 * (see Sect. 4 in RFC 7627). */
854 unsigned char const *salt = handshake->randbytes;
855 size_t salt_len = 64;
856
857#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]858 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]859 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]861
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]862 lbl = "extended master secret";
863 salt = session_hash;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]864 ssl->handshake->calc_verify( ssl, session_hash );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]865#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
866 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]867 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]868#if defined(MBEDTLS_SHA512_C)
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]869 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
870 {
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]871 salt_len = 48;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]872 }
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]873 else
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]874#endif /* MBEDTLS_SHA512_C */
875 salt_len = 32;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]876 }
877 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]878#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]879 salt_len = 36;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]880
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]881 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, salt_len );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]882 }
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]883#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
884
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]885#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
886 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
887 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
888 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
889 ssl_use_opaque_psk( ssl ) == 1 )
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]890 {
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]891 /* Perform PSK-to-MS expansion in a single step. */
892 psa_status_t status;
893 psa_algorithm_t alg;
894 psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500[diff] [blame]895 psa_key_handle_t psk;
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]896
897 MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
898
899 psk = ssl->conf->psk_opaque;
900 if( ssl->handshake->psk_opaque != 0 )
901 psk = ssl->handshake->psk_opaque;
902
903 if( md_type == MBEDTLS_MD_SHA384 )
904 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
905 else
906 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
907
908 status = psa_key_derivation( &generator, psk, alg,
909 salt, salt_len,
910 (unsigned char const *) lbl,
911 (size_t) strlen( lbl ),
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]912 master_secret_len );
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]913 if( status != PSA_SUCCESS )
914 {
915 psa_generator_abort( &generator );
916 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
917 }
918
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]919 status = psa_generator_read( &generator, session->master,
920 master_secret_len );
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]921 if( status != PSA_SUCCESS )
922 {
923 psa_generator_abort( &generator );
924 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
925 }
926
927 status = psa_generator_abort( &generator );
928 if( status != PSA_SUCCESS )
929 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]930 }
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]931 else
932#endif
933 {
934 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
935 lbl, salt, salt_len,
Hanno Beckerf9ed7d52018-11-05 12:45:16 +0000[diff] [blame]936 session->master,
937 master_secret_len );
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]938 if( ret != 0 )
939 {
940 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
941 return( ret );
942 }
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]943
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]944 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
945 handshake->premaster,
946 handshake->pmslen );
Hanno Becker35b23c72018-10-23 12:10:41 +0100[diff] [blame]947
Hanno Becker7d0a5692018-10-23 15:26:22 +0100[diff] [blame]948 mbedtls_platform_zeroize( handshake->premaster,
949 sizeof(handshake->premaster) );
950 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]951 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]952
953 /*
954 * Swap the client and server random values.
955 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]956 memcpy( tmp, handshake->randbytes, 64 );
957 memcpy( handshake->randbytes, tmp + 32, 32 );
958 memcpy( handshake->randbytes + 32, tmp, 32 );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]959 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]960
961 /*
962 * SSLv3:
963 * key block =
964 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
965 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
966 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
967 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
968 * ...
969 *
970 * TLSv1:
971 * key block = PRF( master, "key expansion", randbytes )
972 */
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]973 ret = handshake->tls_prf( session->master, 48, "key expansion",
974 handshake->randbytes, 64, keyblk, 256 );
975 if( ret != 0 )
976 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
Manuel Pégourié-Gonnarde9608182015-03-26 11:47:47 +0100[diff] [blame]978 return( ret );
979 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
982 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
983 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
984 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
985 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]987 mbedtls_platform_zeroize( handshake->randbytes,
988 sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989
990 /*
991 * Determine the appropriate key, IV and MAC length.
992 */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]993
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]994 keylen = cipher_info->key_bitlen / 8;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]995
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]996 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]997 cipher_info->mode == MBEDTLS_MODE_CCM ||
998 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 {
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1000 size_t explicit_ivlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1001
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1002 transform->maclen = 0;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1003 mac_key_len = 0;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]1004 transform->taglen =
1005 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1006
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1007 /* All modes haves 96-bit IVs;
1008 * GCM and CCM has 4 implicit and 8 explicit bytes
1009 * ChachaPoly has all 12 bytes implicit
1010 */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1011 transform->ivlen = 12;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1012 if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
1013 transform->fixed_ivlen = 12;
1014 else
1015 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1016
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1017 /* Minimum length of encrypted record */
1018 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]1019 transform->minlen = explicit_ivlen + transform->taglen;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1020 }
1021 else
1022 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1023 /* Initialize HMAC contexts */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
1025 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1026 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1028 return( ret );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1029 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1031 /* Get MAC length */
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1032 mac_key_len = mbedtls_md_get_size( md_info );
1033 transform->maclen = mac_key_len;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1035#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1036 /*
1037 * If HMAC is to be truncated, we shall keep the leftmost bytes,
1038 * (rfc 6066 page 13 or rfc 2104 section 4),
1039 * so we only need to adjust the length here.
1040 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
Hanno Beckere89353a2017-11-20 16:36:41 +0000[diff] [blame]1042 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
Hanno Beckere89353a2017-11-20 16:36:41 +0000[diff] [blame]1044
1045#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
1046 /* Fall back to old, non-compliant version of the truncated
Hanno Becker563423f2017-11-21 17:20:17 +0000[diff] [blame]1047 * HMAC implementation which also truncates the key
1048 * (Mbed TLS versions from 1.3 to 2.6.0) */
Hanno Beckere89353a2017-11-20 16:36:41 +0000[diff] [blame]1049 mac_key_len = transform->maclen;
1050#endif
1051 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200[diff] [blame]1053
1054 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1055 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1057 /* Minimum length */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058 if( cipher_info->mode == MBEDTLS_MODE_STREAM )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1059 transform->minlen = transform->maclen;
1060 else
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1061 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1062 /*
1063 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]1064 * 1. if EtM is in use: one block plus MAC
1065 * otherwise: * first multiple of blocklen greater than maclen
1066 * 2. IV except for SSL3 and TLS 1.0
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1067 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1069 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]1070 {
1071 transform->minlen = transform->maclen
1072 + cipher_info->block_size;
1073 }
1074 else
1075#endif
1076 {
1077 transform->minlen = transform->maclen
1078 + cipher_info->block_size
1079 - transform->maclen % cipher_info->block_size;
1080 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1083 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1084 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1085 ; /* No need to adjust minlen */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1086 else
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1087#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1088#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1089 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
1090 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1091 {
1092 transform->minlen += transform->ivlen;
1093 }
1094 else
1095#endif
1096 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1098 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200[diff] [blame]1099 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1100 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 }
1102
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1103 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
1104 (unsigned) keylen,
1105 (unsigned) transform->minlen,
1106 (unsigned) transform->ivlen,
1107 (unsigned) transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1108
1109 /*
1110 * Finally setup the cipher contexts, IVs and MAC secrets.
1111 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1112#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1113 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1115 key1 = keyblk + mac_key_len * 2;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1116 key2 = keyblk + mac_key_len * 2 + keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1118 mac_enc = keyblk;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1119 mac_dec = keyblk + mac_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1120
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1121 /*
1122 * This is not used in TLS v1.1.
1123 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1124 iv_copy_len = ( transform->fixed_ivlen ) ?
1125 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1126 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
1127 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1128 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1129 }
1130 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1131#endif /* MBEDTLS_SSL_CLI_C */
1132#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1133 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 {
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1135 key1 = keyblk + mac_key_len * 2 + keylen;
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1136 key2 = keyblk + mac_key_len * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1137
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1138 mac_enc = keyblk + mac_key_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1139 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1140
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1141 /*
1142 * This is not used in TLS v1.1.
1143 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1144 iv_copy_len = ( transform->fixed_ivlen ) ?
1145 transform->fixed_ivlen : transform->ivlen;
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1146 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
1147 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1148 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]1150 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1151#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]1152 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1154 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]1155 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1156
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1157#if defined(MBEDTLS_SSL_PROTO_SSL3)
1158 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1159 {
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1160 if( mac_key_len > sizeof transform->mac_enc )
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100[diff] [blame]1161 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1163 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100[diff] [blame]1164 }
1165
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1166 memcpy( transform->mac_enc, mac_enc, mac_key_len );
1167 memcpy( transform->mac_dec, mac_dec, mac_key_len );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1168 }
1169 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1170#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1171#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1172 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1173 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1174 {
Gilles Peskine039fd122018-03-19 19:06:08 +0100[diff] [blame]1175 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
1176 For AEAD-based ciphersuites, there is nothing to do here. */
1177 if( mac_key_len != 0 )
1178 {
1179 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
1180 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
1181 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1182 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1183 else
1184#endif
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1185 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1187 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1188 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1190#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
1191 if( mbedtls_ssl_hw_record_init != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1192 {
1193 int ret = 0;
1194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1196
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1197 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]1198 transform->iv_enc, transform->iv_dec,
1199 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1200 mac_enc, mac_dec,
Hanno Becker81c7b182017-11-09 18:39:33 +0000[diff] [blame]1201 mac_key_len ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1202 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1203 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
1204 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1205 }
1206 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1207#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1208
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +0200[diff] [blame]1209#if defined(MBEDTLS_SSL_EXPORT_KEYS)
1210 if( ssl->conf->f_export_keys != NULL )
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100[diff] [blame]1211 {
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +0200[diff] [blame]1212 ssl->conf->f_export_keys( ssl->conf->p_export_keys,
1213 session->master, keyblk,
Hanno Becker88aaf652017-12-27 08:17:40 +0000[diff] [blame]1214 mac_key_len, keylen,
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100[diff] [blame]1215 iv_copy_len );
1216 }
1217#endif
1218
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1219#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1220
1221 /* Only use PSA-based ciphers for TLS-1.2.
1222 * That's relevant at least for TLS-1.0, where
1223 * we assume that mbedtls_cipher_crypt() updates
1224 * the structure field for the IV, which the PSA-based
1225 * implementation currently doesn't. */
1226#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1227 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1228 {
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1229 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
1230 cipher_info, taglen );
1231 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1232 {
1233 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1234 return( ret );
1235 }
1236
1237 if( ret == 0 )
1238 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]1239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1240 psa_fallthrough = 0;
1241 }
1242 else
1243 {
1244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
1245 psa_fallthrough = 1;
1246 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1247 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1248 else
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1249 psa_fallthrough = 1;
1250#else
1251 psa_fallthrough = 1;
1252#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1253
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1254 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1255#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1256 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1257 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1259 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1260 return( ret );
1261 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1262
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1263#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1264 /* Only use PSA-based ciphers for TLS-1.2.
1265 * That's relevant at least for TLS-1.0, where
1266 * we assume that mbedtls_cipher_crypt() updates
1267 * the structure field for the IV, which the PSA-based
1268 * implementation currently doesn't. */
1269#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1270 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1271 {
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1272 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
1273 cipher_info, taglen );
1274 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1275 {
1276 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1277 return( ret );
1278 }
1279
1280 if( ret == 0 )
1281 {
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]1282 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1283 psa_fallthrough = 0;
1284 }
1285 else
1286 {
1287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
1288 psa_fallthrough = 1;
1289 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1290 }
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1291 else
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1292 psa_fallthrough = 1;
1293#else
1294 psa_fallthrough = 1;
1295#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1296
Hanno Beckercb1cc802018-11-17 22:27:38 +0000[diff] [blame]1297 if( psa_fallthrough == 1 )
Hanno Beckerf704bef2018-11-16 15:21:18 +0000[diff] [blame]1298#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1299 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1300 cipher_info ) ) != 0 )
1301 {
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]1302 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1303 return( ret );
1304 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200[diff] [blame]1307 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1308 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1309 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1311 return( ret );
1312 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1313
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1314 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200[diff] [blame]1315 cipher_info->key_bitlen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316 MBEDTLS_DECRYPT ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1317 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1318 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1319 return( ret );
1320 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1322#if defined(MBEDTLS_CIPHER_MODE_CBC)
1323 if( cipher_info->mode == MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1324 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1326 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200[diff] [blame]1327 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1328 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1329 return( ret );
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200[diff] [blame]1330 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1332 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1333 MBEDTLS_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1334 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1335 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200[diff] [blame]1336 return( ret );
1337 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1339#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]1341 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1344 // Initialize compression
1345 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1347 {
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1348 if( ssl->compress_buf == NULL )
1349 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1350 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1351 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1352 if( ssl->compress_buf == NULL )
1353 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1354 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1355 MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1356 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]1357 }
1358 }
1359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1361
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1362 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
1363 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1364
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1365 if( deflateInit( &transform->ctx_deflate,
1366 Z_DEFAULT_COMPRESSION ) != Z_OK ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1367 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1368 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
1370 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1371 }
1372 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1373#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1374
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1375 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1376
1377 return( 0 );
1378}
1379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380#if defined(MBEDTLS_SSL_PROTO_SSL3)
1381void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1382{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1383 mbedtls_md5_context md5;
1384 mbedtls_sha1_context sha1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1385 unsigned char pad_1[48];
1386 unsigned char pad_2[48];
1387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1388 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1389
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1390 mbedtls_md5_init( &md5 );
1391 mbedtls_sha1_init( &sha1 );
1392
1393 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1394 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1395
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1396 memset( pad_1, 0x36, 48 );
1397 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1399 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1400 mbedtls_md5_update_ret( &md5, pad_1, 48 );
1401 mbedtls_md5_finish_ret( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1403 mbedtls_md5_starts_ret( &md5 );
1404 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1405 mbedtls_md5_update_ret( &md5, pad_2, 48 );
1406 mbedtls_md5_update_ret( &md5, hash, 16 );
1407 mbedtls_md5_finish_ret( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1408
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1409 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1410 mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
1411 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1412
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1413 mbedtls_sha1_starts_ret( &sha1 );
1414 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1415 mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
1416 mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
1417 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1419 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1421
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1422 mbedtls_md5_free( &md5 );
1423 mbedtls_sha1_free( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]1424
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1425 return;
1426}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1427#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1428
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1429#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
1430void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1431{
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1432 mbedtls_md5_context md5;
1433 mbedtls_sha1_context sha1;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1434
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1436
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1437 mbedtls_md5_init( &md5 );
1438 mbedtls_sha1_init( &sha1 );
1439
1440 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1441 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1442
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1443 mbedtls_md5_finish_ret( &md5, hash );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1444 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1445
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1446 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1448
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1449 mbedtls_md5_free( &md5 );
1450 mbedtls_sha1_free( &sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]1451
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1452 return;
1453}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1454#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1456#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1457#if defined(MBEDTLS_SHA256_C)
1458void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1459{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1460#if defined(MBEDTLS_USE_PSA_CRYPTO)
1461 size_t hash_size;
1462 psa_status_t status;
1463 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
1464
1465 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
1466 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
1467 if( status != PSA_SUCCESS )
1468 {
1469 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1470 return;
1471 }
1472
1473 status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
1474 if( status != PSA_SUCCESS )
1475 {
1476 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1477 return;
1478 }
1479 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 32 );
1480 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1481#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1482 mbedtls_sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1483
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1484 mbedtls_sha256_init( &sha256 );
1485
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1486 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1487
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1488 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1489 mbedtls_sha256_finish_ret( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1490
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
1492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1493
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1494 mbedtls_sha256_free( &sha256 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1495#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1496 return;
1497}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1498#endif /* MBEDTLS_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1499
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1500#if defined(MBEDTLS_SHA512_C)
1501void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1502{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1503#if defined(MBEDTLS_USE_PSA_CRYPTO)
1504 size_t hash_size;
1505 psa_status_t status;
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]1506 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1507
1508 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]1509 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1510 if( status != PSA_SUCCESS )
1511 {
1512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1513 return;
1514 }
1515
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]1516 status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1517 if( status != PSA_SUCCESS )
1518 {
1519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1520 return;
1521 }
1522 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 48 );
1523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1524#else
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1525 mbedtls_sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1526
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]1527 mbedtls_sha512_init( &sha512 );
1528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1529 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1530
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1531 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]1532 mbedtls_sha512_finish_ret( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
1535 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]1537 mbedtls_sha512_free( &sha512 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]1538#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1539 return;
1540}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1541#endif /* MBEDTLS_SHA512_C */
1542#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1545int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1546{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1547 unsigned char *p = ssl->handshake->premaster;
1548 unsigned char *end = p + sizeof( ssl->handshake->premaster );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1549 const unsigned char *psk = ssl->conf->psk;
1550 size_t psk_len = ssl->conf->psk_len;
1551
1552 /* If the psk callback was called, use its result */
1553 if( ssl->handshake->psk != NULL )
1554 {
1555 psk = ssl->handshake->psk;
1556 psk_len = ssl->handshake->psk_len;
1557 }
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1558
1559 /*
1560 * PMS = struct {
1561 * opaque other_secret<0..2^16-1>;
1562 * opaque psk<0..2^16-1>;
1563 * };
1564 * with "other_secret" depending on the particular key exchange
1565 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1566#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1567 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1568 {
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1569 if( end - p < 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1570 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1571
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1572 *(p++) = (unsigned char)( psk_len >> 8 );
1573 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1574
1575 if( end < p || (size_t)( end - p ) < psk_len )
1576 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1577
1578 memset( p, 0, psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1579 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1580 }
1581 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1582#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1583#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1584 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1585 {
1586 /*
1587 * other_secret already set by the ClientKeyExchange message,
1588 * and is 48 bytes long
1589 */
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1590 if( end - p < 2 )
1591 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1592
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1593 *p++ = 0;
1594 *p++ = 48;
1595 p += 48;
1596 }
1597 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1598#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1599#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1600 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1601 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]1602 int ret;
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]1603 size_t len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1604
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200[diff] [blame]1605 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1606 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]1607 p + 2, end - ( p + 2 ), &len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]1608 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1609 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1610 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1611 return( ret );
1612 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200[diff] [blame]1613 *(p++) = (unsigned char)( len >> 8 );
1614 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1615 p += len;
1616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1617 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1618 }
1619 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1620#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1621#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1622 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1623 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]1624 int ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1625 size_t zlen;
1626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1627 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1628 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]1629 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1630 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1631 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1632 return( ret );
1633 }
1634
1635 *(p++) = (unsigned char)( zlen >> 8 );
1636 *(p++) = (unsigned char)( zlen );
1637 p += zlen;
1638
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]1639 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1640 MBEDTLS_DEBUG_ECDH_Z );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1641 }
1642 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1643#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1644 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1646 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1647 }
1648
1649 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1650 if( end - p < 2 )
1651 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +0100[diff] [blame]1652
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1653 *(p++) = (unsigned char)( psk_len >> 8 );
1654 *(p++) = (unsigned char)( psk_len );
Manuel Pégourié-Gonnardbc5e5082015-10-21 12:35:29 +0200[diff] [blame]1655
1656 if( end < p || (size_t)( end - p ) < psk_len )
1657 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1658
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]1659 memcpy( p, psk, psk_len );
1660 p += psk_len;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1661
1662 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1663
1664 return( 0 );
1665}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1666#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]1667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1668#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669/*
1670 * SSLv3.0 MAC functions
1671 */
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +0100[diff] [blame]1672#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1673static void ssl_mac( mbedtls_md_context_t *md_ctx,
1674 const unsigned char *secret,
1675 const unsigned char *buf, size_t len,
1676 const unsigned char *ctr, int type,
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +0100[diff] [blame]1677 unsigned char out[SSL_MAC_MAX_BYTES] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678{
1679 unsigned char header[11];
1680 unsigned char padding[48];
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +0200[diff] [blame]1681 int padlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1682 int md_size = mbedtls_md_get_size( md_ctx->md_info );
1683 int md_type = mbedtls_md_get_type( md_ctx->md_info );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1684
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +0200[diff] [blame]1685 /* Only MD5 and SHA-1 supported */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686 if( md_type == MBEDTLS_MD_MD5 )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1687 padlen = 48;
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +0200[diff] [blame]1688 else
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1689 padlen = 40;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690
1691 memcpy( header, ctr, 8 );
1692 header[ 8] = (unsigned char) type;
1693 header[ 9] = (unsigned char)( len >> 8 );
1694 header[10] = (unsigned char)( len );
1695
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1696 memset( padding, 0x36, padlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1697 mbedtls_md_starts( md_ctx );
1698 mbedtls_md_update( md_ctx, secret, md_size );
1699 mbedtls_md_update( md_ctx, padding, padlen );
1700 mbedtls_md_update( md_ctx, header, 11 );
1701 mbedtls_md_update( md_ctx, buf, len );
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1702 mbedtls_md_finish( md_ctx, out );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1704 memset( padding, 0x5C, padlen );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1705 mbedtls_md_starts( md_ctx );
1706 mbedtls_md_update( md_ctx, secret, md_size );
1707 mbedtls_md_update( md_ctx, padding, padlen );
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1708 mbedtls_md_update( md_ctx, out, md_size );
1709 mbedtls_md_finish( md_ctx, out );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]1710}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1711#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]1712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1713#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
1714 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1715 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]1716#define SSL_SOME_MODES_USE_MAC
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +0100[diff] [blame]1717#endif
1718
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]1719/* The function below is only used in the Lucky 13 counter-measure in
1720 * ssl_decrypt_buf(). These are the defines that guard the call site. */
1721#if defined(SSL_SOME_MODES_USE_MAC) && \
1722 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
1723 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1724 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
1725/* This function makes sure every byte in the memory region is accessed
1726 * (in ascending addresses order) */
1727static void ssl_read_memory( unsigned char *p, size_t len )
1728{
1729 unsigned char acc = 0;
1730 volatile unsigned char force;
1731
1732 for( ; len != 0; p++, len-- )
1733 acc ^= *p;
1734
1735 force = acc;
1736 (void) force;
1737}
1738#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
1739
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1740/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1741 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1742 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1745 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1746 int auth_done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1750 if( ssl->session_out == NULL || ssl->transform_out == NULL )
1751 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1752 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1753 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1754 }
1755
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1756 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1758 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +0100[diff] [blame]1759 ssl->out_msg, ssl->out_msglen );
1760
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1761 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1762 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1763 */
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]1764#if defined(SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1765 if( mode == MBEDTLS_MODE_STREAM ||
1766 ( mode == MBEDTLS_MODE_CBC
1767#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1768 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1769#endif
1770 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1771 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1772#if defined(MBEDTLS_SSL_PROTO_SSL3)
1773 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1774 {
Manuel Pégourié-Gonnardb053efb2017-12-19 10:03:46 +0100[diff] [blame]1775 unsigned char mac[SSL_MAC_MAX_BYTES];
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1776
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1777 ssl_mac( &ssl->transform_out->md_ctx_enc,
1778 ssl->transform_out->mac_enc,
1779 ssl->out_msg, ssl->out_msglen,
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]1780 ssl->out_ctr, ssl->out_msgtype,
1781 mac );
1782
1783 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1784 }
1785 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1786#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1787#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1788 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1789 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1790 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1791 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1793 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
1794 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
1795 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
1796 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1797 ssl->out_msg, ssl->out_msglen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1798 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1799 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1800
1801 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1802 }
1803 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1804#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1805 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1806 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1807 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1808 }
1809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1810 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1811 ssl->out_msg + ssl->out_msglen,
1812 ssl->transform_out->maclen );
1813
1814 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1815 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]1816 }
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]1817#endif /* AEAD not the only option */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]1819 /*
1820 * Encrypt
1821 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1822#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1823 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1825 int ret;
1826 size_t olen = 0;
1827
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1828 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829 "including %d bytes of padding",
1830 ssl->out_msglen, 0 ) );
1831
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1832 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1833 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]1834 ssl->transform_out->ivlen,
1835 ssl->out_msg, ssl->out_msglen,
1836 ssl->out_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]1837 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1838 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1839 return( ret );
1840 }
1841
1842 if( ssl->out_msglen != olen )
1843 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1845 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]1846 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1848 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1849#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1850#if defined(MBEDTLS_GCM_C) || \
1851 defined(MBEDTLS_CCM_C) || \
1852 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1853 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1854 mode == MBEDTLS_MODE_CCM ||
1855 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1856 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]1857 int ret;
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1858 size_t enc_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1859 unsigned char *enc_msg;
1860 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1861 unsigned char iv[12];
1862 mbedtls_ssl_transform *transform = ssl->transform_out;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1863 size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1864
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1865 /*
1866 * Prepare additional authenticated data
1867 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1868 memcpy( add_data, ssl->out_ctr, 8 );
1869 add_data[8] = ssl->out_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1870 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1871 ssl->conf->transport, add_data + 9 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1872 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1873 add_data[12] = ssl->out_msglen & 0xFF;
1874
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1875 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1876
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1877 /*
1878 * Generate IV
1879 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1880 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1881 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1882 /* GCM and CCM: fixed || explicit (=seqnum) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1883 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1884 memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
1885 memcpy( ssl->out_iv, ssl->out_ctr, 8 );
1886
1887 }
1888 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
1889 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]1890 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1891 unsigned char i;
1892
1893 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1894
1895 for( i = 0; i < 8; i++ )
1896 iv[i+4] ^= ssl->out_ctr[i];
1897 }
1898 else
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]1899 {
1900 /* Reminder if we ever add an AEAD mode with a different size */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1902 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +0100[diff] [blame]1903 }
1904
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1905 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
1906 iv, transform->ivlen );
1907 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
1908 ssl->out_iv, explicit_ivlen );
Manuel Pégourié-Gonnard226d5da2013-09-05 13:19:22 +0200[diff] [blame]1909
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1910 /*
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1911 * Fix message length with added IV
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1912 */
1913 enc_msg = ssl->out_msg;
1914 enc_msglen = ssl->out_msglen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1915 ssl->out_msglen += explicit_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1917 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1918 "including 0 bytes of padding",
1919 ssl->out_msglen ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1920
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1921 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1922 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1923 */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]1924 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
1925 iv, transform->ivlen,
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1926 add_data, 13,
1927 enc_msg, enc_msglen,
1928 enc_msg, &olen,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]1929 enc_msg + enc_msglen,
1930 ssl->transform_out->taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1931 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1932 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1933 return( ret );
1934 }
1935
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]1936 if( olen != enc_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1937 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1939 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]1940 }
1941
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]1942 ssl->out_msglen += ssl->transform_out->taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]1943 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1944
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]1945 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen,
1946 ssl->transform_out->taglen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1947 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1949#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1950#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]1951 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1952 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 {
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]1954 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1955 unsigned char *enc_msg;
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]1956 size_t enc_msglen, padlen, olen = 0, i;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1957
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1958 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1959 ssl->transform_out->ivlen;
1960 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1961 padlen = 0;
1962
1963 for( i = 0; i <= padlen; i++ )
1964 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1965
1966 ssl->out_msglen += padlen + 1;
1967
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1968 enc_msglen = ssl->out_msglen;
1969 enc_msg = ssl->out_msg;
1970
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1972 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1973 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1974 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1975 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1976 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1977 {
1978 /*
1979 * Generate IV
1980 */
Manuel Pégourié-Gonnardea356662015-08-27 12:02:40 +0200[diff] [blame]1981 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1982 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1983 if( ret != 0 )
1984 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1985
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]1986 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1987 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1988
1989 /*
1990 * Fix pointer positions and message length with added IV
1991 */
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]1992 enc_msg = ssl->out_msg;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1993 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1994 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1995 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1998 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1999 "including %d bytes of IV and %d bytes of padding",
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]2000 ssl->out_msglen, ssl->transform_out->ivlen,
2001 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2002
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2003 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2004 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]2005 ssl->transform_out->ivlen,
2006 enc_msg, enc_msglen,
2007 enc_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2008 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2009 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2010 return( ret );
2011 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2012
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2013 if( enc_msglen != olen )
2014 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2016 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2017 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2019#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
2020 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2021 {
2022 /*
2023 * Save IV in SSL3 and TLS1
2024 */
2025 memcpy( ssl->transform_out->iv_enc,
2026 ssl->transform_out->cipher_ctx_enc.iv,
2027 ssl->transform_out->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2029#endif
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2031#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2032 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2033 {
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]2034 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
2035
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2036 /*
2037 * MAC(MAC_write_key, seq_num +
2038 * TLSCipherText.type +
2039 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2040 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2041 * IV + // except for TLS 1.0
2042 * ENC(content + padding + padding_length));
2043 */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2044 unsigned char pseudo_hdr[13];
2045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2046 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2047
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2048 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
2049 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2050 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
2051 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
2052
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2053 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2055 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
2056 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2057 ssl->out_iv, ssl->out_msglen );
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]2058 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2059 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2060
Hanno Becker3d8c9072018-01-05 16:24:22 +0000[diff] [blame]2061 memcpy( ssl->out_iv + ssl->out_msglen, mac,
2062 ssl->transform_out->maclen );
2063
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2064 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2065 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2066 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2067#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2068 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2069 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2070#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]2071 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2072 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2074 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2075 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2076
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2077 /* Make extra sure authentication was performed, exactly once */
2078 if( auth_done != 1 )
2079 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2081 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2082 }
2083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2084 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2085
2086 return( 0 );
2087}
2088
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2089static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2090{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091 mbedtls_cipher_mode_t mode;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2092 int auth_done = 0;
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]2093#if defined(SSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]2094 size_t padlen = 0, correct = 1;
2095#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2098
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2099 if( ssl->session_in == NULL || ssl->transform_in == NULL )
2100 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2101 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2102 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2103 }
2104
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2106
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2107 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2110 ssl->in_msglen, ssl->transform_in->minlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2111 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2112 }
2113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
2115 if( mode == MBEDTLS_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2116 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]2117 int ret;
2118 size_t olen = 0;
2119
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2120 padlen = 0;
2121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2122 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2123 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]2124 ssl->transform_in->ivlen,
2125 ssl->in_msg, ssl->in_msglen,
2126 ssl->in_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2127 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2128 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]2129 return( ret );
2130 }
2131
2132 if( ssl->in_msglen != olen )
2133 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2135 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200[diff] [blame]2136 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2137 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2138 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2139#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2140#if defined(MBEDTLS_GCM_C) || \
2141 defined(MBEDTLS_CCM_C) || \
2142 defined(MBEDTLS_CHACHAPOLY_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2143 if( mode == MBEDTLS_MODE_GCM ||
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2144 mode == MBEDTLS_MODE_CCM ||
2145 mode == MBEDTLS_MODE_CHACHAPOLY )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2146 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200[diff] [blame]2147 int ret;
2148 size_t dec_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2149 unsigned char *dec_msg;
2150 unsigned char *dec_msg_result;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2151 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2152 unsigned char iv[12];
2153 mbedtls_ssl_transform *transform = ssl->transform_in;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2154 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2155
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2156 /*
2157 * Compute and update sizes
2158 */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]2159 if( ssl->in_msglen < explicit_iv_len + transform->taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2160 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2161 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2162 "+ taglen (%d)", ssl->in_msglen,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]2163 explicit_iv_len, ssl->transform_in->taglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2164 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2165 }
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]2166 dec_msglen = ssl->in_msglen - explicit_iv_len - transform->taglen;
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +0200[diff] [blame]2167
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2168 dec_msg = ssl->in_msg;
2169 dec_msg_result = ssl->in_msg;
2170 ssl->in_msglen = dec_msglen;
2171
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2172 /*
2173 * Prepare additional authenticated data
2174 */
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2175 memcpy( add_data, ssl->in_ctr, 8 );
2176 add_data[8] = ssl->in_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2177 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2178 ssl->conf->transport, add_data + 9 );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2179 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
2180 add_data[12] = ssl->in_msglen & 0xFF;
2181
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2182 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2183
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2184 /*
2185 * Prepare IV
2186 */
2187 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
2188 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]2189 /* GCM and CCM: fixed || explicit (transmitted) */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2190 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2191 memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2192
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2193 }
2194 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
2195 {
Manuel Pégourié-Gonnard8744a022018-07-11 12:30:40 +0200[diff] [blame]2196 /* ChachaPoly: fixed XOR sequence number */
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2197 unsigned char i;
2198
2199 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2200
2201 for( i = 0; i < 8; i++ )
2202 iv[i+4] ^= ssl->in_ctr[i];
2203 }
2204 else
2205 {
2206 /* Reminder if we ever add an AEAD mode with a different size */
2207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2208 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2209 }
2210
2211 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]2212 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen,
2213 transform->taglen );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2214
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2215 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2216 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2217 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2218 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2219 iv, transform->ivlen,
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2220 add_data, 13,
2221 dec_msg, dec_msglen,
2222 dec_msg_result, &olen,
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]2223 dec_msg + dec_msglen,
2224 ssl->transform_in->taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2225 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2226 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
2229 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2230
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2231 return( ret );
2232 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2233 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2234
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +0200[diff] [blame]2235 if( olen != dec_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2236 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2237 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2238 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +0200[diff] [blame]2239 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2240 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2241 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2242#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
2243#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]2244 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2245 if( mode == MBEDTLS_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246 {
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2247 /*
2248 * Decrypt and check the padding
2249 */
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2250 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2251 unsigned char *dec_msg;
2252 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2253 size_t dec_msglen;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2254 size_t minlen = 0;
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2255 size_t olen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2256
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2258 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2260#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
2261 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2262 minlen += ssl->transform_in->ivlen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2263#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2264
2265 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
2266 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
2267 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2268 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]2269 "+ 1 ) ( + expl IV )", ssl->in_msglen,
2270 ssl->transform_in->ivlen,
2271 ssl->transform_in->maclen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2272 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2273 }
2274
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2275 dec_msglen = ssl->in_msglen;
2276 dec_msg = ssl->in_msg;
2277 dec_msg_result = ssl->in_msg;
2278
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2279 /*
2280 * Authenticate before decrypt if enabled
2281 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2282#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2283 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2284 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2285 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2286 unsigned char pseudo_hdr[13];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2288 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2289
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2290 dec_msglen -= ssl->transform_in->maclen;
2291 ssl->in_msglen -= ssl->transform_in->maclen;
2292
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2293 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
2294 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
2295 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
2296 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
2297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2298 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +0100[diff] [blame]2299
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2300 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
2301 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2302 ssl->in_iv, ssl->in_msglen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2303 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2304 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2306 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2307 ssl->transform_in->maclen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2308 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2309 ssl->transform_in->maclen );
2310
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2311 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
2312 ssl->transform_in->maclen ) != 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2313 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2316 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2317 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2318 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2319 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2320#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2321
2322 /*
2323 * Check length sanity
2324 */
2325 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
2326 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2328 ssl->in_msglen, ssl->transform_in->ivlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2329 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2330 }
2331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2332#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2333 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2334 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2335 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2336 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2337 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2338 unsigned char i;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2339 dec_msglen -= ssl->transform_in->ivlen;
2340 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2341
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2342 for( i = 0; i < ssl->transform_in->ivlen; i++ )
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]2343 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2344 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2345#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2347 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2348 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +0200[diff] [blame]2349 ssl->transform_in->ivlen,
2350 dec_msg, dec_msglen,
2351 dec_msg_result, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +0200[diff] [blame]2352 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2353 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2354 return( ret );
2355 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2356
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2357 if( dec_msglen != olen )
2358 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2360 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2361 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200[diff] [blame]2362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2363#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
2364 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2365 {
2366 /*
2367 * Save IV in SSL3 and TLS1
2368 */
2369 memcpy( ssl->transform_in->iv_dec,
2370 ssl->transform_in->cipher_ctx_dec.iv,
2371 ssl->transform_in->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2372 }
Paul Bakkercca5b812013-08-31 17:40:26 +0200[diff] [blame]2373#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2374
2375 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2376
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2377 if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2378 auth_done == 0 )
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2379 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2380#if defined(MBEDTLS_SSL_DEBUG_ALL)
2381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2382 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]2383#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2384 padlen = 0;
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2385 correct = 0;
2386 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2388#if defined(MBEDTLS_SSL_PROTO_SSL3)
2389 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2390 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2391 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2392 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2393#if defined(MBEDTLS_SSL_DEBUG_ALL)
2394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2395 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2396 padlen, ssl->transform_in->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]2397#endif
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2398 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2399 }
2400 }
2401 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2402#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2403#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2404 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2405 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2406 {
2407 /*
Paul Bakker45829992013-01-03 14:52:21 +0100[diff] [blame]2408 * TLSv1+: always check the padding up to the first failure
2409 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2410 */
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]2411 size_t pad_count = 0, real_count = 1;
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2412 size_t padding_idx = ssl->in_msglen - padlen;
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2413 size_t i;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2414
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2415 /*
2416 * Padding is guaranteed to be incorrect if:
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2417 * 1. padlen > ssl->in_msglen
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2418 *
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2419 * 2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
Paul Bakker61885c72014-04-25 12:59:03 +0200[diff] [blame]2420 * ssl->transform_in->maclen
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2421 *
2422 * In both cases we reset padding_idx to a safe value (0) to
2423 * prevent out-of-buffer reads.
2424 */
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2425 correct &= ( padlen <= ssl->in_msglen );
2426 correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
Paul Bakker61885c72014-04-25 12:59:03 +0200[diff] [blame]2427 ssl->transform_in->maclen );
Paul Bakker956c9e02013-12-19 14:42:28 +0100[diff] [blame]2428
2429 padding_idx *= correct;
2430
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2431 for( i = 0; i < 256; i++ )
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]2432 {
Angus Grattonb512bc12018-06-19 15:57:50 +1000[diff] [blame]2433 real_count &= ( i < padlen );
Paul Bakkerca9c87e2013-09-25 18:52:37 +0200[diff] [blame]2434 pad_count += real_count *
2435 ( ssl->in_msg[padding_idx + i] == padlen - 1 );
2436 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2437
2438 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2440#if defined(MBEDTLS_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2441 if( padlen > 0 && correct == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +0100[diff] [blame]2443#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2444 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2445 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2446 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2447#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2448 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2449 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2450 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2451 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2452 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2453
2454 ssl->in_msglen -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2455 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2456 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2457#endif /* MBEDTLS_CIPHER_MODE_CBC &&
Markku-Juhani O. Saarinenc06e1012017-12-07 11:51:13 +0000[diff] [blame]2458 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2459 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2461 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200[diff] [blame]2462 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2463
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]2464#if defined(MBEDTLS_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2465 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2466 ssl->in_msg, ssl->in_msglen );
Manuel Pégourié-Gonnard6a25cfa2018-07-10 11:15:36 +0200[diff] [blame]2467#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2468
2469 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2470 * Authenticate if not done yet.
2471 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2472 */
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]2473#if defined(SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2474 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2475 {
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2476 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
Paul Bakker1e5369c2013-12-19 16:40:57 +0100[diff] [blame]2477
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +0100[diff] [blame]2478 ssl->in_msglen -= ssl->transform_in->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2479
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]2480 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
2481 ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2483#if defined(MBEDTLS_SSL_PROTO_SSL3)
2484 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2485 {
2486 ssl_mac( &ssl->transform_in->md_ctx_dec,
2487 ssl->transform_in->mac_dec,
2488 ssl->in_msg, ssl->in_msglen,
Manuel Pégourié-Gonnard464147c2017-12-18 18:04:59 +0100[diff] [blame]2489 ssl->in_ctr, ssl->in_msgtype,
2490 mac_expect );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2491 }
2492 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2493#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2494#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2495 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2496 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2497 {
2498 /*
2499 * Process MAC and always update for padlen afterwards to make
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2500 * total time independent of padlen.
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2501 *
2502 * Known timing attacks:
2503 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
2504 *
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2505 * To compensate for different timings for the MAC calculation
2506 * depending on how much padding was removed (which is determined
2507 * by padlen), process extra_run more blocks through the hash
2508 * function.
2509 *
2510 * The formula in the paper is
2511 * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
2512 * where L1 is the size of the header plus the decrypted message
2513 * plus CBC padding and L2 is the size of the header plus the
2514 * decrypted message. This is for an underlying hash function
2515 * with 64-byte blocks.
2516 * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
2517 * correctly. We round down instead of up, so -56 is the correct
2518 * value for our calculations instead of -55.
2519 *
Gilles Peskine1bd9d582018-06-04 11:58:44 +0200[diff] [blame]2520 * Repeat the formula rather than defining a block_size variable.
2521 * This avoids requiring division by a variable at runtime
2522 * (which would be marginally less efficient and would require
2523 * linking an extra division function in some builds).
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2524 */
2525 size_t j, extra_run = 0;
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2526
2527 /*
2528 * The next two sizes are the minimum and maximum values of
2529 * in_msglen over all padlen values.
2530 *
2531 * They're independent of padlen, since we previously did
2532 * in_msglen -= padlen.
2533 *
2534 * Note that max_len + maclen is never more than the buffer
2535 * length, as we previously did in_msglen -= maclen too.
2536 */
2537 const size_t max_len = ssl->in_msglen + padlen;
2538 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
2539
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]2540 switch( ssl->handshake->ciphersuite_info->mac )
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2541 {
Gilles Peskined0e55a42018-06-04 12:03:30 +0200[diff] [blame]2542#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
2543 defined(MBEDTLS_SHA256_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2544 case MBEDTLS_MD_MD5:
2545 case MBEDTLS_MD_SHA1:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2546 case MBEDTLS_MD_SHA256:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2547 /* 8 bytes of message size, 64-byte compression blocks */
2548 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
2549 ( 13 + ssl->in_msglen + 8 ) / 64;
2550 break;
2551#endif
Gilles Peskinea7fe25d2018-06-04 12:01:18 +0200[diff] [blame]2552#if defined(MBEDTLS_SHA512_C)
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2553 case MBEDTLS_MD_SHA384:
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2554 /* 16 bytes of message size, 128-byte compression blocks */
2555 extra_run = ( 13 + ssl->in_msglen + padlen + 16 ) / 128 -
2556 ( 13 + ssl->in_msglen + 16 ) / 128;
2557 break;
2558#endif
2559 default:
Gilles Peskine5c389842018-06-04 12:02:43 +0200[diff] [blame]2560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Gilles Peskine20b44082018-05-29 14:06:49 +0200[diff] [blame]2561 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2562 }
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2563
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2564 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2566 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
2567 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
2568 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
2569 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2570 ssl->in_msglen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2571 /* Make sure we access everything even when padlen > 0. This
2572 * makes the synchronisation requirements for just-in-time
2573 * Prime+Probe attacks much tighter and hopefully impractical. */
2574 ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2575 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2576
2577 /* Call mbedtls_md_process at least once due to cache attacks
2578 * that observe whether md_process() was called of not */
Manuel Pégourié-Gonnard47fede02015-04-29 01:35:48 +0200[diff] [blame]2579 for( j = 0; j < extra_run + 1; j++ )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2580 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2582 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2583
2584 /* Make sure we access all the memory that could contain the MAC,
2585 * before we check it in the next code block. This makes the
2586 * synchronisation requirements for just-in-time Prime+Probe
2587 * attacks much tighter and hopefully impractical. */
2588 ssl_read_memory( ssl->in_msg + min_len,
2589 max_len - min_len + ssl->transform_in->maclen );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2590 }
2591 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2592#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2593 MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2594 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2596 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2597 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2598
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2599#if defined(MBEDTLS_SSL_DEBUG_ALL)
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2600 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
2601 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen,
2602 ssl->transform_in->maclen );
Manuel Pégourié-Gonnard7b420302018-06-28 10:38:35 +0200[diff] [blame]2603#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2604
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]2605 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
2606 ssl->transform_in->maclen ) != 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2607 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2608#if defined(MBEDTLS_SSL_DEBUG_ALL)
2609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]2610#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2611 correct = 0;
2612 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2613 auth_done++;
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +0200[diff] [blame]2614 }
Hanno Beckerdd3ab132018-10-17 14:43:14 +0100[diff] [blame]2615
2616 /*
2617 * Finally check the correct flag
2618 */
2619 if( correct == 0 )
2620 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard8408a942015-04-09 12:14:31 +0200[diff] [blame]2621#endif /* SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2622
2623 /* Make extra sure authentication was performed, exactly once */
2624 if( auth_done != 1 )
2625 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2627 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +0100[diff] [blame]2628 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2629
2630 if( ssl->in_msglen == 0 )
2631 {
Angus Gratton34817922018-06-19 15:58:22 +1000[diff] [blame]2632#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2633 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
2634 && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
2635 {
2636 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
2637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
2638 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2639 }
2640#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2641
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2642 ssl->nb_zero++;
2643
2644 /*
2645 * Three or more empty messages may be a DoS attack
2646 * (excessive CPU consumption).
2647 */
2648 if( ssl->nb_zero > 3 )
2649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2651 "messages, possible DoS attack" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2652 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2653 }
2654 }
2655 else
2656 ssl->nb_zero = 0;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2658#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2659 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]2660 {
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]2661 ; /* in_ctr read from peer, not maintained internally */
Manuel Pégourié-Gonnardea22ce52014-09-24 09:46:10 +0200[diff] [blame]2662 }
2663 else
2664#endif
2665 {
Manuel Pégourié-Gonnard2e58e8e2018-06-18 11:16:43 +0200[diff] [blame]2666 unsigned char i;
Manuel Pégourié-Gonnardea22ce52014-09-24 09:46:10 +0200[diff] [blame]2667 for( i = 8; i > ssl_ep_len( ssl ); i-- )
2668 if( ++ssl->in_ctr[i - 1] != 0 )
2669 break;
2670
2671 /* The loop goes to its end iff the counter is wrapping */
2672 if( i == ssl_ep_len( ssl ) )
2673 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2674 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
2675 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnardea22ce52014-09-24 09:46:10 +0200[diff] [blame]2676 }
Manuel Pégourié-Gonnard83cdffc2014-03-10 21:20:29 +0100[diff] [blame]2677 }
2678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2680
2681 return( 0 );
2682}
2683
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2684#undef MAC_NONE
2685#undef MAC_PLAINTEXT
2686#undef MAC_CIPHERTEXT
2687
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2688#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2689/*
2690 * Compression/decompression functions
2691 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2692static int ssl_compress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2693{
2694 int ret;
2695 unsigned char *msg_post = ssl->out_msg;
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]2696 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2697 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]2698 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2699
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2700 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2701
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]2702 if( len_pre == 0 )
2703 return( 0 );
2704
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2705 memcpy( msg_pre, ssl->out_msg, len_pre );
2706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2708 ssl->out_msglen ) );
2709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2710 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2711 ssl->out_msg, ssl->out_msglen );
2712
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2713 ssl->transform_out->ctx_deflate.next_in = msg_pre;
2714 ssl->transform_out->ctx_deflate.avail_in = len_pre;
2715 ssl->transform_out->ctx_deflate.next_out = msg_post;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2716 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2717
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2718 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2719 if( ret != Z_OK )
2720 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
2722 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2723 }
2724
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2725 ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
Andrzej Kurek5462e022018-04-20 07:58:53 -0400[diff] [blame]2726 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2729 ssl->out_msglen ) );
2730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2731 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2732 ssl->out_msg, ssl->out_msglen );
2733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2734 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2735
2736 return( 0 );
2737}
2738
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2739static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2740{
2741 int ret;
2742 unsigned char *msg_post = ssl->in_msg;
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]2743 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2744 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]2745 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2746
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2748
Paul Bakkerabf2f8f2013-06-30 14:57:46 +0200[diff] [blame]2749 if( len_pre == 0 )
2750 return( 0 );
2751
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2752 memcpy( msg_pre, ssl->in_msg, len_pre );
2753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2755 ssl->in_msglen ) );
2756
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2757 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2758 ssl->in_msg, ssl->in_msglen );
2759
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2760 ssl->transform_in->ctx_inflate.next_in = msg_pre;
2761 ssl->transform_in->ctx_inflate.avail_in = len_pre;
2762 ssl->transform_in->ctx_inflate.next_out = msg_post;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2763 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]2764 header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2765
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2766 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2767 if( ret != Z_OK )
2768 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
2770 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2771 }
2772
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2773 ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
Andrzej Kureka9ceef82018-04-24 06:32:44 -0400[diff] [blame]2774 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2776 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2777 ssl->in_msglen ) );
2778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2779 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2780 ssl->in_msg, ssl->in_msglen );
2781
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2782 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2783
2784 return( 0 );
2785}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2786#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2787
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2788#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2789static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2790
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2791#if defined(MBEDTLS_SSL_PROTO_DTLS)
2792static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2793{
2794 /* If renegotiation is not enforced, retransmit until we would reach max
2795 * timeout if we were using the usual handshake doubling scheme */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2796 if( ssl->conf->renego_max_records < 0 )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2797 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2798 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2799 unsigned char doublings = 1;
2800
2801 while( ratio != 0 )
2802 {
2803 ++doublings;
2804 ratio >>= 1;
2805 }
2806
2807 if( ++ssl->renego_records_seen > doublings )
2808 {
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]2809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2810 return( 0 );
2811 }
2812 }
2813
2814 return( ssl_write_hello_request( ssl ) );
2815}
2816#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2817#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2818
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2819/*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2820 * Fill the input message buffer by appending data to it.
2821 * The amount of data already fetched is in ssl->in_left.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2822 *
2823 * If we return 0, is it guaranteed that (at least) nb_want bytes are
2824 * available (from this read and/or a previous one). Otherwise, an error code
2825 * is returned (possibly EOF or WANT_READ).
2826 *
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2827 * With stream transport (TLS) on success ssl->in_left == nb_want, but
2828 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2829 * since we always read a whole datagram at once.
2830 *
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]2831 * For DTLS, it is up to the caller to set ssl->next_record_offset when
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2832 * they're done reading a record.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2833 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2834int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2835{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2836 int ret;
2837 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2839 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2840
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2841 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
2842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]2844 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2845 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]2846 }
2847
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2848 if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]2849 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2851 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]2852 }
2853
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2854#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2855 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2856 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2857 uint32_t timeout;
2858
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]2859 /* Just to be sure */
2860 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
2861 {
2862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
2863 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
2864 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2865 }
2866
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2867 /*
2868 * The point is, we need to always read a full datagram at once, so we
2869 * sometimes read more then requested, and handle the additional data.
2870 * It could be the rest of the current record (while fetching the
2871 * header) and/or some other records in the same datagram.
2872 */
2873
2874 /*
2875 * Move to the next record in the already read datagram if applicable
2876 */
2877 if( ssl->next_record_offset != 0 )
2878 {
2879 if( ssl->in_left < ssl->next_record_offset )
2880 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2882 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2883 }
2884
2885 ssl->in_left -= ssl->next_record_offset;
2886
2887 if( ssl->in_left != 0 )
2888 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2889 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2890 ssl->next_record_offset ) );
2891 memmove( ssl->in_hdr,
2892 ssl->in_hdr + ssl->next_record_offset,
2893 ssl->in_left );
2894 }
2895
2896 ssl->next_record_offset = 0;
2897 }
2898
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2900 ssl->in_left, nb_want ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2901
2902 /*
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]2903 * Done if we already have enough data.
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2904 */
2905 if( nb_want <= ssl->in_left)
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2906 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2907 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2908 return( 0 );
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]2909 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2910
2911 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]2912 * A record can't be split across datagrams. If we need to read but
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2913 * are not at the beginning of a new record, the caller did something
2914 * wrong.
2915 */
2916 if( ssl->in_left != 0 )
2917 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2918 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2919 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2920 }
2921
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2922 /*
2923 * Don't even try to read if time's out already.
2924 * This avoids by-passing the timer when repeatedly receiving messages
2925 * that will end up being dropped.
2926 */
2927 if( ssl_check_timer( ssl ) != 0 )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]2928 {
2929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2930 ret = MBEDTLS_ERR_SSL_TIMEOUT;
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]2931 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2932 else
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2933 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2934 len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2935
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2936 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2937 timeout = ssl->handshake->retransmit_timeout;
2938 else
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2939 timeout = ssl->conf->read_timeout;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2940
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2941 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2942
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]2943 if( ssl->f_recv_timeout != NULL )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2944 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2945 timeout );
2946 else
2947 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2948
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2949 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2950
2951 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2952 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2953 }
2954
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2955 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2956 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2957 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]2958 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2960 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]2961 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2962 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2963 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2965 return( MBEDTLS_ERR_SSL_TIMEOUT );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2966 }
2967
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2968 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2969 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2970 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]2971 return( ret );
2972 }
2973
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2974 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]2975 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2976#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2977 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2978 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2979 {
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]2980 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2981 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2982 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2983 return( ret );
2984 }
2985
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]2986 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]2987 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2988#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]2989 }
2990
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2991 if( ret < 0 )
2992 return( ret );
2993
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]2994 ssl->in_left = ret;
2995 }
2996 else
2997#endif
2998 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2999 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]3000 ssl->in_left, nb_want ) );
3001
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3002 while( ssl->in_left < nb_want )
3003 {
3004 len = nb_want - ssl->in_left;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]3005
3006 if( ssl_check_timer( ssl ) != 0 )
3007 ret = MBEDTLS_ERR_SSL_TIMEOUT;
3008 else
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]3009 {
3010 if( ssl->f_recv_timeout != NULL )
3011 {
3012 ret = ssl->f_recv_timeout( ssl->p_bio,
3013 ssl->in_hdr + ssl->in_left, len,
3014 ssl->conf->read_timeout );
3015 }
3016 else
3017 {
3018 ret = ssl->f_recv( ssl->p_bio,
3019 ssl->in_hdr + ssl->in_left, len );
3020 }
3021 }
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3022
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3023 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
Manuel Pégourié-Gonnard07617332015-06-24 23:00:03 +0200[diff] [blame]3024 ssl->in_left, nb_want ) );
3025 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3026
3027 if( ret == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3028 return( MBEDTLS_ERR_SSL_CONN_EOF );
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3029
3030 if( ret < 0 )
3031 return( ret );
3032
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]3033 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]3034 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]3035 MBEDTLS_SSL_DEBUG_MSG( 1,
3036 ( "f_recv returned %d bytes but only %lu were requested",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]3037 ret, (unsigned long)len ) );
mohammad16035bd15cb2018-02-28 04:30:59 -0800[diff] [blame]3038 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3039 }
3040
Manuel Pégourié-Gonnardfe98ace2014-03-24 13:13:01 +0100[diff] [blame]3041 ssl->in_left += ret;
3042 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3043 }
3044
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3045 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3046
3047 return( 0 );
3048}
3049
3050/*
3051 * Flush any data not yet written
3052 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3053int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3054{
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]3055 int ret;
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]3056 unsigned char *buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3058 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3059
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]3060 if( ssl->f_send == NULL )
3061 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
Manuel Pégourié-Gonnard1b511f92015-05-06 15:54:23 +0100[diff] [blame]3063 "or mbedtls_ssl_set_bio()" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3064 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]3065 }
3066
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3067 /* Avoid incrementing counter if data is flushed */
3068 if( ssl->out_left == 0 )
3069 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3071 return( 0 );
3072 }
3073
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3074 while( ssl->out_left > 0 )
3075 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
3077 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3078
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3079 buf = ssl->out_hdr - ssl->out_left;
Manuel Pégourié-Gonnarde6bdc442014-09-17 11:34:57 +0200[diff] [blame]3080 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]3081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3082 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3083
3084 if( ret <= 0 )
3085 return( ret );
3086
mohammad160352aecb92018-03-28 23:41:40 -0700[diff] [blame]3087 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]3088 {
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]3089 MBEDTLS_SSL_DEBUG_MSG( 1,
3090 ( "f_send returned %d bytes but only %lu bytes were sent",
mohammad160319d392b2018-04-02 07:25:26 -0700[diff] [blame]3091 ret, (unsigned long)ssl->out_left ) );
mohammad16034bbaeb42018-02-22 04:29:04 -0800[diff] [blame]3092 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3093 }
3094
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3095 ssl->out_left -= ret;
3096 }
3097
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3098#if defined(MBEDTLS_SSL_PROTO_DTLS)
3099 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3100 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3101 ssl->out_hdr = ssl->out_buf;
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3102 }
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3103 else
3104#endif
3105 {
3106 ssl->out_hdr = ssl->out_buf + 8;
3107 }
3108 ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]3109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3110 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3111
3112 return( 0 );
3113}
3114
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3115/*
3116 * Functions to handle the DTLS retransmission state machine
3117 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3118#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3119/*
3120 * Append current handshake message to current outgoing flight
3121 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3122static int ssl_flight_append( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3123{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3124 mbedtls_ssl_flight_item *msg;
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]3125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
3126 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
3127 ssl->out_msg, ssl->out_msglen );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3128
3129 /* Allocate space for current message */
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3130 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3131 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3133 sizeof( mbedtls_ssl_flight_item ) ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3134 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3135 }
3136
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3137 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3138 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3140 mbedtls_free( msg );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3141 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3142 }
3143
3144 /* Copy current handshake message with headers */
3145 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
3146 msg->len = ssl->out_msglen;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3147 msg->type = ssl->out_msgtype;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3148 msg->next = NULL;
3149
3150 /* Append to the current flight */
3151 if( ssl->handshake->flight == NULL )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3152 ssl->handshake->flight = msg;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3153 else
3154 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3155 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3156 while( cur->next != NULL )
3157 cur = cur->next;
3158 cur->next = msg;
3159 }
3160
Hanno Becker3b235902018-08-06 09:54:53 +0100[diff] [blame]3161 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3162 return( 0 );
3163}
3164
3165/*
3166 * Free the current flight of handshake messages
3167 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3168static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3169{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3170 mbedtls_ssl_flight_item *cur = flight;
3171 mbedtls_ssl_flight_item *next;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3172
3173 while( cur != NULL )
3174 {
3175 next = cur->next;
3176
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3177 mbedtls_free( cur->p );
3178 mbedtls_free( cur );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3179
3180 cur = next;
3181 }
3182}
3183
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3184#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3185static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3186#endif
3187
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3188/*
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3189 * Swap transform_out and out_ctr with the alternative ones
3190 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3191static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3192{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3193 mbedtls_ssl_transform *tmp_transform;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3194 unsigned char tmp_out_ctr[8];
3195
3196 if( ssl->transform_out == ssl->handshake->alt_transform_out )
3197 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3198 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3199 return;
3200 }
3201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3202 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3203
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3204 /* Swap transforms */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3205 tmp_transform = ssl->transform_out;
3206 ssl->transform_out = ssl->handshake->alt_transform_out;
3207 ssl->handshake->alt_transform_out = tmp_transform;
3208
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3209 /* Swap epoch + sequence_number */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]3210 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
3211 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3212 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3213
3214 /* Adjust to the newly activated transform */
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]3215 ssl_update_out_pointers( ssl, ssl->transform_out );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3217#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3218 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3219 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3220 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3221 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3222 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
3223 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3224 }
3225 }
3226#endif
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3227}
3228
3229/*
3230 * Retransmit the current flight of messages.
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3231 */
3232int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
3233{
3234 int ret = 0;
3235
3236 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
3237
3238 ret = mbedtls_ssl_flight_transmit( ssl );
3239
3240 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
3241
3242 return( ret );
3243}
3244
3245/*
3246 * Transmit or retransmit the current flight of messages.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3247 *
3248 * Need to remember the current message in case flush_output returns
3249 * WANT_WRITE, causing us to exit this function and come back later.
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3250 * This function must be called until state is no longer SENDING.
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3251 */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3252int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3253{
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3254 int ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3256
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3257 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3258 {
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]3259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3260
3261 ssl->handshake->cur_msg = ssl->handshake->flight;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3262 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3263 ssl_swap_epochs( ssl );
3264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3265 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3266 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3267
3268 while( ssl->handshake->cur_msg != NULL )
3269 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3270 size_t max_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3271 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3272
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3273 int const is_finished =
3274 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
3275 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
3276
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]3277 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
3278 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
3279
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3280 /* Swap epochs before sending Finished: we can't do it after
3281 * sending ChangeCipherSpec, in case write returns WANT_READ.
3282 * Must be done before copying, may change out_msg pointer */
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3283 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3284 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3285 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
Manuel Pégourié-Gonnardc715aed2014-09-19 21:39:13 +0200[diff] [blame]3286 ssl_swap_epochs( ssl );
3287 }
3288
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3289 ret = ssl_get_remaining_payload_in_datagram( ssl );
3290 if( ret < 0 )
3291 return( ret );
3292 max_frag_len = (size_t) ret;
3293
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3294 /* CCS is copied as is, while HS messages may need fragmentation */
3295 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3296 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3297 if( max_frag_len == 0 )
3298 {
3299 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3300 return( ret );
3301
3302 continue;
3303 }
3304
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3305 memcpy( ssl->out_msg, cur->p, cur->len );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3306 ssl->out_msglen = cur->len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3307 ssl->out_msgtype = cur->type;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3308
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3309 /* Update position inside current message */
3310 ssl->handshake->cur_msg_p += cur->len;
3311 }
3312 else
3313 {
3314 const unsigned char * const p = ssl->handshake->cur_msg_p;
3315 const size_t hs_len = cur->len - 12;
3316 const size_t frag_off = p - ( cur->p + 12 );
3317 const size_t rem_len = hs_len - frag_off;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3318 size_t cur_hs_frag_len, max_hs_frag_len;
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3319
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3320 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
Manuel Pégourié-Gonnarda1071a52018-08-20 11:56:14 +0200[diff] [blame]3321 {
Hanno Beckere1dcb032018-08-17 16:47:58 +0100[diff] [blame]3322 if( is_finished )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3323 ssl_swap_epochs( ssl );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3324
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3325 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3326 return( ret );
3327
3328 continue;
3329 }
3330 max_hs_frag_len = max_frag_len - 12;
3331
3332 cur_hs_frag_len = rem_len > max_hs_frag_len ?
3333 max_hs_frag_len : rem_len;
3334
3335 if( frag_off == 0 && cur_hs_frag_len != hs_len )
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]3336 {
3337 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3338 (unsigned) cur_hs_frag_len,
3339 (unsigned) max_hs_frag_len ) );
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]3340 }
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]3341
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3342 /* Messages are stored with handshake headers as if not fragmented,
3343 * copy beginning of headers then fill fragmentation fields.
3344 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
3345 memcpy( ssl->out_msg, cur->p, 6 );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3346
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3347 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
3348 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
3349 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
3350
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3351 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
3352 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
3353 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3354
3355 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
3356
Hanno Becker3f7b9732018-08-28 09:53:25 +0100[diff] [blame]3357 /* Copy the handshake message content and set records fields */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3358 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
3359 ssl->out_msglen = cur_hs_frag_len + 12;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3360 ssl->out_msgtype = cur->type;
3361
3362 /* Update position inside current message */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3363 ssl->handshake->cur_msg_p += cur_hs_frag_len;
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3364 }
3365
3366 /* If done with the current message move to the next one if any */
3367 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
3368 {
3369 if( cur->next != NULL )
3370 {
3371 ssl->handshake->cur_msg = cur->next;
3372 ssl->handshake->cur_msg_p = cur->next->p + 12;
3373 }
3374 else
3375 {
3376 ssl->handshake->cur_msg = NULL;
3377 ssl->handshake->cur_msg_p = NULL;
3378 }
3379 }
3380
3381 /* Actually send the message out */
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]3382 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3383 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3384 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3385 return( ret );
3386 }
3387 }
3388
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3389 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3390 return( ret );
3391
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200[diff] [blame]3392 /* Update state and set timer */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3393 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
3394 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard23b7b702014-09-25 13:50:12 +0200[diff] [blame]3395 else
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]3396 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3397 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard4e2f2452014-10-02 16:51:56 +0200[diff] [blame]3398 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
3399 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3400
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3401 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3402
3403 return( 0 );
3404}
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3405
3406/*
3407 * To be called when the last message of an incoming flight is received.
3408 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3409void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3410{
3411 /* We won't need to resend that one any more */
3412 ssl_flight_free( ssl->handshake->flight );
3413 ssl->handshake->flight = NULL;
3414 ssl->handshake->cur_msg = NULL;
3415
3416 /* The next incoming flight will start with this msg_seq */
3417 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
3418
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3419 /* We don't want to remember CCS's across flight boundaries. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]3420 ssl->handshake->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]3421
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]3422 /* Clear future message buffering structure. */
3423 ssl_buffering_free( ssl );
3424
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]3425 /* Cancel timer */
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3426 ssl_set_timer( ssl, 0 );
3427
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3428 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3429 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3430 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3431 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3432 }
3433 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3434 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3435}
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3436
3437/*
3438 * To be called when the last message of an outgoing flight is send.
3439 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3440void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3441{
Manuel Pégourié-Gonnard6c1fa3a2014-10-01 16:58:16 +0200[diff] [blame]3442 ssl_reset_retransmit_timeout( ssl );
Manuel Pégourié-Gonnard0ac247f2014-09-30 22:21:31 +0200[diff] [blame]3443 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3445 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3446 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3447 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3448 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3449 }
3450 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3451 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3452}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3453#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3454
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3455/*
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3456 * Handshake layer functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3457 */
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3458
3459/*
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3460 * Write (DTLS: or queue) current handshake (including CCS) message.
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3461 *
3462 * - fill in handshake headers
3463 * - update handshake checksum
3464 * - DTLS: save message for resending
3465 * - then pass to the record layer
3466 *
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3467 * DTLS: except for HelloRequest, messages are only queued, and will only be
3468 * actually sent when calling flight_transmit() or resend().
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3469 *
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3470 * Inputs:
3471 * - ssl->out_msglen: 4 + actual handshake message len
3472 * (4 is the size of handshake headers for TLS)
3473 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
3474 * - ssl->out_msg + 4: the handshake message body
3475 *
Manuel Pégourié-Gonnard065a2a32018-08-20 11:09:26 +0200[diff] [blame]3476 * Outputs, ie state before passing to flight_append() or write_record():
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3477 * - ssl->out_msglen: the length of the record contents
3478 * (including handshake headers but excluding record headers)
3479 * - ssl->out_msg: the record contents (handshake headers + content)
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3480 */
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3481int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3482{
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3483 int ret;
3484 const size_t hs_len = ssl->out_msglen - 4;
3485 const unsigned char hs_type = ssl->out_msg[0];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3486
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3487 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
3488
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3489 /*
3490 * Sanity checks
3491 */
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]3492 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3493 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3494 {
Hanno Beckerc83d2b32018-08-22 16:05:47 +0100[diff] [blame]3495 /* In SSLv3, the client might send a NoCertificate alert. */
3496#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
3497 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
3498 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
3499 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
3500#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
3501 {
3502 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3503 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3504 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3505 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3506
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3507 /* Whenever we send anything different from a
3508 * HelloRequest we should be in a handshake - double check. */
3509 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3510 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3511 ssl->handshake == NULL )
3512 {
3513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3514 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3515 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3517#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3518 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3519 ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3520 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3521 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3523 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3524 }
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3525#endif
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3526
Hanno Beckerb50a2532018-08-06 11:52:54 +0100[diff] [blame]3527 /* Double-check that we did not exceed the bounds
3528 * of the outgoing record buffer.
3529 * This should never fail as the various message
3530 * writing functions must obey the bounds of the
3531 * outgoing record buffer, but better be safe.
3532 *
3533 * Note: We deliberately do not check for the MTU or MFL here.
3534 */
3535 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
3536 {
3537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
3538 "size %u, maximum %u",
3539 (unsigned) ssl->out_msglen,
3540 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
3541 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3542 }
3543
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3544 /*
3545 * Fill handshake headers
3546 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3547 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3548 {
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3549 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
3550 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
3551 ssl->out_msg[3] = (unsigned char)( hs_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3552
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3553 /*
3554 * DTLS has additional fields in the Handshake layer,
3555 * between the length field and the actual payload:
3556 * uint16 message_seq;
3557 * uint24 fragment_offset;
3558 * uint24 fragment_length;
3559 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3560#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3561 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3562 {
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]3563 /* Make room for the additional DTLS fields */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3564 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]3565 {
3566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
3567 "size %u, maximum %u",
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3568 (unsigned) ( hs_len ),
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3569 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
Hanno Becker9648f8b2017-09-18 10:55:54 +0100[diff] [blame]3570 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3571 }
3572
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3573 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3574 ssl->out_msglen += 8;
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3575
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3576 /* Write message_seq and update it, except for HelloRequest */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3577 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3578 {
Manuel Pégourié-Gonnardd9ba0d92014-09-02 18:30:26 +0200[diff] [blame]3579 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
3580 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
3581 ++( ssl->handshake->out_msg_seq );
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3582 }
3583 else
3584 {
3585 ssl->out_msg[4] = 0;
3586 ssl->out_msg[5] = 0;
3587 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]3588
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3589 /* Handshake hashes are computed without fragmentation,
3590 * so set frag_offset = 0 and frag_len = hs_len for now */
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]3591 memset( ssl->out_msg + 6, 0x00, 3 );
3592 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3593 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3594#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3595
Hanno Becker0207e532018-08-28 10:28:28 +0100[diff] [blame]3596 /* Update running hashes of handshake messages seen */
Manuel Pégourié-Gonnard9c3a8ca2017-09-13 09:54:27 +0200[diff] [blame]3597 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
3598 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3599 }
3600
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3601 /* Either send now, or just save to be sent (and resent) later */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3602#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3603 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3604 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3605 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3606 {
3607 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
3608 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3609 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3610 return( ret );
3611 }
3612 }
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3613 else
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3614#endif
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3615 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3616 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3617 {
3618 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3619 return( ret );
3620 }
3621 }
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3622
3623 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
3624
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3625 return( 0 );
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3626}
3627
3628/*
3629 * Record layer functions
3630 */
3631
3632/*
3633 * Write current record.
3634 *
3635 * Uses:
3636 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
3637 * - ssl->out_msglen: length of the record content (excl headers)
3638 * - ssl->out_msg: record content
3639 */
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3640int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3641{
3642 int ret, done = 0;
3643 size_t len = ssl->out_msglen;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3644 uint8_t flush = force_flush;
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3645
3646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]3647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3648#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3649 if( ssl->transform_out != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3650 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3651 {
3652 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
3653 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3654 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3655 return( ret );
3656 }
3657
3658 len = ssl->out_msglen;
3659 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3660#endif /*MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3662#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3663 if( mbedtls_ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3664 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3667 ret = mbedtls_ssl_hw_record_write( ssl );
3668 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3669 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3670 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
3671 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3672 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]3673
3674 if( ret == 0 )
3675 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3676 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3677#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3678 if( !done )
3679 {
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3680 unsigned i;
3681 size_t protected_record_size;
3682
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3683 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3684 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3685 ssl->conf->transport, ssl->out_hdr + 1 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]3686
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]3687 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]3688 ssl->out_len[0] = (unsigned char)( len >> 8 );
3689 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3690
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3691 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3692 {
3693 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
3694 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3695 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3696 return( ret );
3697 }
3698
3699 len = ssl->out_msglen;
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]3700 ssl->out_len[0] = (unsigned char)( len >> 8 );
3701 ssl->out_len[1] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3702 }
3703
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3704 protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
3705
3706#if defined(MBEDTLS_SSL_PROTO_DTLS)
3707 /* In case of DTLS, double-check that we don't exceed
3708 * the remaining space in the datagram. */
3709 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3710 {
Hanno Becker554b0af2018-08-22 20:33:41 +0100[diff] [blame]3711 ret = ssl_get_remaining_space_in_datagram( ssl );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3712 if( ret < 0 )
3713 return( ret );
3714
3715 if( protected_record_size > (size_t) ret )
3716 {
3717 /* Should never happen */
3718 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3719 }
3720 }
3721#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3723 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]3724 "version = [%d:%d], msglen = %d",
3725 ssl->out_hdr[0], ssl->out_hdr[1],
3726 ssl->out_hdr[2], len ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3728 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
Hanno Beckerecbdf1c2018-08-28 09:53:54 +0100[diff] [blame]3729 ssl->out_hdr, protected_record_size );
Hanno Becker2b1e3542018-08-06 11:19:13 +0100[diff] [blame]3730
3731 ssl->out_left += protected_record_size;
3732 ssl->out_hdr += protected_record_size;
3733 ssl_update_out_pointers( ssl, ssl->transform_out );
3734
Hanno Becker04484622018-08-06 09:49:38 +0100[diff] [blame]3735 for( i = 8; i > ssl_ep_len( ssl ); i-- )
3736 if( ++ssl->cur_out_ctr[i - 1] != 0 )
3737 break;
3738
3739 /* The loop goes to its end iff the counter is wrapping */
3740 if( i == ssl_ep_len( ssl ) )
3741 {
3742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
3743 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3744 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3745 }
3746
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3747#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker47db8772018-08-21 13:32:13 +0100[diff] [blame]3748 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3749 flush == SSL_DONT_FORCE_FLUSH )
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3750 {
Hanno Becker1f5a15d2018-08-21 13:31:31 +0100[diff] [blame]3751 size_t remaining;
3752 ret = ssl_get_remaining_payload_in_datagram( ssl );
3753 if( ret < 0 )
3754 {
3755 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
3756 ret );
3757 return( ret );
3758 }
3759
3760 remaining = (size_t) ret;
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3761 if( remaining == 0 )
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]3762 {
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3763 flush = SSL_FORCE_FLUSH;
Hanno Beckerf0da6672018-08-28 09:55:10 +0100[diff] [blame]3764 }
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3765 else
3766 {
Hanno Becker513815a2018-08-20 11:56:09 +0100[diff] [blame]3767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]3768 }
3769 }
3770#endif /* MBEDTLS_SSL_PROTO_DTLS */
3771
3772 if( ( flush == SSL_FORCE_FLUSH ) &&
3773 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3774 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3775 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3776 return( ret );
3777 }
3778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3780
3781 return( 0 );
3782}
3783
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3784#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3785
3786static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
3787{
3788 if( ssl->in_msglen < ssl->in_hslen ||
3789 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
3790 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
3791 {
3792 return( 1 );
3793 }
3794 return( 0 );
3795}
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3796
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3797static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3798{
3799 return( ( ssl->in_msg[9] << 16 ) |
3800 ( ssl->in_msg[10] << 8 ) |
3801 ssl->in_msg[11] );
3802}
3803
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3804static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3805{
3806 return( ( ssl->in_msg[6] << 16 ) |
3807 ( ssl->in_msg[7] << 8 ) |
3808 ssl->in_msg[8] );
3809}
3810
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3811static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3812{
3813 uint32_t msg_len, frag_off, frag_len;
3814
3815 msg_len = ssl_get_hs_total_len( ssl );
3816 frag_off = ssl_get_hs_frag_off( ssl );
3817 frag_len = ssl_get_hs_frag_len( ssl );
3818
3819 if( frag_off > msg_len )
3820 return( -1 );
3821
3822 if( frag_len > msg_len - frag_off )
3823 return( -1 );
3824
3825 if( frag_len + 12 > ssl->in_msglen )
3826 return( -1 );
3827
3828 return( 0 );
3829}
3830
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3831/*
3832 * Mark bits in bitmask (used for DTLS HS reassembly)
3833 */
3834static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
3835{
3836 unsigned int start_bits, end_bits;
3837
3838 start_bits = 8 - ( offset % 8 );
3839 if( start_bits != 8 )
3840 {
3841 size_t first_byte_idx = offset / 8;
3842
Manuel Pégourié-Gonnardac030522014-09-02 14:23:40 +0200[diff] [blame]3843 /* Special case */
3844 if( len <= start_bits )
3845 {
3846 for( ; len != 0; len-- )
3847 mask[first_byte_idx] |= 1 << ( start_bits - len );
3848
3849 /* Avoid potential issues with offset or len becoming invalid */
3850 return;
3851 }
3852
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3853 offset += start_bits; /* Now offset % 8 == 0 */
3854 len -= start_bits;
3855
3856 for( ; start_bits != 0; start_bits-- )
3857 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3858 }
3859
3860 end_bits = len % 8;
3861 if( end_bits != 0 )
3862 {
3863 size_t last_byte_idx = ( offset + len ) / 8;
3864
3865 len -= end_bits; /* Now len % 8 == 0 */
3866
3867 for( ; end_bits != 0; end_bits-- )
3868 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3869 }
3870
3871 memset( mask + offset / 8, 0xFF, len / 8 );
3872}
3873
3874/*
3875 * Check that bitmask is full
3876 */
3877static int ssl_bitmask_check( unsigned char *mask, size_t len )
3878{
3879 size_t i;
3880
3881 for( i = 0; i < len / 8; i++ )
3882 if( mask[i] != 0xFF )
3883 return( -1 );
3884
3885 for( i = 0; i < len % 8; i++ )
3886 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
3887 return( -1 );
3888
3889 return( 0 );
3890}
3891
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3892/* msg_len does not include the handshake header */
Hanno Becker65dc8852018-08-23 09:40:49 +0100[diff] [blame]3893static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3894 unsigned add_bitmap )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3895{
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3896 size_t alloc_len;
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3897
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3898 alloc_len = 12; /* Handshake header */
3899 alloc_len += msg_len; /* Content buffer */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3900
Hanno Beckerd07df862018-08-16 09:14:58 +0100[diff] [blame]3901 if( add_bitmap )
3902 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3903
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]3904 return( alloc_len );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3905}
Hanno Becker56e205e2018-08-16 09:06:12 +0100[diff] [blame]3906
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3907#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3908
Hanno Beckercd9dcda2018-08-28 17:18:56 +0100[diff] [blame]3909static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]3910{
3911 return( ( ssl->in_msg[1] << 16 ) |
3912 ( ssl->in_msg[2] << 8 ) |
3913 ssl->in_msg[3] );
3914}
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3915
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3916int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3917{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3918 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]3919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]3921 ssl->in_msglen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3922 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnard9d1d7192014-09-03 11:01:14 +0200[diff] [blame]3923 }
3924
Hanno Becker12555c62018-08-16 12:47:53 +0100[diff] [blame]3925 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3926
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3927 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3928 " %d, type = %d, hslen = %d",
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]3929 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3930
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3931#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3932 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]3933 {
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3934 int ret;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3935 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3936
Hanno Becker44650b72018-08-16 12:51:11 +0100[diff] [blame]3937 if( ssl_check_hs_header( ssl ) != 0 )
3938 {
3939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
3940 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3941 }
3942
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3943 if( ssl->handshake != NULL &&
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]3944 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
3945 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
3946 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3947 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3948 {
Hanno Becker9e1ec222018-08-15 15:54:43 +0100[diff] [blame]3949 if( recv_msg_seq > ssl->handshake->in_msg_seq )
3950 {
3951 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
3952 recv_msg_seq,
3953 ssl->handshake->in_msg_seq ) );
3954 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3955 }
3956
Manuel Pégourié-Gonnardfc572dd2014-10-09 17:56:57 +0200[diff] [blame]3957 /* Retransmit only on last message from previous flight, to avoid
3958 * too many retransmissions.
3959 * Besides, No sane server ever retransmits HelloVerifyRequest */
3960 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3961 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3962 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3964 "message_seq = %d, start_of_flight = %d",
3965 recv_msg_seq,
3966 ssl->handshake->in_flight_start_seq ) );
3967
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3968 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3969 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3970 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3971 return( ret );
3972 }
3973 }
3974 else
3975 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3976 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
Manuel Pégourié-Gonnard6a2bdfa2014-09-19 21:18:23 +0200[diff] [blame]3977 "message_seq = %d, expected = %d",
3978 recv_msg_seq,
3979 ssl->handshake->in_msg_seq ) );
3980 }
3981
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]3982 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]3983 }
3984 /* Wait until message completion to increment in_msg_seq */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3985
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]3986 /* Message reassembly is handled alongside buffering of future
3987 * messages; the commonality is that both handshake fragments and
Hanno Becker83ab41c2018-08-28 17:19:38 +0100[diff] [blame]3988 * future messages cannot be forwarded immediately to the
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]3989 * handshake logic layer. */
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]3990 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3991 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3992 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
Hanno Becker6d97ef52018-08-16 13:09:04 +0100[diff] [blame]3993 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3994 }
3995 }
3996 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3997#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnarded79a4b2014-08-20 10:43:01 +0200[diff] [blame]3998 /* With TLS we don't handle fragmentation (for now) */
3999 if( ssl->in_msglen < ssl->in_hslen )
4000 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4001 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
4002 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4003 }
4004
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4005 return( 0 );
4006}
4007
4008void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
4009{
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4010 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4011
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4012 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]4013 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4014 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Manuel Pégourié-Gonnard14bf7062015-06-23 14:07:13 +0200[diff] [blame]4015 }
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4016
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]4017 /* Handshake message is complete, increment counter */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4018#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4019 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]4020 ssl->handshake != NULL )
4021 {
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4022 unsigned offset;
4023 mbedtls_ssl_hs_buffer *hs_buf;
Hanno Beckere25e3b72018-08-16 09:30:53 +0100[diff] [blame]4024
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4025 /* Increment handshake sequence number */
4026 hs->in_msg_seq++;
4027
4028 /*
4029 * Clear up handshake buffering and reassembly structure.
4030 */
4031
4032 /* Free first entry */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]4033 ssl_buffering_free_slot( ssl, 0 );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4034
4035 /* Shift all other entries */
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]4036 for( offset = 0, hs_buf = &hs->buffering.hs[0];
4037 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]4038 offset++, hs_buf++ )
4039 {
4040 *hs_buf = *(hs_buf + 1);
4041 }
4042
4043 /* Create a fresh last entry */
4044 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]4045 }
4046#endif
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]4047}
4048
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4049/*
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4050 * DTLS anti-replay: RFC 6347 4.1.2.6
4051 *
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4052 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
4053 * Bit n is set iff record number in_window_top - n has been seen.
4054 *
4055 * Usually, in_window_top is the last record number seen and the lsb of
4056 * in_window is set. The only exception is the initial state (record number 0
4057 * not seen yet).
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4058 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4059#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4060static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4061{
4062 ssl->in_window_top = 0;
4063 ssl->in_window = 0;
4064}
4065
4066static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
4067{
4068 return( ( (uint64_t) buf[0] << 40 ) |
4069 ( (uint64_t) buf[1] << 32 ) |
4070 ( (uint64_t) buf[2] << 24 ) |
4071 ( (uint64_t) buf[3] << 16 ) |
4072 ( (uint64_t) buf[4] << 8 ) |
4073 ( (uint64_t) buf[5] ) );
4074}
4075
4076/*
4077 * Return 0 if sequence number is acceptable, -1 otherwise
4078 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4079int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4080{
4081 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
4082 uint64_t bit;
4083
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4084 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4085 return( 0 );
4086
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4087 if( rec_seqnum > ssl->in_window_top )
4088 return( 0 );
4089
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4090 bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4091
4092 if( bit >= 64 )
4093 return( -1 );
4094
4095 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
4096 return( -1 );
4097
4098 return( 0 );
4099}
4100
4101/*
4102 * Update replay window on new validated record
4103 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4104void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4105{
4106 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
4107
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4108 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4109 return;
4110
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4111 if( rec_seqnum > ssl->in_window_top )
4112 {
4113 /* Update window_top and the contents of the window */
4114 uint64_t shift = rec_seqnum - ssl->in_window_top;
4115
4116 if( shift >= 64 )
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4117 ssl->in_window = 1;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4118 else
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4119 {
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4120 ssl->in_window <<= shift;
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4121 ssl->in_window |= 1;
4122 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4123
4124 ssl->in_window_top = rec_seqnum;
4125 }
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4126 else
4127 {
4128 /* Mark that number as seen in the current window */
Manuel Pégourié-Gonnard4956fd72014-09-24 11:13:44 +0200[diff] [blame]4129 uint64_t bit = ssl->in_window_top - rec_seqnum;
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4130
4131 if( bit < 64 ) /* Always true, but be extra sure */
4132 ssl->in_window |= (uint64_t) 1 << bit;
4133 }
4134}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4135#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4136
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]4137#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4138/* Forward declaration */
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]4139static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
4140
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4141/*
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4142 * Without any SSL context, check if a datagram looks like a ClientHello with
4143 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
Simon Butcher0789aed2015-09-11 17:15:17 +0100[diff] [blame]4144 * Both input and output include full DTLS headers.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4145 *
4146 * - if cookie is valid, return 0
4147 * - if ClientHello looks superficially valid but cookie is not,
4148 * fill obuf and set olen, then
4149 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
4150 * - otherwise return a specific error code
4151 */
4152static int ssl_check_dtls_clihlo_cookie(
4153 mbedtls_ssl_cookie_write_t *f_cookie_write,
4154 mbedtls_ssl_cookie_check_t *f_cookie_check,
4155 void *p_cookie,
4156 const unsigned char *cli_id, size_t cli_id_len,
4157 const unsigned char *in, size_t in_len,
4158 unsigned char *obuf, size_t buf_len, size_t *olen )
4159{
4160 size_t sid_len, cookie_len;
4161 unsigned char *p;
4162
4163 if( f_cookie_write == NULL || f_cookie_check == NULL )
4164 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4165
4166 /*
4167 * Structure of ClientHello with record and handshake headers,
4168 * and expected values. We don't need to check a lot, more checks will be
4169 * done when actually parsing the ClientHello - skipping those checks
4170 * avoids code duplication and does not make cookie forging any easier.
4171 *
4172 * 0-0 ContentType type; copied, must be handshake
4173 * 1-2 ProtocolVersion version; copied
4174 * 3-4 uint16 epoch; copied, must be 0
4175 * 5-10 uint48 sequence_number; copied
4176 * 11-12 uint16 length; (ignored)
4177 *
4178 * 13-13 HandshakeType msg_type; (ignored)
4179 * 14-16 uint24 length; (ignored)
4180 * 17-18 uint16 message_seq; copied
4181 * 19-21 uint24 fragment_offset; copied, must be 0
4182 * 22-24 uint24 fragment_length; (ignored)
4183 *
4184 * 25-26 ProtocolVersion client_version; (ignored)
4185 * 27-58 Random random; (ignored)
4186 * 59-xx SessionID session_id; 1 byte len + sid_len content
4187 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
4188 * ...
4189 *
4190 * Minimum length is 61 bytes.
4191 */
4192 if( in_len < 61 ||
4193 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
4194 in[3] != 0 || in[4] != 0 ||
4195 in[19] != 0 || in[20] != 0 || in[21] != 0 )
4196 {
4197 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4198 }
4199
4200 sid_len = in[59];
4201 if( sid_len > in_len - 61 )
4202 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4203
4204 cookie_len = in[60 + sid_len];
4205 if( cookie_len > in_len - 60 )
4206 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4207
4208 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
4209 cli_id, cli_id_len ) == 0 )
4210 {
4211 /* Valid cookie */
4212 return( 0 );
4213 }
4214
4215 /*
4216 * If we get here, we've got an invalid cookie, let's prepare HVR.
4217 *
4218 * 0-0 ContentType type; copied
4219 * 1-2 ProtocolVersion version; copied
4220 * 3-4 uint16 epoch; copied
4221 * 5-10 uint48 sequence_number; copied
4222 * 11-12 uint16 length; olen - 13
4223 *
4224 * 13-13 HandshakeType msg_type; hello_verify_request
4225 * 14-16 uint24 length; olen - 25
4226 * 17-18 uint16 message_seq; copied
4227 * 19-21 uint24 fragment_offset; copied
4228 * 22-24 uint24 fragment_length; olen - 25
4229 *
4230 * 25-26 ProtocolVersion server_version; 0xfe 0xff
4231 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
4232 *
4233 * Minimum length is 28.
4234 */
4235 if( buf_len < 28 )
4236 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
4237
4238 /* Copy most fields and adapt others */
4239 memcpy( obuf, in, 25 );
4240 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
4241 obuf[25] = 0xfe;
4242 obuf[26] = 0xff;
4243
4244 /* Generate and write actual cookie */
4245 p = obuf + 28;
4246 if( f_cookie_write( p_cookie,
4247 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
4248 {
4249 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4250 }
4251
4252 *olen = p - obuf;
4253
4254 /* Go back and fill length fields */
4255 obuf[27] = (unsigned char)( *olen - 28 );
4256
4257 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
4258 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
4259 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
4260
4261 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
4262 obuf[12] = (unsigned char)( ( *olen - 13 ) );
4263
4264 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4265}
4266
4267/*
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4268 * Handle possible client reconnect with the same UDP quadruplet
4269 * (RFC 6347 Section 4.2.8).
4270 *
4271 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
4272 * that looks like a ClientHello.
4273 *
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4274 * - if the input looks like a ClientHello without cookies,
4275 * send back HelloVerifyRequest, then
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4276 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4277 * - if the input looks like a ClientHello with a valid cookie,
4278 * reset the session of the current context, and
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]4279 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4280 * - if anything goes wrong, return a specific error code
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4281 *
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4282 * mbedtls_ssl_read_record() will ignore the record if anything else than
Simon Butcherd0bf6a32015-09-11 17:34:49 +0100[diff] [blame]4283 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
4284 * cannot not return 0.
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4285 */
4286static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
4287{
4288 int ret;
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4289 size_t len;
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4290
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4291 ret = ssl_check_dtls_clihlo_cookie(
4292 ssl->conf->f_cookie_write,
4293 ssl->conf->f_cookie_check,
4294 ssl->conf->p_cookie,
4295 ssl->cli_id, ssl->cli_id_len,
4296 ssl->in_buf, ssl->in_left,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4297 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4298
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4299 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
4300
4301 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4302 {
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]4303 /* Don't check write errors as we can't do anything here.
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4304 * If the error is permanent we'll catch it later,
4305 * if it's not, then hopefully it'll work next time. */
4306 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
4307
4308 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4309 }
4310
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4311 if( ret == 0 )
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4312 {
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +0200[diff] [blame]4313 /* Got a valid cookie, partially reset context */
4314 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
4315 {
4316 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
4317 return( ret );
4318 }
4319
4320 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4321 }
4322
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4323 return( ret );
4324}
Manuel Pégourié-Gonnardddfe5d22015-09-09 12:46:16 +0200[diff] [blame]4325#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard11331fc2015-09-08 10:30:55 +0200[diff] [blame]4326
Manuel Pégourié-Gonnard7a7e1402014-09-24 10:52:58 +0200[diff] [blame]4327/*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4328 * ContentType type;
4329 * ProtocolVersion version;
4330 * uint16 epoch; // DTLS only
4331 * uint48 sequence_number; // DTLS only
4332 * uint16 length;
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4333 *
4334 * Return 0 if header looks sane (and, for DTLS, the record is expected)
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]4335 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4336 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
4337 *
4338 * With DTLS, mbedtls_ssl_read_record() will:
Simon Butcher207990d2015-12-16 01:51:30 +0000[diff] [blame]4339 * 1. proceed with the record if this function returns 0
4340 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
4341 * 3. return CLIENT_RECONNECT if this function return that value
4342 * 4. drop the whole datagram if this function returns anything else.
4343 * Point 2 is needed when the peer is resending, and we have already received
4344 * the first record from a datagram but are still waiting for the others.
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4345 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4346static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4347{
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]4348 int major_ver, minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4349
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4350 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4351
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4352 ssl->in_msgtype = ssl->in_hdr[0];
Manuel Pégourié-Gonnard507e1e42014-02-13 11:17:34 +0100[diff] [blame]4353 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4354 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4356 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4357 "version = [%d:%d], msglen = %d",
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4358 ssl->in_msgtype,
4359 major_ver, minor_ver, ssl->in_msglen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4360
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4361 /* Check record type */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4362 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
4363 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
4364 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
4365 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4366 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4367 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
Andres Amaya Garcia2fad94b2017-06-26 15:11:59 +0100[diff] [blame]4368
4369#if defined(MBEDTLS_SSL_PROTO_DTLS)
Andres Amaya Garcia01692532017-06-28 09:26:46 +0100[diff] [blame]4370 /* Silently ignore invalid DTLS records as recommended by RFC 6347
4371 * Section 4.1.2.7 */
Andres Amaya Garcia2fad94b2017-06-26 15:11:59 +0100[diff] [blame]4372 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4373#endif /* MBEDTLS_SSL_PROTO_DTLS */
4374 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4375 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
4376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4377 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4378 }
4379
4380 /* Check version */
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]4381 if( major_ver != ssl->major_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4382 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
4384 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4385 }
4386
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4387 if( minor_ver > ssl->conf->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4388 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
4390 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4391 }
4392
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4393 /* Check length against the size of our buffer */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4394 if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
Manuel Pégourié-Gonnardedcbe542014-08-11 19:27:24 +0200[diff] [blame]4395 - (size_t)( ssl->in_msg - ssl->in_buf ) )
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]4396 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4398 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker1a1fbba2014-04-30 14:38:05 +0200[diff] [blame]4399 }
4400
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4401 /*
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4402 * DTLS-related tests.
4403 * Check epoch before checking length constraint because
4404 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
4405 * message gets duplicated before the corresponding Finished message,
4406 * the second ChangeCipherSpec should be discarded because it belongs
4407 * to an old epoch, but not because its length is shorter than
4408 * the minimum record length for packets using the new record transform.
4409 * Note that these two kinds of failures are handled differently,
4410 * as an unexpected record is silently skipped but an invalid
4411 * record leads to the entire datagram being dropped.
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4412 */
4413#if defined(MBEDTLS_SSL_PROTO_DTLS)
4414 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4415 {
4416 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
4417
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4418 /* Check epoch (and sequence number) with DTLS */
4419 if( rec_epoch != ssl->in_epoch )
4420 {
4421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
4422 "expected %d, received %d",
4423 ssl->in_epoch, rec_epoch ) );
4424
4425#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4426 /*
4427 * Check for an epoch 0 ClientHello. We can't use in_msg here to
4428 * access the first byte of record content (handshake type), as we
4429 * have an active transform (possibly iv_len != 0), so use the
4430 * fact that the record header len is 13 instead.
4431 */
4432 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4433 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
4434 rec_epoch == 0 &&
4435 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4436 ssl->in_left > 13 &&
4437 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
4438 {
4439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
4440 "from the same port" ) );
4441 return( ssl_handle_possible_reconnect( ssl ) );
4442 }
4443 else
4444#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4445 {
4446 /* Consider buffering the record. */
4447 if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
4448 {
4449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
4450 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4451 }
4452
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4453 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]4454 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4455 }
4456
4457#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4458 /* Replay detection only works for the current epoch */
4459 if( rec_epoch == ssl->in_epoch &&
4460 mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
4461 {
4462 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
4463 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4464 }
4465#endif
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4466
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4467 /* Drop unexpected ApplicationData records,
4468 * except at the beginning of renegotiations */
4469 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4470 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4471#if defined(MBEDTLS_SSL_RENEGOTIATION)
4472 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4473 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4474#endif
4475 )
4476 {
4477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4478 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4479 }
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]4480 }
4481#endif /* MBEDTLS_SSL_PROTO_DTLS */
4482
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4483
4484 /* Check length against bounds of the current transform and version */
4485 if( ssl->transform_in == NULL )
4486 {
4487 if( ssl->in_msglen < 1 ||
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4488 ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4489 {
4490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4491 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4492 }
4493 }
4494 else
4495 {
4496 if( ssl->in_msglen < ssl->transform_in->minlen )
4497 {
4498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4499 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4500 }
4501
4502#if defined(MBEDTLS_SSL_PROTO_SSL3)
4503 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4504 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4505 {
4506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4507 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4508 }
4509#endif
4510#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
4511 defined(MBEDTLS_SSL_PROTO_TLS1_2)
4512 /*
4513 * TLS encrypted messages can have up to 256 bytes of padding
4514 */
4515 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
4516 ssl->in_msglen > ssl->transform_in->minlen +
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4517 MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]4518 {
4519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4520 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4521 }
4522#endif
4523 }
4524
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4525 return( 0 );
4526}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4527
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4528/*
4529 * If applicable, decrypt (and decompress) record content
4530 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4531static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4532{
4533 int ret, done = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]4534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4535 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
4536 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4537
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4538#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4539 if( mbedtls_ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4540 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4541 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4543 ret = mbedtls_ssl_hw_record_read( ssl );
4544 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4545 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4546 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
4547 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4548 }
Paul Bakkerc7878112012-12-19 14:41:14 +0100[diff] [blame]4549
4550 if( ret == 0 )
4551 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]4552 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4553#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]4554 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4555 {
4556 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
4557 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4558 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4559 return( ret );
4560 }
4561
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4562 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4563 ssl->in_msg, ssl->in_msglen );
4564
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]4565 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4566 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4568 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4569 }
4570 }
4571
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4572#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]4573 if( ssl->transform_in != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4574 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4575 {
4576 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4577 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4578 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4579 return( ret );
4580 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4581 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4582#endif /* MBEDTLS_ZLIB_SUPPORT */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]4583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4584#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4585 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4586 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4587 mbedtls_ssl_dtls_replay_update( ssl );
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4588 }
4589#endif
4590
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4591 return( 0 );
4592}
4593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4594static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]4595
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4596/*
4597 * Read a record.
4598 *
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]4599 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
4600 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
4601 *
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4602 */
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]4603
4604/* Helper functions for mbedtls_ssl_read_record(). */
4605static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4606static int ssl_get_next_record( mbedtls_ssl_context *ssl );
4607static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
Hanno Becker4162b112018-08-15 14:05:04 +0100[diff] [blame]4608
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4609int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]4610 unsigned update_hs_digest )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4611{
4612 int ret;
4613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4614 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]4615
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4616 if( ssl->keep_current_message == 0 )
4617 {
4618 do {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4619
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]4620 ret = ssl_consume_current_message( ssl );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4621 if( ret != 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4622 return( ret );
Hanno Becker26994592018-08-15 14:14:59 +0100[diff] [blame]4623
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4624 if( ssl_record_is_in_progress( ssl ) == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4625 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4626#if defined(MBEDTLS_SSL_PROTO_DTLS)
4627 int have_buffered = 0;
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4628
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4629 /* We only check for buffered messages if the
4630 * current datagram is fully consumed. */
4631 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4632 ssl_next_record_is_in_datagram( ssl ) == 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4633 {
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4634 if( ssl_load_buffered_message( ssl ) == 0 )
4635 have_buffered = 1;
4636 }
4637
4638 if( have_buffered == 0 )
4639#endif /* MBEDTLS_SSL_PROTO_DTLS */
4640 {
4641 ret = ssl_get_next_record( ssl );
4642 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
4643 continue;
4644
4645 if( ret != 0 )
4646 {
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]4647 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4648 return( ret );
4649 }
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]4650 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4651 }
4652
4653 ret = mbedtls_ssl_handle_message_type( ssl );
4654
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4655#if defined(MBEDTLS_SSL_PROTO_DTLS)
4656 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4657 {
4658 /* Buffer future message */
4659 ret = ssl_buffer_message( ssl );
4660 if( ret != 0 )
4661 return( ret );
4662
4663 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
4664 }
4665#endif /* MBEDTLS_SSL_PROTO_DTLS */
4666
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]4667 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
4668 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4669
4670 if( 0 != ret )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4671 {
Hanno Becker05c4fc82017-11-09 14:34:06 +0000[diff] [blame]4672 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4673 return( ret );
4674 }
4675
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4676 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
Hanno Becker3a0aad12018-08-20 09:44:02 +0100[diff] [blame]4677 update_hs_digest == 1 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4678 {
4679 mbedtls_ssl_update_handshake_status( ssl );
4680 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4681 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4682 else
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4683 {
Hanno Becker02f59072018-08-15 14:00:24 +0100[diff] [blame]4684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]4685 ssl->keep_current_message = 0;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4686 }
4687
4688 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
4689
4690 return( 0 );
4691}
4692
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4693#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]4694static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4695{
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4696 if( ssl->in_left > ssl->next_record_offset )
4697 return( 1 );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4698
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4699 return( 0 );
4700}
4701
4702static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
4703{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4704 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4705 mbedtls_ssl_hs_buffer * hs_buf;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4706 int ret = 0;
4707
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4708 if( hs == NULL )
4709 return( -1 );
4710
Hanno Beckere00ae372018-08-20 09:39:42 +0100[diff] [blame]4711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
4712
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4713 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
4714 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4715 {
4716 /* Check if we have seen a ChangeCipherSpec before.
4717 * If yes, synthesize a CCS record. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4718 if( !hs->buffering.seen_ccs )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4719 {
4720 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
4721 ret = -1;
Hanno Becker0d4b3762018-08-20 09:36:59 +0100[diff] [blame]4722 goto exit;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4723 }
4724
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]4725 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4726 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4727 ssl->in_msglen = 1;
4728 ssl->in_msg[0] = 1;
4729
4730 /* As long as they are equal, the exact value doesn't matter. */
4731 ssl->in_left = 0;
4732 ssl->next_record_offset = 0;
4733
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4734 hs->buffering.seen_ccs = 0;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4735 goto exit;
4736 }
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4737
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]4738#if defined(MBEDTLS_DEBUG_C)
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4739 /* Debug only */
4740 {
4741 unsigned offset;
4742 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
4743 {
4744 hs_buf = &hs->buffering.hs[offset];
4745 if( hs_buf->is_valid == 1 )
4746 {
4747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
4748 hs->in_msg_seq + offset,
Hanno Beckera591c482018-08-28 17:20:00 +0100[diff] [blame]4749 hs_buf->is_complete ? "fully" : "partially" ) );
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4750 }
4751 }
4752 }
Hanno Beckerb8f50142018-08-28 10:01:34 +0100[diff] [blame]4753#endif /* MBEDTLS_DEBUG_C */
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4754
4755 /* Check if we have buffered and/or fully reassembled the
4756 * next handshake message. */
4757 hs_buf = &hs->buffering.hs[0];
4758 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4759 {
4760 /* Synthesize a record containing the buffered HS message. */
4761 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4762 ( hs_buf->data[2] << 8 ) |
4763 hs_buf->data[3];
4764
4765 /* Double-check that we haven't accidentally buffered
4766 * a message that doesn't fit into the input buffer. */
4767 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4768 {
4769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4770 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4771 }
4772
4773 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
4774 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
4775 hs_buf->data, msg_len + 12 );
4776
4777 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4778 ssl->in_hslen = msg_len + 12;
4779 ssl->in_msglen = msg_len + 12;
4780 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
4781
4782 ret = 0;
4783 goto exit;
4784 }
4785 else
4786 {
4787 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
4788 hs->in_msg_seq ) );
4789 }
4790
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4791 ret = -1;
4792
4793exit:
4794
4795 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
4796 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4797}
4798
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4799static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
4800 size_t desired )
4801{
4802 int offset;
4803 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4804 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
4805 (unsigned) desired ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4806
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4807 /* Get rid of future records epoch first, if such exist. */
4808 ssl_free_buffered_record( ssl );
4809
4810 /* Check if we have enough space available now. */
4811 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4812 hs->buffering.total_bytes_buffered ) )
4813 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4814 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]4815 return( 0 );
4816 }
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4817
Hanno Becker4f432ad2018-08-28 10:02:32 +0100[diff] [blame]4818 /* We don't have enough space to buffer the next expected handshake
4819 * message. Remove buffers used for future messages to gain space,
4820 * starting with the most distant one. */
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4821 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4822 offset >= 0; offset-- )
4823 {
4824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4825 offset ) );
4826
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]4827 ssl_buffering_free_slot( ssl, (uint8_t) offset );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4828
4829 /* Check if we have enough space available now. */
4830 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4831 hs->buffering.total_bytes_buffered ) )
4832 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4833 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4834 return( 0 );
4835 }
4836 }
4837
4838 return( -1 );
4839}
4840
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]4841static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4842{
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4843 int ret = 0;
4844 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4845
4846 if( hs == NULL )
4847 return( 0 );
4848
4849 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4850
4851 switch( ssl->in_msgtype )
4852 {
4853 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4854 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]4855
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100[diff] [blame]4856 hs->buffering.seen_ccs = 1;
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]4857 break;
4858
4859 case MBEDTLS_SSL_MSG_HANDSHAKE:
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4860 {
4861 unsigned recv_msg_seq_offset;
4862 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4863 mbedtls_ssl_hs_buffer *hs_buf;
4864 size_t msg_len = ssl->in_hslen - 12;
4865
4866 /* We should never receive an old handshake
4867 * message - double-check nonetheless. */
4868 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4869 {
4870 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4871 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4872 }
4873
4874 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4875 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4876 {
4877 /* Silently ignore -- message too far in the future */
4878 MBEDTLS_SSL_DEBUG_MSG( 2,
4879 ( "Ignore future HS message with sequence number %u, "
4880 "buffering window %u - %u",
4881 recv_msg_seq, ssl->handshake->in_msg_seq,
4882 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4883
4884 goto exit;
4885 }
4886
4887 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4888 recv_msg_seq, recv_msg_seq_offset ) );
4889
4890 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4891
4892 /* Check if the buffering for this seq nr has already commenced. */
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4893 if( !hs_buf->is_valid )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4894 {
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4895 size_t reassembly_buf_sz;
4896
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4897 hs_buf->is_fragmented =
4898 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4899
4900 /* We copy the message back into the input buffer
4901 * after reassembly, so check that it's not too large.
4902 * This is an implementation-specific limitation
4903 * and not one from the standard, hence it is not
4904 * checked in ssl_check_hs_header(). */
Hanno Becker96a6c692018-08-21 15:56:03 +0100[diff] [blame]4905 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4906 {
4907 /* Ignore message */
4908 goto exit;
4909 }
4910
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4911 /* Check if we have enough space to buffer the message. */
4912 if( hs->buffering.total_bytes_buffered >
4913 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4914 {
4915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4916 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4917 }
4918
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4919 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4920 hs_buf->is_fragmented );
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4921
4922 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4923 hs->buffering.total_bytes_buffered ) )
4924 {
4925 if( recv_msg_seq_offset > 0 )
4926 {
4927 /* If we can't buffer a future message because
4928 * of space limitations -- ignore. */
4929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4930 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4931 (unsigned) hs->buffering.total_bytes_buffered ) );
4932 goto exit;
4933 }
Hanno Beckere1801392018-08-21 16:51:05 +0100[diff] [blame]4934 else
4935 {
4936 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4937 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4938 (unsigned) hs->buffering.total_bytes_buffered ) );
4939 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4940
Hanno Beckera02b0b42018-08-21 17:20:27 +0100[diff] [blame]4941 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4942 {
Hanno Becker6e12c1e2018-08-24 14:39:15 +0100[diff] [blame]4943 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4944 (unsigned) msg_len,
4945 (unsigned) reassembly_buf_sz,
4946 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4947 (unsigned) hs->buffering.total_bytes_buffered ) );
Hanno Becker55e9e2a2018-08-21 16:07:55 +0100[diff] [blame]4948 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4949 goto exit;
4950 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4951 }
4952
4953 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4954 msg_len ) );
4955
Hanno Becker2a97b0e2018-08-21 15:47:49 +0100[diff] [blame]4956 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4957 if( hs_buf->data == NULL )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4958 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4959 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4960 goto exit;
4961 }
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4962 hs_buf->data_len = reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4963
4964 /* Prepare final header: copy msg_type, length and message_seq,
4965 * then add standardised fragment_offset and fragment_length */
4966 memcpy( hs_buf->data, ssl->in_msg, 6 );
4967 memset( hs_buf->data + 6, 0, 3 );
4968 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4969
4970 hs_buf->is_valid = 1;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100[diff] [blame]4971
4972 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4973 }
4974 else
4975 {
4976 /* Make sure msg_type and length are consistent */
4977 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4978 {
4979 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4980 /* Ignore */
4981 goto exit;
4982 }
4983 }
4984
Hanno Becker4422bbb2018-08-20 09:40:19 +0100[diff] [blame]4985 if( !hs_buf->is_complete )
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]4986 {
4987 size_t frag_len, frag_off;
4988 unsigned char * const msg = hs_buf->data + 12;
4989
4990 /*
4991 * Check and copy current fragment
4992 */
4993
4994 /* Validation of header fields already done in
4995 * mbedtls_ssl_prepare_handshake_record(). */
4996 frag_off = ssl_get_hs_frag_off( ssl );
4997 frag_len = ssl_get_hs_frag_len( ssl );
4998
4999 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
5000 frag_off, frag_len ) );
5001 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
5002
5003 if( hs_buf->is_fragmented )
5004 {
5005 unsigned char * const bitmask = msg + msg_len;
5006 ssl_bitmask_set( bitmask, frag_off, frag_len );
5007 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
5008 msg_len ) == 0 );
5009 }
5010 else
5011 {
5012 hs_buf->is_complete = 1;
5013 }
5014
5015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
5016 hs_buf->is_complete ? "" : "not yet " ) );
5017 }
5018
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5019 break;
Hanno Becker37f95322018-08-16 13:55:32 +0100[diff] [blame]5020 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5021
5022 default:
Hanno Becker360bef32018-08-28 10:04:33 +0100[diff] [blame]5023 /* We don't buffer other types of messages. */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5024 break;
5025 }
5026
5027exit:
5028
5029 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
5030 return( ret );
Hanno Becker40f50842018-08-15 14:48:01 +0100[diff] [blame]5031}
5032#endif /* MBEDTLS_SSL_PROTO_DTLS */
5033
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]5034static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5035{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5036 /*
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5037 * Consume last content-layer message and potentially
5038 * update in_msglen which keeps track of the contents'
5039 * consumption state.
5040 *
5041 * (1) Handshake messages:
5042 * Remove last handshake message, move content
5043 * and adapt in_msglen.
5044 *
5045 * (2) Alert messages:
5046 * Consume whole record content, in_msglen = 0.
5047 *
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5048 * (3) Change cipher spec:
5049 * Consume whole record content, in_msglen = 0.
5050 *
5051 * (4) Application data:
5052 * Don't do anything - the record layer provides
5053 * the application data as a stream transport
5054 * and consumes through mbedtls_ssl_read only.
5055 *
5056 */
5057
5058 /* Case (1): Handshake messages */
5059 if( ssl->in_hslen != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5060 {
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]5061 /* Hard assertion to be sure that no application data
5062 * is in flight, as corrupting ssl->in_msglen during
5063 * ssl->in_offt != NULL is fatal. */
5064 if( ssl->in_offt != NULL )
5065 {
5066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5067 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5068 }
5069
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5070 /*
5071 * Get next Handshake message in the current record
5072 */
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5073
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5074 /* Notes:
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]5075 * (1) in_hslen is not necessarily the size of the
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5076 * current handshake content: If DTLS handshake
5077 * fragmentation is used, that's the fragment
5078 * size instead. Using the total handshake message
Hanno Beckere72489d2017-10-23 13:23:50 +0100[diff] [blame]5079 * size here is faulty and should be changed at
5080 * some point.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5081 * (2) While it doesn't seem to cause problems, one
5082 * has to be very careful not to assume that in_hslen
5083 * is always <= in_msglen in a sensible communication.
5084 * Again, it's wrong for DTLS handshake fragmentation.
5085 * The following check is therefore mandatory, and
5086 * should not be treated as a silently corrected assertion.
Hanno Beckerbb9dd0c2017-06-08 11:55:34 +0100[diff] [blame]5087 * Additionally, ssl->in_hslen might be arbitrarily out of
5088 * bounds after handling a DTLS message with an unexpected
5089 * sequence number, see mbedtls_ssl_prepare_handshake_record.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5090 */
5091 if( ssl->in_hslen < ssl->in_msglen )
5092 {
5093 ssl->in_msglen -= ssl->in_hslen;
5094 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
5095 ssl->in_msglen );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5096
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5097 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
5098 ssl->in_msg, ssl->in_msglen );
5099 }
5100 else
5101 {
5102 ssl->in_msglen = 0;
5103 }
Manuel Pégourié-Gonnard4a175362014-09-09 17:45:31 +0200[diff] [blame]5104
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5105 ssl->in_hslen = 0;
5106 }
5107 /* Case (4): Application data */
5108 else if( ssl->in_offt != NULL )
5109 {
5110 return( 0 );
5111 }
5112 /* Everything else (CCS & Alerts) */
5113 else
5114 {
5115 ssl->in_msglen = 0;
5116 }
5117
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]5118 return( 0 );
5119}
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5120
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]5121static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
5122{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5123 if( ssl->in_msglen > 0 )
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]5124 return( 1 );
5125
5126 return( 0 );
5127}
5128
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5129#if defined(MBEDTLS_SSL_PROTO_DTLS)
5130
5131static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
5132{
5133 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5134 if( hs == NULL )
5135 return;
5136
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5137 if( hs->buffering.future_record.data != NULL )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5138 {
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5139 hs->buffering.total_bytes_buffered -=
5140 hs->buffering.future_record.len;
5141
5142 mbedtls_free( hs->buffering.future_record.data );
5143 hs->buffering.future_record.data = NULL;
5144 }
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5145}
5146
5147static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
5148{
5149 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5150 unsigned char * rec;
5151 size_t rec_len;
5152 unsigned rec_epoch;
5153
5154 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5155 return( 0 );
5156
5157 if( hs == NULL )
5158 return( 0 );
5159
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5160 rec = hs->buffering.future_record.data;
5161 rec_len = hs->buffering.future_record.len;
5162 rec_epoch = hs->buffering.future_record.epoch;
5163
5164 if( rec == NULL )
5165 return( 0 );
5166
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]5167 /* Only consider loading future records if the
5168 * input buffer is empty. */
Hanno Beckeref7afdf2018-08-28 17:16:31 +0100[diff] [blame]5169 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
Hanno Becker4cb782d2018-08-20 11:19:05 +0100[diff] [blame]5170 return( 0 );
5171
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5172 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
5173
5174 if( rec_epoch != ssl->in_epoch )
5175 {
5176 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
5177 goto exit;
5178 }
5179
5180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
5181
5182 /* Double-check that the record is not too large */
5183 if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
5184 (size_t)( ssl->in_hdr - ssl->in_buf ) )
5185 {
5186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5187 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5188 }
5189
5190 memcpy( ssl->in_hdr, rec, rec_len );
5191 ssl->in_left = rec_len;
5192 ssl->next_record_offset = 0;
5193
5194 ssl_free_buffered_record( ssl );
5195
5196exit:
5197 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
5198 return( 0 );
5199}
5200
5201static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
5202{
5203 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5204 size_t const rec_hdr_len = 13;
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5205 size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5206
5207 /* Don't buffer future records outside handshakes. */
5208 if( hs == NULL )
5209 return( 0 );
5210
5211 /* Only buffer handshake records (we are only interested
5212 * in Finished messages). */
5213 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
5214 return( 0 );
5215
5216 /* Don't buffer more than one future epoch record. */
5217 if( hs->buffering.future_record.data != NULL )
5218 return( 0 );
5219
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5220 /* Don't buffer record if there's not enough buffering space remaining. */
5221 if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
5222 hs->buffering.total_bytes_buffered ) )
5223 {
5224 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
5225 (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
5226 (unsigned) hs->buffering.total_bytes_buffered ) );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5227 return( 0 );
5228 }
5229
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5230 /* Buffer record */
5231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
5232 ssl->in_epoch + 1 ) );
5233 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
5234 rec_hdr_len + ssl->in_msglen );
5235
5236 /* ssl_parse_record_header() only considers records
5237 * of the next epoch as candidates for buffering. */
5238 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5239 hs->buffering.future_record.len = total_buf_sz;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5240
5241 hs->buffering.future_record.data =
5242 mbedtls_calloc( 1, hs->buffering.future_record.len );
5243 if( hs->buffering.future_record.data == NULL )
5244 {
5245 /* If we run out of RAM trying to buffer a
5246 * record from the next epoch, just ignore. */
5247 return( 0 );
5248 }
5249
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5250 memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5251
Hanno Becker01315ea2018-08-21 17:22:17 +0100[diff] [blame]5252 hs->buffering.total_bytes_buffered += total_buf_sz;
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5253 return( 0 );
5254}
5255
5256#endif /* MBEDTLS_SSL_PROTO_DTLS */
5257
Hanno Beckere74d5562018-08-15 14:26:08 +0100[diff] [blame]5258static int ssl_get_next_record( mbedtls_ssl_context *ssl )
Hanno Becker1097b342018-08-15 14:09:41 +0100[diff] [blame]5259{
5260 int ret;
5261
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5262#if defined(MBEDTLS_SSL_PROTO_DTLS)
5263 /* We might have buffered a future record; if so,
5264 * and if the epoch matches now, load it.
5265 * On success, this call will set ssl->in_left to
5266 * the length of the buffered record, so that
5267 * the calls to ssl_fetch_input() below will
5268 * essentially be no-ops. */
5269 ret = ssl_load_buffered_record( ssl );
5270 if( ret != 0 )
5271 return( ret );
5272#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5274 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5275 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5276 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5277 return( ret );
5278 }
5279
5280 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5281 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5282#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardbe619c12015-09-08 11:21:21 +0200[diff] [blame]5283 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5284 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5285 {
Hanno Becker5f066e72018-08-16 14:56:31 +0100[diff] [blame]5286 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
5287 {
5288 ret = ssl_buffer_future_record( ssl );
5289 if( ret != 0 )
5290 return( ret );
5291
5292 /* Fall through to handling of unexpected records */
5293 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
5294 }
5295
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]5296 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
5297 {
5298 /* Skip unexpected record (but not whole datagram) */
5299 ssl->next_record_offset = ssl->in_msglen
5300 + mbedtls_ssl_hdr_len( ssl );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5301
Manuel Pégourié-Gonnarde2e25e72015-12-03 16:13:17 +0100[diff] [blame]5302 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
5303 "(header)" ) );
5304 }
5305 else
5306 {
5307 /* Skip invalid record and the rest of the datagram */
5308 ssl->next_record_offset = 0;
5309 ssl->in_left = 0;
5310
5311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
5312 "(header)" ) );
5313 }
5314
5315 /* Get next record */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5316 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5317 }
5318#endif
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5319 return( ret );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5320 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5321
5322 /*
5323 * Read and optionally decrypt the message contents
5324 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5325 if( ( ret = mbedtls_ssl_fetch_input( ssl,
5326 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5327 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5328 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5329 return( ret );
5330 }
5331
5332 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5333#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5334 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]5335 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5336 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
Hanno Beckere65ce782017-05-22 14:47:48 +0100[diff] [blame]5337 if( ssl->next_record_offset < ssl->in_left )
5338 {
5339 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
5340 }
5341 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5342 else
5343#endif
5344 ssl->in_left = 0;
5345
5346 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5347 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5348#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5349 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5350 {
5351 /* Silently discard invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5352 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
5353 ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5354 {
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]5355 /* Except when waiting for Finished as a bad mac here
5356 * probably means something went wrong in the handshake
5357 * (eg wrong psk used, mitm downgrade attempt, etc.) */
5358 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
5359 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
5360 {
5361#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5362 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
5363 {
5364 mbedtls_ssl_send_alert_message( ssl,
5365 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5366 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
5367 }
5368#endif
5369 return( ret );
5370 }
5371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5372#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5373 if( ssl->conf->badmac_limit != 0 &&
5374 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]5375 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5376 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
5377 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]5378 }
5379#endif
5380
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]5381 /* As above, invalid records cause
5382 * dismissal of the whole datagram. */
5383
5384 ssl->next_record_offset = 0;
5385 ssl->in_left = 0;
5386
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5388 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5389 }
5390
5391 return( ret );
5392 }
5393 else
5394#endif
5395 {
5396 /* Error out (and send alert) on invalid records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5397#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5398 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5399 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5400 mbedtls_ssl_send_alert_message( ssl,
5401 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5402 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5403 }
5404#endif
5405 return( ret );
5406 }
5407 }
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5408
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5409 return( 0 );
5410}
5411
5412int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
5413{
5414 int ret;
5415
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]5416 /*
Manuel Pégourié-Gonnard167a3762014-09-08 16:14:10 +0200[diff] [blame]5417 * Handle particular types of records
5418 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5419 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5420 {
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5421 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
5422 {
Manuel Pégourié-Gonnarda59543a2014-02-18 11:33:49 +0100[diff] [blame]5423 return( ret );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5424 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5425 }
5426
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5427 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5428 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5429 if( ssl->in_msglen != 1 )
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5430 {
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
5432 ssl->in_msglen ) );
5433 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5434 }
5435
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5436 if( ssl->in_msg[0] != 1 )
5437 {
5438 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
5439 ssl->in_msg[0] ) );
5440 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5441 }
5442
5443#if defined(MBEDTLS_SSL_PROTO_DTLS)
5444 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5445 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
5446 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
5447 {
5448 if( ssl->handshake == NULL )
5449 {
5450 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
5451 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
5452 }
5453
5454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
5455 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
5456 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5457#endif
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]5458 }
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100[diff] [blame]5459
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5460 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5461 {
Angus Gratton1a7a17e2018-06-20 15:43:50 +1000[diff] [blame]5462 if( ssl->in_msglen != 2 )
5463 {
5464 /* Note: Standard allows for more than one 2 byte alert
5465 to be packed in a single message, but Mbed TLS doesn't
5466 currently support this. */
5467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
5468 ssl->in_msglen ) );
5469 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5470 }
5471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5472 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5473 ssl->in_msg[0], ssl->in_msg[1] ) );
5474
5475 /*
Simon Butcher459a9502015-10-27 16:09:03 +0000[diff] [blame]5476 * Ignore non-fatal alerts, except close_notify and no_renegotiation
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5477 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5478 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5479 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]5481 ssl->in_msg[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5482 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5483 }
5484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5485 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5486 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5487 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5488 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
5489 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5490 }
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]5491
5492#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
5493 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5494 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
5495 {
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]5496 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
Manuel Pégourié-Gonnardfbdf06c2015-10-23 11:13:28 +0200[diff] [blame]5497 /* Will be handled when trying to parse ServerHello */
5498 return( 0 );
5499 }
5500#endif
5501
5502#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
5503 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
5504 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5505 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5506 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5507 {
5508 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
5509 /* Will be handled in mbedtls_ssl_parse_certificate() */
5510 return( 0 );
5511 }
5512#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
5513
5514 /* Silently ignore: fetch new message */
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5515 return MBEDTLS_ERR_SSL_NON_FATAL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5516 }
5517
Hanno Beckerc76c6192017-06-06 10:03:17 +0100[diff] [blame]5518#if defined(MBEDTLS_SSL_PROTO_DTLS)
5519 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5520 ssl->handshake != NULL &&
5521 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5522 {
5523 ssl_handshake_wrapup_free_hs_transform( ssl );
5524 }
5525#endif
5526
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5527 return( 0 );
5528}
5529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5530int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5531{
5532 int ret;
5533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5534 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5535 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5536 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]5537 {
5538 return( ret );
5539 }
5540
5541 return( 0 );
5542}
5543
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5544int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5545 unsigned char level,
5546 unsigned char message )
5547{
5548 int ret;
5549
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]5550 if( ssl == NULL || ssl->conf == NULL )
5551 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5553 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5554 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5555
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5556 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5557 ssl->out_msglen = 2;
5558 ssl->out_msg[0] = level;
5559 ssl->out_msg[1] = message;
5560
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]5561 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5562 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5563 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5564 return( ret );
5565 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5566 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]5567
5568 return( 0 );
5569}
5570
Hanno Beckerb9d44792019-02-08 07:19:04 +0000[diff] [blame]5571#if defined(MBEDTLS_X509_CRT_PARSE_C)
5572static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
5573{
5574#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5575 if( session->peer_cert != NULL )
5576 {
5577 mbedtls_x509_crt_free( session->peer_cert );
5578 mbedtls_free( session->peer_cert );
5579 session->peer_cert = NULL;
5580 }
5581#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5582 if( session->peer_cert_digest != NULL )
5583 {
5584 /* Zeroization is not necessary. */
5585 mbedtls_free( session->peer_cert_digest );
5586 session->peer_cert_digest = NULL;
5587 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
5588 session->peer_cert_digest_len = 0;
5589 }
5590#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5591}
5592#endif /* MBEDTLS_X509_CRT_PARSE_C */
5593
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5594/*
5595 * Handshake functions
5596 */
Hanno Becker21489932019-02-05 13:20:55 +0000[diff] [blame]5597#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]5598/* No certificate support -> dummy functions */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5599int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5600{
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]5601 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
5602 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5603
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5604 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5605
Hanno Becker7177a882019-02-05 13:36:46 +0000[diff] [blame]5606 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]5607 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]5609 ssl->state++;
5610 return( 0 );
5611 }
5612
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5614 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5615}
5616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5617int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5618{
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]5619 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
5620 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5623
Hanno Becker7177a882019-02-05 13:36:46 +0000[diff] [blame]5624 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5625 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5626 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5627 ssl->state++;
5628 return( 0 );
5629 }
5630
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5632 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5633}
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]5634
Hanno Becker21489932019-02-05 13:20:55 +0000[diff] [blame]5635#else /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]5636/* Some certificate support -> implement write and parse */
5637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5638int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5639{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5640 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5641 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5642 const mbedtls_x509_crt *crt;
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]5643 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
5644 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5647
Hanno Becker7177a882019-02-05 13:36:46 +0000[diff] [blame]5648 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]5651 ssl->state++;
5652 return( 0 );
5653 }
5654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5655#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5656 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5657 {
5658 if( ssl->client_auth == 0 )
5659 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5660 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5661 ssl->state++;
5662 return( 0 );
5663 }
5664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5665#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5666 /*
5667 * If using SSLv3 and got no cert, send an Alert message
5668 * (otherwise an empty Certificate message will be sent).
5669 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5670 if( mbedtls_ssl_own_cert( ssl ) == NULL &&
5671 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5672 {
5673 ssl->out_msglen = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5674 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5675 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
5676 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5679 goto write_msg;
5680 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5681#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5682 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5683#endif /* MBEDTLS_SSL_CLI_C */
5684#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]5685 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5686 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5687 if( mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5688 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5689 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
5690 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5691 }
5692 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]5693#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5695 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5696
5697 /*
5698 * 0 . 0 handshake type
5699 * 1 . 3 handshake length
5700 * 4 . 6 length of all certs
5701 * 7 . 9 length of cert. 1
5702 * 10 . n-1 peer certificate
5703 * n . n+2 length of cert. 2
5704 * n+3 . ... upper level cert, etc.
5705 */
5706 i = 7;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5707 crt = mbedtls_ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5708
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]5709 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5710 {
5711 n = crt->raw.len;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]5712 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5713 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5714 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]5715 i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5716 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5717 }
5718
5719 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
5720 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
5721 ssl->out_msg[i + 2] = (unsigned char)( n );
5722
5723 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
5724 i += n; crt = crt->next;
5725 }
5726
5727 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
5728 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
5729 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
5730
5731 ssl->out_msglen = i;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5732 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5733 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5734
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200[diff] [blame]5735#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5736write_msg:
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]5737#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5738
5739 ssl->state++;
5740
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]5741 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5742 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]5743 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5744 return( ret );
5745 }
5746
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5748
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]5749 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5750}
5751
Hanno Becker84879e32019-01-31 07:44:03 +0000[diff] [blame]5752#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
Hanno Becker177475a2019-02-05 17:02:46 +0000[diff] [blame]5753
5754#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5755static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
5756 unsigned char *crt_buf,
5757 size_t crt_buf_len )
5758{
5759 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
5760
5761 if( peer_crt == NULL )
5762 return( -1 );
5763
5764 if( peer_crt->raw.len != crt_buf_len )
5765 return( -1 );
5766
Hanno Becker46f34d02019-02-08 14:00:04 +0000[diff] [blame]5767 return( memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5768}
Hanno Becker177475a2019-02-05 17:02:46 +0000[diff] [blame]5769#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5770static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
5771 unsigned char *crt_buf,
5772 size_t crt_buf_len )
5773{
5774 int ret;
5775 unsigned char const * const peer_cert_digest =
5776 ssl->session->peer_cert_digest;
5777 mbedtls_md_type_t const peer_cert_digest_type =
5778 ssl->session->peer_cert_digest_type;
5779 mbedtls_md_info_t const * const digest_info =
5780 mbedtls_md_info_from_type( peer_cert_digest_type );
5781 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
5782 size_t digest_len;
5783
5784 if( peer_cert_digest == NULL || digest_info == NULL )
5785 return( -1 );
5786
5787 digest_len = mbedtls_md_get_size( digest_info );
5788 if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
5789 return( -1 );
5790
5791 ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
5792 if( ret != 0 )
5793 return( -1 );
5794
5795 return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
5796}
5797#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker84879e32019-01-31 07:44:03 +0000[diff] [blame]5798#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5799
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]5800/*
5801 * Once the certificate message is read, parse it into a cert chain and
5802 * perform basic checks, but leave actual verification to the caller
5803 */
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5804static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
5805 mbedtls_x509_crt *chain )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5806{
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5807 int ret;
5808#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
5809 int crt_cnt=0;
5810#endif
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]5811 size_t i, n;
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]5812 uint8_t alert;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5814 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5815 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5817 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5818 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5819 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5820 }
5821
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5822 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
5823 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5824 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5826 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5827 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5828 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5829 }
5830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5831 i = mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +0000[diff] [blame]5832
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5833 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5834 * Same message structure as in mbedtls_ssl_write_certificate()
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5835 */
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +0000[diff] [blame]5836 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5837
Manuel Pégourié-Gonnardf49a7da2014-09-10 13:30:43 +0000[diff] [blame]5838 if( ssl->in_msg[i] != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5839 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5840 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5842 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5843 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5844 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5845 }
5846
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5847 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
5848 i += 3;
5849
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5850 /* Iterate through and parse the CRTs in the provided chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5851 while( i < ssl->in_hslen )
5852 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5853 /* Check that there's room for the next CRT's length fields. */
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]5854 if ( i + 3 > ssl->in_hslen ) {
5855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +0000[diff] [blame]5856 mbedtls_ssl_send_alert_message( ssl,
5857 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5858 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]5859 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5860 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5861 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
5862 * anything beyond 2**16 ~ 64K. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5863 if( ssl->in_msg[i] != 0 )
5864 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5865 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +0000[diff] [blame]5866 mbedtls_ssl_send_alert_message( ssl,
5867 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5868 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5869 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5870 }
5871
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5872 /* Read length of the next CRT in the chain. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5873 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
5874 | (unsigned int) ssl->in_msg[i + 2];
5875 i += 3;
5876
5877 if( n < 128 || i + n > ssl->in_hslen )
5878 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5879 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Hanno Beckere2734e22019-01-31 07:44:17 +0000[diff] [blame]5880 mbedtls_ssl_send_alert_message( ssl,
5881 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5882 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5883 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5884 }
5885
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5886 /* Check if we're handling the first CRT in the chain. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5887#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
5888 if( crt_cnt++ == 0 &&
5889 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5890 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5891 {
Hanno Becker46f34d02019-02-08 14:00:04 +0000[diff] [blame]5892 /* During client-side renegotiation, check that the server's
5893 * end-CRTs hasn't changed compared to the initial handshake,
5894 * mitigating the triple handshake attack. On success, reuse
5895 * the original end-CRT instead of parsing it again. */
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5896 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
5897 if( ssl_check_peer_crt_unchanged( ssl,
5898 &ssl->in_msg[i],
5899 n ) != 0 )
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5900 {
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
5902 mbedtls_ssl_send_alert_message( ssl,
5903 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5904 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
5905 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5906 }
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5907
5908 /* Now we can safely free the original chain. */
5909 ssl_clear_peer_cert( ssl->session );
5910 }
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5911#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
5912
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5913 /* Parse the next certificate in the chain. */
Hanno Becker0056eab2019-02-08 14:39:16 +0000[diff] [blame]5914#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5915 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
Hanno Becker0056eab2019-02-08 14:39:16 +0000[diff] [blame]5916#else
Hanno Becker353a6f02019-02-26 11:51:34 +0000[diff] [blame]5917 /* If we don't need to store the CRT chain permanently, parse
Hanno Becker0056eab2019-02-08 14:39:16 +0000[diff] [blame]5918 * it in-place from the input buffer instead of making a copy. */
5919 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
5920#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5921 switch( ret )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5922 {
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5923 case 0: /*ok*/
5924 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
5925 /* Ignore certificate with an unknown algorithm: maybe a
5926 prior certificate was already trusted. */
5927 break;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5928
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5929 case MBEDTLS_ERR_X509_ALLOC_FAILED:
5930 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
5931 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5932
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5933 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
5934 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5935 goto crt_parse_der_failed;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5936
Hanno Beckerdef9bdc2019-01-30 14:46:46 +0000[diff] [blame]5937 default:
5938 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
5939 crt_parse_der_failed:
5940 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
5941 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
5942 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]5943 }
5944
5945 i += n;
5946 }
5947
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]5948 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]5949 return( 0 );
5950}
5951
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]5952#if defined(MBEDTLS_SSL_SRV_C)
5953static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
5954{
5955 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5956 return( -1 );
5957
5958#if defined(MBEDTLS_SSL_PROTO_SSL3)
5959 /*
5960 * Check if the client sent an empty certificate
5961 */
5962 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5963 {
5964 if( ssl->in_msglen == 2 &&
5965 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
5966 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5967 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5968 {
5969 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
5970 return( 0 );
5971 }
5972
5973 return( -1 );
5974 }
5975#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5976
5977#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5978 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5979 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
5980 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
5981 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
5982 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
5983 {
5984 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
5985 return( 0 );
5986 }
5987
5988 return( -1 );
5989#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
5990 MBEDTLS_SSL_PROTO_TLS1_2 */
5991}
5992#endif /* MBEDTLS_SSL_SRV_C */
5993
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]5994/* Check if a certificate message is expected.
5995 * Return either
5996 * - SSL_CERTIFICATE_EXPECTED, or
5997 * - SSL_CERTIFICATE_SKIP
5998 * indicating whether a Certificate message is expected or not.
5999 */
6000#define SSL_CERTIFICATE_EXPECTED 0
6001#define SSL_CERTIFICATE_SKIP 1
6002static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
6003 int authmode )
6004{
6005 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]6006 ssl->handshake->ciphersuite_info;
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6007
6008 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
6009 return( SSL_CERTIFICATE_SKIP );
6010
6011#if defined(MBEDTLS_SSL_SRV_C)
6012 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6013 {
6014 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
6015 return( SSL_CERTIFICATE_SKIP );
6016
6017 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
6018 {
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6019 ssl->session_negotiate->verify_result =
6020 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
6021 return( SSL_CERTIFICATE_SKIP );
6022 }
6023 }
Hanno Becker84d9d272019-03-01 08:10:46 +0000[diff] [blame]6024#else
6025 ((void) authmode);
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6026#endif /* MBEDTLS_SSL_SRV_C */
6027
6028 return( SSL_CERTIFICATE_EXPECTED );
6029}
6030
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6031static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
6032 int authmode,
6033 mbedtls_x509_crt *chain,
6034 void *rs_ctx )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6035{
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6036 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6037 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame^]6038 ssl->handshake->ciphersuite_info;
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6039 int have_ca_chain = 0;
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6040
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6041 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
6042 void *p_vrfy;
6043
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6044 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
6045 return( 0 );
6046
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6047 if( ssl->f_vrfy != NULL )
6048 {
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]6049 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6050 f_vrfy = ssl->f_vrfy;
6051 p_vrfy = ssl->p_vrfy;
6052 }
6053 else
6054 {
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]6055 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]6056 f_vrfy = ssl->conf->f_vrfy;
6057 p_vrfy = ssl->conf->p_vrfy;
6058 }
6059
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6060 /*
6061 * Main check: verify certificate
6062 */
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6063#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
6064 if( ssl->conf->f_ca_cb != NULL )
6065 {
6066 ((void) rs_ctx);
6067 have_ca_chain = 1;
6068
6069 MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
Jarno Lamsa9822c0d2019-04-01 16:59:48 +0300[diff] [blame]6070 ret = mbedtls_x509_crt_verify_with_ca_cb(
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6071 chain,
6072 ssl->conf->f_ca_cb,
6073 ssl->conf->p_ca_cb,
6074 ssl->conf->cert_profile,
6075 ssl->hostname,
6076 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +0100[diff] [blame]6077 f_vrfy, p_vrfy );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6078 }
6079 else
6080#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
6081 {
6082 mbedtls_x509_crt *ca_chain;
6083 mbedtls_x509_crl *ca_crl;
6084
6085#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6086 if( ssl->handshake->sni_ca_chain != NULL )
6087 {
6088 ca_chain = ssl->handshake->sni_ca_chain;
6089 ca_crl = ssl->handshake->sni_ca_crl;
6090 }
6091 else
6092#endif
6093 {
6094 ca_chain = ssl->conf->ca_chain;
6095 ca_crl = ssl->conf->ca_crl;
6096 }
6097
6098 if( ca_chain != NULL )
6099 have_ca_chain = 1;
6100
6101 ret = mbedtls_x509_crt_verify_restartable(
6102 chain,
6103 ca_chain, ca_crl,
6104 ssl->conf->cert_profile,
6105 ssl->hostname,
6106 &ssl->session_negotiate->verify_result,
Jaeden Amerofe710672019-04-16 15:03:12 +0100[diff] [blame]6107 f_vrfy, p_vrfy, rs_ctx );
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6108 }
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6109
6110 if( ret != 0 )
6111 {
6112 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
6113 }
6114
6115#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6116 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
6117 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
6118#endif
6119
6120 /*
6121 * Secondary checks: always done, but change 'ret' only if it was 0
6122 */
6123
6124#if defined(MBEDTLS_ECP_C)
6125 {
6126 const mbedtls_pk_context *pk = &chain->pk;
6127
6128 /* If certificate uses an EC key, make sure the curve is OK */
6129 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
6130 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
6131 {
6132 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
6133
6134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
6135 if( ret == 0 )
6136 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
6137 }
6138 }
6139#endif /* MBEDTLS_ECP_C */
6140
6141 if( mbedtls_ssl_check_cert_usage( chain,
6142 ciphersuite_info,
6143 ! ssl->conf->endpoint,
6144 &ssl->session_negotiate->verify_result ) != 0 )
6145 {
6146 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
6147 if( ret == 0 )
6148 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
6149 }
6150
6151 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
6152 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
6153 * with details encoded in the verification flags. All other kinds
6154 * of error codes, including those from the user provided f_vrfy
6155 * functions, are treated as fatal and lead to a failure of
6156 * ssl_parse_certificate even if verification was optional. */
6157 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
6158 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
6159 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
6160 {
6161 ret = 0;
6162 }
6163
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]6164 if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6165 {
6166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
6167 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
6168 }
6169
6170 if( ret != 0 )
6171 {
6172 uint8_t alert;
6173
6174 /* The certificate may have been rejected for several reasons.
6175 Pick one and send the corresponding alert. Which alert to send
6176 may be a subject of debate in some cases. */
6177 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
6178 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
6179 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
6180 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
6181 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
6182 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6183 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
6184 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6185 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
6186 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6187 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
6188 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6189 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
6190 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
6191 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
6192 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
6193 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
6194 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
6195 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
6196 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
6197 else
6198 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
6199 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6200 alert );
6201 }
6202
6203#if defined(MBEDTLS_DEBUG_C)
6204 if( ssl->session_negotiate->verify_result != 0 )
6205 {
6206 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
6207 ssl->session_negotiate->verify_result ) );
6208 }
6209 else
6210 {
6211 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
6212 }
6213#endif /* MBEDTLS_DEBUG_C */
6214
6215 return( ret );
6216}
6217
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6218#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
6219static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
6220 unsigned char *start, size_t len )
6221{
6222 int ret;
6223 /* Remember digest of the peer's end-CRT. */
6224 ssl->session_negotiate->peer_cert_digest =
6225 mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
6226 if( ssl->session_negotiate->peer_cert_digest == NULL )
6227 {
6228 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
6229 sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) );
6230 mbedtls_ssl_send_alert_message( ssl,
6231 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6232 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
6233
6234 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
6235 }
6236
6237 ret = mbedtls_md( mbedtls_md_info_from_type(
6238 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
6239 start, len,
6240 ssl->session_negotiate->peer_cert_digest );
6241
6242 ssl->session_negotiate->peer_cert_digest_type =
6243 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
6244 ssl->session_negotiate->peer_cert_digest_len =
6245 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
6246
6247 return( ret );
6248}
6249
6250static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
6251 unsigned char *start, size_t len )
6252{
6253 unsigned char *end = start + len;
6254 int ret;
6255
6256 /* Make a copy of the peer's raw public key. */
6257 mbedtls_pk_init( &ssl->handshake->peer_pubkey );
6258 ret = mbedtls_pk_parse_subpubkey( &start, end,
6259 &ssl->handshake->peer_pubkey );
6260 if( ret != 0 )
6261 {
6262 /* We should have parsed the public key before. */
6263 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
6264 }
6265
6266 return( 0 );
6267}
6268#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
6269
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6270int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
6271{
6272 int ret = 0;
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6273 int crt_expected;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6274#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6275 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
6276 ? ssl->handshake->sni_authmode
6277 : ssl->conf->authmode;
6278#else
6279 const int authmode = ssl->conf->authmode;
6280#endif
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6281 void *rs_ctx = NULL;
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6282 mbedtls_x509_crt *chain = NULL;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6283
6284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
6285
Hanno Becker28f2fcd2019-02-07 10:11:07 +0000[diff] [blame]6286 crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
6287 if( crt_expected == SSL_CERTIFICATE_SKIP )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6288 {
6289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6290 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6291 }
6292
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6293#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6294 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]6295 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6296 {
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6297 chain = ssl->handshake->ecrs_peer_cert;
6298 ssl->handshake->ecrs_peer_cert = NULL;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6299 goto crt_verify;
6300 }
6301#endif
6302
Manuel Pégourié-Gonnard125af942018-09-11 11:08:12 +0200[diff] [blame]6303 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6304 {
6305 /* mbedtls_ssl_read_record may have sent an alert already. We
6306 let it decide whether to alert. */
6307 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6308 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6309 }
6310
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6311#if defined(MBEDTLS_SSL_SRV_C)
6312 if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
6313 {
6314 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6315
6316 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6317 ret = 0;
6318 else
6319 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6320
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6321 goto exit;
Hanno Becker4a55f632019-02-05 12:49:06 +0000[diff] [blame]6322 }
6323#endif /* MBEDTLS_SSL_SRV_C */
6324
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]6325 /* Clear existing peer CRT structure in case we tried to
6326 * reuse a session but it failed, and allocate a new one. */
Hanno Becker7a955a02019-02-05 13:08:01 +0000[diff] [blame]6327 ssl_clear_peer_cert( ssl->session_negotiate );
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6328
6329 chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
6330 if( chain == NULL )
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]6331 {
6332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
6333 sizeof( mbedtls_x509_crt ) ) );
6334 mbedtls_ssl_send_alert_message( ssl,
6335 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6336 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Hanno Becker7a955a02019-02-05 13:08:01 +0000[diff] [blame]6337
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6338 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6339 goto exit;
6340 }
6341 mbedtls_x509_crt_init( chain );
6342
6343 ret = ssl_parse_certificate_chain( ssl, chain );
Hanno Beckerc7bd7802019-02-05 15:37:23 +0000[diff] [blame]6344 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6345 goto exit;
Manuel Pégourié-Gonnardfed37ed2017-08-15 13:27:41 +0200[diff] [blame]6346
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6347#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6348 if( ssl->handshake->ecrs_enabled)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]6349 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6350
6351crt_verify:
6352 if( ssl->handshake->ecrs_enabled)
6353 rs_ctx = &ssl->handshake->ecrs_ctx;
6354#endif
6355
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6356 ret = ssl_parse_certificate_verify( ssl, authmode,
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6357 chain, rs_ctx );
Hanno Becker68636192019-02-05 14:36:34 +0000[diff] [blame]6358 if( ret != 0 )
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6359 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6360
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6361#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6362 {
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6363 unsigned char *crt_start, *pk_start;
6364 size_t crt_len, pk_len;
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6365
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6366 /* We parse the CRT chain without copying, so
6367 * these pointers point into the input buffer,
6368 * and are hence still valid after freeing the
6369 * CRT chain. */
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6370
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6371 crt_start = chain->raw.p;
6372 crt_len = chain->raw.len;
Hanno Becker6bbd94c2019-02-05 17:02:28 +0000[diff] [blame]6373
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6374 pk_start = chain->pk_raw.p;
6375 pk_len = chain->pk_raw.len;
6376
6377 /* Free the CRT structures before computing
6378 * digest and copying the peer's public key. */
6379 mbedtls_x509_crt_free( chain );
6380 mbedtls_free( chain );
6381 chain = NULL;
6382
6383 ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
Hanno Beckera2747532019-02-06 16:19:04 +0000[diff] [blame]6384 if( ret != 0 )
Hanno Beckera2747532019-02-06 16:19:04 +0000[diff] [blame]6385 goto exit;
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6386
6387 ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
6388 if( ret != 0 )
6389 goto exit;
Hanno Beckera2747532019-02-06 16:19:04 +0000[diff] [blame]6390 }
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6391#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
6392 /* Pass ownership to session structure. */
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6393 ssl->session_negotiate->peer_cert = chain;
6394 chain = NULL;
Hanno Becker6b8fbab2019-02-08 14:59:05 +0000[diff] [blame]6395#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6397 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6398
Hanno Becker6bdfab22019-02-05 13:11:17 +0000[diff] [blame]6399exit:
6400
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]6401 if( ret == 0 )
6402 ssl->state++;
6403
6404#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6405 if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
6406 {
6407 ssl->handshake->ecrs_peer_cert = chain;
6408 chain = NULL;
6409 }
6410#endif
6411
6412 if( chain != NULL )
6413 {
6414 mbedtls_x509_crt_free( chain );
6415 mbedtls_free( chain );
6416 }
6417
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6418 return( ret );
6419}
Hanno Becker21489932019-02-05 13:20:55 +0000[diff] [blame]6420#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6422int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6423{
6424 int ret;
6425
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6426 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6427
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6428 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6429 ssl->out_msglen = 1;
6430 ssl->out_msg[0] = 1;
6431
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6432 ssl->state++;
6433
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]6434 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6435 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]6436 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6437 return( ret );
6438 }
6439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6440 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6441
6442 return( 0 );
6443}
6444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6445int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6446{
6447 int ret;
6448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6450
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]6451 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6452 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6453 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6454 return( ret );
6455 }
6456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6457 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6458 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6459 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]6460 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6461 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6462 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6463 }
6464
Hanno Beckere678eaa2018-08-21 14:57:46 +0100[diff] [blame]6465 /* CCS records are only accepted if they have length 1 and content '1',
6466 * so we don't need to check this here. */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6467
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6468 /*
6469 * Switch to our negotiated transform and session parameters for inbound
6470 * data.
6471 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6472 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6473 ssl->transform_in = ssl->transform_negotiate;
6474 ssl->session_in = ssl->session_negotiate;
6475
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6476#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]6477 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6478 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6479#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6480 ssl_dtls_replay_reset( ssl );
6481#endif
6482
6483 /* Increment epoch */
6484 if( ++ssl->in_epoch == 0 )
6485 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]6487 /* This is highly unlikely to happen for legitimate reasons, so
6488 treat it as an attack and don't send an alert. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6489 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6490 }
6491 }
6492 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6493#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6494 memset( ssl->in_ctr, 0, 8 );
6495
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]6496 ssl_update_in_pointers( ssl, ssl->transform_negotiate );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6498#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
6499 if( mbedtls_ssl_hw_record_activate != NULL )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6500 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6501 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6502 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]6504 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6505 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6506 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6507 }
6508 }
6509#endif
6510
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6511 ssl->state++;
6512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6514
6515 return( 0 );
6516}
6517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6518void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
6519 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6520{
Paul Bakkerfb08fd22013-08-27 15:06:26 +0200[diff] [blame]6521 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]6522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6523#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6524 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6525 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6526 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6527 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6528#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6529#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6530#if defined(MBEDTLS_SHA512_C)
6531 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6532 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
6533 else
6534#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6535#if defined(MBEDTLS_SHA256_C)
6536 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6537 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6538 else
6539#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6540#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]6541 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6543 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]6544 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6545}
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]6546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6547void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6548{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6549#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6550 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6551 mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
6552 mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6553#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6554#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6555#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6556#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -0500[diff] [blame]6557 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6558 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
6559#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6560 mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6561#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6562#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6563#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6564#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2ad22972019-01-30 03:32:12 -0500[diff] [blame]6565 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6566 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6567#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6568 mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6569#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6570#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6571#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]6572}
6573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6574static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6575 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6576{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6577#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6578 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6579 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6580 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6581#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6582#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6583#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6584#if defined(MBEDTLS_USE_PSA_CRYPTO)
6585 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
6586#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6587 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6588#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6589#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6590#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6591#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6592 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6593#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6594 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]6595#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6596#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6597#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6598}
6599
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6600#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6601 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6602static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6603 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6604{
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6605 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6606 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6607}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6608#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6610#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6611#if defined(MBEDTLS_SHA256_C)
6612static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6613 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6614{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6615#if defined(MBEDTLS_USE_PSA_CRYPTO)
6616 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
6617#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6618 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6619#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6620}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]6621#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6623#if defined(MBEDTLS_SHA512_C)
6624static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6625 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6626{
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6627#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6628 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6629#else
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6630 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6631#endif
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6632}
Paul Bakker769075d2012-11-24 11:26:46 +0100[diff] [blame]6633#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6634#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]6635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6636#if defined(MBEDTLS_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6637static void ssl_calc_finished_ssl(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6638 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6639{
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6640 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6641 mbedtls_md5_context md5;
6642 mbedtls_sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6643
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6644 unsigned char padbuf[48];
6645 unsigned char md5sum[16];
6646 unsigned char sha1sum[20];
6647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6648 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6649 if( !session )
6650 session = ssl->session;
6651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6652 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6653
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6654 mbedtls_md5_init( &md5 );
6655 mbedtls_sha1_init( &sha1 );
6656
6657 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6658 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6659
6660 /*
6661 * SSLv3:
6662 * hash =
6663 * MD5( master + pad2 +
6664 * MD5( handshake + sender + master + pad1 ) )
6665 * + SHA1( master + pad2 +
6666 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6667 */
6668
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6669#if !defined(MBEDTLS_MD5_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6670 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6671 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6672#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6673
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6674#if !defined(MBEDTLS_SHA1_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6675 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6676 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6677#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6679 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6680 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6681
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6682 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6683
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6684 mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
6685 mbedtls_md5_update_ret( &md5, session->master, 48 );
6686 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6687 mbedtls_md5_finish_ret( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6688
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6689 mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
6690 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6691 mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
6692 mbedtls_sha1_finish_ret( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6693
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6694 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6695
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6696 mbedtls_md5_starts_ret( &md5 );
6697 mbedtls_md5_update_ret( &md5, session->master, 48 );
6698 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6699 mbedtls_md5_update_ret( &md5, md5sum, 16 );
6700 mbedtls_md5_finish_ret( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6701
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6702 mbedtls_sha1_starts_ret( &sha1 );
6703 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6704 mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
6705 mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
6706 mbedtls_sha1_finish_ret( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6708 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6709
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6710 mbedtls_md5_free( &md5 );
6711 mbedtls_sha1_free( &sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6712
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6713 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6714 mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
6715 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6718}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6719#endif /* MBEDTLS_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6721#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6722static void ssl_calc_finished_tls(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6723 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6724{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6725 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6726 const char *sender;
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6727 mbedtls_md5_context md5;
6728 mbedtls_sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6729 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6731 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6732 if( !session )
6733 session = ssl->session;
6734
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6735 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6736
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6737 mbedtls_md5_init( &md5 );
6738 mbedtls_sha1_init( &sha1 );
6739
6740 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6741 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6742
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6743 /*
6744 * TLSv1:
6745 * hash = PRF( master, finished_label,
6746 * MD5( handshake ) + SHA1( handshake ) )[0..11]
6747 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6748
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6749#if !defined(MBEDTLS_MD5_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6750 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6751 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6752#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6754#if !defined(MBEDTLS_SHA1_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6755 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6756 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6757#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6758
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6759 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6760 ? "client finished"
6761 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6762
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6763 mbedtls_md5_finish_ret( &md5, padbuf );
6764 mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6765
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6766 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6767 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6768
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6769 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6770
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6771 mbedtls_md5_free( &md5 );
6772 mbedtls_sha1_free( &sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6773
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6774 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6776 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6777}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6778#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6779
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6780#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6781#if defined(MBEDTLS_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6782static void ssl_calc_finished_tls_sha256(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6783 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6784{
6785 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6786 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6787 unsigned char padbuf[32];
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6788#if defined(MBEDTLS_USE_PSA_CRYPTO)
6789 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +0000[diff] [blame]6790 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6791 psa_status_t status;
6792#else
6793 mbedtls_sha256_context sha256;
6794#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6795
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6796 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6797 if( !session )
6798 session = ssl->session;
6799
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6800 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6801 ? "client finished"
6802 : "server finished";
6803
6804#if defined(MBEDTLS_USE_PSA_CRYPTO)
6805 sha256_psa = psa_hash_operation_init();
6806
6807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
6808
6809 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
6810 if( status != PSA_SUCCESS )
6811 {
6812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
6813 return;
6814 }
6815
6816 status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
6817 if( status != PSA_SUCCESS )
6818 {
6819 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
6820 return;
6821 }
6822 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
6823#else
6824
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6825 mbedtls_sha256_init( &sha256 );
6826
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6827 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6828
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6829 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6830
6831 /*
6832 * TLSv1.2:
6833 * hash = PRF( master, finished_label,
6834 * Hash( handshake ) )[0.11]
6835 */
6836
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6837#if !defined(MBEDTLS_SHA256_ALT)
6838 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6839 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6840#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6841
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6842 mbedtls_sha256_finish_ret( &sha256, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6843 mbedtls_sha256_free( &sha256 );
6844#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6845
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6846 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6847 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6849 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6850
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6851 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6853 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6854}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6855#endif /* MBEDTLS_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]6856
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6857#if defined(MBEDTLS_SHA512_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6858static void ssl_calc_finished_tls_sha384(
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6859 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6860{
6861 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]6862 const char *sender;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6863 unsigned char padbuf[48];
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6864#if defined(MBEDTLS_USE_PSA_CRYPTO)
6865 size_t hash_size;
Jaeden Amero34973232019-02-20 10:32:28 +0000[diff] [blame]6866 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6867 psa_status_t status;
6868#else
6869 mbedtls_sha512_context sha512;
6870#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6871
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6872 mbedtls_ssl_session *session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6873 if( !session )
6874 session = ssl->session;
6875
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6876 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6877 ? "client finished"
6878 : "server finished";
6879
6880#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6881 sha384_psa = psa_hash_operation_init();
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6882
6883 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
6884
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6885 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6886 if( status != PSA_SUCCESS )
6887 {
6888 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
6889 return;
6890 }
6891
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]6892 status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6893 if( status != PSA_SUCCESS )
6894 {
6895 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
6896 return;
6897 }
6898 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
6899#else
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6900 mbedtls_sha512_init( &sha512 );
6901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6902 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6903
Manuel Pégourié-Gonnard001f2b62015-07-06 16:21:13 +0200[diff] [blame]6904 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6905
6906 /*
6907 * TLSv1.2:
6908 * hash = PRF( master, finished_label,
6909 * Hash( handshake ) )[0.11]
6910 */
6911
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6912#if !defined(MBEDTLS_SHA512_ALT)
Manuel Pégourié-Gonnardc0bf01e2015-07-06 16:11:18 +0200[diff] [blame]6913 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
6914 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]6915#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6916
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]6917 mbedtls_sha512_finish_ret( &sha512, padbuf );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]6918 mbedtls_sha512_free( &sha512 );
6919#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6920
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]6921 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6922 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6924 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6925
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]6926 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6927
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6929}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6930#endif /* MBEDTLS_SHA512_C */
6931#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]6932
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6933static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6934{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6936
6937 /*
6938 * Free our handshake params
6939 */
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]6940 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6941 mbedtls_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6942 ssl->handshake = NULL;
6943
6944 /*
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6945 * Free the previous transform and swith in the current one
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6946 */
6947 if( ssl->transform )
6948 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6949 mbedtls_ssl_transform_free( ssl->transform );
6950 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6951 }
6952 ssl->transform = ssl->transform_negotiate;
6953 ssl->transform_negotiate = NULL;
6954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6955 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6956}
6957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6958void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6959{
6960 int resume = ssl->handshake->resume;
6961
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6963
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6964#if defined(MBEDTLS_SSL_RENEGOTIATION)
6965 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6966 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6967 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6968 ssl->renego_records_seen = 0;
6969 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]6970#endif
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]6971
6972 /*
6973 * Free the previous session and switch in the current one
6974 */
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6975 if( ssl->session )
6976 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6977#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +0100[diff] [blame]6978 /* RFC 7366 3.1: keep the EtM state */
6979 ssl->session_negotiate->encrypt_then_mac =
6980 ssl->session->encrypt_then_mac;
6981#endif
6982
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6983 mbedtls_ssl_session_free( ssl->session );
6984 mbedtls_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6985 }
6986 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]6987 ssl->session_negotiate = NULL;
6988
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6989 /*
6990 * Add cache entry
6991 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]6992 if( ssl->conf->f_set_cache != NULL &&
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]6993 ssl->session->id_len != 0 &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]6994 resume == 0 )
6995 {
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +0100[diff] [blame]6996 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]6998 }
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]6999
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7000#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7001 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]7002 ssl->handshake->flight != NULL )
7003 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]7004 /* Cancel handshake timer */
7005 ssl_set_timer( ssl, 0 );
7006
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]7007 /* Keep last flight around in case we need to resend it:
7008 * we need the handshake and transform structures for that */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7009 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]7010 }
7011 else
7012#endif
7013 ssl_handshake_wrapup_free_hs_transform( ssl );
7014
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7015 ssl->state++;
7016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7018}
7019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7020int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7021{
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7022 int ret, hash_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7023
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7024 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7025
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]7026 ssl_update_out_pointers( ssl, ssl->transform_negotiate );
Paul Bakker92be97b2013-01-02 17:30:03 +0100[diff] [blame]7027
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7028 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]7029
Manuel Pégourié-Gonnard214a8482016-02-22 11:27:26 +0100[diff] [blame]7030 /*
7031 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
7032 * may define some other value. Currently (early 2016), no defined
7033 * ciphersuite does this (and this is unlikely to change as activity has
7034 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
7035 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7036 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7037
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7038#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7039 ssl->verify_data_len = hash_len;
7040 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7041#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7042
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7043 ssl->out_msglen = 4 + hash_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7044 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7045 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7046
7047 /*
7048 * In case of session resuming, invert the client and server
7049 * ChangeCipherSpec messages order.
7050 */
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7051 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7052 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7053#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7054 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7055 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7056#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7057#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7058 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7059 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7060#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7061 }
7062 else
7063 ssl->state++;
7064
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7065 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]7066 * Switch to our negotiated transform and session parameters for outbound
7067 * data.
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7068 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7069 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
Manuel Pégourié-Gonnard5afb1672014-02-16 18:33:22 +0100[diff] [blame]7070
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7071#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7072 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7073 {
7074 unsigned char i;
7075
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7076 /* Remember current epoch settings for resending */
7077 ssl->handshake->alt_transform_out = ssl->transform_out;
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7078 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7079
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7080 /* Set sequence_number to zero */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7081 memset( ssl->cur_out_ctr + 2, 0, 6 );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7082
7083 /* Increment epoch */
7084 for( i = 2; i > 0; i-- )
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7085 if( ++ssl->cur_out_ctr[i - 1] != 0 )
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7086 break;
7087
7088 /* The loop goes to its end iff the counter is wrapping */
7089 if( i == 0 )
7090 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7091 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
7092 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7093 }
7094 }
7095 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7096#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7097 memset( ssl->cur_out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7098
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7099 ssl->transform_out = ssl->transform_negotiate;
7100 ssl->session_out = ssl->session_negotiate;
7101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7102#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7103 if( mbedtls_ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]7104 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7105 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]7106 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7107 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
7108 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker07eb38b2012-12-19 14:42:06 +0100[diff] [blame]7109 }
7110 }
7111#endif
7112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7113#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7114 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7115 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]7116#endif
7117
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]7118 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7119 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]7120 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7121 return( ret );
7122 }
7123
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]7124#if defined(MBEDTLS_SSL_PROTO_DTLS)
7125 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7126 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
7127 {
7128 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
7129 return( ret );
7130 }
7131#endif
7132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7133 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7134
7135 return( 0 );
7136}
7137
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7138#if defined(MBEDTLS_SSL_PROTO_SSL3)
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7139#define SSL_MAX_HASH_LEN 36
7140#else
7141#define SSL_MAX_HASH_LEN 12
7142#endif
7143
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7144int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7145{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]7146 int ret;
Manuel Pégourié-Gonnard879a4f92014-07-11 22:31:12 +0200[diff] [blame]7147 unsigned int hash_len;
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7148 unsigned char buf[SSL_MAX_HASH_LEN];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7149
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7150 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7151
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7152 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7153
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]7154 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7155 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7157 return( ret );
7158 }
7159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7160 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7161 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]7163 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7164 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7165 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7166 }
7167
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7168 /* There is currently no ciphersuite using another length with TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7169#if defined(MBEDTLS_SSL_PROTO_SSL3)
7170 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnardca6440b2014-09-10 12:39:54 +0000[diff] [blame]7171 hash_len = 36;
7172 else
7173#endif
7174 hash_len = 12;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7175
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7176 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
7177 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7178 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]7180 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7181 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7182 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7183 }
7184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7185 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
Manuel Pégourié-Gonnard4abc3272014-09-10 12:02:46 +0000[diff] [blame]7186 buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7187 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]7189 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7190 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7191 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7192 }
7193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7194#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7195 ssl->verify_data_len = hash_len;
7196 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7197#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7198
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7199 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7200 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7201#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7202 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7203 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7204#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7205#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7206 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7207 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100[diff] [blame]7208#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7209 }
7210 else
7211 ssl->state++;
7212
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7213#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7214 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7215 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7216#endif
7217
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7218 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7219
7220 return( 0 );
7221}
7222
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7223static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7224{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7225 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7227#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
7228 defined(MBEDTLS_SSL_PROTO_TLS1_1)
7229 mbedtls_md5_init( &handshake->fin_md5 );
7230 mbedtls_sha1_init( &handshake->fin_sha1 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]7231 mbedtls_md5_starts_ret( &handshake->fin_md5 );
7232 mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7233#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7234#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
7235#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7236#if defined(MBEDTLS_USE_PSA_CRYPTO)
7237 handshake->fin_sha256_psa = psa_hash_operation_init();
7238 psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
7239#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7240 mbedtls_sha256_init( &handshake->fin_sha256 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]7241 mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7242#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7243#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7244#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7245#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]7246 handshake->fin_sha384_psa = psa_hash_operation_init();
7247 psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7248#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7249 mbedtls_sha512_init( &handshake->fin_sha512 );
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]7250 mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7251#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]7252#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7253#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7254
7255 handshake->update_checksum = ssl_update_checksum_start;
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]7256
7257#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
7258 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7259 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
7260#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7262#if defined(MBEDTLS_DHM_C)
7263 mbedtls_dhm_init( &handshake->dhm_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7264#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7265#if defined(MBEDTLS_ECDH_C)
7266 mbedtls_ecdh_init( &handshake->ecdh_ctx );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7267#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]7268#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]7269 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200[diff] [blame]7270#if defined(MBEDTLS_SSL_CLI_C)
7271 handshake->ecjpake_cache = NULL;
7272 handshake->ecjpake_cache_len = 0;
7273#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]7274#endif
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]7275
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7276#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +0200[diff] [blame]7277 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7278#endif
7279
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]7280#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7281 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
7282#endif
Hanno Becker75173122019-02-06 16:18:31 +0000[diff] [blame]7283
7284#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
7285 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7286 mbedtls_pk_init( &handshake->peer_pubkey );
7287#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7288}
7289
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7290static void ssl_transform_init( mbedtls_ssl_transform *transform )
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7291{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7292 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]7293
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7294 mbedtls_cipher_init( &transform->cipher_ctx_enc );
7295 mbedtls_cipher_init( &transform->cipher_ctx_dec );
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]7296
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7297 mbedtls_md_init( &transform->md_ctx_enc );
7298 mbedtls_md_init( &transform->md_ctx_dec );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7299}
7300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7301void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7302{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7303 memset( session, 0, sizeof(mbedtls_ssl_session) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7304}
7305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7306static int ssl_handshake_init( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7307{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7308 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7309 if( ssl->transform_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7310 mbedtls_ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7311 if( ssl->session_negotiate )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7312 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7313 if( ssl->handshake )
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]7314 mbedtls_ssl_handshake_free( ssl );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7315
7316 /*
7317 * Either the pointers are now NULL or cleared properly and can be freed.
7318 * Now allocate missing structures.
7319 */
7320 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7321 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]7322 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7323 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7324
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7325 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7326 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]7327 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7328 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7329
Paul Bakker82788fb2014-10-20 13:59:19 +0200[diff] [blame]7330 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7331 {
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]7332 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]7333 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7334
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7335 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7336 if( ssl->handshake == NULL ||
7337 ssl->transform_negotiate == NULL ||
7338 ssl->session_negotiate == NULL )
7339 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]7340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7341
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7342 mbedtls_free( ssl->handshake );
7343 mbedtls_free( ssl->transform_negotiate );
7344 mbedtls_free( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7345
7346 ssl->handshake = NULL;
7347 ssl->transform_negotiate = NULL;
7348 ssl->session_negotiate = NULL;
7349
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]7350 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7351 }
7352
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7353 /* Initialize structures */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7354 mbedtls_ssl_session_init( ssl->session_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]7355 ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +0200[diff] [blame]7356 ssl_handshake_params_init( ssl->handshake );
7357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7358#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +0200[diff] [blame]7359 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7360 {
7361 ssl->handshake->alt_transform_out = ssl->transform_out;
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7362
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +0200[diff] [blame]7363 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
7364 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
7365 else
7366 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]7367
7368 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard06939ce2015-05-11 11:25:46 +0200[diff] [blame]7369 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]7370#endif
7371
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7372 return( 0 );
7373}
7374
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]7375#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7376/* Dummy cookie callbacks for defaults */
7377static int ssl_cookie_write_dummy( void *ctx,
7378 unsigned char **p, unsigned char *end,
7379 const unsigned char *cli_id, size_t cli_id_len )
7380{
7381 ((void) ctx);
7382 ((void) p);
7383 ((void) end);
7384 ((void) cli_id);
7385 ((void) cli_id_len);
7386
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7387 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7388}
7389
7390static int ssl_cookie_check_dummy( void *ctx,
7391 const unsigned char *cookie, size_t cookie_len,
7392 const unsigned char *cli_id, size_t cli_id_len )
7393{
7394 ((void) ctx);
7395 ((void) cookie);
7396 ((void) cookie_len);
7397 ((void) cli_id);
7398 ((void) cli_id_len);
7399
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7400 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7401}
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]7402#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]7403
Hanno Becker5aa4e2c2018-08-06 09:26:08 +0100[diff] [blame]7404/* Once ssl->out_hdr as the address of the beginning of the
7405 * next outgoing record is set, deduce the other pointers.
7406 *
7407 * Note: For TLS, we save the implicit record sequence number
7408 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
7409 * and the caller has to make sure there's space for this.
7410 */
7411
7412static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
7413 mbedtls_ssl_transform *transform )
7414{
7415#if defined(MBEDTLS_SSL_PROTO_DTLS)
7416 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7417 {
7418 ssl->out_ctr = ssl->out_hdr + 3;
7419 ssl->out_len = ssl->out_hdr + 11;
7420 ssl->out_iv = ssl->out_hdr + 13;
7421 }
7422 else
7423#endif
7424 {
7425 ssl->out_ctr = ssl->out_hdr - 8;
7426 ssl->out_len = ssl->out_hdr + 3;
7427 ssl->out_iv = ssl->out_hdr + 5;
7428 }
7429
7430 /* Adjust out_msg to make space for explicit IV, if used. */
7431 if( transform != NULL &&
7432 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
7433 {
7434 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
7435 }
7436 else
7437 ssl->out_msg = ssl->out_iv;
7438}
7439
7440/* Once ssl->in_hdr as the address of the beginning of the
7441 * next incoming record is set, deduce the other pointers.
7442 *
7443 * Note: For TLS, we save the implicit record sequence number
7444 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
7445 * and the caller has to make sure there's space for this.
7446 */
7447
7448static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
7449 mbedtls_ssl_transform *transform )
7450{
7451#if defined(MBEDTLS_SSL_PROTO_DTLS)
7452 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7453 {
7454 ssl->in_ctr = ssl->in_hdr + 3;
7455 ssl->in_len = ssl->in_hdr + 11;
7456 ssl->in_iv = ssl->in_hdr + 13;
7457 }
7458 else
7459#endif
7460 {
7461 ssl->in_ctr = ssl->in_hdr - 8;
7462 ssl->in_len = ssl->in_hdr + 3;
7463 ssl->in_iv = ssl->in_hdr + 5;
7464 }
7465
7466 /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
7467 if( transform != NULL &&
7468 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
7469 {
7470 ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
7471 }
7472 else
7473 ssl->in_msg = ssl->in_iv;
7474}
7475
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7476/*
7477 * Initialize an SSL context
7478 */
Manuel Pégourié-Gonnard41d479e2015-04-29 00:48:22 +0200[diff] [blame]7479void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
7480{
7481 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
7482}
7483
7484/*
7485 * Setup an SSL context
7486 */
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]7487
7488static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
7489{
7490 /* Set the incoming and outgoing record pointers. */
7491#if defined(MBEDTLS_SSL_PROTO_DTLS)
7492 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7493 {
7494 ssl->out_hdr = ssl->out_buf;
7495 ssl->in_hdr = ssl->in_buf;
7496 }
7497 else
7498#endif /* MBEDTLS_SSL_PROTO_DTLS */
7499 {
7500 ssl->out_hdr = ssl->out_buf + 8;
7501 ssl->in_hdr = ssl->in_buf + 8;
7502 }
7503
7504 /* Derive other internal pointers. */
7505 ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
7506 ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
7507}
7508
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +0200[diff] [blame]7509int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]7510 const mbedtls_ssl_config *conf )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7511{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7512 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7513
Manuel Pégourié-Gonnarddef0bbe2015-05-04 14:56:36 +0200[diff] [blame]7514 ssl->conf = conf;
Paul Bakker62f2dee2012-09-28 07:31:51 +0000[diff] [blame]7515
7516 /*
Manuel Pégourié-Gonnard06193482014-02-14 08:39:32 +0100[diff] [blame]7517 * Prepare base structures
Paul Bakker62f2dee2012-09-28 07:31:51 +0000[diff] [blame]7518 */
k-stachowiakc9a5f022018-07-24 13:53:31 +0200[diff] [blame]7519
7520 /* Set to NULL in case of an error condition */
7521 ssl->out_buf = NULL;
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7522
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7523 ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
7524 if( ssl->in_buf == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7525 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
k-stachowiak9f7798e2018-07-31 16:52:32 +0200[diff] [blame]7527 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7528 goto error;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7529 }
7530
7531 ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
7532 if( ssl->out_buf == NULL )
7533 {
7534 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
k-stachowiak9f7798e2018-07-31 16:52:32 +0200[diff] [blame]7535 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7536 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7537 }
7538
Hanno Becker2a43f6f2018-08-10 11:12:52 +0100[diff] [blame]7539 ssl_reset_in_out_pointers( ssl );
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +0200[diff] [blame]7540
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7541 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7542 goto error;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7543
7544 return( 0 );
k-stachowiaka47911c2018-07-04 17:41:58 +0200[diff] [blame]7545
7546error:
7547 mbedtls_free( ssl->in_buf );
7548 mbedtls_free( ssl->out_buf );
7549
7550 ssl->conf = NULL;
7551
7552 ssl->in_buf = NULL;
7553 ssl->out_buf = NULL;
7554
7555 ssl->in_hdr = NULL;
7556 ssl->in_ctr = NULL;
7557 ssl->in_len = NULL;
7558 ssl->in_iv = NULL;
7559 ssl->in_msg = NULL;
7560
7561 ssl->out_hdr = NULL;
7562 ssl->out_ctr = NULL;
7563 ssl->out_len = NULL;
7564 ssl->out_iv = NULL;
7565 ssl->out_msg = NULL;
7566
k-stachowiak9f7798e2018-07-31 16:52:32 +0200[diff] [blame]7567 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7568}
7569
7570/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7571 * Reset an initialized and used SSL context for re-use while retaining
7572 * all application-set variables, function pointers and data.
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7573 *
7574 * If partial is non-zero, keep data in the input buffer and client ID.
7575 * (Use when a DTLS client reconnects from the same port.)
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7576 */
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7577static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7578{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7579 int ret;
7580
Hanno Becker7e772132018-08-10 12:38:21 +0100[diff] [blame]7581#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
7582 !defined(MBEDTLS_SSL_SRV_C)
7583 ((void) partial);
7584#endif
7585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7586 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7587
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]7588 /* Cancel any possibly running timer */
7589 ssl_set_timer( ssl, 0 );
7590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7591#if defined(MBEDTLS_SSL_RENEGOTIATION)
7592 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7593 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7594
7595 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7596 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
7597 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]7598#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7599 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7600
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7601 ssl->in_offt = NULL;
Hanno Beckerf29d4702018-08-10 11:31:15 +0100[diff] [blame]7602 ssl_reset_in_out_pointers( ssl );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7603
7604 ssl->in_msgtype = 0;
7605 ssl->in_msglen = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7606#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]7607 ssl->next_record_offset = 0;
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7608 ssl->in_epoch = 0;
Manuel Pégourié-Gonnardb2f3be82014-07-10 17:54:52 +0200[diff] [blame]7609#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7610#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]7611 ssl_dtls_replay_reset( ssl );
7612#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7613
7614 ssl->in_hslen = 0;
7615 ssl->nb_zero = 0;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]7616
7617 ssl->keep_current_message = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7618
7619 ssl->out_msgtype = 0;
7620 ssl->out_msglen = 0;
7621 ssl->out_left = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7622#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7623 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]7624 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]7625#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7626
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]7627 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
7628
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7629 ssl->transform_in = NULL;
7630 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7631
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]7632 ssl->session_in = NULL;
7633 ssl->session_out = NULL;
7634
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7635 memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7636
7637#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7638 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7639#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
7640 {
7641 ssl->in_left = 0;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]7642 memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7643 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]7644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7645#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7646 if( mbedtls_ssl_hw_record_reset != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]7647 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7648 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
7649 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7650 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7651 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
7652 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7653 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]7654 }
7655#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7656
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7657 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7658 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7659 mbedtls_ssl_transform_free( ssl->transform );
7660 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7661 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7662 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7663
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]7664 if( ssl->session )
7665 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7666 mbedtls_ssl_session_free( ssl->session );
7667 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]7668 ssl->session = NULL;
7669 }
7670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7671#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]7672 ssl->alpn_chosen = NULL;
7673#endif
7674
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]7675#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7676#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7677 if( partial == 0 )
Hanno Becker4ccbf062018-08-10 11:20:38 +0100[diff] [blame]7678#endif
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7679 {
7680 mbedtls_free( ssl->cli_id );
7681 ssl->cli_id = NULL;
7682 ssl->cli_id_len = 0;
7683 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]7684#endif
7685
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]7686 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
7687 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]7688
7689 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]7690}
7691
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]7692/*
Manuel Pégourié-Gonnard3f09b6d2015-09-08 11:58:14 +0200[diff] [blame]7693 * Reset an initialized and used SSL context for re-use while retaining
7694 * all application-set variables, function pointers and data.
7695 */
7696int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
7697{
7698 return( ssl_session_reset_int( ssl, 0 ) );
7699}
7700
7701/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7702 * SSL set accessors
7703 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7704void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7705{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7706 conf->endpoint = endpoint;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7707}
7708
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]7709void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +0100[diff] [blame]7710{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7711 conf->transport = transport;
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +0100[diff] [blame]7712}
7713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7714#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7715void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]7716{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7717 conf->anti_replay = mode;
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]7718}
7719#endif
7720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7721#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7722void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]7723{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7724 conf->badmac_limit = limit;
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +0200[diff] [blame]7725}
7726#endif
7727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7728#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]7729
Hanno Becker1841b0a2018-08-24 11:13:57 +0100[diff] [blame]7730void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
7731 unsigned allow_packing )
Hanno Becker04da1892018-08-14 13:22:10 +0100[diff] [blame]7732{
7733 ssl->disable_datagram_packing = !allow_packing;
7734}
7735
7736void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
7737 uint32_t min, uint32_t max )
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +0200[diff] [blame]7738{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7739 conf->hs_timeout_min = min;
7740 conf->hs_timeout_max = max;
Manuel Pégourié-Gonnard905dd242014-10-01 12:03:55 +0200[diff] [blame]7741}
7742#endif
7743
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7744void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7745{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7746 conf->authmode = authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7747}
7748
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7749#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7750void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]7751 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]7752 void *p_vrfy )
7753{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7754 conf->f_vrfy = f_vrfy;
7755 conf->p_vrfy = p_vrfy;
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]7756}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7757#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]7758
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7759void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]7760 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7761 void *p_rng )
7762{
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]7763 conf->f_rng = f_rng;
7764 conf->p_rng = p_rng;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7765}
7766
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7767void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardfd474232015-06-23 16:34:24 +0200[diff] [blame]7768 void (*f_dbg)(void *, int, const char *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7769 void *p_dbg )
7770{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7771 conf->f_dbg = f_dbg;
7772 conf->p_dbg = p_dbg;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7773}
7774
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7775void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +0200[diff] [blame]7776 void *p_bio,
Simon Butchere846b512016-03-01 17:31:49 +0000[diff] [blame]7777 mbedtls_ssl_send_t *f_send,
7778 mbedtls_ssl_recv_t *f_recv,
7779 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +0200[diff] [blame]7780{
7781 ssl->p_bio = p_bio;
7782 ssl->f_send = f_send;
7783 ssl->f_recv = f_recv;
7784 ssl->f_recv_timeout = f_recv_timeout;
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +0100[diff] [blame]7785}
7786
Manuel Pégourié-Gonnard6e7aaca2018-08-20 10:37:23 +0200[diff] [blame]7787#if defined(MBEDTLS_SSL_PROTO_DTLS)
7788void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
7789{
7790 ssl->mtu = mtu;
7791}
7792#endif
7793
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7794void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
Manuel Pégourié-Gonnard97fd52c2015-05-06 15:38:52 +0100[diff] [blame]7795{
7796 conf->read_timeout = timeout;
Manuel Pégourié-Gonnard8fa6dfd2014-09-17 10:47:43 +0200[diff] [blame]7797}
7798
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]7799void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
7800 void *p_timer,
Simon Butchere846b512016-03-01 17:31:49 +0000[diff] [blame]7801 mbedtls_ssl_set_timer_t *f_set_timer,
7802 mbedtls_ssl_get_timer_t *f_get_timer )
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]7803{
7804 ssl->p_timer = p_timer;
7805 ssl->f_set_timer = f_set_timer;
7806 ssl->f_get_timer = f_get_timer;
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]7807
7808 /* Make sure we start with no timer running */
7809 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard2e012912015-05-12 20:55:41 +0200[diff] [blame]7810}
7811
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7812#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7813void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +0100[diff] [blame]7814 void *p_cache,
7815 int (*f_get_cache)(void *, mbedtls_ssl_session *),
7816 int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7817{
Manuel Pégourié-Gonnard5cb33082015-05-06 18:06:26 +0100[diff] [blame]7818 conf->p_cache = p_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7819 conf->f_get_cache = f_get_cache;
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7820 conf->f_set_cache = f_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7821}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7822#endif /* MBEDTLS_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7823
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7824#if defined(MBEDTLS_SSL_CLI_C)
7825int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7826{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7827 int ret;
7828
7829 if( ssl == NULL ||
7830 session == NULL ||
7831 ssl->session_negotiate == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]7832 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7833 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7834 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7835 }
7836
Hanno Becker52055ae2019-02-06 14:30:46 +0000[diff] [blame]7837 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
7838 session ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7839 return( ret );
7840
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]7841 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200[diff] [blame]7842
7843 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7844}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7845#endif /* MBEDTLS_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7846
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7847void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7848 const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7849{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7850 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
7851 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
7852 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
7853 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7854}
7855
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7856void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]7857 const int *ciphersuites,
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7858 int major, int minor )
7859{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7860 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7861 return;
7862
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7863 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]7864 return;
7865
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]7866 conf->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7867}
7868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7869#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +0200[diff] [blame]7870void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
Nicholas Wilson2088e2e2015-09-08 16:53:18 +0100[diff] [blame]7871 const mbedtls_x509_crt_profile *profile )
Manuel Pégourié-Gonnard6e3ee3a2015-06-17 10:58:20 +0200[diff] [blame]7872{
7873 conf->cert_profile = profile;
7874}
7875
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7876/* Append a new keycert entry to a (possibly empty) list */
7877static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
7878 mbedtls_x509_crt *cert,
7879 mbedtls_pk_context *key )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7880{
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7881 mbedtls_ssl_key_cert *new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7882
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7883 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
7884 if( new_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]7885 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7886
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7887 new_cert->cert = cert;
7888 new_cert->key = key;
7889 new_cert->next = NULL;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7890
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7891 /* Update head is the list was null, else add to the end */
7892 if( *head == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +0100[diff] [blame]7893 {
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7894 *head = new_cert;
Paul Bakker0333b972013-11-04 17:08:28 +0100[diff] [blame]7895 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7896 else
7897 {
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7898 mbedtls_ssl_key_cert *cur = *head;
7899 while( cur->next != NULL )
7900 cur = cur->next;
niisato8ee24222018-06-25 19:05:48 +0900[diff] [blame]7901 cur->next = new_cert;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7902 }
7903
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7904 return( 0 );
7905}
7906
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7907int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]7908 mbedtls_x509_crt *own_cert,
7909 mbedtls_pk_context *pk_key )
7910{
Manuel Pégourié-Gonnard17a40cd2015-05-10 23:17:17 +0200[diff] [blame]7911 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]7912}
7913
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]7914void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]7915 mbedtls_x509_crt *ca_chain,
7916 mbedtls_x509_crl *ca_crl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7917{
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]7918 conf->ca_chain = ca_chain;
7919 conf->ca_crl = ca_crl;
Hanno Becker5adaad92019-03-27 16:54:37 +0000[diff] [blame]7920
7921#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
7922 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
7923 * cannot be used together. */
7924 conf->f_ca_cb = NULL;
7925 conf->p_ca_cb = NULL;
7926#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7927}
Hanno Becker5adaad92019-03-27 16:54:37 +0000[diff] [blame]7928
7929#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
7930void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
Hanno Beckerafd0b0a2019-03-27 16:55:01 +0000[diff] [blame]7931 mbedtls_x509_crt_ca_cb_t f_ca_cb,
Hanno Becker5adaad92019-03-27 16:54:37 +0000[diff] [blame]7932 void *p_ca_cb )
7933{
7934 conf->f_ca_cb = f_ca_cb;
7935 conf->p_ca_cb = p_ca_cb;
7936
7937 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
7938 * cannot be used together. */
7939 conf->ca_chain = NULL;
7940 conf->ca_crl = NULL;
7941}
7942#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7943#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]7944
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +0200[diff] [blame]7945#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7946int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
7947 mbedtls_x509_crt *own_cert,
7948 mbedtls_pk_context *pk_key )
7949{
7950 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
7951 own_cert, pk_key ) );
7952}
Manuel Pégourié-Gonnard22bfa4b2015-05-11 08:46:37 +0200[diff] [blame]7953
7954void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
7955 mbedtls_x509_crt *ca_chain,
7956 mbedtls_x509_crl *ca_crl )
7957{
7958 ssl->handshake->sni_ca_chain = ca_chain;
7959 ssl->handshake->sni_ca_crl = ca_crl;
7960}
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]7961
7962void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
7963 int authmode )
7964{
7965 ssl->handshake->sni_authmode = authmode;
7966}
Manuel Pégourié-Gonnard1af6c852015-05-10 23:10:37 +0200[diff] [blame]7967#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
7968
Hanno Becker8927c832019-04-03 12:52:50 +0100[diff] [blame]7969#if defined(MBEDTLS_X509_CRT_PARSE_C)
7970void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
7971 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
7972 void *p_vrfy )
7973{
7974 ssl->f_vrfy = f_vrfy;
7975 ssl->p_vrfy = p_vrfy;
7976}
7977#endif
7978
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]7979#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +0200[diff] [blame]7980/*
7981 * Set EC J-PAKE password for current handshake
7982 */
7983int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
7984 const unsigned char *pw,
7985 size_t pw_len )
7986{
7987 mbedtls_ecjpake_role role;
7988
Janos Follath8eb64132016-06-03 15:40:57 +0100[diff] [blame]7989 if( ssl->handshake == NULL || ssl->conf == NULL )
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +0200[diff] [blame]7990 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7991
7992 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
7993 role = MBEDTLS_ECJPAKE_SERVER;
7994 else
7995 role = MBEDTLS_ECJPAKE_CLIENT;
7996
7997 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
7998 role,
7999 MBEDTLS_MD_SHA256,
8000 MBEDTLS_ECP_DP_SECP256R1,
8001 pw, pw_len ) );
8002}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]8003#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7002f4a2015-09-15 12:43:43 +0200[diff] [blame]8004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8005#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8006
8007static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
8008{
8009 /* Remove reference to existing PSK, if any. */
8010#if defined(MBEDTLS_USE_PSA_CRYPTO)
8011 if( conf->psk_opaque != 0 )
8012 {
8013 /* The maintenance of the PSK key slot is the
8014 * user's responsibility. */
8015 conf->psk_opaque = 0;
8016 }
Hanno Beckera63ac3f2018-11-05 12:47:16 +0000[diff] [blame]8017 /* This and the following branch should never
8018 * be taken simultaenously as we maintain the
8019 * invariant that raw and opaque PSKs are never
8020 * configured simultaneously. As a safeguard,
8021 * though, `else` is omitted here. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8022#endif /* MBEDTLS_USE_PSA_CRYPTO */
8023 if( conf->psk != NULL )
8024 {
8025 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
8026
8027 mbedtls_free( conf->psk );
8028 conf->psk = NULL;
8029 conf->psk_len = 0;
8030 }
8031
8032 /* Remove reference to PSK identity, if any. */
8033 if( conf->psk_identity != NULL )
8034 {
8035 mbedtls_free( conf->psk_identity );
8036 conf->psk_identity = NULL;
8037 conf->psk_identity_len = 0;
8038 }
8039}
8040
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8041/* This function assumes that PSK identity in the SSL config is unset.
8042 * It checks that the provided identity is well-formed and attempts
8043 * to make a copy of it in the SSL config.
8044 * On failure, the PSK identity in the config remains unset. */
8045static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
8046 unsigned char const *psk_identity,
8047 size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]8048{
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]8049 /* Identity len will be encoded on two bytes */
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8050 if( psk_identity == NULL ||
8051 ( psk_identity_len >> 16 ) != 0 ||
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8052 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]8053 {
8054 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8055 }
8056
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8057 conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
8058 if( conf->psk_identity == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]8059 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]8060
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +0100[diff] [blame]8061 conf->psk_identity_len = psk_identity_len;
Manuel Pégourié-Gonnard120fdbd2015-05-07 17:07:50 +0100[diff] [blame]8062 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +0200[diff] [blame]8063
8064 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]8065}
8066
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8067int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
8068 const unsigned char *psk, size_t psk_len,
8069 const unsigned char *psk_identity, size_t psk_identity_len )
8070{
8071 int ret;
8072 /* Remove opaque/raw PSK + PSK Identity */
8073 ssl_conf_remove_psk( conf );
8074
8075 /* Check and set raw PSK */
8076 if( psk == NULL || psk_len > MBEDTLS_PSK_MAX_LEN )
8077 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8078 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
8079 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
8080 conf->psk_len = psk_len;
8081 memcpy( conf->psk, psk, conf->psk_len );
8082
8083 /* Check and set PSK Identity */
8084 ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
8085 if( ret != 0 )
8086 ssl_conf_remove_psk( conf );
8087
8088 return( ret );
8089}
8090
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8091static void ssl_remove_psk( mbedtls_ssl_context *ssl )
8092{
8093#if defined(MBEDTLS_USE_PSA_CRYPTO)
8094 if( ssl->handshake->psk_opaque != 0 )
8095 {
8096 ssl->handshake->psk_opaque = 0;
8097 }
8098 else
8099#endif /* MBEDTLS_USE_PSA_CRYPTO */
8100 if( ssl->handshake->psk != NULL )
8101 {
8102 mbedtls_platform_zeroize( ssl->handshake->psk,
8103 ssl->handshake->psk_len );
8104 mbedtls_free( ssl->handshake->psk );
8105 ssl->handshake->psk_len = 0;
8106 }
8107}
8108
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]8109int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
8110 const unsigned char *psk, size_t psk_len )
8111{
8112 if( psk == NULL || ssl->handshake == NULL )
8113 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8114
8115 if( psk_len > MBEDTLS_PSK_MAX_LEN )
8116 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8117
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8118 ssl_remove_psk( ssl );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]8119
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]8120 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]8121 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]8122
8123 ssl->handshake->psk_len = psk_len;
8124 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
8125
8126 return( 0 );
8127}
8128
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8129#if defined(MBEDTLS_USE_PSA_CRYPTO)
8130int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500[diff] [blame]8131 psa_key_handle_t psk_slot,
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8132 const unsigned char *psk_identity,
8133 size_t psk_identity_len )
8134{
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8135 int ret;
8136 /* Clear opaque/raw PSK + PSK Identity, if present. */
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8137 ssl_conf_remove_psk( conf );
8138
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8139 /* Check and set opaque PSK */
8140 if( psk_slot == 0 )
8141 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8142 conf->psk_opaque = psk_slot;
Hanno Becker7390c712018-11-15 13:33:04 +0000[diff] [blame]8143
8144 /* Check and set PSK Identity */
8145 ret = ssl_conf_set_psk_identity( conf, psk_identity,
8146 psk_identity_len );
8147 if( ret != 0 )
8148 ssl_conf_remove_psk( conf );
8149
8150 return( ret );
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8151}
8152
8153int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500[diff] [blame]8154 psa_key_handle_t psk_slot )
Hanno Beckerd20a8ca2018-10-22 15:31:26 +0100[diff] [blame]8155{
8156 if( psk_slot == 0 || ssl->handshake == NULL )
8157 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8158
8159 ssl_remove_psk( ssl );
8160 ssl->handshake->psk_opaque = psk_slot;
8161 return( 0 );
8162}
8163#endif /* MBEDTLS_USE_PSA_CRYPTO */
8164
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8165void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8166 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]8167 size_t),
8168 void *p_psk )
8169{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8170 conf->f_psk = f_psk;
8171 conf->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]8172}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8173#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]8174
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200[diff] [blame]8175#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Hanno Becker470a8c42017-10-04 15:28:46 +0100[diff] [blame]8176
8177#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8178int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8179{
8180 int ret;
8181
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8182 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
8183 ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
8184 {
8185 mbedtls_mpi_free( &conf->dhm_P );
8186 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8187 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8188 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8189
8190 return( 0 );
8191}
Hanno Becker470a8c42017-10-04 15:28:46 +0100[diff] [blame]8192#endif /* MBEDTLS_DEPRECATED_REMOVED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8193
Hanno Beckera90658f2017-10-04 15:29:08 +0100[diff] [blame]8194int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
8195 const unsigned char *dhm_P, size_t P_len,
8196 const unsigned char *dhm_G, size_t G_len )
8197{
8198 int ret;
8199
8200 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
8201 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
8202 {
8203 mbedtls_mpi_free( &conf->dhm_P );
8204 mbedtls_mpi_free( &conf->dhm_G );
8205 return( ret );
8206 }
8207
8208 return( 0 );
8209}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8210
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8211int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8212{
8213 int ret;
8214
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8215 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
8216 ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
8217 {
8218 mbedtls_mpi_free( &conf->dhm_P );
8219 mbedtls_mpi_free( &conf->dhm_G );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8220 return( ret );
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]8221 }
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8222
8223 return( 0 );
8224}
Manuel Pégourié-Gonnardcf141ca2015-05-20 10:35:51 +0200[diff] [blame]8225#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]8226
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]8227#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
8228/*
8229 * Set the minimum length for Diffie-Hellman parameters
8230 */
8231void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
8232 unsigned int bitlen )
8233{
8234 conf->dhm_min_bitlen = bitlen;
8235}
8236#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
8237
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]8238#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +0200[diff] [blame]8239/*
8240 * Set allowed/preferred hashes for handshake signatures
8241 */
8242void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
8243 const int *hashes )
8244{
8245 conf->sig_hashes = hashes;
8246}
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8247#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +0200[diff] [blame]8248
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]8249#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8250/*
8251 * Set the allowed elliptic curves
8252 */
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8253void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8254 const mbedtls_ecp_group_id *curve_list )
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8255{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8256 conf->curve_list = curve_list;
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8257}
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8258#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +0100[diff] [blame]8259
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]8260#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8261int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8262{
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8263 /* Initialize to suppress unnecessary compiler warning */
8264 size_t hostname_len = 0;
8265
8266 /* Check if new hostname is valid before
8267 * making any change to current one */
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8268 if( hostname != NULL )
8269 {
8270 hostname_len = strlen( hostname );
8271
8272 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
8273 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8274 }
8275
8276 /* Now it's clear that we will overwrite the old hostname,
8277 * so we can free it safely */
8278
8279 if( ssl->hostname != NULL )
8280 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]8281 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8282 mbedtls_free( ssl->hostname );
8283 }
8284
8285 /* Passing NULL as hostname shall clear the old one */
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]8286
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8287 if( hostname == NULL )
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8288 {
8289 ssl->hostname = NULL;
8290 }
8291 else
8292 {
8293 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8294 if( ssl->hostname == NULL )
8295 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Paul Bakker75c1a6f2013-08-19 14:25:29 +0200[diff] [blame]8296
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8297 memcpy( ssl->hostname, hostname, hostname_len );
Paul Bakker75c1a6f2013-08-19 14:25:29 +0200[diff] [blame]8298
Hanno Becker947194e2017-04-07 13:25:49 +0100[diff] [blame]8299 ssl->hostname[hostname_len] = '\0';
8300 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8301
8302 return( 0 );
8303}
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]8304#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8305
Manuel Pégourié-Gonnardbc2b7712015-05-06 11:14:19 +0100[diff] [blame]8306#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8307void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8308 int (*f_sni)(void *, mbedtls_ssl_context *,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]8309 const unsigned char *, size_t),
8310 void *p_sni )
8311{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8312 conf->f_sni = f_sni;
8313 conf->p_sni = p_sni;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]8314}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8315#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]8316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8317#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8318int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8319{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8320 size_t cur_len, tot_len;
8321 const char **p;
8322
8323 /*
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]8324 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
8325 * MUST NOT be truncated."
8326 * We check lengths now rather than later.
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8327 */
8328 tot_len = 0;
8329 for( p = protos; *p != NULL; p++ )
8330 {
8331 cur_len = strlen( *p );
8332 tot_len += cur_len;
8333
8334 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8335 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8336 }
8337
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8338 conf->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]8339
8340 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8341}
8342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8343const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8344{
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8345 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8346}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8347#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +0200[diff] [blame]8348
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]8349void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]8350{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8351 conf->max_major_ver = major;
8352 conf->max_minor_ver = minor;
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]8353}
8354
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]8355void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]8356{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8357 conf->min_major_ver = major;
8358 conf->min_minor_ver = minor;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]8359}
8360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8361#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8362void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]8363{
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]8364 conf->fallback = fallback;
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]8365}
8366#endif
8367
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]8368#if defined(MBEDTLS_SSL_SRV_C)
8369void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
8370 char cert_req_ca_list )
8371{
8372 conf->cert_req_ca_list = cert_req_ca_list;
8373}
8374#endif
8375
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8376#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8377void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]8378{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8379 conf->encrypt_then_mac = etm;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]8380}
8381#endif
8382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8383#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8384void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]8385{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8386 conf->extended_ms = ems;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]8387}
8388#endif
8389
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]8390#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8391void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]8392{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8393 conf->arc4_disabled = arc4;
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]8394}
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]8395#endif
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]8396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8397#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8398int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8399{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8400 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8401 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8402 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8403 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8404 }
8405
Manuel Pégourié-Gonnard6bf89d62015-05-05 17:01:57 +0100[diff] [blame]8406 conf->mfl_code = mfl_code;
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8407
8408 return( 0 );
8409}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8410#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +0200[diff] [blame]8411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8412#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard01e5e8c2015-05-11 10:11:56 +0200[diff] [blame]8413void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +0200[diff] [blame]8414{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8415 conf->trunc_hmac = truncate;
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +0200[diff] [blame]8416}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8417#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +0200[diff] [blame]8418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8419#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8420void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]8421{
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]8422 conf->cbc_record_splitting = split;
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]8423}
8424#endif
8425
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8426void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8427{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8428 conf->allow_legacy_renegotiation = allow_legacy;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8429}
8430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8431#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8432void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]8433{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8434 conf->disable_renegotiation = renegotiation;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]8435}
8436
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8437void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]8438{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8439 conf->renego_max_records = max_records;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]8440}
8441
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200[diff] [blame]8442void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +0100[diff] [blame]8443 const unsigned char period[8] )
8444{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]8445 memcpy( conf->renego_period, period, 8 );
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +0100[diff] [blame]8446}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8447#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8449#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8450#if defined(MBEDTLS_SSL_CLI_C)
8451void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]8452{
Manuel Pégourié-Gonnard2b494452015-05-06 10:05:11 +0100[diff] [blame]8453 conf->session_tickets = use_tickets;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]8454}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8455#endif
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]8456
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8457#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]8458void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
8459 mbedtls_ssl_ticket_write_t *f_ticket_write,
8460 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
8461 void *p_ticket )
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]8462{
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]8463 conf->f_ticket_write = f_ticket_write;
8464 conf->f_ticket_parse = f_ticket_parse;
8465 conf->p_ticket = p_ticket;
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]8466}
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]8467#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8468#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]8469
Robert Cragie4feb7ae2015-10-02 13:33:37 +0100[diff] [blame]8470#if defined(MBEDTLS_SSL_EXPORT_KEYS)
8471void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
8472 mbedtls_ssl_export_keys_t *f_export_keys,
8473 void *p_export_keys )
8474{
8475 conf->f_export_keys = f_export_keys;
8476 conf->p_export_keys = p_export_keys;
8477}
8478#endif
8479
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]8480#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8481void mbedtls_ssl_conf_async_private_cb(
8482 mbedtls_ssl_config *conf,
8483 mbedtls_ssl_async_sign_t *f_async_sign,
8484 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
8485 mbedtls_ssl_async_resume_t *f_async_resume,
8486 mbedtls_ssl_async_cancel_t *f_async_cancel,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8487 void *async_config_data )
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8488{
8489 conf->f_async_sign_start = f_async_sign;
8490 conf->f_async_decrypt_start = f_async_decrypt;
8491 conf->f_async_resume = f_async_resume;
8492 conf->f_async_cancel = f_async_cancel;
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8493 conf->p_async_config_data = async_config_data;
8494}
8495
Gilles Peskine8f97af72018-04-26 11:46:10 +0200[diff] [blame]8496void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
8497{
8498 return( conf->p_async_config_data );
8499}
8500
Gilles Peskine1febfef2018-04-30 11:54:39 +0200[diff] [blame]8501void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8502{
8503 if( ssl->handshake == NULL )
8504 return( NULL );
8505 else
8506 return( ssl->handshake->user_async_ctx );
8507}
8508
Gilles Peskine1febfef2018-04-30 11:54:39 +0200[diff] [blame]8509void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]8510 void *ctx )
8511{
8512 if( ssl->handshake != NULL )
8513 ssl->handshake->user_async_ctx = ctx;
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8514}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]8515#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100[diff] [blame]8516
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8517/*
8518 * SSL get accessors
8519 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8520size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8521{
8522 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
8523}
8524
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8525int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
8526{
8527 /*
8528 * Case A: We're currently holding back
8529 * a message for further processing.
8530 */
8531
8532 if( ssl->keep_current_message == 1 )
8533 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8534 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8535 return( 1 );
8536 }
8537
8538 /*
8539 * Case B: Further records are pending in the current datagram.
8540 */
8541
8542#if defined(MBEDTLS_SSL_PROTO_DTLS)
8543 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8544 ssl->in_left > ssl->next_record_offset )
8545 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8546 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8547 return( 1 );
8548 }
8549#endif /* MBEDTLS_SSL_PROTO_DTLS */
8550
8551 /*
8552 * Case C: A handshake message is being processed.
8553 */
8554
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8555 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
8556 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8557 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8558 return( 1 );
8559 }
8560
8561 /*
8562 * Case D: An application data message is being processed
8563 */
8564 if( ssl->in_offt != NULL )
8565 {
Hanno Beckera6fb0892017-10-23 13:17:48 +0100[diff] [blame]8566 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8567 return( 1 );
8568 }
8569
8570 /*
8571 * In all other cases, the rest of the message can be dropped.
Hanno Beckerc573ac32018-08-28 17:15:25 +0100[diff] [blame]8572 * As in ssl_get_next_record, this needs to be adapted if
Hanno Becker8b170a02017-10-10 11:51:19 +0100[diff] [blame]8573 * we implement support for multiple alerts in single records.
8574 */
8575
8576 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
8577 return( 0 );
8578}
8579
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]8580uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8581{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +0000[diff] [blame]8582 if( ssl->session != NULL )
8583 return( ssl->session->verify_result );
8584
8585 if( ssl->session_negotiate != NULL )
8586 return( ssl->session_negotiate->verify_result );
8587
Manuel Pégourié-Gonnard6ab9b002015-05-14 11:25:04 +0200[diff] [blame]8588 return( 0xFFFFFFFF );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8589}
8590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8591const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]8592{
Paul Bakker926c8e42013-03-06 10:23:34 +0100[diff] [blame]8593 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8594 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +0100[diff] [blame]8595
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8596 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]8597}
8598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8599const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8600{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8601#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8602 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8603 {
8604 switch( ssl->minor_ver )
8605 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8606 case MBEDTLS_SSL_MINOR_VERSION_2:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8607 return( "DTLSv1.0" );
8608
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8609 case MBEDTLS_SSL_MINOR_VERSION_3:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8610 return( "DTLSv1.2" );
8611
8612 default:
8613 return( "unknown (DTLS)" );
8614 }
8615 }
8616#endif
8617
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8618 switch( ssl->minor_ver )
8619 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8620 case MBEDTLS_SSL_MINOR_VERSION_0:
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8621 return( "SSLv3.0" );
8622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8623 case MBEDTLS_SSL_MINOR_VERSION_1:
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8624 return( "TLSv1.0" );
8625
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8626 case MBEDTLS_SSL_MINOR_VERSION_2:
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8627 return( "TLSv1.1" );
8628
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8629 case MBEDTLS_SSL_MINOR_VERSION_3:
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]8630 return( "TLSv1.2" );
8631
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8632 default:
Manuel Pégourié-Gonnardb21ca2a2014-02-10 13:43:33 +0100[diff] [blame]8633 return( "unknown" );
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8634 }
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]8635}
8636
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8637int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8638{
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8639 size_t transform_expansion = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8640 const mbedtls_ssl_transform *transform = ssl->transform_out;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8641 unsigned block_size;
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8642
Hanno Becker78640902018-08-13 16:35:15 +0100[diff] [blame]8643 if( transform == NULL )
8644 return( (int) mbedtls_ssl_hdr_len( ssl ) );
8645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8646#if defined(MBEDTLS_ZLIB_SUPPORT)
8647 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
8648 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8649#endif
8650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8651 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8652 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8653 case MBEDTLS_MODE_GCM:
8654 case MBEDTLS_MODE_CCM:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8655 case MBEDTLS_MODE_CHACHAPOLY:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8656 case MBEDTLS_MODE_STREAM:
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8657 transform_expansion = transform->minlen;
8658 break;
8659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8660 case MBEDTLS_MODE_CBC:
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8661
8662 block_size = mbedtls_cipher_get_block_size(
8663 &transform->cipher_ctx_enc );
8664
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8665 /* Expansion due to the addition of the MAC. */
8666 transform_expansion += transform->maclen;
8667
8668 /* Expansion due to the addition of CBC padding;
8669 * Theoretically up to 256 bytes, but we never use
8670 * more than the block size of the underlying cipher. */
8671 transform_expansion += block_size;
8672
8673 /* For TLS 1.1 or higher, an explicit IV is added
8674 * after the record header. */
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8675#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
8676 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8677 transform_expansion += block_size;
Hanno Becker5b559ac2018-08-03 09:40:07 +0100[diff] [blame]8678#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker3136ede2018-08-17 15:28:19 +0100[diff] [blame]8679
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8680 break;
8681
8682 default:
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]8683 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8684 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8685 }
8686
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]8687 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
Manuel Pégourié-Gonnard9b35f182014-10-14 17:47:31 +0200[diff] [blame]8688}
8689
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8690#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8691size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
8692{
8693 size_t max_len;
8694
8695 /*
8696 * Assume mfl_code is correct since it was checked when set
8697 */
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8698 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8699
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8700 /* Check if a smaller max length was negotiated */
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8701 if( ssl->session_out != NULL &&
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8702 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8703 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]8704 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8705 }
8706
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8707 /* During a handshake, use the value being negotiated */
8708 if( ssl->session_negotiate != NULL &&
8709 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
8710 {
8711 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
8712 }
8713
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8714 return( max_len );
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]8715}
8716#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
8717
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8718#if defined(MBEDTLS_SSL_PROTO_DTLS)
8719static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
8720{
Andrzej Kurekef43ce62018-10-09 08:24:12 -0400[diff] [blame]8721 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
8722 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
8723 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
8724 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
8725 return ( 0 );
8726
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8727 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
8728 return( ssl->mtu );
8729
8730 if( ssl->mtu == 0 )
8731 return( ssl->handshake->mtu );
8732
8733 return( ssl->mtu < ssl->handshake->mtu ?
8734 ssl->mtu : ssl->handshake->mtu );
8735}
8736#endif /* MBEDTLS_SSL_PROTO_DTLS */
8737
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8738int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
8739{
8740 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
8741
Manuel Pégourié-Gonnard000281e2018-08-21 11:20:58 +0200[diff] [blame]8742#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8743 !defined(MBEDTLS_SSL_PROTO_DTLS)
8744 (void) ssl;
8745#endif
8746
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8747#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8748 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
8749
8750 if( max_len > mfl )
8751 max_len = mfl;
8752#endif
8753
8754#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8755 if( ssl_get_current_mtu( ssl ) != 0 )
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8756 {
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8757 const size_t mtu = ssl_get_current_mtu( ssl );
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8758 const int ret = mbedtls_ssl_get_record_expansion( ssl );
8759 const size_t overhead = (size_t) ret;
8760
8761 if( ret < 0 )
8762 return( ret );
8763
8764 if( mtu <= overhead )
8765 {
8766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
8767 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
8768 }
8769
8770 if( max_len > mtu - overhead )
8771 max_len = mtu - overhead;
8772 }
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8773#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8774
Hanno Becker0defedb2018-08-10 12:35:02 +0100[diff] [blame]8775#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8776 !defined(MBEDTLS_SSL_PROTO_DTLS)
8777 ((void) ssl);
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]8778#endif
8779
8780 return( (int) max_len );
8781}
8782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8783#if defined(MBEDTLS_X509_CRT_PARSE_C)
8784const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8785{
8786 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8787 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8788
Hanno Beckere6824572019-02-07 13:18:46 +0000[diff] [blame]8789#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]8790 return( ssl->session->peer_cert );
Hanno Beckere6824572019-02-07 13:18:46 +0000[diff] [blame]8791#else
8792 return( NULL );
8793#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8794}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8795#endif /* MBEDTLS_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +0000[diff] [blame]8796
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8797#if defined(MBEDTLS_SSL_CLI_C)
Hanno Beckerf852b1c2019-02-05 11:42:30 +0000[diff] [blame]8798int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
8799 mbedtls_ssl_session *dst )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8800{
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8801 if( ssl == NULL ||
8802 dst == NULL ||
8803 ssl->session == NULL ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8804 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8805 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8806 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8807 }
8808
Hanno Becker52055ae2019-02-06 14:30:46 +0000[diff] [blame]8809 return( mbedtls_ssl_session_copy( dst, ssl->session ) );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8810}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8811#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +0200[diff] [blame]8812
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8813/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8814 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8815 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8816int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8817{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8818 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8819
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]8820 if( ssl == NULL || ssl->conf == NULL )
8821 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8822
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8823#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8824 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8825 ret = mbedtls_ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8826#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8827#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8828 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8829 ret = mbedtls_ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8830#endif
8831
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8832 return( ret );
8833}
8834
8835/*
8836 * Perform the SSL handshake
8837 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8838int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8839{
8840 int ret = 0;
8841
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]8842 if( ssl == NULL || ssl->conf == NULL )
8843 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8844
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8846
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8847 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8848 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8849 ret = mbedtls_ssl_handshake_step( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]8850
8851 if( ret != 0 )
8852 break;
8853 }
8854
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8855 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8856
8857 return( ret );
8858}
8859
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8860#if defined(MBEDTLS_SSL_RENEGOTIATION)
8861#if defined(MBEDTLS_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8862/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8863 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8864 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8865static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8866{
8867 int ret;
8868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8870
8871 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8872 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8873 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8874
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]8875 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8876 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]8877 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8878 return( ret );
8879 }
8880
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8881 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8882
8883 return( 0 );
8884}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8885#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8886
8887/*
8888 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8889 * - any side: calling mbedtls_ssl_renegotiate(),
8890 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
8891 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +0200[diff] [blame]8892 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8893 * If the handshake doesn't complete due to waiting for I/O, it will continue
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8894 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8895 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8896static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8897{
8898 int ret;
8899
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8900 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8901
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8902 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
8903 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8904
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +0200[diff] [blame]8905 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
8906 * the ServerHello will have message_seq = 1" */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8907#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8908 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8909 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +0200[diff] [blame]8910 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8911 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]8912 ssl->handshake->out_msg_seq = 1;
8913 else
8914 ssl->handshake->in_msg_seq = 1;
Manuel Pégourié-Gonnard0557bd52014-08-19 19:18:39 +0200[diff] [blame]8915 }
8916#endif
8917
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8918 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
8919 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8921 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8922 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8923 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8924 return( ret );
8925 }
8926
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8927 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]8928
8929 return( 0 );
8930}
8931
8932/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8933 * Renegotiate current connection on client,
8934 * or request renegotiation on server
8935 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8936int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8937{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8938 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8939
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]8940 if( ssl == NULL || ssl->conf == NULL )
8941 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8942
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8943#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8944 /* On server, just send the request */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]8945 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8946 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8947 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8948 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8950 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]8951
8952 /* Did we already try/start sending HelloRequest? */
8953 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8954 return( mbedtls_ssl_flush_output( ssl ) );
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]8955
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8956 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8957 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8958#endif /* MBEDTLS_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8960#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8961 /*
8962 * On client, either start the renegotiation process or,
8963 * if already in progress, continue the handshake
8964 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8965 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8966 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8967 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8968 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8969
8970 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
8971 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8972 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8973 return( ret );
8974 }
8975 }
8976 else
8977 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8978 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8979 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8980 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8981 return( ret );
8982 }
8983 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8984#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +0100[diff] [blame]8985
Paul Bakker37ce0ff2013-10-31 14:32:04 +0100[diff] [blame]8986 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +0100[diff] [blame]8987}
8988
8989/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]8990 * Check record counters and renegotiate if they're above the limit.
8991 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8992static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]8993{
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]8994 size_t ep_len = ssl_ep_len( ssl );
8995 int in_ctr_cmp;
8996 int out_ctr_cmp;
8997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8998 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
8999 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9000 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9001 {
9002 return( 0 );
9003 }
9004
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]9005 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
9006 ssl->conf->renego_period + ep_len, 8 - ep_len );
Hanno Becker19859472018-08-06 09:40:20 +0100[diff] [blame]9007 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]9008 ssl->conf->renego_period + ep_len, 8 - ep_len );
9009
9010 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9011 {
9012 return( 0 );
9013 }
9014
Manuel Pégourié-Gonnardcb0d2122015-07-22 11:52:11 +0200[diff] [blame]9015 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9016 return( mbedtls_ssl_renegotiate( ssl ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9017}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9018#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9019
9020/*
9021 * Receive application data decrypted from the SSL layer
9022 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9023int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9024{
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9025 int ret;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]9026 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9027
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]9028 if( ssl == NULL || ssl->conf == NULL )
9029 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9033#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9034 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]9035 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9036 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]9037 return( ret );
9038
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9039 if( ssl->handshake != NULL &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9040 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9041 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]9042 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9043 return( ret );
9044 }
Manuel Pégourié-Gonnardabf16242014-09-23 09:42:16 +0200[diff] [blame]9045 }
9046#endif
9047
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9048 /*
9049 * Check if renegotiation is necessary and/or handshake is
9050 * in process. If yes, perform/continue, and fall through
9051 * if an unexpected packet is received while the client
9052 * is waiting for the ServerHello.
9053 *
9054 * (There is no equivalent to the last condition on
9055 * the server-side as it is not treated as within
9056 * a handshake while waiting for the ClientHello
9057 * after a renegotiation request.)
9058 */
9059
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9060#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9061 ret = ssl_check_ctr_renegotiate( ssl );
9062 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
9063 ret != 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9064 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9065 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +0100[diff] [blame]9066 return( ret );
9067 }
9068#endif
9069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9070 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9071 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9072 ret = mbedtls_ssl_handshake( ssl );
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9073 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
9074 ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9075 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9076 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9077 return( ret );
9078 }
9079 }
9080
Hanno Beckere41158b2017-10-23 13:30:32 +0100[diff] [blame]9081 /* Loop as long as no application data record is available */
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9082 while( ssl->in_offt == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9083 {
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]9084 /* Start timer if not already running */
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]9085 if( ssl->f_get_timer != NULL &&
9086 ssl->f_get_timer( ssl->p_timer ) == -1 )
9087 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9088 ssl_set_timer( ssl, ssl->conf->read_timeout );
Manuel Pégourié-Gonnard545102e2015-05-13 17:28:43 +0200[diff] [blame]9089 }
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]9090
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]9091 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9092 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9093 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
9094 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]9095
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9096 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
9097 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9098 }
9099
9100 if( ssl->in_msglen == 0 &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9101 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9102 {
9103 /*
9104 * OpenSSL sends empty messages to randomize the IV
9105 */
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]9106 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9107 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9108 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]9109 return( 0 );
9110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9111 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9112 return( ret );
9113 }
9114 }
9115
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9116 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9117 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9118 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9119
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9120 /*
9121 * - For client-side, expect SERVER_HELLO_REQUEST.
9122 * - For server-side, expect CLIENT_HELLO.
9123 * - Fail (TLS) or silently drop record (DTLS) in other cases.
9124 */
9125
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9126#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9127 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9128 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9129 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9130 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9132
9133 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9134#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9135 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9136 {
9137 continue;
9138 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9139#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9140 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9141 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9142#endif /* MBEDTLS_SSL_CLI_C */
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9143
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9144#if defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9145 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9146 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9147 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9149
9150 /* With DTLS, drop the packet (probably from last handshake) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9151#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9152 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9153 {
9154 continue;
9155 }
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9156#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9157 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9158 }
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9159#endif /* MBEDTLS_SSL_SRV_C */
9160
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]9161#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9162 /* Determine whether renegotiation attempt should be accepted */
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]9163 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
9164 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
9165 ssl->conf->allow_legacy_renegotiation ==
9166 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
9167 {
9168 /*
9169 * Accept renegotiation request
9170 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9171
Hanno Beckerb4ff0aa2017-10-17 11:03:04 +0100[diff] [blame]9172 /* DTLS clients need to know renego is server-initiated */
9173#if defined(MBEDTLS_SSL_PROTO_DTLS)
9174 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
9175 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
9176 {
9177 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
9178 }
9179#endif
9180 ret = ssl_start_renegotiation( ssl );
9181 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
9182 ret != 0 )
9183 {
9184 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
9185 return( ret );
9186 }
9187 }
9188 else
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]9189#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9190 {
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9191 /*
9192 * Refuse renegotiation
9193 */
9194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9195 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9197#if defined(MBEDTLS_SSL_PROTO_SSL3)
9198 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9199 {
Gilles Peskine92e44262017-05-10 17:27:49 +0200[diff] [blame]9200 /* SSLv3 does not have a "no_renegotiation" warning, so
9201 we send a fatal alert and abort the connection. */
9202 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9203 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
9204 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]9205 }
9206 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9207#endif /* MBEDTLS_SSL_PROTO_SSL3 */
9208#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
9209 defined(MBEDTLS_SSL_PROTO_TLS1_2)
9210 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]9211 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9212 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
9213 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
9214 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]9215 {
9216 return( ret );
9217 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9218 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]9219 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9220#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
9221 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]9222 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
9224 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]9225 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9226 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9227
Hanno Becker90333da2017-10-10 11:27:13 +0100[diff] [blame]9228 /* At this point, we don't know whether the renegotiation has been
9229 * completed or not. The cases to consider are the following:
9230 * 1) The renegotiation is complete. In this case, no new record
9231 * has been read yet.
9232 * 2) The renegotiation is incomplete because the client received
9233 * an application data record while awaiting the ServerHello.
9234 * 3) The renegotiation is incomplete because the client received
9235 * a non-handshake, non-application data message while awaiting
9236 * the ServerHello.
9237 * In each of these case, looping will be the proper action:
9238 * - For 1), the next iteration will read a new record and check
9239 * if it's application data.
9240 * - For 2), the loop condition isn't satisfied as application data
9241 * is present, hence continue is the same as break
9242 * - For 3), the loop condition is satisfied and read_record
9243 * will re-deliver the message that was held back by the client
9244 * when expecting the ServerHello.
9245 */
9246 continue;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9247 }
Hanno Becker21df7f92017-10-17 11:03:26 +0100[diff] [blame]9248#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9249 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]9250 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9251 if( ssl->conf->renego_max_records >= 0 )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]9252 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9253 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9254 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9256 "but not honored by client" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9257 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9258 }
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]9259 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +0100[diff] [blame]9260 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9261#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9263 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
9264 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9265 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9266 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
Manuel Pégourié-Gonnard88369942015-05-06 16:19:31 +0100[diff] [blame]9267 return( MBEDTLS_ERR_SSL_WANT_READ );
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +0200[diff] [blame]9268 }
9269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9270 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9271 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
9273 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9274 }
9275
9276 ssl->in_offt = ssl->in_msg;
Manuel Pégourié-Gonnard6b651412014-10-01 18:29:03 +0200[diff] [blame]9277
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9278 /* We're going to return something now, cancel timer,
9279 * except if handshake (renegotiation) is in progress */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9280 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9281 ssl_set_timer( ssl, 0 );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9282
Manuel Pégourié-Gonnard286a1362015-05-13 16:22:05 +0200[diff] [blame]9283#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9284 /* If we requested renego but received AppData, resend HelloRequest.
9285 * Do it now, after setting in_offt, to avoid taking this branch
9286 * again if ssl_write_hello_request() returns WANT_WRITE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9287#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9288 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9289 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9290 {
Manuel Pégourié-Gonnarddf3acd82014-10-15 15:07:45 +0200[diff] [blame]9291 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9292 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9293 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
Manuel Pégourié-Gonnard26a4cf62014-10-15 13:52:48 +0200[diff] [blame]9294 return( ret );
9295 }
9296 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9297#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9298#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9299 }
9300
9301 n = ( len < ssl->in_msglen )
9302 ? len : ssl->in_msglen;
9303
9304 memcpy( buf, ssl->in_offt, n );
9305 ssl->in_msglen -= n;
9306
9307 if( ssl->in_msglen == 0 )
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9308 {
9309 /* all bytes consumed */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9310 ssl->in_offt = NULL;
Hanno Beckerbdf39052017-06-09 10:42:03 +0100[diff] [blame]9311 ssl->keep_current_message = 0;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9312 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9313 else
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9314 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9315 /* more data available */
9316 ssl->in_offt += n;
Hanno Becker4a810fb2017-05-24 16:27:30 +0100[diff] [blame]9317 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9319 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9320
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]9321 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9322}
9323
9324/*
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]9325 * Send application data to be encrypted by the SSL layer, taking care of max
9326 * fragment length and buffer size.
9327 *
9328 * According to RFC 5246 Section 6.2.1:
9329 *
9330 * Zero-length fragments of Application data MAY be sent as they are
9331 * potentially useful as a traffic analysis countermeasure.
9332 *
9333 * Therefore, it is possible that the input message length is 0 and the
9334 * corresponding return code is 0 on success.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9335 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9336static int ssl_write_real( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9337 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9338{
Manuel Pégourié-Gonnard9468ff12017-09-21 13:49:50 +0200[diff] [blame]9339 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
9340 const size_t max_len = (size_t) ret;
9341
9342 if( ret < 0 )
9343 {
9344 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
9345 return( ret );
9346 }
9347
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9348 if( len > max_len )
9349 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9350#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]9351 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9352 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9353 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9354 "maximum fragment length: %d > %d",
9355 len, max_len ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9356 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9357 }
9358 else
9359#endif
9360 len = max_len;
9361 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9362
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9363 if( ssl->out_left != 0 )
9364 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]9365 /*
9366 * The user has previously tried to send the data and
9367 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
9368 * written. In this case, we expect the high-level write function
9369 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
9370 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9371 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9372 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9373 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9374 return( ret );
9375 }
9376 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9377 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]9378 {
Andres Amaya Garcia5b923522017-09-28 14:41:17 +0100[diff] [blame]9379 /*
9380 * The user is trying to send a message the first time, so we need to
9381 * copy the data into the internal buffers and setup the data structure
9382 * to keep track of partial writes
9383 */
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9384 ssl->out_msglen = len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9385 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9386 memcpy( ssl->out_msg, buf, len );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9387
Hanno Becker67bc7c32018-08-06 11:33:50 +0100[diff] [blame]9388 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9389 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9390 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]9391 return( ret );
9392 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9393 }
9394
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]9395 return( (int) len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9396}
9397
9398/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9399 * Write application data, doing 1/n-1 splitting if necessary.
9400 *
9401 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]9402 * then the caller will call us again with the same arguments, so
Hanno Becker2b187c42017-09-18 14:58:11 +0100[diff] [blame]9403 * remember whether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9404 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9405#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9406static int ssl_write_split( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9407 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9408{
9409 int ret;
9410
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]9411 if( ssl->conf->cbc_record_splitting ==
9412 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +0100[diff] [blame]9413 len <= 1 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9414 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
9415 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
9416 != MBEDTLS_MODE_CBC )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9417 {
9418 return( ssl_write_real( ssl, buf, len ) );
9419 }
9420
9421 if( ssl->split_done == 0 )
9422 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]9423 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9424 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]9425 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9426 }
9427
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]9428 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
9429 return( ret );
9430 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9431
9432 return( ret + 1 );
9433}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9434#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +0100[diff] [blame]9435
9436/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9437 * Write application data (public-facing wrapper)
9438 */
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9439int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9440{
9441 int ret;
9442
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9443 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9444
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]9445 if( ssl == NULL || ssl->conf == NULL )
9446 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9447
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9448#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9449 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
9450 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9451 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9452 return( ret );
9453 }
9454#endif
9455
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9456 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9457 {
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9458 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9459 {
Manuel Pégourié-Gonnard151dc772015-05-14 13:55:51 +0200[diff] [blame]9460 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9461 return( ret );
9462 }
9463 }
9464
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9465#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9466 ret = ssl_write_split( ssl, buf, len );
9467#else
9468 ret = ssl_write_real( ssl, buf, len );
9469#endif
9470
Manuel Pégourié-Gonnard144bc222015-04-17 20:39:07 +0200[diff] [blame]9471 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +0200[diff] [blame]9472
9473 return( ret );
9474}
9475
9476/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9477 * Notify the peer that the connection is being closed
9478 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9479int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9480{
9481 int ret;
9482
Manuel Pégourié-Gonnardf81ee2e2015-09-01 17:43:40 +0200[diff] [blame]9483 if( ssl == NULL || ssl->conf == NULL )
9484 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
9485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9486 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9487
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]9488 if( ssl->out_left != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9489 return( mbedtls_ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9490
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9491 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9492 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9493 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
9494 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
9495 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9496 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9497 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9498 return( ret );
9499 }
9500 }
9501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9503
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +0200[diff] [blame]9504 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9505}
9506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9507void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9508{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9509 if( transform == NULL )
9510 return;
9511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9512#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9513 deflateEnd( &transform->ctx_deflate );
9514 inflateEnd( &transform->ctx_inflate );
9515#endif
9516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9517 mbedtls_cipher_free( &transform->cipher_ctx_enc );
9518 mbedtls_cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +0200[diff] [blame]9519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9520 mbedtls_md_free( &transform->md_ctx_enc );
9521 mbedtls_md_free( &transform->md_ctx_dec );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]9522
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9523 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9524}
9525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9526#if defined(MBEDTLS_X509_CRT_PARSE_C)
9527static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9528{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9529 mbedtls_ssl_key_cert *cur = key_cert, *next;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9530
9531 while( cur != NULL )
9532 {
9533 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9534 mbedtls_free( cur );
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9535 cur = next;
9536 }
9537}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9538#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9539
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9540#if defined(MBEDTLS_SSL_PROTO_DTLS)
9541
9542static void ssl_buffering_free( mbedtls_ssl_context *ssl )
9543{
9544 unsigned offset;
9545 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
9546
9547 if( hs == NULL )
9548 return;
9549
Hanno Becker283f5ef2018-08-24 09:34:47 +0100[diff] [blame]9550 ssl_free_buffered_record( ssl );
9551
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9552 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9553 ssl_buffering_free_slot( ssl, offset );
9554}
9555
9556static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
9557 uint8_t slot )
9558{
9559 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
9560 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
Hanno Beckerb309b922018-08-23 13:18:05 +0100[diff] [blame]9561
9562 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
9563 return;
9564
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9565 if( hs_buf->is_valid == 1 )
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9566 {
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9567 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
Hanno Becker805f2e12018-10-12 16:31:41 +0100[diff] [blame]9568 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
Hanno Beckere605b192018-08-21 15:59:07 +0100[diff] [blame]9569 mbedtls_free( hs_buf->data );
9570 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9571 }
9572}
9573
9574#endif /* MBEDTLS_SSL_PROTO_DTLS */
9575
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]9576void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9577{
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]9578 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
9579
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9580 if( handshake == NULL )
9581 return;
9582
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]9583#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
9584 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
9585 {
Gilles Peskine8f97af72018-04-26 11:46:10 +0200[diff] [blame]9586 ssl->conf->f_async_cancel( ssl );
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]9587 handshake->async_in_progress = 0;
9588 }
9589#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
9590
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9591#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
9592 defined(MBEDTLS_SSL_PROTO_TLS1_1)
9593 mbedtls_md5_free( &handshake->fin_md5 );
9594 mbedtls_sha1_free( &handshake->fin_sha1 );
9595#endif
9596#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9597#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9598#if defined(MBEDTLS_USE_PSA_CRYPTO)
9599 psa_hash_abort( &handshake->fin_sha256_psa );
9600#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9601 mbedtls_sha256_free( &handshake->fin_sha256 );
9602#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9603#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9604#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9605#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500[diff] [blame]9606 psa_hash_abort( &handshake->fin_sha384_psa );
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9607#else
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9608 mbedtls_sha512_free( &handshake->fin_sha512 );
9609#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500[diff] [blame]9610#endif
Manuel Pégourié-Gonnardb9d64e52015-07-06 14:18:56 +0200[diff] [blame]9611#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9612
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9613#if defined(MBEDTLS_DHM_C)
9614 mbedtls_dhm_free( &handshake->dhm_ctx );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9615#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9616#if defined(MBEDTLS_ECDH_C)
9617 mbedtls_ecdh_free( &handshake->ecdh_ctx );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]9618#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]9619#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]9620 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200[diff] [blame]9621#if defined(MBEDTLS_SSL_CLI_C)
9622 mbedtls_free( handshake->ecjpake_cache );
9623 handshake->ecjpake_cache = NULL;
9624 handshake->ecjpake_cache_len = 0;
9625#endif
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200[diff] [blame]9626#endif
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]9627
Janos Follath4ae5c292016-02-10 11:27:43 +0000[diff] [blame]9628#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
9629 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]9630 /* explicit void pointer cast for buggy MS compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9631 mbedtls_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]9632#endif
9633
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]9634#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
9635 if( handshake->psk != NULL )
9636 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9637 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
Manuel Pégourié-Gonnard4b682962015-05-07 15:59:54 +0100[diff] [blame]9638 mbedtls_free( handshake->psk );
9639 }
9640#endif
9641
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9642#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
9643 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]9644 /*
9645 * Free only the linked list wrapper, not the keys themselves
9646 * since the belong to the SNI callback
9647 */
9648 if( handshake->sni_key_cert != NULL )
9649 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9650 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]9651
9652 while( cur != NULL )
9653 {
9654 next = cur->next;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9655 mbedtls_free( cur );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]9656 cur = next;
9657 }
9658 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9659#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]9660
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]9661#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +0200[diff] [blame]9662 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
Hanno Becker3dad3112019-02-05 17:19:52 +0000[diff] [blame]9663 if( handshake->ecrs_peer_cert != NULL )
9664 {
9665 mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
9666 mbedtls_free( handshake->ecrs_peer_cert );
9667 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]9668#endif
9669
Hanno Becker75173122019-02-06 16:18:31 +0000[diff] [blame]9670#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
9671 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9672 mbedtls_pk_free( &handshake->peer_pubkey );
9673#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9675#if defined(MBEDTLS_SSL_PROTO_DTLS)
9676 mbedtls_free( handshake->verify_cookie );
Manuel Pégourié-Gonnardffa67be2014-09-19 11:18:57 +0200[diff] [blame]9677 ssl_flight_free( handshake->flight );
Hanno Becker0271f962018-08-16 13:23:47 +0100[diff] [blame]9678 ssl_buffering_free( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]9679#endif
9680
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]9681#if defined(MBEDTLS_ECDH_C) && \
9682 defined(MBEDTLS_USE_PSA_CRYPTO)
9683 psa_destroy_key( handshake->ecdh_psa_privkey );
9684#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
9685
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9686 mbedtls_platform_zeroize( handshake,
9687 sizeof( mbedtls_ssl_handshake_params ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9688}
9689
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9690void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9691{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9692 if( session == NULL )
9693 return;
9694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9695#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Becker1294a0b2019-02-05 12:38:15 +0000[diff] [blame]9696 ssl_clear_peer_cert( session );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]9697#endif
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]9698
Manuel Pégourié-Gonnardb596abf2015-05-20 10:45:29 +0200[diff] [blame]9699#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9700 mbedtls_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]9701#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +0200[diff] [blame]9702
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9703 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9704}
9705
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9706/*
9707 * Free an SSL context
9708 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9709void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9710{
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]9711 if( ssl == NULL )
9712 return;
9713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9715
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +0100[diff] [blame]9716 if( ssl->out_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9717 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]9718 mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9719 mbedtls_free( ssl->out_buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9720 }
9721
Manuel Pégourié-Gonnard7ee6f0e2014-02-13 10:54:07 +0100[diff] [blame]9722 if( ssl->in_buf != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9723 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]9724 mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9725 mbedtls_free( ssl->in_buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9726 }
9727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9728#if defined(MBEDTLS_ZLIB_SUPPORT)
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]9729 if( ssl->compress_buf != NULL )
9730 {
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]9731 mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9732 mbedtls_free( ssl->compress_buf );
Paul Bakker16770332013-10-11 09:59:44 +0200[diff] [blame]9733 }
9734#endif
9735
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9736 if( ssl->transform )
9737 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9738 mbedtls_ssl_transform_free( ssl->transform );
9739 mbedtls_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9740 }
9741
9742 if( ssl->handshake )
9743 {
Gilles Peskine9b562d52018-04-25 20:32:43 +0200[diff] [blame]9744 mbedtls_ssl_handshake_free( ssl );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9745 mbedtls_ssl_transform_free( ssl->transform_negotiate );
9746 mbedtls_ssl_session_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9748 mbedtls_free( ssl->handshake );
9749 mbedtls_free( ssl->transform_negotiate );
9750 mbedtls_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]9751 }
9752
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]9753 if( ssl->session )
9754 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9755 mbedtls_ssl_session_free( ssl->session );
9756 mbedtls_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +0100[diff] [blame]9757 }
9758
Manuel Pégourié-Gonnard55fab2d2015-05-11 16:15:19 +0200[diff] [blame]9759#if defined(MBEDTLS_X509_CRT_PARSE_C)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]9760 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9761 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9762 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9763 mbedtls_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9764 }
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]9765#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9767#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
9768 if( mbedtls_ssl_hw_record_finish != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]9769 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9770 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
9771 mbedtls_ssl_hw_record_finish( ssl );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]9772 }
9773#endif
9774
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]9775#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9776 mbedtls_free( ssl->cli_id );
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]9777#endif
9778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]9780
Paul Bakker86f04f42013-02-14 11:20:09 +0100[diff] [blame]9781 /* Actually clear after last debug message */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]9782 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9783}
9784
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9785/*
9786 * Initialze mbedtls_ssl_config
9787 */
9788void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
9789{
9790 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
9791}
9792
Simon Butcherc97b6972015-12-27 23:48:17 +0000[diff] [blame]9793#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9794static int ssl_preset_default_hashes[] = {
9795#if defined(MBEDTLS_SHA512_C)
9796 MBEDTLS_MD_SHA512,
9797 MBEDTLS_MD_SHA384,
9798#endif
9799#if defined(MBEDTLS_SHA256_C)
9800 MBEDTLS_MD_SHA256,
9801 MBEDTLS_MD_SHA224,
9802#endif
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]9803#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9804 MBEDTLS_MD_SHA1,
9805#endif
9806 MBEDTLS_MD_NONE
9807};
Simon Butcherc97b6972015-12-27 23:48:17 +0000[diff] [blame]9808#endif
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9809
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9810static int ssl_preset_suiteb_ciphersuites[] = {
9811 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
9812 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
9813 0
9814};
9815
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]9816#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9817static int ssl_preset_suiteb_hashes[] = {
9818 MBEDTLS_MD_SHA256,
9819 MBEDTLS_MD_SHA384,
9820 MBEDTLS_MD_NONE
9821};
9822#endif
9823
9824#if defined(MBEDTLS_ECP_C)
9825static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
9826 MBEDTLS_ECP_DP_SECP256R1,
9827 MBEDTLS_ECP_DP_SECP384R1,
9828 MBEDTLS_ECP_DP_NONE
9829};
9830#endif
9831
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9832/*
Tillmann Karras588ad502015-09-25 04:27:22 +0200[diff] [blame]9833 * Load default in mbedtls_ssl_config
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9834 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +0200[diff] [blame]9835int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9836 int endpoint, int transport, int preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9837{
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +0200[diff] [blame]9838#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9839 int ret;
Manuel Pégourié-Gonnard8b431fb2015-05-11 12:54:52 +0200[diff] [blame]9840#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9841
Manuel Pégourié-Gonnard0de074f2015-05-14 12:58:01 +0200[diff] [blame]9842 /* Use the functions here so that they are covered in tests,
9843 * but otherwise access member directly for efficiency */
9844 mbedtls_ssl_conf_endpoint( conf, endpoint );
9845 mbedtls_ssl_conf_transport( conf, transport );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9846
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9847 /*
9848 * Things that are common to all presets
9849 */
Manuel Pégourié-Gonnard419d5ae2015-05-04 19:32:36 +0200[diff] [blame]9850#if defined(MBEDTLS_SSL_CLI_C)
9851 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
9852 {
9853 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
9854#if defined(MBEDTLS_SSL_SESSION_TICKETS)
9855 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
9856#endif
9857 }
9858#endif
9859
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]9860#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9861 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]9862#endif
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9863
9864#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9865 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
9866#endif
9867
9868#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
9869 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
9870#endif
9871
Manuel Pégourié-Gonnard17eab2b2015-05-05 16:34:53 +0100[diff] [blame]9872#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
9873 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
9874#endif
9875
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +0200[diff] [blame]9876#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9877 conf->f_cookie_write = ssl_cookie_write_dummy;
9878 conf->f_cookie_check = ssl_cookie_check_dummy;
9879#endif
9880
9881#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
9882 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
9883#endif
9884
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]9885#if defined(MBEDTLS_SSL_SRV_C)
9886 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
9887#endif
9888
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9889#if defined(MBEDTLS_SSL_PROTO_DTLS)
9890 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
9891 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
9892#endif
9893
9894#if defined(MBEDTLS_SSL_RENEGOTIATION)
9895 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
Andres AG2196c7f2016-12-15 17:01:16 +0000[diff] [blame]9896 memset( conf->renego_period, 0x00, 2 );
9897 memset( conf->renego_period + 2, 0xFF, 6 );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9898#endif
9899
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9900#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
9901 if( endpoint == MBEDTLS_SSL_IS_SERVER )
9902 {
Hanno Becker00d0a682017-10-04 13:14:29 +0100[diff] [blame]9903 const unsigned char dhm_p[] =
9904 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
9905 const unsigned char dhm_g[] =
9906 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
9907
Hanno Beckera90658f2017-10-04 15:29:08 +0100[diff] [blame]9908 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
9909 dhm_p, sizeof( dhm_p ),
9910 dhm_g, sizeof( dhm_g ) ) ) != 0 )
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9911 {
9912 return( ret );
9913 }
9914 }
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]9915#endif
9916
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9917 /*
9918 * Preset-specific defaults
9919 */
9920 switch( preset )
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9921 {
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9922 /*
9923 * NSA Suite B
9924 */
9925 case MBEDTLS_SSL_PRESET_SUITEB:
9926 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
9927 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
9928 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9929 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9930
9931 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9932 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9933 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9934 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9935 ssl_preset_suiteb_ciphersuites;
9936
9937#if defined(MBEDTLS_X509_CRT_PARSE_C)
9938 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9939#endif
9940
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]9941#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9942 conf->sig_hashes = ssl_preset_suiteb_hashes;
9943#endif
9944
9945#if defined(MBEDTLS_ECP_C)
9946 conf->curve_list = ssl_preset_suiteb_curves;
9947#endif
Manuel Pégourié-Gonnardc98204e2015-08-11 04:21:01 +0200[diff] [blame]9948 break;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9949
9950 /*
9951 * Default
9952 */
9953 default:
Ron Eldor5e9f14d2017-05-28 10:46:38 +0300[diff] [blame]9954 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
9955 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
9956 MBEDTLS_SSL_MIN_MAJOR_VERSION :
9957 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
9958 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
9959 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
9960 MBEDTLS_SSL_MIN_MINOR_VERSION :
9961 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9962 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9963 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9964
9965#if defined(MBEDTLS_SSL_PROTO_DTLS)
9966 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
9967 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
9968#endif
9969
9970 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9971 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9972 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9973 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9974 mbedtls_ssl_list_ciphersuites();
9975
9976#if defined(MBEDTLS_X509_CRT_PARSE_C)
9977 conf->cert_profile = &mbedtls_x509_crt_profile_default;
9978#endif
9979
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]9980#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard47229c72015-12-04 15:02:56 +0100[diff] [blame]9981 conf->sig_hashes = ssl_preset_default_hashes;
Manuel Pégourié-Gonnardb31c5f62015-06-17 13:53:47 +0200[diff] [blame]9982#endif
9983
9984#if defined(MBEDTLS_ECP_C)
9985 conf->curve_list = mbedtls_ecp_grp_id_list();
9986#endif
9987
9988#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
9989 conf->dhm_min_bitlen = 1024;
9990#endif
9991 }
9992
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]9993 return( 0 );
9994}
9995
9996/*
9997 * Free mbedtls_ssl_config
9998 */
9999void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
10000{
10001#if defined(MBEDTLS_DHM_C)
10002 mbedtls_mpi_free( &conf->dhm_P );
10003 mbedtls_mpi_free( &conf->dhm_G );
10004#endif
10005
10006#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
10007 if( conf->psk != NULL )
10008 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]10009 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10010 mbedtls_free( conf->psk );
Azim Khan27e8a122018-03-21 14:24:11 +0000[diff] [blame]10011 conf->psk = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10012 conf->psk_len = 0;
junyeonLEE316b1622017-12-20 16:29:30 +0900[diff] [blame]10013 }
10014
10015 if( conf->psk_identity != NULL )
10016 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]10017 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
junyeonLEE316b1622017-12-20 16:29:30 +0900[diff] [blame]10018 mbedtls_free( conf->psk_identity );
Azim Khan27e8a122018-03-21 14:24:11 +0000[diff] [blame]10019 conf->psk_identity = NULL;
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10020 conf->psk_identity_len = 0;
10021 }
10022#endif
10023
10024#if defined(MBEDTLS_X509_CRT_PARSE_C)
10025 ssl_key_cert_free( conf->key_cert );
10026#endif
10027
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]10028 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
Manuel Pégourié-Gonnardcd523e22015-05-04 13:35:39 +0200[diff] [blame]10029}
10030
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]10031#if defined(MBEDTLS_PK_C) && \
10032 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10033/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10034 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10035 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10036unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10037{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10038#if defined(MBEDTLS_RSA_C)
10039 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
10040 return( MBEDTLS_SSL_SIG_RSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10041#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10042#if defined(MBEDTLS_ECDSA_C)
10043 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
10044 return( MBEDTLS_SSL_SIG_ECDSA );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10045#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10046 return( MBEDTLS_SSL_SIG_ANON );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]10047}
10048
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]10049unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
10050{
10051 switch( type ) {
10052 case MBEDTLS_PK_RSA:
10053 return( MBEDTLS_SSL_SIG_RSA );
10054 case MBEDTLS_PK_ECDSA:
10055 case MBEDTLS_PK_ECKEY:
10056 return( MBEDTLS_SSL_SIG_ECDSA );
10057 default:
10058 return( MBEDTLS_SSL_SIG_ANON );
10059 }
10060}
10061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10062mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10063{
10064 switch( sig )
10065 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10066#if defined(MBEDTLS_RSA_C)
10067 case MBEDTLS_SSL_SIG_RSA:
10068 return( MBEDTLS_PK_RSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10069#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10070#if defined(MBEDTLS_ECDSA_C)
10071 case MBEDTLS_SSL_SIG_ECDSA:
10072 return( MBEDTLS_PK_ECDSA );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10073#endif
10074 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10075 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10076 }
10077}
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]10078#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10079
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]10080#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
10081 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
10082
10083/* Find an entry in a signature-hash set matching a given hash algorithm. */
10084mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
10085 mbedtls_pk_type_t sig_alg )
10086{
10087 switch( sig_alg )
10088 {
10089 case MBEDTLS_PK_RSA:
10090 return( set->rsa );
10091 case MBEDTLS_PK_ECDSA:
10092 return( set->ecdsa );
10093 default:
10094 return( MBEDTLS_MD_NONE );
10095 }
10096}
10097
10098/* Add a signature-hash-pair to a signature-hash set */
10099void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
10100 mbedtls_pk_type_t sig_alg,
10101 mbedtls_md_type_t md_alg )
10102{
10103 switch( sig_alg )
10104 {
10105 case MBEDTLS_PK_RSA:
10106 if( set->rsa == MBEDTLS_MD_NONE )
10107 set->rsa = md_alg;
10108 break;
10109
10110 case MBEDTLS_PK_ECDSA:
10111 if( set->ecdsa == MBEDTLS_MD_NONE )
10112 set->ecdsa = md_alg;
10113 break;
10114
10115 default:
10116 break;
10117 }
10118}
10119
10120/* Allow exactly one hash algorithm for each signature. */
10121void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
10122 mbedtls_md_type_t md_alg )
10123{
10124 set->rsa = md_alg;
10125 set->ecdsa = md_alg;
10126}
10127
10128#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
10129 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
10130
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +0200[diff] [blame]10131/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10132 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +0200[diff] [blame]10133 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10134mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10135{
10136 switch( hash )
10137 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10138#if defined(MBEDTLS_MD5_C)
10139 case MBEDTLS_SSL_HASH_MD5:
10140 return( MBEDTLS_MD_MD5 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10141#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10142#if defined(MBEDTLS_SHA1_C)
10143 case MBEDTLS_SSL_HASH_SHA1:
10144 return( MBEDTLS_MD_SHA1 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10145#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10146#if defined(MBEDTLS_SHA256_C)
10147 case MBEDTLS_SSL_HASH_SHA224:
10148 return( MBEDTLS_MD_SHA224 );
10149 case MBEDTLS_SSL_HASH_SHA256:
10150 return( MBEDTLS_MD_SHA256 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10151#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10152#if defined(MBEDTLS_SHA512_C)
10153 case MBEDTLS_SSL_HASH_SHA384:
10154 return( MBEDTLS_MD_SHA384 );
10155 case MBEDTLS_SSL_HASH_SHA512:
10156 return( MBEDTLS_MD_SHA512 );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10157#endif
10158 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10159 return( MBEDTLS_MD_NONE );
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]10160 }
10161}
10162
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10163/*
10164 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
10165 */
10166unsigned char mbedtls_ssl_hash_from_md_alg( int md )
10167{
10168 switch( md )
10169 {
10170#if defined(MBEDTLS_MD5_C)
10171 case MBEDTLS_MD_MD5:
10172 return( MBEDTLS_SSL_HASH_MD5 );
10173#endif
10174#if defined(MBEDTLS_SHA1_C)
10175 case MBEDTLS_MD_SHA1:
10176 return( MBEDTLS_SSL_HASH_SHA1 );
10177#endif
10178#if defined(MBEDTLS_SHA256_C)
10179 case MBEDTLS_MD_SHA224:
10180 return( MBEDTLS_SSL_HASH_SHA224 );
10181 case MBEDTLS_MD_SHA256:
10182 return( MBEDTLS_SSL_HASH_SHA256 );
10183#endif
10184#if defined(MBEDTLS_SHA512_C)
10185 case MBEDTLS_MD_SHA384:
10186 return( MBEDTLS_SSL_HASH_SHA384 );
10187 case MBEDTLS_MD_SHA512:
10188 return( MBEDTLS_SSL_HASH_SHA512 );
10189#endif
10190 default:
10191 return( MBEDTLS_SSL_HASH_NONE );
10192 }
10193}
10194
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]10195#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10196/*
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10197 * Check if a curve proposed by the peer is in our list.
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10198 * Return 0 if we're willing to use it, -1 otherwise.
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10199 */
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10200int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10201{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10202 const mbedtls_ecp_group_id *gid;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10203
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10204 if( ssl->conf->curve_list == NULL )
10205 return( -1 );
10206
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]10207 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10208 if( *gid == grp_id )
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10209 return( 0 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10210
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]10211 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]10212}
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]10213#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10214
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]10215#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10216/*
10217 * Check if a hash proposed by the peer is in our list.
10218 * Return 0 if we're willing to use it, -1 otherwise.
10219 */
10220int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
10221 mbedtls_md_type_t md )
10222{
10223 const int *cur;
10224
10225 if( ssl->conf->sig_hashes == NULL )
10226 return( -1 );
10227
10228 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
10229 if( *cur == (int) md )
10230 return( 0 );
10231
10232 return( -1 );
10233}
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200[diff] [blame]10234#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]10235
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10236#if defined(MBEDTLS_X509_CRT_PARSE_C)
10237int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
10238 const mbedtls_ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10239 int cert_endpoint,
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]10240 uint32_t *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10241{
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10242 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10243#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10244 int usage = 0;
10245#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10246#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10247 const char *ext_oid;
10248 size_t ext_len;
10249#endif
10250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10251#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
10252 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10253 ((void) cert);
10254 ((void) cert_endpoint);
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10255 ((void) flags);
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10256#endif
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10257
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10258#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
10259 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10260 {
10261 /* Server part of the key exchange */
10262 switch( ciphersuite->key_exchange )
10263 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10264 case MBEDTLS_KEY_EXCHANGE_RSA:
10265 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10266 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10267 break;
10268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10269 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
10270 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
10271 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
10272 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10273 break;
10274
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10275 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
10276 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10277 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10278 break;
10279
10280 /* Don't use default: we want warnings when adding new values */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10281 case MBEDTLS_KEY_EXCHANGE_NONE:
10282 case MBEDTLS_KEY_EXCHANGE_PSK:
10283 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
10284 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200[diff] [blame]10285 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10286 usage = 0;
10287 }
10288 }
10289 else
10290 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10291 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
10292 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10293 }
10294
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10295 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10296 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10297 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10298 ret = -1;
10299 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10300#else
10301 ((void) ciphersuite);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10302#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10304#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
10305 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10306 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10307 ext_oid = MBEDTLS_OID_SERVER_AUTH;
10308 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10309 }
10310 else
10311 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10312 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
10313 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10314 }
10315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10316 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10317 {
Manuel Pégourié-Gonnarde6028c92015-04-20 12:19:02 +0100[diff] [blame]10318 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10319 ret = -1;
10320 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10321#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]10322
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]10323 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]10324}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10325#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +0200[diff] [blame]10326
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10327/*
10328 * Convert version numbers to/from wire format
10329 * and, for DTLS, to/from TLS equivalent.
10330 *
10331 * For TLS this is the identity.
Brian J Murray1903fb32016-11-06 04:45:15 -0800[diff] [blame]10332 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10333 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
10334 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
10335 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10336void mbedtls_ssl_write_version( int major, int minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10337 unsigned char ver[2] )
10338{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10339#if defined(MBEDTLS_SSL_PROTO_DTLS)
10340 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10341 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10342 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10343 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
10344
10345 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
10346 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
10347 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10348 else
10349#else
10350 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10351#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10352 {
10353 ver[0] = (unsigned char) major;
10354 ver[1] = (unsigned char) minor;
10355 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10356}
10357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10358void mbedtls_ssl_read_version( int *major, int *minor, int transport,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10359 const unsigned char ver[2] )
10360{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10361#if defined(MBEDTLS_SSL_PROTO_DTLS)
10362 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10363 {
10364 *major = 255 - ver[0] + 2;
10365 *minor = 255 - ver[1] + 1;
10366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10367 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10368 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
10369 }
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10370 else
10371#else
10372 ((void) transport);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10373#endif
Manuel Pégourié-Gonnard34c10112014-03-25 13:36:22 +0100[diff] [blame]10374 {
10375 *major = ver[0];
10376 *minor = ver[1];
10377 }
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]10378}
10379
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]10380int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
10381{
10382#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
10383 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
10384 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10385
10386 switch( md )
10387 {
10388#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
10389#if defined(MBEDTLS_MD5_C)
10390 case MBEDTLS_SSL_HASH_MD5:
Janos Follath182013f2016-10-25 10:50:22 +0100[diff] [blame]10391 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]10392#endif
10393#if defined(MBEDTLS_SHA1_C)
10394 case MBEDTLS_SSL_HASH_SHA1:
10395 ssl->handshake->calc_verify = ssl_calc_verify_tls;
10396 break;
10397#endif
10398#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
10399#if defined(MBEDTLS_SHA512_C)
10400 case MBEDTLS_SSL_HASH_SHA384:
10401 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
10402 break;
10403#endif
10404#if defined(MBEDTLS_SHA256_C)
10405 case MBEDTLS_SSL_HASH_SHA256:
10406 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
10407 break;
10408#endif
10409 default:
10410 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10411 }
10412
10413 return 0;
10414#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
10415 (void) ssl;
10416 (void) md;
10417
10418 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
10419#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
10420}
10421
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10422#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
10423 defined(MBEDTLS_SSL_PROTO_TLS1_1)
10424int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
10425 unsigned char *output,
10426 unsigned char *data, size_t data_len )
10427{
10428 int ret = 0;
10429 mbedtls_md5_context mbedtls_md5;
10430 mbedtls_sha1_context mbedtls_sha1;
10431
10432 mbedtls_md5_init( &mbedtls_md5 );
10433 mbedtls_sha1_init( &mbedtls_sha1 );
10434
10435 /*
10436 * digitally-signed struct {
10437 * opaque md5_hash[16];
10438 * opaque sha_hash[20];
10439 * };
10440 *
10441 * md5_hash
10442 * MD5(ClientHello.random + ServerHello.random
10443 * + ServerParams);
10444 * sha_hash
10445 * SHA(ClientHello.random + ServerHello.random
10446 * + ServerParams);
10447 */
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10448 if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10449 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10450 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10451 goto exit;
10452 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10453 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10454 ssl->handshake->randbytes, 64 ) ) != 0 )
10455 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10456 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10457 goto exit;
10458 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10459 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10460 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10461 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10462 goto exit;
10463 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10464 if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10465 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10466 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10467 goto exit;
10468 }
10469
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10470 if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10471 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10472 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10473 goto exit;
10474 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10475 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10476 ssl->handshake->randbytes, 64 ) ) != 0 )
10477 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10478 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10479 goto exit;
10480 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10481 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10482 data_len ) ) != 0 )
10483 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10484 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10485 goto exit;
10486 }
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10487 if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10488 output + 16 ) ) != 0 )
10489 {
Gilles Peskine9e4f77c2018-01-22 11:48:08 +0100[diff] [blame]10490 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10491 goto exit;
10492 }
10493
10494exit:
10495 mbedtls_md5_free( &mbedtls_md5 );
10496 mbedtls_sha1_free( &mbedtls_sha1 );
10497
10498 if( ret != 0 )
10499 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10500 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
10501
10502 return( ret );
10503
10504}
10505#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
10506 MBEDTLS_SSL_PROTO_TLS1_1 */
10507
10508#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
10509 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10510
10511#if defined(MBEDTLS_USE_PSA_CRYPTO)
10512int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
10513 unsigned char *hash, size_t *hashlen,
10514 unsigned char *data, size_t data_len,
10515 mbedtls_md_type_t md_alg )
10516{
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10517 psa_status_t status;
Jaeden Amero34973232019-02-20 10:32:28 +0000[diff] [blame]10518 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10519 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
10520
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]10521 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10522
10523 if( ( status = psa_hash_setup( &hash_operation,
10524 hash_alg ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10525 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10526 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10527 goto exit;
10528 }
10529
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10530 if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
10531 64 ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10532 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10533 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10534 goto exit;
10535 }
10536
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10537 if( ( status = psa_hash_update( &hash_operation,
10538 data, data_len ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10539 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10540 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10541 goto exit;
10542 }
10543
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10544 if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
10545 hashlen ) ) != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10546 {
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10547 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10548 goto exit;
10549 }
10550
10551exit:
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10552 if( status != PSA_SUCCESS )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10553 {
10554 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10555 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10556 switch( status )
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10557 {
10558 case PSA_ERROR_NOT_SUPPORTED:
10559 return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10560 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10561 case PSA_ERROR_BUFFER_TOO_SMALL:
10562 return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
10563 case PSA_ERROR_INSUFFICIENT_MEMORY:
10564 return( MBEDTLS_ERR_MD_ALLOC_FAILED );
10565 default:
10566 return( MBEDTLS_ERR_MD_HW_ACCEL_FAILED );
10567 }
10568 }
10569 return( 0 );
10570}
10571
10572#else
10573
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10574int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]10575 unsigned char *hash, size_t *hashlen,
10576 unsigned char *data, size_t data_len,
10577 mbedtls_md_type_t md_alg )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10578{
10579 int ret = 0;
10580 mbedtls_md_context_t ctx;
10581 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]10582 *hashlen = mbedtls_md_get_size( md_info );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10583
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]10584 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
Andrzej Kurek814feff2019-01-14 04:35:19 -0500[diff] [blame]10585
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10586 mbedtls_md_init( &ctx );
10587
10588 /*
10589 * digitally-signed struct {
10590 * opaque client_random[32];
10591 * opaque server_random[32];
10592 * ServerDHParams params;
10593 * };
10594 */
10595 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
10596 {
10597 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
10598 goto exit;
10599 }
10600 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
10601 {
10602 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
10603 goto exit;
10604 }
10605 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
10606 {
10607 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
10608 goto exit;
10609 }
10610 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
10611 {
10612 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
10613 goto exit;
10614 }
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]10615 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10616 {
10617 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
10618 goto exit;
10619 }
10620
10621exit:
10622 mbedtls_md_free( &ctx );
10623
10624 if( ret != 0 )
10625 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10626 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
10627
10628 return( ret );
10629}
Andrzej Kurekd6db9be2019-01-10 05:27:10 -0500[diff] [blame]10630#endif /* MBEDTLS_USE_PSA_CRYPTO */
10631
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]10632#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
10633 MBEDTLS_SSL_PROTO_TLS1_2 */
10634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10635#endif /* MBEDTLS_SSL_TLS_C */